5 things to look for in an XDR solution

About 18 months ago, I first wrote about XDR (eXtended Detection and Response) in this post on CSO.  Since then, it seems every security vendor—major security vendors and small companies alike—has jumped on the XDR bandwagon and embraced the concept.

Some vendors have approached XDR from the endpoint in and others from the network out. Either approach is valid as the premise of XDR is that security shifts from a series of point products to a single platform for threat visibility across the enterprise.  Data is collected from the various enforcement points and then analyzed so threats can be detected faster and, more importantly, can be responded to quickly to contain the blast radius.

Traditional security tools, such as EDR (endpoint detection and response), often find threats but aren’t able to understand where the threats emanated from so corrective action can’t be taken. This is why most detection and response tools are much better at the “D” than they are the “R.” XDR corrects that.

5 key capabilities for XDR solutions

XDR cuts across all the security layers, which is why so many vendors have thrown their hat in the ring. This has created a situation where there are a dizzying number of vendors to choose from, some of which are true XDR solutions and some that are XDR by name only.  To help with the decision process, below are five key criteria for XDR solutions:

1. Visibility across the security spectrum. The “X” in XDR is “eXtended” so by definition XDR tools need to have broad visibility, but it’s unrealistic to expect any vendor to have security products at all points in the threat landscape.  At a minimum, the XDR vendor should offer endpoint, cloud, and network and then ingest third party data feeds for areas like e-mail and application-specific data. Ideally the XDR vendor would own the three pillars but could deliver the capabilities via a partnership. Tying response together across systems could be a challenge, but it is feasible.
2. Machine learning-based analytics. Security systems are generating massive amounts of data—far too much for even the best forensic expert to analyze manually. Machine learning (ML) algorithms can spot even the smallest anomaly that could indicate breach. Despite the need, some security pros are reticent to cede visibility to machines, but it’s the only feasible way to accomplish XDR at scale. The healthcare industry went through this years ago when doctors were uncomfortable having ML systems look at MRIs, but doctors quickly found ML enabled them to spend more time treating patients and less time looking at data.  The same is true with security and XDR.
3. Automated response. Similar to ML-based analytics, using automation to respond to security incidents requires a leap of faith. Some might consider it risky to automate threat response, but the fact is manual processes slow down responses and can cost companies millions if there is an active breach. A good interim step would be to have the XDR system recommend a change but enable the security team to validate and execute the change. This is similar to autopilot in a Tesla where the driver needs to keep their hands near the wheel, but the car takes control.
4. Coordinate responses. The inability to coordinate responses across the network, endpoint, and cloud has been an Achilles heel for security teams since the birth of cyber security. The network might notice a threat and shut it down but does not inform the team responsible for endpoints, causing some malware to run amok within the company. XDR requires an integrated response system that enables security teams to eliminate network, cloud, and endpoint threats from a single dashboard. This will enable fast response and contain the blast radius of a threat and keep it manageable.
5. Simplified workflows. There’s an axiom in security that “complexity is the enemy,” and that’s certain true for XDR. Today’s siloed security tools provide a seemingly never-ending stream of alerts that are too noisy to make sense of. A proof point of this comes from the fact that the security vendors in many of the major breaches we have seen over the past decade all claim to have seen the incident, but the security teams didn’t act. Too many alerts are as useful as no alerts. XDR systems must provide a complete picture with simplified investigations making it easy to find the root cause, sequence of events, and threat intelligent details from the various sources.

One final note for companies considering an XDR deployment:  While there are many strong solutions available, they are only as effective as the team that’s using them. A winning XDR strategy will require breaking down the silos between the various security groups, such as cloud, endpoint, and network. The deployment of XDR must be driven from the CISO down with a mandate that the security groups be willing to work across their silos. XDR has come a long way since the term was first introduced two years ago, and people and processes must evolve as well.