The converging future of XDR and Threat Hunting

istock 1400359666 2
iStock

The cybersecurity challenge for organizations of all sizes continues to get more difficult. Complex threats and a growing cybersecurity skills gap is making life harder for often overworked IT teams. Without automation, they find it difficult to process and act on a steadily increasing flow of data and security alerts from across the network.  As a result, many organizations are considering extended detection and response (XDR) tools to make better sense of incoming threat information. The market is projected to reach $2.36 billion by 2027, and small to mid-size enterprises are leading the way.

What is XDR?

XDR provides visibility into all layers of the network and application stack, including endpoints, networks, SaaS and hosted applications and any network addressable resource. Using AI and machine learning, XDR provides advanced detection and automated correlation to reveal potentially dangerous events that might be missed by solutions that rely on humans to correlate events from disparate systems. XDR also helps security teams manage a flood of information and minimize alert fatigue; it allows them to quickly distinguish between threats that are significant and immediate, those that need to be monitored and those that can be easily remedied.

XDR in the era of Consolidated Security Platforms

In recent years, the once discrete elements of a cybersecurity framework – firewalls, endpoint detection and response (EDR), secure Wi-Fi and multifactor authentication (MFA) – have been brought together in centralized, cloud-managed security platforms. In addition to increasing the efficiency of security delivery and management, this approach also provides comprehensive visibility across the extended network. This unified cybersecurity can leverage XDR to provide the foundation for both automated detection and even automated response to threats. At same time, however, attackers are adopting automation to increase the scale, velocity and precision of their attacks; for instance, generating phishing emails with AI increases the chances that they’ll be opened.

XDR as complement to threat hunting

Professional threat hunters – cybersecurity experts specially trained to find patterns in large amounts of data and spot anomalies that might be the signals of an attack – are sometimes skeptical of the idea that artificial intelligence automation can be used to track down threats. They earnestly believe that AI and ML are nowhere near ready for primetime when it comes to identifying unique attacks, let alone remediating them automatically. But instead of seeing it as a poor substitute for a human-centric approach, organizations should re-think how XDR can make the job of threat hunting easier.

In fact, XDR can help threat hunting teams find and mitigate attacks in a number of ways, including:

  • More efficiently processing data collected from existing sources by transforming it with contextual information.
  • Leveraging machine learning to find hidden threats using sophisticated behavioral models.
  • Identifying and correlating threats through multiple layers of the network or stack.
  • Minimizing alert fatigue by automatically processing information to narrow down the alerts that require additional investigation.
  • Providing forensic beacons built from multiple signals so threat hunters can see the larger picture and quickly and confidently complete investigations.

As attack surfaces get larger and cybersecurity threats become more sophisticated and frequent, the volume of incident data is increasing exponentially. Wading through all of that information and finding the real threat signals in the noise is becoming too hard for humans to do without the assistance of automation.

How that automation is used is a key consideration, of course. Not all threats are unique and not all risks are equally serious. With consolidated security platforms from a single vendor, AI can take advantage of signals and responses at the lowest levels of codes, making for more robust automated detection and remediation algorithms that allow security teams and threat hunters to focus on what’s most important. In the not-so-distant future, security teams will be able to automatically triage threats, quickly surfacing those that are more serious and require human attention while leaving more basic threats to be remediated by smart systems.

The never-ending battle between cybersecurity professionals and threat actors goes back and forth as each side adopts new technologies and develops new techniques. Security teams can’t afford to let attackers have a monopoly on automation; XDR helps to level the playing field.

Related:

Copyright © 2023 IDG Communications, Inc.