No matter the technology platforms being paraded through the Security Operations Center (SOC) in recent years, humans still aren’t meeting data in the right place. “Extended detection and response” (XDR), however, may finally allow cybersecurity professionals to become proactive investigators rather than eyeballs staring at consoles.
Most SOCs are not detecting every threat they need to while also grappling with a high number of false positives. Analysts simply can’t keep up with the volume and velocity of alerts generated by an overabundance of tools and user-generated trouble tickets. Having more tools, sensors, and telemetries in the SOC is counterproductive without integrated reasoning happening before a human is brought in to help remediate the problem.
XDR adds a missing layer so that the point where people meet data is one that enables them to make smarter decisions to proactively defend the organization.
People must meet data in the right place
Today’s SOC is ingesting so much data and sorting through so many alerts, as well as trouble tickets from end users, that analysts are being driven crazy. The current thinking behind today’s technology platforms is that more is better.
Some organizations try to solve this problem by outsourcing to a Managed Security Service Provider (MSSP), but because those analysts don’t work in their customers’ environment, it’s hard for them to know whether exceptional activity is a real threat or not. Standard operating procedure is to tell the customer, but because it happens so often the organization still ends up with a constant flood of false positives. The MSSP becomes the boy who cries wolf, even if their motivations are sound—they’re passing everything on out of an abundance of caution.
What the SOC really needs is the ability to catch the things that matter by reducing the false positives, so analysts aren’t running around doing unnecessary investigations. Security Information and Event Management (SIEM) rules can only correlate a small number of events, Security Orchestration, Automation and Response (SOAR) playbooks are not intelligent and bottleneck at high volume, and both are costly and difficult to build and maintain. Overwhelmed security analysts must conduct manual investigations even as alert volumes are rising exponentially, resulting in unattended alerts and events everywhere.
The value of XDR is that you can go beyond endpoints as a source of threat intelligence without adding to the overload, because there’s a layer of integrated reasoning before humans need to get involved.
The machine always remembers
XDR is what Gartner describes as emerging solutions that “automatically collect and correlate data from multiple security products to improve threat detection and provide an incident response capability.”
This means a SOC can add telemetries and meld them together in an XDR so that they corroborate each other. By creating multiple opportunities to detect from multiple perspectives, you can reduce the information overload for analysts because you have the right engine doing the integrated reasoning.
XDR is an outgrowth of MDR—managed detection and response—and EDR—endpoint detection and response. The “X” recognizes that the managed piece isn’t working because analysts’ eyes are on screens rather than algorithms. It lets machines do what humans can no longer do in a modern SOC—store a great deal of information learned from logs and act on it quickly to support an active defense posture.
Even the smartest human working in a SOC has a limited short-term memory. But a machine can learn a lot and acquire the equivalent of 180 days of short-term memory at a rapid pace from multiple sources. An analyst is never going to remember that a single packet went out to a newly registered domain three weeks ago, but a machine will pay attention to these patterns and events over time and remember them in such a way that they become analytic elements that can be pieced together. Software and mathematics allow for constant and iterative improvements using data science and observing things in the real world.
This is a much better way to accumulate knowledge than relying solely on an analyst, who will get smarter and accumulate some knowledge intrinsic to the organization but is also going to be changing jobs every 18 to 24 months.
XDR is a vendor agnostic engine
The XDR category is still in flux—the research analyst community is still hammering out what its characteristics and capabilities are. What it shouldn’t be is yet another tool that generates alerts.
Rather, an XDR is a vendor-agnostic engine that should allow a SOC to integrate their chosen best-of-breed and open source tools into a single interface. It should function as an “intelligent investigation platform” that connects heterogeneous and siloed alerts and events and scales to high volumes. Rather than people trying to create context around the streams of data coming from the network, endpoints and the cloud, the XDR engine makes determinations of what is malicious and actionable, scopes together and maintains related evidence, and prioritizes based on attack severity and impact.
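To make the two ideas above concrete (the 180-day machine memory that ties a single lookup of a newly registered domain to later activity, and an engine that scopes related evidence and prioritizes by severity), here is a small correlation engine added as an illustration; it is not code from any vendor's XDR product. The event types, severity weights, escalation threshold and sample telemetry are all constructed for the example.

```python
"""Toy cross-telemetry correlation engine (added illustration, not a product's code).

Constructed DNS, proxy and endpoint events are keyed by host. Each host's
case keeps a 180-day window of evidence (the "machine memory" of the post),
so a low-signal event (one DNS lookup of a newly registered domain) is
corroborated by later events on the same host and escalated as one case.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RETENTION = timedelta(days=180)          # how long evidence stays in a case
SEVERITY = {"dns_new_domain": 1,         # assumed weights, constructed for the example
            "proxy_beacon": 2,
            "edr_lsass_access": 5}
ESCALATE_AT = 6                          # score at which a human analyst is pulled in

@dataclass
class Case:
    host: str
    evidence: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(SEVERITY[e["type"]] for e in self.evidence)

class Correlator:
    def __init__(self):
        self.cases: dict[str, Case] = {}

    def ingest(self, event: dict) -> Case:
        """Attach an event to its host's case, dropping evidence older than RETENTION."""
        case = self.cases.setdefault(event["host"], Case(event["host"]))
        cutoff = event["ts"] - RETENTION
        case.evidence = [e for e in case.evidence if e["ts"] >= cutoff]
        case.evidence.append(event)
        return case

    def escalations(self) -> list:
        """Only cases above the threshold reach a person, highest severity first."""
        hot = [c for c in self.cases.values() if c.score >= ESCALATE_AT]
        return sorted(hot, key=lambda c: c.score, reverse=True)

# Constructed sample telemetry: three sources, two hosts, spread over weeks.
T0 = datetime(2024, 1, 1)
SAMPLE = [
    {"ts": T0, "host": "ws-17", "type": "dns_new_domain", "src": "dns"},
    {"ts": T0 + timedelta(days=21), "host": "ws-17", "type": "proxy_beacon", "src": "proxy"},
    {"ts": T0 + timedelta(days=22), "host": "ws-17", "type": "edr_lsass_access", "src": "edr"},
    {"ts": T0 + timedelta(days=22), "host": "ws-42", "type": "dns_new_domain", "src": "dns"},
]

def run(events=SAMPLE) -> Correlator:
    """Replay events in time order and return the engine with its cases."""
    eng = Correlator()
    for e in sorted(events, key=lambda e: e["ts"]):
        eng.ingest(e)
    return eng
```

Running `run()` yields one escalated case for ws-17 carrying all three pieces of evidence, while the lone lookup on ws-42 stays below the threshold and never reaches an analyst.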
From an engineering perspective, an XDR leverages the existing best-of-breed solutions without adding time or costs, because it’s able to quickly put everything in context while massively reducing false positives. By doing all the data wrangling, the XDR speeds up the investigation and only escalates what needs to be seen by a real person, because it’s connecting evidence through automation. It’s also learning and retaining more institutional knowledge than humans can, which allows the SOC to develop suppression rules, custom enrichment and integrations, and remediation actions over time because the XDR has a better memory.
An XDR can ultimately be seen as middleware that integrates the best of everything—platforms, sensors and agents—to become the interface that allows people to meet data where it makes sense for them so they can be the cybersecurity investigators they’ve always wanted to be. They can make better decisions because they have every piece of the puzzle without having to look at every alert on a console.