The Importance of Open Source to an XDR Architecture

No longer satisfied with infecting files or systems, adversaries are now intent on crippling entire enterprises. Damaging supply chain, ransomware and wiper attacks are making headline news, impacting not only the organization but their stakeholders too. As threat actors’ approaches and targets change, our approach to detection and response is changing as well. 

Extended Detection and Response (XDR) is now widely considered to be the most effective path forward to enable detection and response across the infrastructure, across all attack vectors, across different vendors, and across security technologies that are cloud based and on premises. Delivering on this promise requires ALL tools and ALL teams working in concert, so the “X factor” in an XDR architecture is integration. And this integration must be broad and deep so that organizations can get the most value out of their existing best-of-breed security solutions, including their free, open source tools.

[ Read: XDR is a Destination, Not a Solution ]

Myriad open source threat feeds and intelligence sources provide important information and preventative measures for defending against existing and emerging threats. Additionally, MISP is a great source for information sharing. The MITRE ATT&CK extensive knowledgebase helps teams more deeply understand adversary campaigns and risk mitigations based on real-world observations. And connecting with TheHive accelerates incident response, which is the priority for many organizations. Individually, these tools offer tremendous benefits. But when you integrate them as part of an overall XDR architecture, their benefits are magnified in three ways.

1. Enrich events with critical data about the latest threats. Detection now requires a breadth and depth of information from disparate systems and sources brought into a single view, so you can gain a comprehensive understanding of the threat you are facing and know what you must defend. On their own, events from all internal data sources, including your SIEM system, log management repository, case management system and security infrastructure – on premise and in the cloud, appear to be independent. But when you can aggregate this data and then augment and enrich it automatically with threat data from the multiple sources you subscribe to – open source, commercial, government, industry and existing security vendors – as well as open-source frameworks like MITRE ATT&CK, you start to see the bigger picture. What’s more, when new crises and outbreaks occur, much of the information and preventative measures that flood the security community come from a variety of open sources and in a variety of formats—including research blogs, commercial and government reports, news websites and GitHub repositories. A security operations platform that includes out-of-the-box connectors makes importing this information easy. While custom connectors that can be written and deployed within hours allow you to ingest data from additional sources of threat data as they become available. 

2. Capture more value from existing teams and tools. Bi-directional integration ensures that data flows between teams and tools as part of existing workflows. With a software development kit (SDK) and easy-to-use APIs, integration with existing tools, including MISP and TheHive, is fast. When the right data can get to the right systems and teams at the right time, data utilization improves and teams are more efficient and effective because they are able to share actionable intelligence using tools they know and trust. Organizations get more value from all their existing resources, while accelerating detection and response. Bi-directional integration also enables a feedback loop so teams can capture and store data for learning and improvement. New data and observations from the MISP community, TheHive, MITRE ATT&CK, your internal analysts and other trusted sources continue to improve analysis, decision-making and actions.

3. Take the right actions faster. Multiple systems are now involved in attacks, so response requires the capability to look beyond one file or system to find all related events and data across the organization. Connecting the dots and contextualizing with additional intelligence accelerates remediation and response to an incident across the infrastructure. MITRE ATT&CK plays a central role in helping teams expand their search for artifacts associated with a campaign within their environment, test hypotheses to confirm or disprove findings, and make decisions quickly about response and remediation. TheHive can support incident response, but you can also integrate with an ecosystem of tools to support a variety of use cases including spear phishing, threat hunting, alert triage and vulnerability management. With a deeper understanding of what is happening across your environment and integration across different tool sets, you can send associated data back to the right tools across your defensive grid immediately and automatically to take the right actions faster.

Many organizations first turn to open-source tools because they are free. Today, these tools have earned a loyal following as result of the tremendous value they deliver, and teams will continue to rely on them as an essential part of their security toolkit for decades to come. Now, as part of an XDR architecture where integration is broad and deep, there is an opportunity to elevate open source tools even further because, as ESG’s Jon Oltsik has said, “XDR assumes the whole is even greater than the sum of its parts.” Open source tools are an important part.

Related: 3 Questions for MDRs Helping to Get Your Enterprise to XDR

Related: Three Approaches to an XDR Architecture