Extended detection and response (XDR) have become a household (well, boardroom) name. Its fame comes from its ability to solve the point-solution problem and bring together disparate elements of cybersecurity at a time when the GCC is inundated with cyberattacks. But not all XDR is created equal, so deciding which XDR solution is right for you is worth considering four key security pillars.
You cannot detect what you cannot see. An obvious point, maybe, but one that has escaped the notice of many an organisation. If this was true before pandemic lockdowns pushed us into the cloud en masse, it is doubly so now. Many enterprises do not, or cannot, gather data from third-party environments or the personal devices of remote-working employees. Lack of data equates to blind spots. Whether at rest, in transit, or using data, the metadata it generates, must be captured. And this must happen wherever the data is — on-premises or in the cloud, on hardware or a virtual machine.
SecOps teams must be supported by processes, policies, and tools that give them unfettered access to all asset types, and this visibility must be maintained over time. If not, then analysts cannot be expected to monitor all possible attack channels effectively.
In addition to visibility, SecOps teams must also have access to threat intelligence. This can take many forms, from the diligent investigations of the analysts themselves reviewing data from compromised endpoints to the external intel made available commercially or as part of an open-source or threat-sharing initiative. The indicators of compromise (IOCs) that result from intel exercises can be shared with different security controls for the purposes of detection and response.
If a SecOps team can efficiently ingest, share, and leverage threat intelligence across its security solutions — endpoint, data, email, cloud, and network — it will have taken the first step towards robust XDR. The team should also be able to generate threat intelligence through day-to-day operations. It is the only way to guarantee the ability to identify an active intrusion. This brings us neatly to detection.
You cannot guard against what you cannot detect. Another obvious point that only stands because so many regional organisations find themselves with a detection shortfall. Organisations must review their tools and techniques across attack channels to ensure the SecOps team is covered for real-time action. We all know the GCC faces a skills gap in cybersecurity and that (apparently) cybergangs do not. This is a challenge. Since prevention is now all but impossible, well-defined detection and remediation tools, as are the procedures that govern their use, are critical. Field-tested, automated playbooks should turn the SecOps team into threat hunters capable of examining all stored, moving, or access data and determining whether a leak is happening.
The playbook should require alerts from the endpoint, email, network, or cloud solutions to be instantaneously shared with the centralised data protection dashboard for real-time visibility. This allows the XDR solution also to detect lateral movement. Taken together, these detection capabilities allow the reduction of dwell time, which according to some reports, can average as long as three weeks.
A strong XDR solution can link events to detect low and slow intrusions. This is where XDR proves to be more than the sum of its parts. Individual vendor solutions may not be capable of the same level of discovery. XDR, which brings these solutions together, garners more context and can tell analysts the full story of what happened during a contained breach. This allows them to search for additional context among other affected systems or credentials. Working like this means policy wins over technology. A point solution may identify a weak signal, but this may be a ploy by an attacker to slip under the radar. If several point solutions identify weak signals and pass them along to a central decision-making apparatus, XDR will combine several “weeks” to deduce a “strong”. And so, what would otherwise have been a stealthy attack with weeks of dwell time is thrown into the light where SecOps can decide what to do with it. And so, we come to a response.
Today, given the level of stress faced by security professionals in the region, cybersecurity response has as much to do with triage as anything else. Given limited resources, how do you decide what to go after? With the rise of supply-chain attacks and the persistent headache of software vulnerabilities, XDR platforms present a much-needed respite from the triage issue. First, XDR automates the critical, manual investigative tasks and endures all the associated tedium and false starts on behalf of analysts. Secondly, it automates the playbook in the event of finding an anomaly. When alerts reach the analyst, they are significantly less likely to be a waste of their time. In other words, XDR alerts are more actionable.
It starts with an investigation. Having detected something worth pursuing, the XDR solution identifies IOCs such as hashes, links, IP addresses, domains, and URLs. It goes on to validate these IOCs against trusted sources. Once a malware strain is confirmed, XDR tries to identify other IOCs by allowing the sample to run its course inside a sandbox. By allowing it to exhibit its designed behaviour, XDR can automatically sift out other important information, such as which network connections the strain tries to make and what registry modifications and file drops it performs. All this information allows SecOps teams to scope the incident and detect lateral movement.
At this stage, the XDR platform will have singled out endpoints that may have been impacted by lateral movement, thus supplying analysts with actionable alerts. The platform could also automatically scan the environment and perform updates such as endpoint security engines’ rulesets, policies, and network solutions’ IOC catalogues. XDR would search for more IOCs in endpoints, SIEM solutions, firewalls, proxy servers, and DNS logs. At the end of the investigation, the level of data leakage will be determined.
After the investigation, XDR moves on to containment and, if possible, eradication. It can automatically contain infections at the endpoint level and remove or shut down virtual interfaces. The platform will quarantine compromised endpoints in dirty VLANs or shut down switch ports. It can create prevention rules and policies in firewalls, proxy servers, and other solutions to render the malware useless for future campaigns. XDR can also enforce endpoint solution (or agent) installation on affected devices.
When the dust has settled, lessons must be learned. Reporting is also automated in XDR. Actions taken; hosts affected; URLs investigated; domains, IPs, files, and hashes probed. All are included, along with details of any data leakage and policy changes.
Safe at last?
XDR is not an install-and-forget technology. It is a way of life — a way of operating and thinking. Just as XDR empowers constant vigilance, it also requires it. Roles, processes, information sharing, and organic updating must come together to ensure that the digital environment and all those who use it are safe today, tomorrow, and for the foreseeable future.