Extending detection and response -- why context is needed for security
The threat landscape is becoming more challenging from every angle. Security teams are understaffed and overworked, and are still catching up after the wide-ranging effects of the pandemic. There is unfortunately no end in sight: the skills gap keeps widening, and the complexity of IT management keeps growing as remote work programs move from the sticking plaster that got organizations through the initial lockdown to 'business as usual'. Attackers are becoming more sophisticated each day. It has never been this hard to keep an organization secure.
It’s no wonder that many security professionals fall into the trap of adopting numerous security tools to help them cope with these problems. In the hope of using the latest and seemingly greatest technology, CISOs think adding another security layer will reduce their risk exposure. If only it were that easy. Adding more technology can solve some of the issues, but it can also dilute team attention spans further, leading to more problems over time.
Meanwhile, at Board level, a lot of confusion is brewing. Board members are overwhelmed by the bounty of acronyms that surround security: Security Information and Event Management (SIEM), Security Orchestration, Automation and Response (SOAR) and Endpoint Detection and Response (EDR), to name a few that all clamor for investment and all seem to overlap. Now there is Extended Detection and Response (XDR) as well, so how can they tell what is delivering what value?
In reality, the problem isn't the tooling. Each tool, whether SIEM, SOAR or EDR, is valuable in its own right. However, each new integration adds another data silo. Each dashboard reports its own metrics based on the corner of the estate it can see and the use cases it was built for, and analysts are left to deal with a barrage of alerts from the whole range of solutions.
This leads to problems where the same alert can be flagged to multiple teams, or where issues can slip through the gaps. With security analysts already stressed, this can produce alert fatigue. To address this, XDR solutions are designed as the top layer, to investigate every potential incident in the digital estate, and enable real-time incident detection and response. Yet, not all XDRs are created equal.
Some current solutions simply regurgitate data to users, which creates extra work for the analyst, who still has to interpret it and make countless manual decisions about the required action. SIEM and XDR products that passively collect disparate, unrelated logs produce an avalanche of notifications and place the burden of correlation and prioritization on the security analyst. The emphasis is pushed back onto the user to sift through those alerts, detect the real threats, and prioritize response and remediation accordingly. That is a heavy lift for any team given the volume of alerts faced daily, particularly when false positives waste time and erode staff morale.
This is where the value of insight in context comes in. Inside one tool, one log line or alert looks much like any other. Combined with external threat intelligence and other security data, the same seemingly innocuous request takes on new meaning and rapidly rises up the priority list. XDR is designed to break down data silos and give analysts greater insight by creating a unified view of the enterprise technology stack and the threats against it. By bringing the tapestry of security solutions and functions together in one platform, analysts can understand exactly what is going on in their environment from a single view.
Analysts can take the noise of multiple alerts from multiple platforms and turn it into signal. By correlating asset inventory and vulnerability information, network and endpoint telemetry, high-quality threat intelligence and third-party log data, XDR gives analysts more context on what is actually taking place and drives a more effective, real-time response to threats.
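To make the correlation step concrete, the following is an added illustration (not code from Qualys or from any XDR product) of what "context" means mechanically: alerts from three separate tools are collapsed into one incident when they concern the same host and indicator inside a short time window, then enriched from a constructed asset inventory, a constructed vulnerability feed and a constructed threat-intelligence list. Every host name, CVE identifier, IP address and score weight below is invented for the example; the addresses come from the TEST-NET documentation ranges.

```python
"""Alert de-duplication and context-based prioritisation (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample inputs. Each source only sees its own corner of the estate.
ASSETS = {
    "web-01": {"criticality": "high", "internet_facing": True,
               "open_cves": {"CVE-0000-0001"}},          # hypothetical CVE id
    "lab-07": {"criticality": "low", "internet_facing": False, "open_cves": set()},
}
VULN_FEED = {"CVE-0000-0001": {"exploited": True, "cvss": 9.8}}   # constructed
THREAT_INTEL = {"203.0.113.9": {"confidence": 90, "tag": "c2"}}    # TEST-NET-3 address
RAW_ALERTS = [  # three tools, same event; plus one unrelated low-value alert
    {"tool": "edr",  "ts": "2024-05-01T10:00:05", "host": "web-01",
     "indicator": "203.0.113.9", "name": "outbound beacon"},
    {"tool": "fw",   "ts": "2024-05-01T10:00:12", "host": "web-01",
     "indicator": "203.0.113.9", "name": "egress to blocklisted ip"},
    {"tool": "siem", "ts": "2024-05-01T10:03:40", "host": "web-01",
     "indicator": "203.0.113.9", "name": "dns query to known-bad domain"},
    {"tool": "edr",  "ts": "2024-05-01T11:15:00", "host": "lab-07",
     "indicator": "198.51.100.4", "name": "suspicious powershell"},
]


@dataclass
class Incident:
    host: str
    indicator: str
    first_seen: datetime
    sources: set = field(default_factory=set)
    score: int = 0
    reasons: list = field(default_factory=list)


def dedupe(alerts, window=timedelta(minutes=10)):
    """Collapse alerts raised by different tools for the same host and indicator
    within `window` into one incident, keeping every source for the audit trail."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):   # ISO timestamps sort as text
        ts = datetime.fromisoformat(a["ts"])
        for inc in incidents:
            same_key = (inc.host, inc.indicator) == (a["host"], a["indicator"])
            if same_key and ts - inc.first_seen <= window:
                inc.sources.add(a["tool"])
                break
        else:
            incidents.append(Incident(a["host"], a["indicator"], ts, {a["tool"]}))
    return incidents


def enrich(inc, assets=ASSETS, intel=THREAT_INTEL, vulns=VULN_FEED):
    """Attach asset, vulnerability and threat-intel context. Each matching fact
    adds to the score and records why, so the analyst can see the reasoning."""
    asset = assets.get(inc.host, {})
    if asset.get("criticality") == "high":
        inc.score += 30
        inc.reasons.append("high-criticality asset")
    if asset.get("internet_facing"):
        inc.score += 10
        inc.reasons.append("internet facing")
    for cve in sorted(asset.get("open_cves", ())):
        if vulns.get(cve, {}).get("exploited"):
            inc.score += 25
            inc.reasons.append(f"{cve} open and exploited in the wild")
    ioc = intel.get(inc.indicator)
    if ioc:
        inc.score += ioc["confidence"] // 2
        inc.reasons.append(f"indicator tagged {ioc['tag']} (confidence {ioc['confidence']})")
    if len(inc.sources) > 1:
        inc.score += 10 * (len(inc.sources) - 1)
        inc.reasons.append(f"corroborated by {len(inc.sources)} tools")
    return inc


def triage(alerts=RAW_ALERTS):
    """Return incidents ordered by descending score, highest priority first."""
    return sorted((enrich(i) for i in dedupe(alerts)),
                  key=lambda i: i.score, reverse=True)


if __name__ == "__main__":
    for inc in triage():
        print(f"{inc.score:4d} {inc.host} {inc.indicator} "
              f"sources={sorted(inc.sources)} reasons={inc.reasons}")
```

Run stand-alone, four raw alerts become two incidents: the beacon from the exposed, vulnerable web server, corroborated by three tools, scores far above the isolated lab-host alert, and the reasons list shows an analyst exactly which pieces of context drove the ranking. The weights are illustrative; in practice they would be tuned to the organization's own asset data and threat model.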
Context is the difference between wasted time spent on manual tasks and more focused investigation where it is really needed. With understaffed and time-poor security teams struggling to support remote working and deal with more attacks, providing context using XDR is an effective route to providing what businesses need to improve their risk posture and security approach. Without this, teams will struggle to manage workflows and deal with potential issues in a timely manner.
Paul Baird is Chief Technical Security Officer, Qualys