3 Reasons XDR Technology Can Prevent the Next Breach

What is XDR?

Extended Detection and Response (XDR) is an integrated security solution for automatic monitoring, analysis, detection and remediation of security threats. Its purpose is to increase the accuracy of detection, while improving the efficiency of investigation and response performed by security teams. Gartner ranked XDR as one of the most promising security trends for 2020. 

One of the primary goals of XDR solutions is to improve detection and response capabilities. XDR unifies visibility and control across endpoints, networks and cloud workloads. It provides contextual information on threats, and automatically compiles data security teams can use for forensic investigation. It leverages AI/ML algorithms to defend against both known and future attack techniques.

An important aspect of XDR is that it provides integration between data sources and security operations. XDR collects and intelligently combines data from multiple sources to identify more threats, combine multiple events into one security incident, and reduce the number of false positives. This can save a lot of time for overworked security operations center (SOC) analysts. 

XDR is similar to security information and event management (SIEM), because it organizes security data from many different tools in a consistent manner. But unlike SIEM, XDR goes much deeper in the forensic data it can collect, and in the advanced analysis it can perform on this data automatically. 

In addition, XDR has the “R”—response. When it discovers a threat, it can integrate with security tools and automatically perform actions to contain and eradicate it. A SIEM, by contrast, is a passive system that only generates alerts, leaving it to security teams to take action to contain the threat.

How Can XDR Prevent the Next Security Breach?

According to a new ESG study, XDR will make security teams better able to detect security threats, more agile, and more productive. The bottom line is that they will be able to detect and prevent more security incidents before they turn into full-blown breaches. Here are three ways this new technology will help security teams prevent future breaches and prevent large-scale damage to their organizations.

Automated Detection and Response

Without XDR, detection and response of security incidents is very labor intensive. Attacker dwell time in the USA is over 180 days—the primary reason being that security analysts are overloaded with alerts, each of which requires time and effort to manually investigate. 

Automation can save a lot of time for security analysts, letting them focus on the security incidents that really matter:

  • 33% of organizations say that security analysts waste a lot of their time on tasks that could be automated.
  • 42% of organizations said that a complete view of security attacks, rather than fragmented alerts, would make incident response much faster.

XDR can automate two aspects of the incident response process:

  • Collecting data, forensic investigation and triage of security incidents.
  • Rapid response to incidents using automated playbooks across multiple security tools.

This means that analysts can identify a real attack much faster, and respond to it instantly. In many cases, XDR can even detect an attack and respond fully automatically, before analysts have even noticed the incident.
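As an added illustration (not code from the article or from any XDR product), a minimal Python sketch of the two automated steps listed above and of the earlier point about combining events from several sources into one incident: constructed endpoint, network and cloud events on the same asset are correlated into a single incident, low-scoring singletons are suppressed as likely false positives, and a containment playbook is chosen for what remains. The event fields, score threshold and playbook names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical assets, not from any real tenant).
EVENTS = [
    {"source": "endpoint", "asset": "ws-17", "ts": "2024-05-01T09:00:10", "sev": 2, "msg": "suspicious process tree"},
    {"source": "network",  "asset": "ws-17", "ts": "2024-05-01T09:02:40", "sev": 3, "msg": "beacon to rare external host"},
    {"source": "cloud",    "asset": "ws-17", "ts": "2024-05-01T09:04:05", "sev": 3, "msg": "API key used from unusual IP"},
    {"source": "endpoint", "asset": "ws-22", "ts": "2024-05-01T09:03:00", "sev": 1, "msg": "signed binary updated"},
    {"source": "network",  "asset": "db-01", "ts": "2024-05-01T13:00:00", "sev": 2, "msg": "port scan detected"},
]

@dataclass
class Incident:
    asset: str
    events: list = field(default_factory=list)

    @property
    def sources(self):
        return sorted({e["source"] for e in self.events})

    @property
    def score(self):
        # Severity sum weighted by the number of distinct layers that saw the asset,
        # so an endpoint + network + cloud chain outranks one noisy sensor.
        return sum(e["sev"] for e in self.events) * len(self.sources)


def correlate(events, window=timedelta(minutes=15)):
    """Group events on the same asset that fall inside a sliding time window."""
    incidents = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        for inc in incidents:
            last = datetime.fromisoformat(inc.events[-1]["ts"])
            if inc.asset == e["asset"] and ts - last <= window:
                inc.events.append(e)
                break
        else:
            incidents.append(Incident(e["asset"], [e]))
    return incidents


def triage(incidents, min_score=4):
    """Drop low-scoring singletons (likely noise) and pick a playbook for the rest."""
    out = []
    for inc in incidents:
        if inc.score < min_score:
            continue  # one low-severity alert from one layer: not escalated
        action = "isolate-host+revoke-keys" if "cloud" in inc.sources else "isolate-host"
        out.append((inc.asset, inc.sources, inc.score, action))
    return out
```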

Augmenting SIEM Data

Research shows that SIEMs are one of the top three most valuable security tools in today’s SOCs. SIEM alerts are useful, but they are only the starting point of an analyst’s work. Analysts still have to manually triage, investigate, and respond to attacks. In addition, 30% of organizations report that SIEMs are less effective at detecting unknown threats.

XDR does not replace SIEM, but it augments its data with in-depth forensic information, drawn from across the IT environment. It can help automatically triage SIEM events, and also automatically respond to them. This means that a SIEM extended by XDR can help analysts identify many more real security incidents.

Threat Hunting

Threat hunting is a network security practice that involves processing information on networks, endpoints, and infrastructure. Using this information, skilled security analysts can methodically detect advanced threats, which have managed to evade existing security solutions and defenses. 

Firewalls, intrusion prevention/detection solutions (IPS/IDS) and log management are all security tools designed to detect and defend against threats. Threat hunting provides another security layer—identifying security threats that all these tools have missed, and that are active in the IT environment. 

XDR is well suited to threat hunting, because it assumes that the environment is already breached, and that threats already exist inside the security perimeter. Using a traditional security stack with SIEM at its center, it is very difficult to search for hidden threats. 

XDR makes it possible to search log files, access requests, and application events, and combine data from multiple security layers to identify evasive threats. In a nutshell, XDR makes threat hunting a practical and effective way to discover security threats—finding and eliminating the intrusion that would otherwise become the next security breach.

What Should I Look For in a Good XDR Solution?

XDR will be a critical component of the future security stack. There are several key capabilities you should look for in an XDR solution:

  • Integration—to work seamlessly across the entire security stack, XDR needs to provide rich APIs and easily integrate with a wide range of security tools.
  • Cross-stack capabilities—XDR should be able to collect, triage, analyze, and respond to security events across all security layers, including endpoints, network, and cloud.
  • AI analysis—XDR must leverage cutting edge AI technology to combine and automatically investigate alerts. Prefer solutions that are AI-first, rather than ones that still rely, even partially, on older correlation or statistical models.
  • Ease of use—the XDR solution should be easy to learn even for Tier 1 analysts, and easy to maintain, configure and update. The whole premise of XDR is it should improve productivity for security teams, so avoid tools that require a steep learning curve, or lengthy certification.

Conclusion

In this article I introduced XDR and covered three ways XDR solutions can prevent the next security breach:

  • Automated detection and response of security incidents, without waiting for overworked analysts to triage and investigate each alert.
  • Augmenting SIEM data, making it easier for analysts to see the complete attack story, without having to dive into data from isolated security silos.
  • Rapid, seamless threat hunting to identify evasive threats that have already penetrated the security perimeter.

I hope this review will be helpful in your future evaluation and selection of security tools.

Author Bio: Gilad David Maayan

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.

LinkedIn: https://www.linkedin.com/in/giladdavidmaayan/
