Enterprise security strategy has evolved over the years, from endpoint to network security and back to a focus on endpoint during the pandemic. To cover the scope of the threat landscape, there's extended detection and response (XDR).
XDR is based on a combination of network and endpoint detection and response (NDR, EDR) working in conjunction with other tools.
"The system is correlating that data and allowing you to immediately pivot from network to endpoint, endpoint to network and contextualize each," said Jake Williams, president and founder of Rendition Infosec, during Black Hat last week. When XDR is properly deployed, "I just can't tell you how exciting it is to be able to get in as an incident responder and be able to pivot through the data that XDR provides."
Confusion lies in how XDR interacts with other tools. Security operations centers (SOCs) often have NDR and EDR modules deployed and assume that, together, they amount to XDR. That's almost like having a rifle and some bullets, said Williams, but "they're in separate rooms and I can't bring the two together. It's just not as powerful together."
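The pivot Williams describes (network to endpoint and back, with the two sources contextualizing each other) is, at its core, a join across telemetry keyed on a shared asset identity and a time window. The following is an added illustration written for this article, not code from the article or from any XDR vendor: it assumes a hypothetical EDR process schema, a hypothetical NDR flow schema and an asset inventory mapping IP addresses to hostnames, all constructed here, and shows what an NDR alert looks like once endpoint context is attached versus the "separate rooms" view where the responder sees only the flow.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed record shapes (assumptions for this example, not a vendor's schema).
@dataclass(frozen=True)
class EndpointEvent:
    host: str
    ts: datetime
    pid: int
    image: str          # process image name
    parent_image: str   # parent process image name

@dataclass(frozen=True)
class NetworkFlow:
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_out: int
    ts: datetime

# Constructed asset inventory: the join key that lets NDR and EDR data meet.
ASSET_INVENTORY: Dict[str, str] = {
    "10.0.1.15": "ws-finance-07",
    "10.0.1.22": "ws-hr-03",
}
IP_BY_HOST = {host: ip for ip, host in ASSET_INVENTORY.items()}

def _t(hhmmss: str) -> datetime:
    # Constructed timestamps, all on one day, for readability.
    return datetime.fromisoformat(f"2021-08-05T{hhmmss}")

# Constructed EDR telemetry: a macro-spawned shell on the finance workstation.
ENDPOINT_EVENTS: List[EndpointEvent] = [
    EndpointEvent("ws-finance-07", _t("10:04:50"), 4120, "powershell.exe", "winword.exe"),
    EndpointEvent("ws-finance-07", _t("08:30:10"), 3001, "outlook.exe", "explorer.exe"),
    EndpointEvent("ws-hr-03", _t("10:04:55"), 2210, "chrome.exe", "explorer.exe"),
]

# Constructed NDR telemetry: a large outbound transfer shortly after that process started.
NETWORK_FLOWS: List[NetworkFlow] = [
    NetworkFlow("10.0.1.15", "203.0.113.9", 443, 18_400_000, _t("10:05:02")),
    NetworkFlow("10.0.1.15", "10.0.2.3", 445, 2_048, _t("09:00:00")),
    NetworkFlow("10.0.1.22", "203.0.113.40", 443, 51_000, _t("10:05:03")),
]

def _within(a: datetime, b: datetime, window: timedelta) -> bool:
    return abs(a - b) <= window

def pivot_network_to_endpoint(flow: NetworkFlow, events: List[EndpointEvent],
                              window: timedelta = timedelta(minutes=5)) -> List[EndpointEvent]:
    """Network -> endpoint: which processes ran on the flow's source host around the flow time?"""
    host = ASSET_INVENTORY.get(flow.src_ip)
    if host is None:          # unknown asset: no endpoint context available
        return []
    return sorted((e for e in events if e.host == host and _within(e.ts, flow.ts, window)),
                  key=lambda e: e.ts)

def pivot_endpoint_to_network(event: EndpointEvent, flows: List[NetworkFlow],
                              window: timedelta = timedelta(minutes=5)) -> List[NetworkFlow]:
    """Endpoint -> network: what did this host send around the time the process ran?"""
    ip = IP_BY_HOST.get(event.host)
    if ip is None:
        return []
    return sorted((f for f in flows if f.src_ip == ip and _within(f.ts, event.ts, window)),
                  key=lambda f: f.ts)

def build_incident(flow: NetworkFlow, events: List[EndpointEvent],
                   window: timedelta = timedelta(minutes=5)) -> Optional[dict]:
    """Correlate one flow with endpoint context into a single record a responder can read."""
    procs = pivot_network_to_endpoint(flow, events, window)
    if not procs:
        return None
    return {
        "host": procs[0].host,
        "flow": f"{flow.src_ip}->{flow.dst_ip}:{flow.dst_port} ({flow.bytes_out} bytes out)",
        "candidate_processes": [f"{p.parent_image} -> {p.image} (pid {p.pid})" for p in procs],
    }

if __name__ == "__main__":
    for flow in NETWORK_FLOWS:
        incident = build_incident(flow, ENDPOINT_EVENTS)
        if incident:
            print(incident)
```

Run stand-alone, the script prints one record per flow that has endpoint context; the 18 MB transfer from 10.0.1.15 is attributed to the `winword.exe -> powershell.exe` chain, which is the contextualization the panel was describing. The time window and the inventory lookup are the two places where real deployments diverge from this sketch: clock skew between sensors and stale IP-to-host mappings are the usual reasons a pivot returns nothing or the wrong host.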
During a cyber incident, "swivel chair agony" can burden SOCs that have to go to multiple solutions to piece together the narrative, which cuts into response time, said Al Huger, VP and GM of security platform and response at Cisco, during the panel. Cisco also provides XDR tools.
"Time is not a luxury you have. Like it's the one piece of currency, as responders and security professionals, that we all need and can't buy," he said.
But SOCs are not entirely clear on what XDR is or how to add it to their existing security stack. And when companies are working to improve how they use their existing security solutions, adding another one to the mix could either benefit their SOC or add unnecessary responsibilities.
More than one-third of security professionals view XDR as a solution that uses multiple data sources to collect, process, analyze and act on threats, according to a Cybereason and ESG survey of 388 North America-based cybersecurity professionals, conducted in October 2020. Others see XDR as a piece of software (18%) or the next evolution of EDR (15%). Though perceptions differ, none are entirely wrong.
In a complex environment, XDR is a way to fill the gaps left by traditional threat detection technologies. Companies expect XDR to automatically hunt and respond.
At the very least, the tool reduces the amount of time needed to process threat data, Huger said.
Changing the tech stack
Because of XDR's capabilities, enterprises will democratize it, said Eric Parizo, principal analyst of security operations at Omdia Research, during the Black Hat panel. XDR is meant to be a one-stop-shop for detection, investigation and response across endpoints, networks and clouds.
The technology stack in an average SOC likely has not changed in recent years, according to Parizo. Alongside security orchestration, automation and response (SOAR), which is modernizing the SOC, XDR is the solution that is beginning to make waves in SOCs.
In May, Forrester declared XDR the most effective technology for threat hunting across business tools. Because of its ability to detect and rapidly respond to threats, the research firm says XDR expands threat hunting with telemetry data, email security and cloud data.
In the next six to 12 months, roughly two-thirds of organizations expect to invest in XDR capabilities, according to the Cybereason survey. Some organizations plan to divert funds once dedicated to EDR or security information and event management (SIEM) to XDR.
For 58% of companies, SIEM is considered their most effective threat detection and response tool, because it can specify the type of incident — phishing, data exfiltration, exploit or vulnerability, and so forth, according to the survey. But SIEM can be used ineffectively, with challenges including expensive software licensing, maintaining a SIEM infrastructure and restrictions on detection of unknown threats, the report said.
"SIEMs haven't really gotten it figured out either," said Parizo. "What tells me that these so-called XDR players are going to figure out that third-party telemetry gathering, processing normalization problems that core SIEMs fall down." XDR is not a SIEM replacement — it's a supplement.
What's in XDR adoption
How and where XDR collects data will vary from company to company. More than likely, XDR will need access to data lakes supporting the products in the XDR process, which could be endpoints, firewalls or identity management systems, Huger said. XDR also has to be able to "maintain its own set of data that it correlates from those systems that can be referenced and used," he said.
While companies interested in XDR can use the engineers they already have, "you shouldn't," said Williams. It's better to bring in people dedicated to the skills XDR requires and redirect the existing workforce to what needs their attention. Half of the Cybereason respondents are interested in fully managed XDR or staff augmentation services that extend beyond 24/7 incident detection operations.
Ultimately, companies have to ask if XDR will make a responder's job easier or more effective — because sometimes it won't, depending on what the SOC already has. If a SOC is considering XDR, it should be looking at it from the viewpoint of the practitioner, not the current fad of the security market.
XDR is not meant to be one more product bolted onto the infrastructure. "From a vendor perspective, there's this desire always with something to monetize the hell out of it," said Huger. "So XDR becomes 'We're going to build everything out of this, and you're going to give us a lot of money.' And I don't know if that's what our customers are asking for."