LINEARSTACK
March 23, 2023

Extended Detection and Response (XDR)

XDR - What it is and how it speeds up cyber threat detection, investigation and response

Extended Detection and Response (XDR) is a security product category designed to collect and analyse telemetry from across an organization's IT environment including network, cloud, email, endpoints and servers; and use this data for better and faster threat detection and response. XDR products have evolved from EDR or Endpoint Detection and Response, and go beyond the endpoint to include the ingestion and analysis of data from all data sources. Stellar endpoint protection, detection and response capabilities, however, remain key to the effectiveness of any XDR solution.  

Siloed, single-purpose security products (like firewalls, antivirus solutions, network traffic analysis tools, user behaviour analysis, intrusion detection and prevention tools and threat intel platforms) may excel at specific tasks but fail at detecting and handling advanced threats and multi-vector attacks because of limited visibility and not enough response options. EDR tools and agents are powerful but incomplete in that they are focused on endpoints and the data generated from them needs to be supplemented by other point products for networks, servers, email, web, cloud, threat intelligence etc.  

In the absence of a tool to unify alerts generated from different sources, security analysts need to pivot from console to console to get the full picture of an event and lose precious hours separating true positives from false positives. It is an uphill task to derive relevant information from the good data that is buried under a deluge of alerts.  

XDR integrates and correlates cross-telemetry alerts, and offers powerful behavioural analytics and automation capabilities to improve and speed up threat detection, investigation and response, and reduce analyst fatigue and false positives.  

Gartner’s definition:

“Extended detection and response is a platform that integrates, correlates and contextualizes data and alerts from multiple security prevention, detection and response components. XDR is a cloud-delivered technology comprising multiple point solutions and advanced analytics to correlate alerts from multiple sources into incidents from weaker individual signals to create more accurate detections”.

SecOps challenges that XDR solves  

Product sprawl  

Is it estimated that an average security team today uses more than 40 products for visibility, threat intel, threat prevention, detection and response/remediation. These may include network traffic analysis tools, intrusion detection and prevention, user and entity behaviour analysis, next-generation antivirus solutions, firewalls and proxies, email gateways, and more. Together these products generate an unmanageable number of alerts, many of which provide no value to the analyst. Additionally, if these products do not inter-operate, it takes a huge amount of effort and console switching for the security analyst to build a full picture of an incident (from finding the initial access point, to discovering the systems affected and the extent of the attacker’s control, to the end goal), manually.  

How XDR solves this

XDR solves product sprawl by integrating, correlating and analysing data from various telemetry sources across the enterprise environment, and providing a single pane of glass to the security team to make sense of and act on a threat or an incident. XDR products stitch together the alerts generated from different sources to build a complete timeline of a threat or incident, thus reducing detection and investigation time for analysts.  

Alert fatigue  

An expanding attack surface and multiple siloed products together lead to a deluge of alerts, many of which are false positives and not worth the analyst’s time. It isn’t possible for analysts to manually investigate thousands of alerts every single day, which means that no matter how productive a security team is, there are going to be threats that go un-investigated because of the sheer volume of alerts.

How XDR solves this

XDR solves the related issues of alert fatigue and too many false positives by automating a good part of the Tier 1 analyst’s repetitive work and triaging, adding context to data with threat intel, and using analytics to correlate and group together alerts by incident. This significantly reduces the number of alerts that analysts have to investigate manually, reduces false positives and speeds up detection and analysis.  

Gaps in visibility

The average organisational attack surface today isn’t clearly demarcated and is composed of multiple interacting elements. With many organisations relying increasingly on cloud services for computing, data storage, processing and sharing, and a big proportion of the workforce operating remotely, organisations need to defend an environment that extends far beyond the traditional on-premises network perimeter. Visibility into the complete attack surface has become a challenge, and it is impossible for organisations to defend the parts of their networks that they can’t see.  

How XDR solves this

XDR platforms provide visibility into not just the endpoint (end user devices like laptops, PCs, phones, tablets), but also the network, the cloud environment, email servers, and the web components that together make up the complete IT environment of an organisation. They ingest and analyse data from multiple sources, thus providing a complete, constant, real-time view of activity within the extended enterprise environment. XDR platforms also store data for a significant amount of time to aid the investigation of persistent threats and attacks.

Slow threat detection and response

Advanced, stealthy threats can penetrate networks and remain undetected for several weeks to several months. According to IBM’s 2020 Cost of a Data Breach Report, organisations take an average of 280 days to detect and stop sophisticated threats. After detection, investigations can be slow and response actions delayed or incomplete because of inadequate people-to-people and product-to-product coordination and lack of options for remote response.

How XDR solves this

XDR leverages machine learning and behavioural analytics to detect both known and unknown threats quickly and includes functionality to automatically block known threats, and alert the SecOps team to the presence of unknown threats or anomalous activity. Automatic correlation of alerts, root-cause analysis and alert grouping facilitate quick investigation and bring down detection and response time to seconds and minutes. XDR platforms also provide response recommendations and the capability to execute response actions remotely (run scripts, quarantine files, isolate systems, etc.).  

