XDR: The Next Big Thing in Security
From being listed as one of Gartner’s Top 10 Security Projects for 2020-2021 to countless thought leaders labeling it “the latest evolution,” XDR (extended detection and response) has emerged as a holistic approach to proactive protection against today’s sophisticated cyberattacks. Beyond the buzz, the approach has also shown promise to transform the scale and efficiency of the SOC. As interest in and adoption of XDR continue to rise rapidly, security leaders should look past industry hype to understand how XDR can benefit their organization.
1 Gartner Top Security Projects for 2020-2021
Putting the "X" in XDR
While you’re likely quite familiar with the “D” and the “R”, it’s the “X” that introduces a new development in detection and response. That X represents the integration and extension of protection across the entire enterprise. The predecessor to XDR, EDR (endpoint detection and response), focused on monitoring and protecting organizations from threats at the endpoints. With data moving beyond the perimeter, XDR extends the range of protection to the network, servers, and cloud as well as endpoints. Analyst firm ESG defines XDR as:
An integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection, and response. XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.
Simply put, XDR offers a single platform for prevention, detection, and response to identify and stop threats across multiple attack vectors. With enhanced visibility into a quickly changing threat landscape, the primary value behind XDR solutions includes:
- Maximizing security effectiveness and reducing mean time to detect (MTTD) and mean time to respond (MTTR) by applying machine learning and other analytical techniques to telemetry, logs, and other data coming from across the attack surface
- Boosting the efficiency of security operations by unburdening security teams from manual tasks, providing a single tool to view data, conduct investigations, and perform response actions.
A Deeper Look Into How XDR Powers Rapid Attack Detection and Response
What problems does XDR solve?
As modern threats continue to grow in complexity, many cybersecurity solutions have been slow to evolve. Sophisticated threats, such as ransomware and zero-day attacks, continue to increase in volume and have proven to be very costly for many organizations. To address these, organizations must implement a proactive approach that includes prevention, detection, and response.
Unify prevention, detection, and response
Endpoint protection is often the first line of defense for many organizations. Identifying and stopping threats on the endpoint instantly and automatically saves time and prevents lateral movement. If a security analyst team can’t readily see which threats have already been prevented, they’ll spend the majority of their daily effort correlating and validating low-value attacks. Combining extended detection and response capabilities with next-generation endpoint prevention enables security operations to focus on high-priority and critical threats.
Siloed defense is time-consuming
Security analysts spend approximately 24 to 30 minutes investigating each alert. With disparate security tools, analysts have to manually stitch data together or bounce between tools. XDR centralizes security events across multiple security controls to provide a holistic view of how complex attacks progress across a kill chain, and it combines weak security signals from multiple sources into stronger signals to identify known and unknown threats.
Alert fatigue impacts productivity
Data without context is nothing more than meaningless noise. Without an integrated platform to correlate data, it won’t take long before security analysts are buried in an overwhelming volume of alerts, get lost in the "noise", and have trouble prioritizing which ones to investigate. With greater context, XDR dismisses false positives so that security operations can focus on the incidents that matter.
Advanced threat detection is in high demand
83% of IT pros are increasing their budgets for threat detection and response technologies.2
IT pros view XDR as a viable approach to improve detection
Threat detection represents 3 of the top 4 most appealing XDR capabilities to IT pros:2
- Visualization of Complex Attacks: 42%
- Analytics that detect modern attacks: 38%
- Improved mean time to detect: 31%
XDR uplevels SecOps effectiveness
Nearly 60% of IT pros believe XDR could improve the capabilities of security analysts.2
Approaches to XDR
Proprietary or Native XDR is offered by vendors that have unified their own suite of security solutions on a centralized XDR management platform. The primary advantage of Proprietary XDR is a faster time to value due to off-the-shelf integration and pre-tuned detection mechanisms across the portfolio. On the other side of the coin, this approach creates considerable dependence on a single provider (vendor lock-in). Further, customers may be forced to “rip and replace” existing security controls and to sacrifice efficacy where the vendor has gaps in its product portfolio.
Open or Hybrid XDR integrates best-of-breed security products from multiple vendors, as opposed to a single-vendor suite, into a coordinated approach that reduces meaningless security alerts and increases threat visibility. Many security leaders prefer Open XDR because it lets them leverage their investment in existing security tools and keeps the flexibility to add solutions the organization may require in the future. Built on a cloud-native architecture, Open XDR uses big-data techniques to normalize and correlate telemetry more effectively, while meeting SecOps needs for scalability.
Centralization & Correlation Capabilities Reduce Alert Fatigue
Gartner lists centralization and correlation capabilities as critical requirements for an XDR solution. Centralization is the consolidation of historic and real-time event data into common data formats within a central repository. With a complete picture of threat activity, correlation combines related signals from multiple security components to identify malicious activity and validate alerts.
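The two steps described above (normalizing telemetry into a common schema, then correlating related weak signals into one stronger alert) are easy to state and easy to get wrong in practice. The following added example is not Secureworks or Taegis code and does not describe how any vendor's product scores alerts; it is a minimal illustration in Python. The three native event formats, the field names, the signal weights, the ten-minute window and the threshold are all constructed assumptions for the demonstration.

```python
"""Centralize telemetry from three sources into one schema, then correlate
weak per-source signals on the same host into a single scored incident.
Illustrative example only; formats, weights and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in three different native formats.
EDR_EVENTS = [  # endpoint agent: JSON-style records
    {"ts": "2024-03-01T10:00:05Z", "hostname": "WS-042", "user": "jdoe",
     "proc": "powershell.exe", "cmdline": "powershell -enc SQBFAFgA...", "sev": "low"},
]
FIREWALL_LOGS = [  # perimeter firewall: key=value syslog lines
    "2024-03-01T10:00:40Z src=10.1.2.42 host=WS-042 dst=203.0.113.9 dport=4444 action=allow",
]
IDP_EVENTS = [  # cloud identity provider: its own field names
    {"eventTime": "2024-03-01T10:01:10Z", "actor": "jdoe", "device": "WS-042",
     "outcome": "FAILURE", "reason": "MFA_DENIED"},
    {"eventTime": "2024-03-01T14:30:00Z", "actor": "asmith", "device": "WS-017",
     "outcome": "FAILURE", "reason": "MFA_DENIED"},
]

# Each signal alone is low-value noise; the weights are illustrative assumptions.
SIGNAL_WEIGHTS = {"encoded_powershell": 30, "egress_uncommon_port": 30, "mfa_denied": 20}


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(edr, fw, idp):
    """Centralization: map every native record onto one common schema
    {ts, host, user, source, signal}, sorted by time."""
    events = []
    for e in edr:
        sig = "encoded_powershell" if "-enc" in e["cmdline"].lower() else None
        events.append({"ts": _parse_ts(e["ts"]), "host": e["hostname"],
                       "user": e["user"], "source": "edr", "signal": sig})
    for line in fw:
        fields = line.split()
        kv = dict(tok.split("=", 1) for tok in fields[1:])
        uncommon = kv["action"] == "allow" and int(kv["dport"]) not in (80, 443)
        events.append({"ts": _parse_ts(fields[0]), "host": kv["host"], "user": None,
                       "source": "firewall",
                       "signal": "egress_uncommon_port" if uncommon else None})
    for e in idp:
        sig = "mfa_denied" if e["reason"] == "MFA_DENIED" else None
        events.append({"ts": _parse_ts(e["eventTime"]), "host": e["device"],
                       "user": e["actor"], "source": "idp", "signal": sig})
    return sorted(events, key=lambda ev: ev["ts"])


def correlate(events, window=timedelta(minutes=10), threshold=50):
    """Correlation: group signals per host inside a sliding time window and
    raise one incident only when distinct signals from more than one source
    add up past the threshold. A lone signal never becomes an alert."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["signal"]:
            by_host[ev["host"]].append(ev)  # already time-ordered
    incidents = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            signals = sorted({e["signal"] for e in in_window})
            sources = sorted({e["source"] for e in in_window})
            score = sum(SIGNAL_WEIGHTS[s] for s in signals)
            if score >= threshold and len(sources) > 1:
                incidents.append({
                    "host": host,
                    "users": sorted({e["user"] for e in in_window if e["user"]}),
                    "sources": sources, "signals": signals, "score": score,
                    "first_seen": in_window[0]["ts"], "last_seen": in_window[-1]["ts"],
                })
                break  # one incident per host per window; avoid duplicate alerts
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalize(EDR_EVENTS, FIREWALL_LOGS, IDP_EVENTS)):
        print(inc)
```

Run stand-alone, the three WS-042 records (encoded PowerShell, outbound connection on an uncommon port, MFA denial for the same user) become one incident with a score of 80, while the isolated MFA denial on WS-017 produces nothing. That is the practical difference between a per-source rule firing three separate low-severity alerts and a correlated, prioritized alert that an analyst can act on.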
Detect Threats Faster and More Accurately
Threat actors often exploit gaps created by siloed point solutions. Without a fully integrated platform, many security teams struggle to identify blind spots and to rapidly detect and respond to advanced and evasive threats within their attack surface, because disconnected security tools reduce the ability to detect complex, multi-stage attacks. XDR enables security operations teams to detect sophisticated attacks anywhere in their environment, while spending less time on false positives and getting to real threats sooner through validated and prioritized alerts. With holistic visibility, XDR enables faster detection, reduced dwell time, and quicker mitigation.
Greater Efficiency Improves SecOps Productivity
Sifting through an overwhelming amount of data to find high-fidelity alerts is time-consuming, leaving security analysts less time for investigations and for responding to critical threats. Using machine learning, next-generation endpoint prevention automatically blocks threats to reduce the risk of a breach while decreasing the volume of threats that must be investigated. XDR provides an integrated incident response capability that delivers high-fidelity alerts with greater context. With a centralized management hub that enhances visibility across all environments, plus workflow-automation capabilities, security analysts become more efficient and productive.
XDR vs SIEM
Discover how XDR stacks up against a SIEM solution
You may be wondering how XDR (Extended Detection and Response) differs from a traditional SIEM (Security Information and Event Management) solution. The biggest difference between XDR and SIEM lies in how alerts get created. XDR alerts are the curated opinion of the XDR system, taking into account all ingested data, applied intelligence, and optimizations provided by the XDR vendor. SIEM alerts, on the other hand, are primarily the output of log-processing rules and watchlists that the SIEM owner set up. SIEMs are general-purpose bit-buckets, meaning they are only as good as their owner’s knowledge, visibility, and experience with the threat landscape, so an organization’s ability to dedicate resources to maintaining and continuously improving the SIEM dramatically affects its security outcome. In contrast, XDR systems are as good as their creators: they are purpose-built for security analysis and threat hunting. True XDR solutions can ingest all types of data, apply advanced analytics created by the designers, and bring to light situations that the system's owners might never have known about otherwise.
With expertise in so many security domains, along with world-class threat research capabilities and mountains of real-world data, Secureworks® is well equipped to make Taegis™ the best XDR solution in the market.
ESG surveyed cybersecurity professionals across multiple industry verticals to better understand the market perception of XDR, as well as value points and challenges that come with an XDR solution. Read the eBook to learn more about what ESG research revealed about the state of XDR and how it may meet the needs of your future security program.