Cyberseer Blog

XDR - What is the benefit?

Written by Elizabeth Gladen | 1:11 PM on August 12, 2021

Let’s face it, it’s a tough gig for CISOs and security teams right now. With an explosion of traffic from new and evolving sources, corporate estates that are sprawling and fragmented, and attackers who have upped their game, it’s no surprise that most Security Operations Centres (SOCs) are overwhelmed. We’re all familiar with the headlines about the eye-watering sums companies have paid to recover their data. That has helped push security to the top of the agenda, but it still leaves many teams working out, largely on their own, how to improve their security posture.

What are the current problems?

  • The rise of the malicious insider.

  • Demands from the digital workplace and providing safe access to a remote workforce.

  • Security and operations teams running in silos.

  • SOCs have too many tools and struggle to get clear visibility of threats in a centralised platform.

  • Legacy SIEMs are complicated to deploy, tune and maintain.

  • SecOps and SOC teams lack standardised methods.

  • Better telemetry is required, particularly from endpoints, identity and cloud.

  • Data ingestion at scale is difficult.

Does this sound familiar?

  • By default, and regardless of security value, every log source is dumped unfiltered into the SIEM.

  • Manual alert prioritisation forces analysts to pick the alerts that look most interesting and ignore the rest.

  • Alerts arrive without context, and there is no clearly defined workflow for what happens when one triggers.

  • Analysts pivot by hand back into the raw logs, and across multiple consoles, to answer basic questions.

  • The SOC struggles to reconstruct a timeline of events; doing so takes hours or days.

  • Repetitive tasks are handled inconsistently and manually, leading to missed or incomplete remediation.

What is XDR?

XDR is designed to deliver intelligent, automated, and integrated security across domains to help security teams connect disparate alerts and get ahead of attackers. Crucially, it provides visibility across many important data sources — including endpoint, network, cloud, and others — to find threats missed by individual point solutions.

Gartner defines XDR as follows: “Extended detection and response (XDR) describes a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components. Security and risk management leaders should consider the risks and advantages of an XDR solution.”

Delivered as a SaaS-based turnkey solution, XDR lets security teams switch it on and focus on threat detection and response rather than on building and maintaining the platform. With automation across all touchpoints, it offers a path forward for teams looking to increase efficiency and reduce complexity.

      “XDR is a path for organisations, helping them detect, identify, and understand complex attacks across the kill chain.”
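To make the correlation step concrete, here is a small added example (not Cyberseer's or any vendor's code) of what an XDR back end does with alerts from three point products. Endpoint, identity and network alerts each arrive in their own schema; the code normalises them, groups the alerts that touch the same host within a time window into one incident, raises the score when independent domains agree, and emits the ordered timeline that analysts otherwise rebuild by hand. Every alert, product and field name is constructed for the illustration.

```python
"""Toy cross-domain alert correlation: what an XDR back end does when it
connects endpoint, identity and network alerts into one incident.
Added example, not Cyberseer's or any vendor's code. Every alert, product
and field name below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts from three hypothetical point products, each in its own schema.
EDR_ALERTS = [
    {"ts": "2021-08-12T09:02:10Z", "hostname": "WS-0142", "user": "jdoe",
     "title": "Suspicious PowerShell download cradle", "sev": 7},
]
IDP_ALERTS = [
    {"time": "2021-08-12T08:58:40Z", "account": "jdoe", "device": "WS-0142",
     "event": "Impossible travel sign-in", "risk": "medium"},
]
NDR_ALERTS = [
    {"timestamp": "2021-08-12T09:03:05Z", "src_host": "WS-0142",
     "detection": "Beaconing to rare external domain", "score": 80},
    {"timestamp": "2021-08-12T14:30:00Z", "src_host": "SRV-DB01",
     "detection": "Internal port scan", "score": 40},
]

RISK_WORDS = {"low": 3, "medium": 5, "high": 8}  # identity product's labels -> 0-10 scale


def normalise():
    """Map each product's schema onto one common alert shape (the step a SIEM
    fed by unfiltered 'dump everything' ingestion never gets round to)."""
    out = []
    for a in EDR_ALERTS:
        out.append({"ts": a["ts"], "host": a["hostname"], "user": a["user"],
                    "source": "endpoint", "title": a["title"], "severity": a["sev"]})
    for a in IDP_ALERTS:
        out.append({"ts": a["time"], "host": a["device"], "user": a["account"],
                    "source": "identity", "title": a["event"],
                    "severity": RISK_WORDS[a["risk"]]})
    for a in NDR_ALERTS:
        out.append({"ts": a["timestamp"], "host": a["src_host"], "user": None,
                    "source": "network", "title": a["detection"],
                    "severity": a["score"] // 10})
    return out


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def build_incident(host, items):
    """Fold a burst of alerts on one host into an incident with an ordered timeline."""
    sources = sorted({a["source"] for a in items})
    # Independent domains agreeing on the same host is stronger evidence than
    # any single alert, so each extra domain lifts the score (capped at 10).
    score = min(10, max(a["severity"] for a in items) + 2 * (len(sources) - 1))
    return {
        "host": host,
        "users": sorted({a["user"] for a in items if a["user"]}),
        "sources": sources,
        "score": score,
        "timeline": [f'{a["ts"]} [{a["source"]}] {a["title"]}' for a in items],
    }


def correlate(alerts, window=timedelta(minutes=30)):
    """Group alerts on the same host into incidents, starting a new incident
    whenever the gap to the previous alert exceeds `window`."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        items.sort(key=lambda a: parse_ts(a["ts"]))
        current = [items[0]]
        for a in items[1:]:
            if parse_ts(a["ts"]) - parse_ts(current[-1]["ts"]) <= window:
                current.append(a)
            else:
                incidents.append(build_incident(host, current))
                current = [a]
        incidents.append(build_incident(host, current))
    return sorted(incidents, key=lambda i: -i["score"])


if __name__ == "__main__":
    for inc in correlate(normalise()):
        print(f'{inc["host"]} score={inc["score"]} sources={inc["sources"]}')
        for line in inc["timeline"]:
            print("   ", line)
```

Run as-is, the three WS-0142 alerts collapse into one incident scored 10, with the identity alert leading the timeline even though the endpoint product fired first; the lone port scan on SRV-DB01 stays a separate, low-scored incident. Real products key on more than hostname (user, source IP, process lineage, cloud resource IDs), but the shape is the same: normalise, join on shared entities within a window, score on corroboration.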

Key findings from Gartner:

"Security and risk management leaders are struggling with too many security tools from different vendors with little integration of data or incident response."

"Extended detection and response (XDR) products are beginning to have real value in improving security operations productivity with alert and incident correlation, as well as built-in automation."

"XDR products may be able to reduce the complexity of security configuration and incident response to provide a better security outcome than isolated best-of-breed components."

"XDR products have significant promise but also carry risks such as vendor lock-in. The XDR market is immature, and capabilities vary widely across products from different vendors."

Native XDR vs Open XDR

Native XDR is a closed ecosystem in which one vendor supplies both the front-end sensors that generate the data and the back-end analytics and workflow. Open XDR vendors, by contrast, focus predominantly on the back-end analytics and workflow engine: they integrate with your existing security and IT infrastructure, correlate and analyse the relevant data, and automate and optimise threat detection, investigation and response (TDIR) workflows. The trade-off is the one Gartner flags above: native XDR offers tighter integration at the cost of lock-in to a single vendor's sensors, while open XDR preserves your existing tooling but depends on the quality of its integrations.

Native XDR vendors tend to be either EDR vendors expanding their portfolio with more sensors and back-end capabilities such as advanced analytics, or platform vendors with a broad portfolio of security products that they are integrating more tightly to provide XDR-like functionality.

Why do many security implementations fail?

Many security implementations fail because of one of the following:

  • Inconsistent processes - Subpar investigation and response processes lead to subpar outcomes.

  • Customisation required - Long implementation cycles consume resources and time.

  • Project overload - Security teams struggle to manage and prioritise large projects.

Where are You on the XDR security path?

We can help you assess where you are on the path of XDR security and it’s more than likely you are further down the path than you think. To help you understand your current status, we would assess the following:

  • Determine the current state: security products, data sources and SIEM, MITRE ATT&CK coverage, and metrics.

  • Define the desired use cases, in priority order.

  • Map the data sources (and the visibility they give you) for each use case onto the MITRE ATT&CK framework.

  • Identify what additional data sources are required.
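As an added example of the assessment above (not Cyberseer's own method or tooling), the Python below checks prioritised use cases against the telemetry currently feeding the SIEM, using MITRE ATT&CK data components as the shared vocabulary between "what we need to see" and "what our products actually send". The technique-to-data-component mapping is an illustrative subset written for this post rather than an export of ATT&CK, and the product inventory is constructed.

```python
"""Data-source coverage check for prioritised detection use cases, using MITRE
ATT&CK data components as the shared vocabulary between 'what we need to see'
and 'what our products actually send'. Added example, not Cyberseer's own
method or tooling. The technique mapping is an illustrative subset written for
this post (not an export of ATT&CK) and the product inventory is constructed."""

# Illustrative subset: technique -> ATT&CK data components needed to detect it.
TECHNIQUE_REQUIREMENTS = {
    "T1059.001": {"name": "PowerShell",
                  "needs": {"Process Creation", "Command Execution", "Script Execution"}},
    "T1078":     {"name": "Valid Accounts",
                  "needs": {"Logon Session Creation", "User Account Authentication"}},
    "T1021.001": {"name": "Remote Desktop Protocol",
                  "needs": {"Logon Session Creation", "Network Connection Creation",
                            "Process Creation"}},
    "T1486":     {"name": "Data Encrypted for Impact",
                  "needs": {"File Modification", "Process Creation", "Command Execution"}},
}

# Use cases in priority order, each tied to the techniques it must detect.
USE_CASES = [
    ("Ransomware pre-encryption activity", ["T1059.001", "T1486"]),
    ("Compromised credentials and lateral movement", ["T1078", "T1021.001"]),
]

# Constructed inventory of what currently feeds the SIEM, by data component.
CURRENT_SOURCES = {
    "EDR agent": {"Process Creation", "Command Execution", "File Modification"},
    "Domain controller security log": {"Logon Session Creation",
                                       "User Account Authentication"},
    "Perimeter firewall": {"Network Traffic Flow"},
}


def available_components(sources):
    """Union of data components across every onboarded source."""
    have = set()
    for components in sources.values():
        have |= components
    return have


def assess(use_cases=USE_CASES, sources=CURRENT_SOURCES, reqs=TECHNIQUE_REQUIREMENTS):
    """Per use case: fraction of required components present, and the gaps per technique."""
    have = available_components(sources)
    report = []
    for name, techniques in use_cases:
        needed, missing = set(), {}
        for tid in techniques:
            needs = reqs[tid]["needs"]
            needed |= needs
            gap = needs - have
            if gap:
                missing[tid] = sorted(gap)
        report.append({
            "use_case": name,
            "coverage": round(len(needed & have) / len(needed), 2),
            "missing": missing,
        })
    return report


def sources_to_add(report):
    """Last step of the assessment: the additional telemetry needed, across all use cases."""
    gaps = set()
    for entry in report:
        for components in entry["missing"].values():
            gaps.update(components)
    return sorted(gaps)


if __name__ == "__main__":
    rep = assess()
    for entry in rep:
        print(f'{entry["use_case"]}: {entry["coverage"]:.0%} covered, gaps {entry["missing"]}')
    print("Telemetry to onboard:", sources_to_add(rep))
```

With this inventory both use cases come out 75% covered, and the two gaps are script execution telemetry (PowerShell script block logging or equivalent) and host-side network connection creation. Note that the firewall's flow records are modelled here as a different component from connection creation on the host, so the RDP technique still shows a gap even though "network" data is being ingested; that distinction is exactly what a use-case-first mapping surfaces and a "dump all logs into the SIEM" approach hides.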

What is the benefit of XDR to my business?

  • Improved operational efficiency and accuracy.

  • Reduced security and business risk.

  • Derive more value from your security stack.

  • Reduce wasted time.

  • Reduced analyst attrition and improved morale.

  • A more cohesive security operations system.

If you have any questions, wish to experience XDR for yourself, would like to engage in a proof of concept (POC) with Cyberseer, want to understand your capabilities through a use-case MITRE ATT&CK mapping session, or would like to discuss our SOC offerings, please do get in touch.