
The Importance of Open Source to an XDR Architecture

No longer satisfied with infecting files or systems, adversaries are now intent on crippling entire enterprises. Damaging supply chain, ransomware and wiper attacks are making headline news, impacting not only the organization but its stakeholders too. As threat actors' approaches and targets change, our approach to detection and response is changing as well.


Extended Detection and Response (XDR) is now widely considered to be the most effective path forward to enable detection and response across the infrastructure, across all attack vectors, across different vendors, and across security technologies that are cloud based and on premises. Delivering on this promise requires ALL tools and ALL teams working in concert, so the “X factor” in an XDR architecture is integration. And this integration must be broad and deep so that organizations can get the most value out of their existing best-of-breed security solutions, including their free, open source tools.


Myriad open source threat feeds and intelligence sources provide important information and preventative measures for defending against existing and emerging threats. Additionally, MISP is a great source for information sharing. The extensive MITRE ATT&CK knowledge base helps teams more deeply understand adversary campaigns and risk mitigations based on real-world observations. And connecting with TheHive accelerates incident response, which is the priority for many organizations. Individually, these tools offer tremendous benefits. But when you integrate them as part of an overall XDR architecture, their benefits are magnified in three ways.

1. Enrich events with critical data about the latest threats. Detection now requires a breadth and depth of information from disparate systems and sources brought into a single view, so you can gain a comprehensive understanding of the threat you are facing and know what you must defend. On their own, events from all internal data sources, including your SIEM system, log management repository, case management system and security infrastructure (on-premises and in the cloud), appear to be independent. But when you can aggregate this data and then augment and enrich it automatically with threat data from the multiple sources you subscribe to (open source, commercial, government, industry and existing security vendors) as well as open-source frameworks like MITRE ATT&CK, you start to see the bigger picture. What's more, when new crises and outbreaks occur, much of the information and preventative measures that flood the security community come from a variety of open sources and in a variety of formats, including research blogs, commercial and government reports, news websites and GitHub repositories. A security operations platform that includes out-of-the-box connectors makes importing this information easy, while custom connectors that can be written and deployed within hours allow you to ingest data from additional sources of threat data as they become available.

2. Capture more value from existing teams and tools. Bi-directional integration ensures that data flows between teams and tools as part of existing workflows. With a software development kit (SDK) and easy-to-use APIs, integration with existing tools, including MISP and TheHive, is fast. When the right data can get to the right systems and teams at the right time, data utilization improves and teams are more efficient and effective because they are able to share actionable intelligence using tools they know and trust. Organizations get more value from all their existing resources, while accelerating detection and response. Bi-directional integration also enables a feedback loop so teams can capture and store data for learning and improvement. New data and observations from the MISP community, TheHive, MITRE ATT&CK, your internal analysts and other trusted sources continue to improve analysis, decision-making and actions.

3. Take the right actions faster. Multiple systems are now involved in attacks, so response requires the capability to look beyond one file or system to find all related events and data across the organization. Connecting the dots and contextualizing with additional intelligence accelerates remediation and response to an incident across the infrastructure. MITRE ATT&CK plays a central role in helping teams expand their search for artifacts associated with a campaign within their environment, test hypotheses to confirm or disprove findings, and make decisions quickly about response and remediation. TheHive can support incident response, but you can also integrate with an ecosystem of tools to support a variety of use cases including spear phishing, threat hunting, alert triage and vulnerability management. With a deeper understanding of what is happening across your environment and integration across different tool sets, you can send associated data back to the right tools across your defensive grid immediately and automatically to take the right actions faster.
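The enrichment described in point 1 and the pivot across related events described in point 3, as an added illustration that is not code from the article or from any of the named projects. It assumes a MISP-style event export (the `Event`/`Attribute`/`Tag` layout and `misp-galaxy:mitre-attack-pattern` tag naming are MISP's real conventions, but the values are constructed) and normalized SIEM events whose field names are assumptions.

```python
# Constructed MISP-style event export: indicator Attributes plus an ATT&CK
# galaxy tag that ties the whole event to a technique. Values are made up.
MISP_EXPORT = {"Event": {
    "info": "constructed example campaign",
    "Tag": [{"name": 'misp-galaxy:mitre-attack-pattern="Phishing - T1566"'}],
    "Attribute": [
        {"type": "ip-dst", "value": "203.0.113.7"},
        {"type": "domain", "value": "lure.example"},
        {"type": "sha256", "value": "aa" * 32},   # constructed placeholder hash
    ]}}

# Constructed, normalized SIEM events; the field names are an assumption.
SIEM_EVENTS = [
    {"id": 1, "host": "ws-01", "dst_ip": "203.0.113.7"},
    {"id": 2, "host": "ws-01", "domain": "lure.example"},
    {"id": 3, "host": "ws-02", "dst_ip": "198.51.100.9"},
    {"id": 4, "host": "srv-01", "sha256": "aa" * 32},
]

# Which SIEM field a MISP attribute type should be matched against.
FIELD_FOR_TYPE = {"ip-dst": "dst_ip", "domain": "domain", "sha256": "sha256"}

def parse_technique(tag_name):
    """Extract the ATT&CK ID from 'misp-galaxy:mitre-attack-pattern="Name - T1234"'."""
    if not tag_name.startswith('misp-galaxy:mitre-attack-pattern="'):
        return None
    return tag_name.rstrip('"').rsplit(" - ", 1)[-1]

def build_index(misp_export):
    """Map (siem_field, indicator_value) -> techniques and source of the indicator."""
    event = misp_export["Event"]
    techniques = [t for t in (parse_technique(tag["name"]) for tag in event.get("Tag", [])) if t]
    index = {}
    for attr in event["Attribute"]:
        field = FIELD_FOR_TYPE.get(attr["type"])
        if field:  # attribute types we cannot map are simply not used for matching
            index[(field, attr["value"])] = {"techniques": techniques, "source": event["info"]}
    return index

def enrich(events, index):
    """Attach ATT&CK techniques and intel sources to every event with an indicator hit."""
    out = []
    for ev in events:
        hits = [index[(f, ev[f])] for f in FIELD_FOR_TYPE.values() if f in ev and (f, ev[f]) in index]
        enriched = dict(ev)
        enriched["techniques"] = sorted({t for h in hits for t in h["techniques"]})
        enriched["sources"] = sorted({h["source"] for h in hits})
        out.append(enriched)
    return out

def related_hosts(enriched, technique):
    """Pivot from one technique to every host that saw any indicator tied to it."""
    return sorted({e["host"] for e in enriched if technique in e["techniques"]})
```

Running `related_hosts(enrich(SIEM_EVENTS, build_index(MISP_EXPORT)), "T1566")` widens a single matching alert on one workstation to every host touched by the same campaign, which is the "look beyond one file or system" step.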

Many organizations first turn to open-source tools because they are free. Today, these tools have earned a loyal following as a result of the tremendous value they deliver, and teams will continue to rely on them as an essential part of their security toolkit for decades to come. Now, as part of an XDR architecture where integration is broad and deep, there is an opportunity to elevate open source tools even further because, as ESG's Jon Oltsik has said, "XDR assumes the whole is even greater than the sum of its parts." Open source tools are an important part.


Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
