So, what is XDR anyway? Shorthand for Extended Detection and Response, XDR is a security approach that delivers unified detection and response capabilities across an organization’s entire network infrastructure, and we’ve seen the proliferation of XDR services and platforms over the past few years.
Notwithstanding XDR’s tremendous growth in adoption, more than a few misconceptions about XDR remain, so let’s debunk three of those myths here:
Myth 1: XDR is Focused On the Endpoint
Not exactly. That’s what Endpoint Detection and Response (EDR), which is just one aspect of what XDR delivers. EDR solutions focus solely on the endpoint, and they don’t correlate intelligence from the cloud and other parts of an organization’s infrastructure.
In fact, most EDR platforms are not even capable of ingesting all of the relevant endpoint telemetry and are forced to “filter out” intelligence without even knowing if that information is critical to making a detection because the solutions cannot handle the volumes of data generated.
Indeed, there are vendors that simply cannot ingest all available telemetry for EDR, yet they profess to be able to deliver an XDR solution that ingests endpoint data plus an array of telemetry from numerous other sources on the network and in the cloud.
Data filtering negatively impacts the ability to proactively thwart attacks because it omits telemetry that could allow for earlier detection of malicious activity. When broadened to include non-endpoint sources, data filtering can further distort an organization’s visibility into the threats confronting them.
XDR does not suffer from these limitations. It extends continuous threat detection and monitoring as well as automated response to endpoints, applications, cloud workloads, and the network…all without data filtering. This helps to ensure the high fidelity of a threat detection yielded by XDR.
Myth 2: XDR Should be Augmented by a SIEM
It’s true that XDR delivers much of the same functionality as SIEM (Security Information and Event Management) tools. Chief among their similarities is the ability to aggregate and correlate data from a variety of sources spread across an organization’s infrastructure, thereby providing the required visibility for threat detection, investigation, and response.
But there are several key factors that hold SIEMs back. As we noted in a previous blog, SIEMs are nothing without the data lake structure and cloud analytics they need to centralize security events. Those resources vary in the types and quality of data to which they have access, a reality which affects the value and effectiveness of a SIEM.
There are also the costs, time, and other resources involved with building, tuning, and maintaining a SIEM. Tuning is an especially common pain point with SIEMs. Indeed, these tools frequently generate false positives and an overwhelming volume of alerts.
Such noise contributes to “alert fatigue” in the organization, motivating infosec personnel to overlook the deluge of alerts coming in and miss opportunities to launch investigations at the earliest signs of an incursion. Simultaneously, SIEMs don’t do much to help security teams with executing a response beyond generating a lot of alerts that need to be manually triaged.
XDR, by contrast, doesn’t require any data lake structure. It correlates alerts across disparate network assets to deliver actionable intelligence that works to reduce alert fatigue. What’s more, XDR enables security teams to build automated playbooks using the platform itself, thereby streamlining response.
Myth 3: All XDR Platforms Are Created Equal
This is definitely not true. Consider the fact that there’s hybrid/open vs. native XDR. The latter only offers integrations to other security tools developed by the same vendor. This can lock customers into an agreement with a vendor that might not offer the security capabilities they need to protect their systems and data. It also means existing investments in solutions from other vendors cannot be fully realized.
In contrast, Open (or hybrid) XDR takes a collective approach that leverages multiple security tools, vendors, and telemetry types to meet organizations’ needs from within a single detection and response platform. There’s no vendor lock-in here. Security teams are free to choose the vendors and tools they want, allowing them to get the most out of their XDR platform, and the DevOps and API integrations enable personnel to bring these tools and telemetry sources together.
There’s also an argument to be made about what defines a truly mature XDR offering versus pseudo-XDR solutions that are basically nothing more than an EDR tool with a cloud integration. All XDR platforms integrate with threat intelligence to spot known Indicators of Compromise (IOCs), as we wrote about previously, but only an advanced XDR solution can detect based on Indicators of Behavior (IOBs).
IOBs are the more subtle signs of an attack in progress which include otherwise benign activity one would expect to see occurring on a network. When these “legitimate” behaviors are chained in certain sequences, they produce conditions that are either exceedingly rare or represent a distinct advantage for an attacker.
This is where the context-rich correlations across endpoints, the cloud, application suites and user identities that a mature XDR solution delivers are critical for detecting malicious activity at the earliest stages of an attack.
Take ransomware attacks for example: most security solutions are focused on detecting the exploit and blocking the ransomware payload, or rolling back the encryption after the attack was successful. But the detonation of the ransomware executable is the tail end of what is actually a much longer attack sequence, with weeks or even months of detectable activity from initial ingress, to lateral movement, to credential abuse and privilege escalation, to name a few.
A mature XDR solution can make the necessary correlations to detect that activity long before the ransomware payload is delivered, reducing a potentially devastating attack to the level of an intrusion attempt or similar.
Additionally, the ability to leverage artificial intelligence (AI) and machine learning (ML) to correlate telemetry from across an organization’s infrastructure is a key aspect of a mature XDR solution. The application of AI/ML allows Defenders to move from a detect and respond mode to a more proactive “predictive response” posture where the likely next steps an attack can and would take are instantly anticipated and blocked, eliminating the opportunity to progress the attack to the next stage.
This predictive capability is the key to the future of security, enabling organizations to “defend forward” by understanding attacks from an operation-centric approach, where analysts are freed from chasing alerts that point to individual elements of an attack in favor of a holistic view of the entire attack story from root cause to every affected device, system and user. And only an AI-driven XDR solution can deliver this “predictive response” capability that will shorten detection and remediation periods from days or weeks down to minutes.
The AI-Driven XDR Advantage
An AI-driven XDR solution enables organizations to embrace an operation-centric approach to security that delivers the visibility organizations require to be confident in their security posture across all network assets, and the automated responses to halt attack progressions at the earliest stages.
This approach also provides Defenders with the ability to predict, detect and respond to cyberattacks across the entire enterprise, including endpoints, networks, identities, cloud, application workspaces and more.
Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across enterprise, to everywhere the battle is taking place. Learn more about Cybereason AI-driven XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.