Cybereason Blog | Cybersecurity News and Analysis

How XDR Can Play a Key Role in Achieving Zero Trust

Written by Anthony M. Freed | Jul 26, 2022 1:46:18 PM

Security goalposts are shifting rapidly as a result of a regulatory-driven move for more open and transparent cloud-based systems that have increased organizations' attack surface and further tanked the traditional notion of perimeter security. 

With recent events in the security space such as the move to working remotely during the COVID-19 pandemic, the rise of the Internet of Things (IoT), 5G and IPV6, and the increase in highly-targeted RansomOps attacks that have had a detrimental impact to businesses, this trend has accelerated exponentially. 

As a result, there are new security risks emerging as adversaries’ tactics are evolving to target these new attack vectors. Given this growing threat landscape, many organizations are looking at Zero Trust architectures as a valuable cybersecurity framework to leverage.

What is a Zero Trust Security Approach?

The term Zero Trust security was first used by John Kindervag and holds true that no environment is completely secure because trust within the network is therefore often misplaced. It also recognizes that most investments focus on securing networks and devices at the expense of enterprise data that is often the organization's crown jewels.

Zero Trust is "…a conceptual and architectural model for how security teams should redesign networks into secure micro-perimeters, use obfuscation to strengthen data security, limit the risks associated with excessive user privileges, and use analytics and automation to dramatically improve security detection and response." 

The National Institute of Standards and Technology (NIST) has further described Zero Trust as the term for:

“an evolving set of cyber security paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero-trust architecture (ZTA) uses Zero Trust principles to plan industrial and enterprise infrastructure and workflows. Zero Trust assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorisation (both subject and device) are discrete functions performed before a session to an enterprise resource is established… The network location is no longer seen as the prime component to the security posture of the resource.”

What is XDR?

XDR, short for Extended Detection and Response, is an emerging solution capable of analyzing and correlating event telemetry from across multiple assets and security layers — email, server, cloud, endpoint and network — to quickly detect attacks.

With the adversary using more sophisticated techniques than ever, attackers have been able to easily hide in the network seams. XDR delivers on the failed promises of SIEM and SOAR technologies to deliver prevention, detection and response across disparate network assets, application suites, cloud deployments, user identities and more.

XDR offers the chance for security teams to move away from constantly triaging and investigating individual alerts to advance to a more Operation-Centric approach, where XDR provides the deeply contextual correlations required to detect and end attacks at their earliest stages, long before they can escalate to a serious breach event.

XDR has evolved to take a broader approach to identifying threats, looking at the bigger picture across multiple security layers and network components, and provides the ability to automate predictive responses by understanding the entire malicious operation, as opposed to just alerting to one aspect of the attack or another individually. 

How Does XDR Work?

XDR draws from multiple event telemetry streams to provide a clear overview and analysis of all security layers. It makes complex security capabilities more accessible to security teams. XDR automates and simplifies detection processes that–prior to the advent of XDR–required significant time and resources for manual assessments. 

Instead of an endless stream of uncorrelated alerts full of false positives, security teams can focus on detections of chains of potentially malicious behaviors and see the full scope of the operation in realt-time from root cause across all affected devices and users.

XDR breaks down intelligence silos and correlates event data across all elements of a business’s system. The result is clearer visibility into an emerging threat. For example, XDR automates root cause analysis to show a clear timeline and path of a threat across email, endpoints, servers, cloud workloads and identities. This allows analysts to assess the threat and take appropriate action instead of manually piecing together everything from a random assortment in otherwise unconnected alerts.

How Does XDR Enable Zero Trust?

XDR provides an alternative to network traffic analysis (NTA) tools and other reactive tools, and delivers the visibility and interrelationships between security solution alerts that work to enhance EDR, SIEM and SOAR solutions. 

It uses threat intelligence feeds and traffic algorithms that are multi-dimensional to spot possible attacks before any damage is done. XDR does this in real time in the cloud, through networks and across individual endpoints. 

Organizations can therefore use XDR through these functions to address Zero Trust initiatives to deliver threat earlier detection in real-time, as it can act as Zero Trust’s “central nervous system” by providing continuous monitoring of events across all security operations. 

Scaling Zero Trust with XDR

Zero Trust is not one piece of knowledge on its own, and relies on single sign-on, network segmentation and multi-factor authentication to oversee which users are to be trusted. These technologies can help organizations achieve the spirit of Zero Trust, but they can’t elevate them to the level of having enterprise-wide security. XDR, on the other hand, can.

The first step in the Zero Trust journey begins with removing trust blinders and truly instrumenting, monitoring, and seeing malicious behaviors hiding in plain sight behind trusted identities and applications without disrupting or causing harm to IT and the business– and XDR provides this capability.

Leveraging the breadth of integrations across identity, email, workspaces, and cloud services, XDR can ensure effective, high fidelity detection of stealthy threats before they escalate to ensure effective data loss prevention and allow for protection against complex ransomware and data theft exploits. 

Today’s defenders are often hampered by a siloed tech stack that often introduces major blind spots, particularly in areas like identity and email. The reality is that it’s harder in today’s distributed environment to follow and end attacks. When an attacker pivots to target prized data, it’s no longer simply within the corporate network. They likely will steal an identity and move to a SaaS application or may pivot to cloud infrastructure.

This is where the power of XDR comes into play. Any organization planning to move to a Zero Trust architecture must first meet the demand for actionable incident response against top threats like ransomware, business email compromise, and account takeover. XDR is designed to provide visibility organizations require to be confident in their Zero Trust security posture across all network assets.

Modern enterprises are much more than endpoints on networks, and thus need detection and response capabilities that cover all aspects of their business operations if they want to achieve a Zero Trust posture.


Cybereason is dedicated to teaming with Defenders to end attacks on the endpoint, across enterprise, to everywhere the battle is taking place. Learn more about AI-driven Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.