Leveraging the X in XDR: Correlating Across Multiple Sources of Telemetry

Several trends are driving adoption of Managed Detection and Response (MDR) as a viable alternative for organizations that don’t have the in-house resources to conduct intensive threat hunting themselves. The MDR market is expected to exceed $7 billion by 2028, up from $974.9 million in 2020, per Big News Network.

The cybersecurity skills gap remains an ongoing issue for many organizations and is a major driver of MDR adoption. Back in 2020, for instance, 72% of IT managers told Cybrary that their organizations were struggling with a cybersecurity skills gap.

A majority (65%) said that those gaps limited their effectiveness in defending against digital threats. A year later, 95% of IT managers reported that the skills gap was wider than ever.

It doesn’t appear that things will improve in 2022. According to ITProPortal, a 2021 study put the cybersecurity skills gap at 2.7 million unfilled jobs, and that’s after 700,000 professionals joined the security industry.

Simultaneously, the costs of a data breach are on the rise. The Cost of a Data Breach Study 2021 observed that the average total cost of a data breach had grown from $3.86 million to $4.24 million, the highest figure in the report’s history.

Qualifying Detection and Response

Many organizations need the help of an MDR services provider to run their security programs for them. That said, not just any detection and response modality will do. Take Endpoint Detection and Response (EDR) as an example: EDR provides continuous monitoring, threat detection and automated response to identify and neutralize potential threats at the endpoint level.

But therein lies EDR’s weakness: it yields visibility only into what’s happening on an organization’s endpoints. It gives security teams no visibility into threats that leverage cloud deployments, application suites or user identities, for example, and it cannot provide complete visibility into, or correlation across, attack chains that extend beyond endpoint devices.

The limitations of EDR highlight the extent to which the attack surface has expanded for most organizations. With so many organizations now using cloud-based apps and operating under a hybrid work model, it’s not surprising that 74% of security decision-makers said that their controls and protocols have become more complex. 

Approximately the same proportion (73%) indicated that they’re struggling to keep up with a growing volume of threats that their organization’s digital transformation journey is creating, noted Help Net Security.

This explains why many MDR providers are evolving to offer Managed Extended Detection and Response (MXDR) services. This approach combines the expanded visibility of an Extended Detection and Response (XDR) solution, which can detect and respond across the whole of the organization’s environment, with the advantages that a managed service offers.

Even so, just as with detection and response generally, not all XDR platforms share the same capabilities. For instance, there’s Native XDR vs. Open XDR. The former implements XDR functionality within the context of a single vendor’s portfolio, making the buying experience easier for customers while also exposing organizations to vendor lock-in and drastically limited integration options.

By contrast, Open XDR enables organizations to take a more holistic approach where they can choose from an array of security tools to integrate from a range of vendors who can deliver the telemetry types best suited to meet their specific security requirements. This approach to detection and response also spares organizations from needing to replace their existing investments.

Then there’s pseudo-XDR vs. AI-driven XDR. Most XDR offerings claim to integrate with threat intelligence feeds to help organizations spot indicators of potential attacks, but many are little more than an EDR tool with some cloud visibility tacked on. One good way to spot these pseudo-XDR offerings is to ask the provider whether the tool can ingest and analyze all available telemetry, or whether the platform has limitations that require some or most of the telemetry to be ignored.

A word of caution here: some vendors will attempt to get creative with the answer to this question by positioning the limitations as a desirable “feature” by calling it things like Smart Filtering.

The fact is that an XDR tool that cannot ingest and analyze all available telemetry lacks the “extended” value organizations require and is in practice not much more than a glorified EDR (and if you want to have even more fun, ask why their EDR tool also has to filter out endpoint telemetry!).

AI-driven XDR is different in that it uses artificial intelligence (AI) and machine learning (ML) to deliver deeply contextual correlations between telemetry from disparate sources, identifying potential attacks earlier regardless of where in the environment they’re occurring.

In doing so, AI-driven XDR frees up valuable time for security teams, whereas pseudo-XDR offerings require a great deal of manual investigation of individual, uncorrelated alerts with high false-positive rates.
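The two points above (that filtering out whole telemetry sources hollows out the “extended” in XDR, and that value comes from correlating weak signals across sources) are easier to see in code. The following is an added example, not Cybereason code or any vendor’s detection logic: it correlates constructed endpoint, identity, network and cloud events by user, pivoting host-only network events to a user via endpoint telemetry, and scores an incident by how many independent sources agree. The event schema, field names and the 30-minute window are assumptions made for the example.

```python
"""Correlating weak signals across telemetry sources into one incident.

Added example with constructed events; field names and thresholds are
assumptions for illustration, not any product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed telemetry from four sources. Each event on its own is a
# noisy, low-confidence signal that a SOC would usually tune out.
TELEMETRY = [
    {"source": "identity", "ts": "2022-03-01T09:00:05Z", "user": "jdoe", "host": None,
     "what": "sign-in from a country not previously seen for this user"},
    {"source": "endpoint", "ts": "2022-03-01T09:02:40Z", "user": "jdoe", "host": "WS-041",
     "what": "powershell.exe launched with -EncodedCommand"},
    {"source": "network", "ts": "2022-03-01T09:03:10Z", "user": None, "host": "WS-041",
     "what": "DNS query for a domain registered in the last 7 days"},
    {"source": "cloud", "ts": "2022-03-01T09:05:10Z", "user": "jdoe", "host": None,
     "what": "IAM CreateAccessKey call from a new source IP"},
    {"source": "endpoint", "ts": "2022-03-01T13:00:00Z", "user": "asmith", "host": "WS-017",
     "what": "powershell.exe launched with -EncodedCommand"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resolve_user(events):
    """Pivot host-only events (e.g. network) to a user using endpoint telemetry:
    the user seen on that host closest in time. Returns copies with 'user' filled."""
    host_sessions = [(e["host"], e["user"], parse_ts(e["ts"]))
                     for e in events
                     if e["source"] == "endpoint" and e["host"] and e["user"]]
    out = []
    for e in events:
        e = dict(e)
        if e["user"] is None and e["host"]:
            t = parse_ts(e["ts"])
            cands = [(abs(ts - t), u) for h, u, ts in host_sessions if h == e["host"]]
            if cands:
                e["user"] = min(cands)[1]
        out.append(e)
    return out


def make_incident(user, chain):
    """Severity grows with the number of distinct sources that agree,
    not with the number of alerts: 1 source low, 2 medium, 3+ high."""
    sources = sorted({e["source"] for e in chain})
    severity = {1: "low", 2: "medium"}.get(len(sources), "high")
    return {"user": user, "sources": sources, "severity": severity,
            "timeline": [(e["ts"], e["source"], e["what"]) for e in chain]}


def correlate(events, window=timedelta(minutes=30)):
    """Group events into incidents: same user, each event within `window`
    of the previous one. Events that cannot be tied to a user stay orphans."""
    by_user = defaultdict(list)
    for e in sorted(resolve_user(events), key=lambda e: e["ts"]):
        if e["user"] is not None:
            by_user[e["user"]].append(e)
    incidents = []
    for user, evs in by_user.items():
        chain = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if parse_ts(cur["ts"]) - parse_ts(prev["ts"]) <= window:
                chain.append(cur)
            else:
                incidents.append(make_incident(user, chain))
                chain = [cur]
        incidents.append(make_incident(user, chain))
    return incidents


def smart_filter(events, drop):
    """Simulate a platform that drops whole telemetry sources to save ingest."""
    return [e for e in events if e["source"] not in drop]


if __name__ == "__main__":
    for inc in correlate(TELEMETRY):
        print(inc["severity"].upper(), inc["user"], inc["sources"])
    print("--- after 'smart filtering' out identity and network telemetry ---")
    for inc in correlate(smart_filter(TELEMETRY, {"identity", "network"})):
        print(inc["severity"].upper(), inc["user"], inc["sources"])
```

With all four sources ingested, jdoe’s four weak signals collapse into a single high-severity incident with a timeline an analyst can read end to end, while asmith’s lone encoded-PowerShell launch stays a low-severity alert. Drop the identity and network feeds, as a pseudo-XDR “smart filter” would, and the same activity scores only medium from two sources, with the initial sign-in anomaly gone from the story entirely.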

These capabilities matter even more when shopping for an MXDR provider. Your teams will not necessarily see what the analysts managing your environment see, so it is easy to assume the protection is far more comprehensive than it is. Don’t be afraid to ask a potential service provider the hard questions.

The AI-Driven XDR Advantage

An AI-driven XDR solution also enables organizations to embrace an operation-centric approach to security: the visibility organizations need to be confident in their security posture across all assets, plus automated responses that halt attack progressions at the earliest stages.

In addition, an AI-driven XDR solution should provide Defenders with the ability to predict, detect and respond to cyberattacks across the entire enterprise, including endpoints, networks, identities, cloud, application workspaces, and more.


Cybereason is dedicated to teaming with Defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about AI-driven Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
