7 Requirements for a Successful XDR Strategy
If you’re a security practitioner wondering where to start your XDR journey, here’s a look at the fundamental building blocks of a successful XDR strategy.
Dan Verton
The Biden administration issued a new cybersecurity strategy last week that has many observers applauding its emphasis on regulating minimum cybersecurity standards and enforcing so-called secure by design development practices, among other things.
In 10 years of service in the intelligence community and another 20 as a journalist covering national cybersecurity, I’ve seen my share of government strategies. Almost all have been divorced from the reality of tactical implementation and the crucible of cyberwar. For example, consider how Kemba Walton, Acting National Cyber Director, described the strategy at an event hosted March 2 by the Washington, D.C.-based think tank Center for Strategic and International Studies.
“The truth is that we need to make some fundamental shifts in the way our digital ecosystem works,” Walton said. “This is where President Biden’s strategy takes a new approach. We need to rebalance the responsibility for managing cyber risk, rethink whom we’re asking to keep all of us secure.”
In his book Only the Paranoid Survive, former Intel CEO Andy Grove defined an inflection point as “a time in the life of a business when its fundamentals are about to change. That change can mean an opportunity to rise to new heights. But it may just as likely signal the beginning of the end.”
We are at such an inflection point in U.S. National Cybersecurity strategy.
The strategy’s high-level objectives are laudable in their intentions, but they are largely unachievable in the current political climate. Wasting the two to three years it will take to enact new regulations or pass the needed legislation to support things like minimum standards liability for critical infrastructure operators and software developers will only further delay the urgently needed forward progress to detect, deter, and deny Chinese and Russian state-sponsored threat actors.
None of this is to argue that we should not be working toward improving standards and demanding accountability. But we must also account for the adversary — something the current strategy does not do very well. Today’s minimum standard is tomorrow’s vulnerability, and the adversary will have a say in how that is determined.
In his book, Good Strategy, Bad Strategy, Richard Rumelt, Emeritus Professor at UCLA Anderson, wrote: “The most basic idea of strategy is the application of strength against weakness. A good strategy doesn’t just draw on existing strength; it creates strength.”
Although the strategy work of the government is absolutely essential, we cannot wait for consensus on new laws, policies, and regulations. There is a better way, but it requires a fundamental change in how we approach security by moving away from the labor intensive, inefficient and ineffective alert-centric model we continue to cling to in favor of a more effective, highly efficient Operation-Centric approach.
An Operation-Centric model focuses on disrupting the entire attack operation versus responding to uncorrelated alerts that fail to identify root cause, interrupt command and control (C2), prevent data exfiltration, eliminate persistence mechanisms, and more.
Solutions that are highly effective against today’s threats—especially sophisticated threats like ransomware and state-sponsored threat actors—must detect malicious activity immediately without waiting for additional processing time or human analyst intervention.
An Operation-Centric approach can deliver detection and response automation at scale by leveraging Indicators of Behavior (IOBs), the more subtle signs of an attack that can surface the entire malicious operation at its earliest stages, allowing for earlier detections that inform a predictive response capability for comprehensive remediation that our current reliance on retrospective Indicators of Compromise (IOCs) can never deliver.
Every day, Cybereason helps security teams Move from an alert-centric security model to an Operation-Centric model and significantly improve operational effectiveness and efficiency. Small teams can do the work of larger teams, less experienced teams are immediately more effective, and the ability to mitigate risk improves exponentially.
Cybereason is dedicated to teaming with defenders from the government, critical infrastructure operators, and private industry to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place.
Contact Cybereason today to learn how your organization can benefit from an operation-centric approach to security for increased efficiency and efficacy.
Dan Verton is Director of Content Marketing at Cybereason. Dan has 30 years of experience as a former intelligence officer and journalist. He is the 2003 first-place recipient of the Jesse H. Neal National Business Journalism Award for Best News Reporting – the nation’s highest award for tech trade journalism and is the author of the groundbreaking work, Black Ice: The Invisible Threat of Cyber-Terrorism (McGraw-Hill, 2003). He most recently served as an intelligence advisor and co-author of a nationwide TSA anti-terrorism awareness training program.
All Posts by Dan VertonIf you’re a security practitioner wondering where to start your XDR journey, here’s a look at the fundamental building blocks of a successful XDR strategy.
Cybereason has launched subscription-based bundles for unlimited Incident Response and Professional Services that deliver the speed and agility needed to quickly identify, correlate and contain threats while reducing costs by as much as thirty percent...
If you’re a security practitioner wondering where to start your XDR journey, here’s a look at the fundamental building blocks of a successful XDR strategy.
Cybereason has launched subscription-based bundles for unlimited Incident Response and Professional Services that deliver the speed and agility needed to quickly identify, correlate and contain threats while reducing costs by as much as thirty percent...
Get the latest research, expert insights, and security industry news.
Subscribe