XDR and the Age-old Problem of Alert Fatigue

XDR’s fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture

According to 451 Research’s M&A Knowledgebase, cybersecurity M&A activity in 2021 reached an all-time high total deal value of $74.1 billion. Contributing to that growth, extended detection and response (XDR) went from zero to 28 deals in 19 months and is expected to drive continued M&A activity, with good reason. Extending its research into XDR, 451 Research recently found that XDR is now the most frequently reported area of augmentation to SIEM/security analytics with 43% of respondents citing it as the top technology to combine with these core security operations technologies. 

Augmentation is the key word. The SIEM is already aggregating logs and events from different tools and creating its own alerts. Augmenting with XDR to gain broader visibility across the enterprise is a good thing because bad guys use gaps to their advantage. But the unintended consequence is that the number of alerts is increasing by an order of magnitude. It’s not surprising then, that these survey respondents also say they still struggle with alert overload; on a typical day, 48% of alerts go uninvestigated, up from 41% in the prior year’s survey. Alert fatigue has plagued security analysts for years. Adding more detections in more areas exacerbates the problem. 

To reverse the trend, we need to think about XDR as an architectural approach, not a solution. When XDR is defined as an open platform focused on integration and automation, analysts can quickly connect the dots, understand what’s happening across their environment and determine whether or not an alert should be escalated to incident response. 

First Things First: Integration. 

An XDR architecture must support integration to any tool the enterprise has, including all internal data sources – the SIEM system, log management repository, case management system and security infrastructure – on premise and in the cloud. It must also integrate with the multiple external data sources organizations subscribe to – commercial, open source, government, industry and existing security vendors, as well as with frameworks like MITRE ATT&CK. Integration with RSS feeds, research blogs, news websites and GitHub repositories helps analysts keep up with new information that provides additional context to further inform alert triage.

In addition to enabling data flow and enrichment with context, integration also breaks down the silos teams operate within so they can see the big picture of what is truly happening across the environment and investigate further. Integration with and across existing tools enables visibility, collaboration and deeper understanding. Teams can work together using tools they are already comfortable with to make better decisions faster.

Automation Comes Next.

Integration is a core attribute of an XDR architecture. But the ability to bring data together and break down silos is not enough. Automation is also required because analysts simply can’t make sense of all this data on their own. Yet, while a global survey (PDF) found that confidence in security automation is rising, only 18% of respondents are applying automation to alert triage. This is a missed opportunity because the repetitive, low-risk, time-consuming tasks of alert triage – like internal and external data normalization, correlation, contextualization, and prioritization – are prime candidates for automation. 

Automation simplifies the work of alert triage by reducing noise and false positives and enabling teams to quickly tap into the richness of all available data to get a comprehensive view of what is going on. Based on parameters they set, teams can get to the alerts that matter faster and, thanks to integration, relevant data can be presented on a single screen so it’s easier and faster for analysts to conduct investigations, detect malicious activity across the enterprise and accelerate resolution.

XDR seems destined to be core to security infrastructure for the foreseeable future. But its fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture. Otherwise, it’s just one more tool that adds to the volume of alerts we couldn’t handle before, and does not break down silos and enable collaboration, decision-making and response across the organization. That’s certainly not the consequence anyone intended for XDR and there’s too much at stake to let that happen.