What value does Extended Detection and Response (XDR) bring to the cybersecurity market? [Q&A]
As organizations adapt to hybrid working models and modernize business practices, so too must cybersecurity programs.
We talked to Rupesh Chokshi, VP at AT&T Cybersecurity, to discuss key challenges and how XDR is becoming an important framework, helping organizations consolidate and improve security operations across the entire network, from endpoints to the cloud and beyond.
BN: What is XDR?
RC: XDR stands for Extended Detection and Response. It addresses the need for broader visibility of threats in near real time by extending threat detection and response capabilities to reach every layer of the security stack, including endpoint, email, cloud workloads, server, and network. XDR takes the collective data from these historical 'silos' and automatically correlates it -- revealing important context behind threats and allowing security teams to detect and remediate security issues more rapidly.
With traditional approaches to threat detection and response, security analysts receive alerts from various point solutions, making it difficult to sort through the 'noise' and prioritize alerts effectively. XDR brings these pieces of the puzzle together through automation, tying perceived lower priority events together across the security layers to create a more informed picture of the threat and the immediacy required to mitigate it.
BN: Why is now the time for this technology?
RC: A combination of skills shortages and the high number of security solutions that an average enterprise has built up to tackle cyber threats has made it necessary to bring cohesion and simplification to detection and response capabilities. In addition, digital transformation and the shift to remote working during the pandemic have led to an increased number of endpoints accessing the network. Having comprehensive network visibility is the key to being able to defend against mounting cyber threats.
BN: What gap is it filling?
RC: XDR fills in the gap between point security solutions, all of which collect their own unique data. By integrating all of this collected information into one pane of glass, security analysts can see more clearly where their efforts are needed and can better prioritize security events. XDR also applies machine learning, threat intelligence and analytics to enhance investigations with the context needed to assess the impact a cyber threat may have across the organization.
BN: How can XDR help organizations manage dispersed workforces?
RC: The increasing complexities that come with evolving architectures needed to support a hybrid workforce and securing new business initiatives in edge computing are driving new security requirements and are expanding attack surfaces. At the same time, cybercriminals are turning to highly evasive and more lucrative strategies to exploit and profit from network vulnerabilities.
Using a legacy approach to threat detection and response will no longer suffice. Security teams are struggling with too many alerts, too much data, and not enough context. This is even more challenging with limited staff and expertise. An XDR approach can help overburdened security teams to improve protection, detection, and productivity.
BN: Can you explain XDR's importance for security analysts?
RC: XDR gives security analysts expanded capabilities, including:
Enhanced visibility and context: Oversight of an organization's environment, including where sensitive information and critical assets are located, is pivotal to effectively detecting and responding to threats. Security monitoring platforms need to ingest as much data as possible, across on-prem, multi-cloud, OT, and all connected endpoints (including IoT). With XDR, this stream of data is continuously updated so analysts can act upon it immediately to address potential security incidents.
Automated threat intelligence: The threat landscape is always changing, with adversaries quickly evolving their tactics, techniques, and procedures (TTPs). New variations of malware are easily created which are used to attack organizations repeatedly. Furthermore, threat actors are regularly modifying the infrastructure used in their campaigns. XDR provides organizations with continuously updated threat intelligence that is automatically fed into an XDR platform. This added context aids in the ability to easily detect deviations from known baseline activity and investigate events.
Analysis and correlation of data for better response: With increasing amounts of data being sent to threat monitoring platforms, SOC teams today must make use of automation, analytics, and machine learning for analysis, correlation, and to support response. For example, if a system or device has been infected, they can automatically isolate it as needed, proceed to mitigation or remediation, and then to recovery -- ideally back to a normal state -- within a single dashboard.
Ease of reporting: After an incident has occurred, having detailed, easy-to-consume reports is key to understanding what happened, how the team responded, and the overall outcomes of the team's efforts. These reports are also essential for compliance mandates and communicating to executives. XDR gives analysts enhanced reporting capabilities because the information can be at their fingertips, already contextualized and automated.
BN: Are there any specific challenges related to XDR, and how can these be managed from the outset to avoid them?
RC: XDR's appeal is that it can deliver improved outcomes within security operations, including creating greater efficiencies and improving security monitoring, investigation, response, and proactive threat hunting. That being said, many XDR solutions require replacing existing technologies and investments so enterprises should look for open XDR solutions that leverage deep integrations with existing investments. Without specialist knowledge, it can be complex to deploy and fine-tune the platform, particularly when seeking to integrate legacy solutions already in place in the organization. Therefore, enterprises lacking in the specialist knowledge or expertise in-house may find that looking for a managed XDR solution will help them with 24/7 support and deriving the most value from an XDR solution.