What is Extended Detection and Response (XDR)?
Over the last few years, we’ve seen a few categories of security technologies and services evolve to defend against advanced threats:
- Endpoint Detection & Response (EDR)
- Network Detection & Response (NDR)
- Managed Detection & Response (MDR)
- Extended Detection & Response (XDR)
So, what is Extended Detection and Response? XDR is the latest evolution of security solutions to help IT and security team identify advanced or stealthy threats, improve threat detection and response times, investigate threats more thoroughly, efficiently and effectively, and to be able to track threats across multiple systems and system components.
Gartner, define Extended Detection and Response (XDR) as “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”
Earlier this year IBM Security published their sixth annual Cyber Resilient Organization Study based on research from the Ponemon Institute’s survey of more than 3,600 IT and security professionals around the world in July 2021.
According to 67% of respondents, “both the volume and severity of cybersecurity incidents increased or significantly increased in the past 12 months…of the respondents surveyed, 51% sustained a data breach over the last 12 months and 46% experienced at least one ransomware attack over the past two years.”
The study is detailed and worth reading: IBM Security
IBM also asked respondents to “rate their organizations’ cyber resiliency on a scale of 1 to 10, 23% of respondents rated themselves as 9 or 10. This subset of respondents are referred to as “high performers.” High performers identified the following top investments for their improvement:
- 65% reported the ability to have visibility into applications and data assets
- 62% reported the use of automation, AI and machine learning
- 45% reported secure migration to the cloud
- 39% reported timely assessment of vulnerabilities and application of patches
What’s interesting to note is that a mature Extended Detection and Response (XDR) solution can help deliver a number of these capabilities, e.g. visibility into applications and data assets, automation and machine learning, as well as with timely assessments of vulnerabilities and application of patches.
Why was XDR developed?
Over the past 15 years, cybercrime has exploded and malicious actors have adapted significantly, developing new malware, innovating delivery mechanisms, their techniques and tactics. Collaborating amongst each other, utilising legitimate offensive security tools, using tools developed by law enforcement and even other legitimate tools inherent in the Windows operating system. Cybercrime has become big business and is now a multi-million dollar criminal industry. The groups are well practised and well funded. Because of this it has driven the need for cyber-defense and endpoint security to evolve.
Without the correct monitoring or detection capability in place, it is difficult for organisations to detect when they are under attack.
How is XDR different from anti-virus/anti-malware?
An XDR platform will correlate activity, indicators of compromise and indicators of attack across the environment. Essentially, they are more accurate at detecting advanced threats, than a more traditional anti-virus solution. They’re also very good at detecting the early stages of an attack and providing IT and security teams the necessary to investigate and triage an event to determine whether it is a security incident that needs shutting down, remediating or responding too.
Attacks are now multi-phased, utilising several different cybercrime teams and crime organisations. They communicate and organise themselves on the Darkweb and through other channels, bidding and reselling services and recruiting new developers and ‘pentesters’ into their teams. This means that one part of the attack, credential harvesting, may be completed by one person or one team. Following a successful outcome those credentials are then sold onto another crime group. That group may then escalate the privileges with those credentials and gain further access to the organisation before reselling them to the final group. This whole process may take a number of months, with the final group only being involved for a few days. Often this means, without a holistic view of an environment and different attack techniques, stages of an attack would likely be missed without a quality monitoring or detection response solution in place.
How is XDR different to EDR and NDR?
EDR and NDR are narrowly focussed in their visibility and capability within an environment. EDR is focussed on the endpoint and NDR is focussed on the network.
Whilst both tools are useful, and have their use cases independently, for smaller organisations, when used in isolation these tools tend to generate greater volumes of alerts, which also means more time to investigate and respond to events. There is also a greater operational overhead as more time is required for maintenance, management, deployment and training. In contrast, XDR consolidates capabilities, visibility across the environment, and enables security teams to work more effectively and efficiently.
Why is XDR Important?
As active incident responders, over the last five years we have started to see a significant increase in the number of advanced attacks, leading to ransomware, as well as against organisations that have requested our assistance following an incident. With the vast majority of these attacks a well-tuned, XDR platform would have mitigated most of the damage and even in some instances prevented the attack from even happening. Of course, one solution should not be considered a silver-bullet, and each organisations environment is different but XDR can be a highly cost-effective, preventative measure for SMBs and SMEs.
The criminal groups orchestrating these attacks are organised and operate as businesses. With networks that utilise the Ransomware-as-a-Service model the original malware author receives a percentage of every successful ransom the affiliate receives. These networks are established to disable business operations and extract money from them. Over the past few years ransoms have increased from a few thousand dollars to hundreds of thousands dollars.
“The University Of California Pays $1 Million Ransom Following Cyber Attack”
“Ransomware attacks skyrocketed in 2019, with BBR Services reporting a 131% increase in the number of ransomware attack notifications against clients compared to 2018.”
This makes the already complex and challenging task of managing an organisations IT environment even more difficult. Throw in false positives, alert fatigue, poorly integrated solutions, lack of comprehensive visibility across the environment, time taken to manage and navigate security tools – it’s little surprise Gartner named Extended Detection and Response (XDR) as a key trend for Security and Risk Managers for 2020.
“The primary goals of an XDR solution are to increase detection accuracy by correlating threat intelligence and signals across multiple security solutions, and improved security operations efficiency and productivity.
IT and Security teams gain efficiencies from the ability to investigate, manage, and respond to incidents from a single interface. Increased detection and protection accuracy through the correlation of incidents across multiple security solutions, as well as from the use of automation and machine learning to prioritise and automate the response of incidents.
The use of machine learning, automation and consolidation of security into a single platform, drastically reduces the time to respond to critical incidents, as well as mitigating the likelihood of a threat maintaining persistence. Comprehensive visibility is provided across the environment through one UI, allowing for efficient forensic analysis as well as enabling and simplifying IT hygiene.
As you review your security program, if you wish to look at and test any of the XDR platforms we have reviewed or even if you would like to consider some of the managed services that we offer, email: firstname.lastname@example.org
We can conduct a free threat assessment for your organisation which will, highlight critical, exposed attack surfaces and provide actionable knowledge of attacks that are currently live and active in the environment.
The assessment includes:
Indication of live attacks – Active malware, connections to C&C, data exfiltration, access to phishing links, user credential theft attempts, and others
Host and app attack surfaces – Unpatched vulnerabilities rated per criticality
Benchmark – Comparing the organisation’s security posture to the industry average
Weighted risk score – Built from all findings and activity
User identity attack surface – Risk scoring for each user account
Other ways we can help:
If you are concerned about the threat of a ransomware attack, or are interested in how cybersecurity monitoring and management could benefit your organisation, call or email us now for a discussion about your requirements for a more secure environment.
Further information on our Managed Cyber Security Services is available here.