As adversaries changed their view of an attack to include vectors across an organization, defenders have had to evolve their approach as well. This is best captured by Mark Harris from Gartner who observed that adversaries have shifted their focus of attacks from infecting files to infecting systems and now to infecting the entire enterprise. Previously, I talked about how this has impacted our approach to threat detection. It is no longer just about finding the one control point or system where the attack is being triggered. Multiple points across the enterprise are involved so you need to be able to connect the dots for a comprehensive understanding of the threat you are facing and know what you must defend. This is why Extended Detection and Response (XDR) is generating great interest right now.
Here, I’d like to talk about how our approach to response has been impacted and must evolve and expand as well. It is no longer about our antivirus tool detecting a malicious file and quarantining. Nor can we just rely on Endpoint Protection Platforms (EPP) or Endpoint Detection and Response (EDR) tools to detect suspicious activity on a user’s system to quarantine the system or even to reimage. While response became a bit more complicated, still our actions were contained to a single system.
[ Read: XDR is a Destination, Not a Solution ]
Now, multiple systems across the enterprise are involved in attacks so we need to be able to put the pieces together to get a complete picture of what is happening. Response requires looking beyond one file or system to find all related events and data across the organization, connecting the dots and contextualizing with additional intelligence so you can determine how to remediate and respond to the incident.
Let’s take one common example: a malicious file detected on an endpoint that entered your environment through an email. First, you want to look at your email servers and determine if other systems also received an email with that attachment so you can address those systems as well. Next, you want to see if any of those infected systems are communicating with an external server or system. This requires taking a closer look at network activity related to this spear phishing attack. So, you check the SIEM for other potentially related events and use the sandbox to gain additional information about the malware by observing behavior from the attachment.
With this internal data stored in a central platform, you can pivot to external data sources like MITRE ATT&CK that describe campaigns, adversaries and their TTPs, to learn more about the malware and then expand your search further. For example, if an indicator is associated with a specific campaign or adversary, are there associated artifacts you can look for in other tools to confirm the presence of malicious activity? What other intelligence can be deployed to your infrastructure for future blocking? This level of response is much more complicated, coordinated across different tool sets and data sets so you see a broader picture that includes campaigns, adversaries and all impacted systems, versus a single incident on a single system. Now you can execute a comprehensive response. Aggregating internal and external data for context, correlating and prioritizing it for action and then sending associated data back to the right tools across your defensive grid immediately and automatically to accelerate response. Coming full circle, a modern approach to response must also include the ability to capture and store data from the response for learning and improvement.
Over the past few years, Security Orchestration, Automation and Response (SOAR) platforms and tools have emerged to accelerate response across different tools sets by automating processes. But they inherently can’t keep up with all this complexity in an efficient and effective way. The problem is that SOAR is just focused on the process, not the data that is being captured across disparate systems and sources. Static processes without capturing process results can’t learn and get better over time. As our example shows, what’s needed is an approach that isn’t just about running the process, but is data driven from the start to address response across the organization today and inform response tomorrow.
And this takes us back to XDR and the need to extend beyond a single control point. As I discussed in a prior article, the promise of data-driven detection is there, but currently there is a gap between promise and operational reality. The same is true on the extended response side of the coin. It would be great if you could get a single solution with multiple enforcement points from a single vendor, but the operational reality is that no organization is starting with a clean slate. To reach the ultimate goal of detection and response across the enterprise, we need to start evaluating XDR within the context of integration capabilities. We’ll explore that topic further next time.