Posted in Security

The ideal XDR can turbocharge your SOC but what does it look like?

A well-implemented XDR platform has workflows in place to cover everything — prevention, detection, and response.

Vibin Shaju, Presales Director – EMEA, Trellix

Global headlines haunt the dreams of regional CISOs. “When will it be my turn?” they ask, wondering whether their state of readiness will be equal to the threat actor that eventually slips behind their defenses. The challenges will be familiar to anyone who shares this state of mind: too many point products, too much white noise, too many false positives, inadequate resources, and a shortage of actionable intelligence. Not surprisingly, the recent Trellix Cyber Readiness Report found that while EDR and XDR technologies were a priority for organisations, a lack of in-house cybersecurity skills, implementation expertise and trusted vendors were the key barriers to deploying them.

Under these conditions, Security Operations Centre (SOC) teams cannot respond quickly enough to mitigate the harm of an intrusion. But of course, they are expected to do just that. Pressure builds. Skilled people leave. Talent gaps ensue. And subsequent incidents get worse. It is a cycle of deterioration faced by many SOCs. And it is one that can be halted to a large extent by extended detection and response.

You have probably heard of XDR. It is the cybersecurity solution that unites others — SIEM, EDR, NDR, SWG, SEG, and CASB — under a common banner and seeks to eliminate the “needle in a haystack” frustrations of many anomaly investigations. XDR has its eyes fixed on emails, endpoints, internal networks, cloud environments and more, with insights grouped and presented visually in a single dashboard. XDR automates, guides, flags, and advises. And it does so intelligently, backed by threat knowledge and the industry’s best-practice playbooks.

Teams are more agile and more empowered. People stick around and hone their skills, and teams get smarter still. But not all XDR platforms produce the same results. So, what does the ideal look like? To answer that question, we should look at the solution’s behavior throughout the threat lifecycle.

Detection

Active monitoring of alerts and events from various sensors goes without saying. SIEM should be included. Ticketing systems should be included. The activity logs of email security and endpoint protection systems should be included. As should DNS logs, Web proxy logs, and even notifications from system administrators, customers, ISPs and other third parties about potential malware.

Investigation

Indicators of compromise (IOCs) such as suspect hashes, links, IP addresses, domains, URLs, and others can be found in the telemetry previously gathered. The ideal XDR platform validates these candidate IOCs against the industry’s most trusted threat-intelligence sources rather than against raw, unvetted feeds, so that validation does not simply add to the noise. Once a genuine malware sample is identified, it should be isolated in a sandbox environment so its behavior can be examined safely. “What is it doing?” the ideal platform will ask. What networks is it trying to reach? What registry settings is it modifying? What files is it dropping, reading, or modifying? What processes or services has it started? Has it scheduled any tasks? If so, for what purpose?

From here, additional IOCs often emerge, lateral movement can be detected sooner, and attackers’ dwell time is reduced accordingly. Beyond analysing the IOCs already detected, the ideal platform can update endpoint and network security rules and policies, and can call on resident EDR tools to sweep endpoints for the newly found IOCs. It can query SIEM platforms, firewalls, proxy servers and DNS logs in the same way. Areas of concern, including possible data leaks and their source, become flags for the appropriately skilled SOC team members, who can conduct targeted analysis.
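The investigation loop described in this section, as an added example that is not code from the original article or from Trellix: it mines constructed proxy, DNS and EDR log lines for candidate IOCs, confirms them against a constructed stand-in for a trusted feed (with an allowlist of internal infrastructure so known-good traffic is never flagged), folds in the network, dropped-file, registry and scheduled-task behaviour from a constructed sandbox report, and then pivots back over the telemetry to find every host that touched a confirmed IOC. All host names, domains (reserved example.* names), IP addresses (TEST-NET ranges), hashes, log field names and the report layout are assumptions made for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed telemetry (proxy, DNS and EDR events from four hosts); not real data.
TELEMETRY = """\
2024-03-04T09:12:01Z proxy host=WS-0142 user=jsmith dst=http://cdn-update.example.net/inst.exe status=200
2024-03-04T09:12:03Z edr host=WS-0142 event=file_create path=C:\\Temp\\inst.exe sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2024-03-04T09:12:07Z dns host=WS-0142 query=cdn-update.example.net answer=203.0.113.7
2024-03-04T09:40:12Z dns host=SRV-FILE01 query=cdn-update.example.net answer=203.0.113.7
2024-03-04T09:41:02Z edr host=SRV-FILE01 event=net_connect dst_ip=203.0.113.7 dst_port=443
2024-03-04T10:05:19Z dns host=WS-0077 query=beacon.example.org answer=198.51.100.23
2024-03-04T10:30:00Z dns host=WS-0301 query=updates.corp.example.com answer=192.0.2.10
"""
# Constructed stand-in for a trusted threat-intelligence feed, plus an internal allowlist.
TRUSTED_FEED = {"domain": {"cdn-update.example.net"}, "ip": {"203.0.113.7"}, "sha256": {"0123456789abcdef" * 4}}
ALLOWLIST_DOMAINS = {"updates.corp.example.com"}
# Constructed detonation report for inst.exe (layout chosen for this example).
SANDBOX_REPORT = {
    "network": [{"domain": "beacon.example.org", "ip": "198.51.100.23", "port": 443}],
    "files_dropped": [{"path": r"C:\ProgramData\svchelper.exe", "sha256": "fedcba9876543210" * 4}],
    "registry": [{"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "svchelper"}],
    "scheduled_tasks": [{"name": "SvcHelperUpdate", "trigger": "daily"}],
}
# Only typed log fields are mined for IOCs; free text (paths, users) is ignored so "inst.exe" never becomes a "domain".
FIELD_TYPES = {"dst": "url", "query": "domain", "answer": "ip", "dst_ip": "ip", "sha256": "sha256"}
SHA256_RE, DOMAIN_RE = re.compile(r"^[0-9a-f]{64}$"), re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")

def parse_events(text):
    """Parse 'timestamp source key=value ...' lines into dicts, skipping malformed ones."""
    events = []
    for ts, source, rest in (l.split(" ", 2) for l in text.splitlines() if l.count(" ") >= 2):
        fields = {"_ts": ts, "_source": source}
        fields.update(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append(fields)
    return events

def normalise(kind, value):
    """Canonicalise one candidate IOC; returns None when it is not well-formed."""
    value = value.strip()
    if kind == "url":
        return value or None
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    pattern = SHA256_RE if kind == "sha256" else DOMAIN_RE
    return value.lower() if pattern.match(value.lower()) else None

def event_iocs(ev):
    """Yield (kind, value) for each well-formed IOC an event carries; a URL also yields its host."""
    for field, kind in FIELD_TYPES.items():
        value = normalise(kind, ev.get(field, ""))
        if value is None:
            continue
        yield kind, value
        if kind == "url":
            host = normalise("domain", urlsplit(value).hostname or "")
            if host:
                yield "domain", host

def confirm(events, feed, allowlist):
    """Keep only candidates the trusted feed confirms, after dropping allowlisted internal names."""
    candidates = {}
    for ev in events:
        for kind, value in event_iocs(ev):
            candidates.setdefault(kind, set()).add(value)
    candidates["domain"] = candidates.get("domain", set()) - allowlist
    return {k: v & feed[k] for k, v in candidates.items() if k in feed and v & feed[k]}

def sandbox_iocs(report):
    """Derive second-stage IOCs (C2 names, dropped-file hashes) and persistence findings."""
    derived = {"domain": set(), "ip": set(), "sha256": set()}
    for kind, entries in (("domain", report["network"]), ("ip", report["network"]), ("sha256", report["files_dropped"])):
        for entry in entries:
            value = normalise(kind, entry.get(kind, ""))
            if value:
                derived[kind].add(value)
    findings = [f"persistence via registry {r['key']} = {r['value']}" for r in report.get("registry", [])]
    findings += [f"scheduled task {t['name']} ({t['trigger']})" for t in report.get("scheduled_tasks", [])]
    return {k: v for k, v in derived.items() if v}, findings

def pivot(events, confirmed):
    """Map each host to the confirmed IOCs it touched: this is the containment scope."""
    flat = {v for values in confirmed.values() for v in values}
    hosts = {}
    for ev in events:
        hits = {v for _, v in event_iocs(ev) if v in flat}
        if hits:
            hosts.setdefault(ev.get("host", "?"), set()).update(hits)
    return hosts

def investigate(telemetry=TELEMETRY, feed=TRUSTED_FEED, report=SANDBOX_REPORT):
    """Round 1: feed-confirmed IOCs. Round 2: fold in sandbox-derived IOCs and pivot again."""
    events = parse_events(telemetry)
    confirmed = confirm(events, feed, ALLOWLIST_DOMAINS)
    first_wave = sorted(pivot(events, confirmed))
    derived, findings = sandbox_iocs(report)
    for kind, values in derived.items():
        confirmed.setdefault(kind, set()).update(values)
    affected = pivot(events, confirmed)
    return {"confirmed": confirmed, "findings": findings, "first_wave": first_wave,
            "affected": sorted(affected), "per_host": {h: sorted(v) for h, v in affected.items()}}
```

Calling `investigate()` on the constructed data returns a first wave of two hosts (WS-0142, which fetched and ran the sample, and SRV-FILE01, which resolved and connected to the same infrastructure), and only after the sandbox-derived beacon domain and address are folded in does WS-0077 appear in the affected list. That widening is the concrete form of "additional IOCs often emerge"; the per-host IOC map it produces is the list the containment and reporting stages below work from, while WS-0301 stays out because its only traffic was to an allowlisted internal host.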

Containment

With the groundwork done, the ideal platform now moves to contain every endpoint the investigation has linked to the incident, automatically where policy allows, and takes a series of measures to stop the spread of the incident or, if possible, to shut down its operation. The best XDR solutions can even create their own rules, either autonomously or as part of a workflow that requires approval, in firewalls and other security controls to block the same activity in future. If the incident succeeded because EDR was absent from the infected endpoints, the ideal XDR would be authorised to install the missing protection.

Reporting

The SOC team is only as strong as its ability to learn from incidents. Reports from the ideal XDR will include not only the actions taken and a list of affected hosts, but also the investigated URLs, domains, IP addresses, files and hashes, details of any data leaks, and notifications of any updated policies.

And beyond

After incidents have been dealt with and adequately documented, SIEMs may be updated with new detection rules, or EDR solutions with new IOCs. Every point solution should be included in this post-incident overhaul.

XDR is speed and effectiveness

Faster and more accurate response: that is what XDR gives to every event lifecycle. SOC teams are more coordinated, more agile, and more thorough after the fact. XDR can also give SOC team members targeted advice on how to act, so that the response is proportionate and overkill does not occur. For example, if the malware executed while the user held admin or root privileges on a machine, nothing on that machine can be trusted afterwards: physical systems must be wiped and virtual ones deleted and redeployed. If it did not, it may be enough to clean the IOCs from the affected endpoints.

As we can see, a well-implemented XDR platform has workflows in place to cover everything — prevention, detection, and response. All of them are more effective, which reduces dwell time and the time between detection and containment. Putting together your own XDR from legacy point products supplied by multiple vendors is possible but calls for prohibitively expensive and unnecessarily labor-intensive commitments. A more practical approach is to scour the market for an all-in-one solution that meets the standards described here.

The current threat landscape waits for no-one. Threat actors are already capitalising on the mayhem and complexity that run riot in the modern SOC. This status quo must be reversed. And it can be.