We have a pretty good idea by now of what Extended Detection and Response (XDR) is. As we noted in an earlier article, titled XDR: The Next Step in Threat Detection and Response, XDR is a security approach that builds on the successes of Endpoint Detection and Response (EDR).
It does this by extending EDR’s focus on achieving visibility and automating response not just across endpoints but also across applications, cloud environments, and the network. As such, XDR functions less as an alternative to EDR and more as an evolution of it.
XDR helps to improve the productivity of security operations with telemetry and incident correlation across endpoints, on-prem and cloud workloads, user identities and more. Furthermore, relief from alert fatigue is one of the biggest benefits of XDR. Fewer alerts mean fewer false positives, thus saving security professionals time and allowing them to focus on correlated events that are context-rich and highly actionable.
Reducing the deluge of uncorrelated alerts is especially important in today’s world where organizations are facing more security alerts than ever, yet are not necessarily realizing better security outcomes as a result. As reported by Beta News, 70% of security teams witnessed the volume of their security alerts double between 2015 and 2020. Such growth has contributed to a feeling of alert fatigue among 83% of respondents.
Alert fatigue doesn’t just highlight the need for alert reduction; it also underscores the importance of automation for timely response, which reduces the mean time to respond (MTTR) to an event. Fortunately for organizations, XDR is designed with automated response in mind, and actually delivers on the automation functionality that SIEM and SOAR solutions have long promised but never really delivered.
TechnologyAdvice points out that XDR automatically analyzes and correlates alerts. This functionality not only cuts down on the noise but also helps security teams to visualize the entire attack chain of a potential security incident. Infosec professionals need to have that level of visibility so that they can shut down malicious activity earlier in the attack sequence.
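To make the correlation idea above concrete (alerts from the endpoint, identity and cloud layers collapsing into one context-rich incident that reads as an attack chain), here is an added illustration; it is not Cybereason code, and the alert records, the stage labels and the 30-minute correlation window are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): three alerts for one user from
# three different sensors, plus one unrelated endpoint alert for another user.
ALERTS = [
    {"ts": "2024-05-01T09:00:05", "source": "endpoint", "entity": "alice",
     "event": "office_app_spawned_powershell"},
    {"ts": "2024-05-01T09:02:40", "source": "identity", "entity": "alice",
     "event": "new_device_mfa_enrolment"},
    {"ts": "2024-05-01T09:05:10", "source": "cloud", "entity": "alice",
     "event": "bulk_object_storage_read"},
    {"ts": "2024-05-01T15:30:00", "source": "endpoint", "entity": "bob",
     "event": "unsigned_driver_load"},
]

# Hypothetical mapping of event types to attack-progression stages, used only to
# render a correlated incident as an ordered chain for the analyst.
STAGE = {
    "office_app_spawned_powershell": "execution",
    "new_device_mfa_enrolment": "persistence",
    "bulk_object_storage_read": "collection",
    "unsigned_driver_load": "defense_evasion",
}

def build_incident(entity, evs):
    """Summarise a group of alerts as one incident with its attack chain."""
    return {
        "entity": entity,
        "sources": sorted({e["source"] for e in evs}),
        "chain": [f'{STAGE[e["event"]]}:{e["event"]}' for e in evs],
        "alert_count": len(evs),
    }

def correlate(alerts, window=timedelta(minutes=30)):
    """Group alerts that share an identity and arrive within `window` of the
    previous alert in the group, regardless of which sensor raised them."""
    by_entity = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_entity[a["entity"]].append(a)
    incidents = []
    for entity, evs in by_entity.items():
        current = [evs[0]]
        for prev, ev in zip(evs, evs[1:]):
            gap = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(prev["ts"])
            if gap <= window:
                current.append(ev)
            else:  # too far apart in time: start a new incident for this entity
                incidents.append(build_incident(entity, current))
                current = [ev]
        incidents.append(build_incident(entity, current))
    return incidents

def reduction_ratio(alerts, incidents):
    """How many raw alerts an analyst sees per correlated incident."""
    return len(alerts) / len(incidents)
```

With the sample data the four raw alerts become two incidents, and the first one shows execution, persistence and collection stages tied together by the same user across three sensors.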
Legacy antivirus and NextGen AV vendors who never successfully moved into the EDR space are inclined to allege that moving to XDR means the organization will be faced with certain tradeoffs, a myth that is worth unraveling here. First, there are the costs that come with purchasing any solution, including XDR. These expenses include the costs of purchasing software tools, retraining employees, and/or consulting with experts as well as the time and resources that organizations need to map out their implementation. But is this really a shortcoming for XDR specifically? We’d argue it isn’t.
For decades, organizations have incrementally invested in the next iteration of security platforms as the field of security has evolved. But most of these new approaches resulted in simply pushing the attacks further up or down the IT stack. Organizations will need to similarly allocate budget to advance their program to include XDR, but the realized return on that investment in an XDR solution is high-fidelity detections that actually return the high ground to the defenders by significantly increasing the burden on the attacker.
XDR’s value is rooted in its ability to provide visibility and control that covers the seams in the network that attackers have come to rely on to obscure their operations. There are no silver bullets in security, but the XDR vision offers more than peace of mind because it's a powerful offensive tool for the defender that surfaces complex attacks earlier than any preceding generation of security solutions.
There’s also the question of what value XDR response automation brings to an organization; again, there is tremendous upside for the organization here. Automation of telemetry enrichment across otherwise disparate elements of a network means the ability to detect subtle chains of malicious behavior earlier, and automation of a set of responses to those earlier attack stages means greater success in thwarting a security event before it can escalate to the point of a full-fledged breach.
Consider the value that stopping a ransomware attack at initial ingress or at the stage of lateral movement on the network has for your organization versus being faced with a costly and disruptive incident response scramble and “roll-back” of encryption on every affected system, and you quickly see why an investment in an XDR solution is quite preferable to the alternative.
Lastly, there’s the risk of relying on a single platform that’s “trying to own it all,” in the words of Security Boulevard. Some security vendors might sell organizations on the idea that they can throw out their existing security tools and replace them with XDR, but that’s just bad marketing, not bad practice. XDR does not claim to be a replacement for all other solutions. Like everything else, it functions best when organizations integrate it into their existing security strategy and maintain a layered approach to network defenses.
Cybereason XDR is designed to go even a step further with automated responses to attack progressions, eliminating the need for Security Orchestration, Automation and Response (SOAR) products as well. Organizations can enjoy these benefits whether they drop their SIEM and SOAR entirely or augment them with Cybereason XDR.
Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, and everywhere the battle is taking place. Learn more about AI-driven Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.