Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Is XDR Enough? The Hidden Gaps in Your Security Net

When evaluating XDR, consider its value based on its ability to reduce complexity and improve threat detection and response times.

Enterprise networks have undergone a massive change over the last two decades. Data and applications are everywhere, spanning a complex labyrinth of multi-cloud, on-premises, and legacy infrastructures being accessed by mobile and remote users.

In fact, some architectures have become so vast and distributed that security teams lack complete visibility of potential threats that put environments at risk. Traditionally, security teams have deployed multiple security tools — an average of 50-100 — thinking this will give them best-of-breed protection against various threats.

Without end-to-end visibility into network traffic flows and user activity, managing distributed deployments using multiple management tools will adversely impact a security team’s effectiveness. Moving between multiple tools, chasing 1000-plus security alerts daily, and hoping nothing gets missed, will frustrate even the most senior security analyst. And despite these efforts, attackers still find ways to exploit gaps in protection.

Of course, the security industry is aware of these issues plaguing enterprises and has produced XDR (extended detection and response). But does XDR live up to the hype?

What Is XDR?

XDR provides consolidated visibility across multiple security platforms to bring a holistic view of the security posture and create a simple starting point for security operations. It enables a deep analysis of multiple data sources to deliver more accurate detection with less noise, resulting in a faster, more effective response to security threats. Its detection and prevention mechanisms include machine learning and behavioral analytics, contextual analysis, threat hunting, SOAR integration and other functions.

XDR is a more advanced approach to detection and response because it extends beyond endpoints alone to expose complex threats across the entire security posture. It is a highly effective tool for security organizations that are suffering from a skills shortage and insufficient resources. The contextual information regarding actual attacks allows security analysts to comprehend and quickly contain threats. 

This means threat monitoring and threat remediation are made effective because security teams can view all threat data using a single platform that correlates events from multiple security sources. XDR addresses visibility gaps and helps address alert fatigue, improving detection and response times.

Advertisement. Scroll to continue reading.

XDR Hype and Reality

Let’s understand some top reasons why XDR may be overhyped.

1. Seamless Integration And Interoperability is a Far-fetched Reality

On paper, XDR promises to offer native integration with most third-party products. Some may speculate that it is unrealistic to expect that a single tool can offer and maintain threat detection and response capabilities that would seamlessly work across scores of disparate and siloed security controls. There’s already too much confusion surrounding open XDR versus closed XDR.

2. Limited Visibility Into Cloud Traffic and Applications

As cloud, remote work, and the Industrial Internet of Things (IIoT) become the new norm, data, applications, and devices that once resided within on-premise corporate environments have suddenly drifted away. Even the most sophisticated XDR solutions will find it challenging to gain visibility and make sense of this hybrid traffic. This loss of visibility and control across cloud and on-premises components can result in a loss of context, inevitably leaving gaping holes in the security posture.

3. Never Have Enough Resources To Investigate All XDR Alerts

Security teams are already inundated with thousands of alerts per day. Imagine the number of alerts they would receive if XDR ingested information from multiple sources. Without automation, prioritization, and contextual information, security teams can get distracted, creating more loopholes. The security skills gap is real and there will never be enough resources to investigate every alert in detail.

Is SASE the Future of XDR?

Single-vendor SASE is a model that converges networking and security technologies into a single cloud-delivered platform. Since all traffic flows through a single converged platform, detecting and correlating security events is less troublesome. From an XDR perspective, this means SASE would ideally make threat detection and response easier since all security tools are part of the same platform and would, therefore, speak a common language. 

A key strength of XDR is how it facilitates in-depth analysis of disconnected security alerts from multiple data sources. This allows it to deliver more coherent threat identification while filtering out most of the noise. XDR detects security threats across networks and endpoints by enhancing cross-network visibility to enhance security operations. This, naturally, leads to faster responses to security threats and an improved overall security posture. However, a gap in data quality tends to render this argument less effective for standard XDR tools.

This is where a single-vendor SASE cloud can extend the capabilities of XDR. Security teams get the needed visibility into all network and endpoint traffic flows over a single global cloud network to detect potential threats. It captures all security events in a single data lake, easily correlates and prioritizes threats, and presents them in a single management dashboard. In turn, security teams can view, understand, and act on these threats to eliminate risk to their organizations.

This is all possible with a SASE cloud because there is no integration or normalization required for the security data to be understood. This provides a higher quality of data to the XDR engine, which leads to more accurate threat detection and faster remediation. This is how the SASE cloud makes XDR more effective, reducing security risk.

When evaluating XDR, consider its value based on its ability to reduce complexity and improve threat detection and response times. Evaluate the platform that it’s built upon because this will also impact its effectiveness.

Related: XDR and the Age-old Problem of Alert Fatigue

Written By

Etay Maor is Senior Director of Security Strategy for Cato Networks. Previously, he was Chief Security Officer for IntSights and held senior security positions at IBM and RSA Security's Cyber Threats Research Labs. An adjunct professor at Boston College, he holds a BA in computer science and a MA in counter-terrorism and cyber terrorism from Reichman University (IDC Herzliya), Tel Aviv.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Endpoint Security

Gigabyte has announced BIOS updates that remove a recently identified backdoor feature in hundreds of its motherboards.

Endpoint Security

Several major companies have published advisories in response to the Downfall vulnerability affecting Intel CPUs.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Endpoint Security

When establishing visibility and security controls across endpoints, security professionals need to understand that each endpoint bears some or all responsibility for its own...

Endpoint Security

The Zero Day Dilemma

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.