  • Orchestration & Automation - XDR platforms either incorporate orchestration and automation or integrate tightly with a SOAR tool to orchestrate and streamline response processes via playbooks, and automate many of the straightforward response steps to speed up threat resolution.
  • Threat hunting – Regular threat hunts reduce the time between adversary intrusion and threat discovery, often preventing serious financial damage. This is especially useful in finding stealthy, persistent threats that are not detected at the initial access stage. By automating repetitive tier-1 tasks, XDR platforms free up analysts’ time for proactive threat hunting. Most platforms facilitate threat hunts by providing strong search capabilities to prove hypotheses, integrating threat intelligence to provide more context and instances of similar activity in the extended network, and including functionality to easily convert hunts into detection rules.  

Read more about threat hunting here.

Unknown threats going under the radar

Traditional signature-based detection methods often miss unknown threats and zero-day attacks that aren’t on any threat intel feeds and blocklists. Attackers are constantly looking for new ways to evade detection, and traditional approaches to blocking malicious activity cannot detect threats hiding behind legitimate apps or living off the land.  

How XDR solves this

XDR comes with powerful behavioural analytics capabilities to quickly catch even the most sophisticated threats based on attackers’ behaviour patterns that remain consistent regardless of the specific payloads or malware being deployed. XDR platforms use machine learning to baseline routine user and system activity, and spot anomalies based on changes in expected activity patterns.

Read about the difference between signature-based detection and behaviour-based detection here.

High deployment time and effort

Security tools designed for data integration and a single console for viewing and acting on telemetry from different tools, are usually difficult and time consuming to set up, tune and deploy. It can take several weeks to several months for the more complex tools to become operational and show results because of the finetuning needed prior to that. Additionally, tools deployed on-prem are difficult to scale, update and manage.  

How XDR solves this

XDR is a cloud-deployed technology that can be set up and made operational within days rather than weeks and months. Agents can be easily installed on endpoints and operating systems, and cloud deployment allows scalability in addition to providing seamless updates and ingestion of new threat intel as soon as it becomes available.  

High costs of security operations

With organisations using dozens of security products to effectively detect and stop cyber attacks, the total cost of ownership of the entire security toolstack can be exorbitant. Add to this the costs of 24/7 monitoring and maintenance and constant technology upgrades to meet new threats, and the price to remain secure can start seeming unaffordable to a significant percentage of businesses.

How XDR solves this

XDR platforms integrate a number of cyber security capabilities and significantly reduce product sprawl, bringing down an organisation’s overall security operations expenses significantly. By outsourcing XDR management and 24/7 monitoring to a Managed Detection and Response Provider (MDR) like LinearStack, organisations can further reduce costs while getting the benefits of round-the-clock availability of security expertise, access to industry-best technology, incident response support and a stronger security posture.  

What to look for in an XDR platform

According to Gartner, more than 40 percent end-user organizations will be using XDR by the end of 2027, up from only 5 percent organizations today. The technology is already helping many organisations reduce product sprawl and alert fatigue, get greater visibility into their environments, and significantly reduce threat detection and response time, while keeping overall SecOps costs relatively low.  

However, before jumping on the XDR bandwagon, organisations must assess their specific IT infrastructure and choose a solution that meets their unique requirements and provides real value. A number of vendors who provide SIEM or EDR solutions are rebranding these as XDR, which may be misleading.  

Here are some of the things to look for when choosing an XDR platform:

Stellar threat prevention

The tool should have the capability to automatically stop a vast majority of threats before initial access or outside the perimeter, with little to no manual intervention. This will allow the security team to focus on investigating the stealthier, unknown threats that may evade detection at the initial stage.  

Deep visibility into endpoint activity

A good XDR platform must provide deep visibility into endpoint activity without relying on a third-party. It must include strong endpoint threat prevention with next gen anti-virus and endpoint protection capabilities.  

Cloud-delivery and scalability

True XDR is cloud-delivered and scalable, which makes deployment and management simpler and allows new updates to be delivered to all users as soon as they are available.  

Data integration from multiple sources

Data ingestion and integration from multiple sources is one of the core capabilities of an XDR platform. The better the ability to ingest data from other tools and sources in the environment, the greater value the platform will provide in terms of visibility and threat detection.  

Threat intelligence integration

Good XDR platforms simplify the integration and operationalisation of threat intelligence to automatically add context to alerts, stitch together related alerts and speed up the threat detection and investigation process.  

Behavioural analytics-based detection

Most XDR tools feature strong TTP and behaviour-based threat detection. This depends, to a great degree, on the platform’s machine learning and automation capabilities to first baseline routine user and system behaviour, and then find anomalies based on user behaviour aberrations and attacker tactics and techniques.

Remote response capabilities

Existing XDR platforms have varying degrees of native response capabilities, with some allowing immediate neutralisation of the threats detected, blocking access, isolating systems, quarantining malicious files, and so on. Others may require integration with third-party tools to initiate response actions. Look for a solution that meets your specific needs.

Customisable dashboards and report generation

Also look for customisable dashboards to view and easily understand and act on security data, along with multiple options to generate reports with varying categories of data and formats.

Continuous improvement of operations

While XDR platforms can be deployed quickly and take security operations to the next level relatively fast, they provide even greater value over time as they learn from the environment, patterns of user behaviour, and already detected and neutralised threats and incidents. Orchestration and automation, in particular, need time and effort to set up and really shine.  

Working with a Managed Detection & Response (MDR) provider to get the most value from your XDR investment

“MDR services are a credible overlay for detection and response technologies. They are designed to remove complexity for the consumer and add a layer of human intelligence and interpretation to what is commonly a very complex set of technology-driven findings”. – Gartner’s Market Guide for XDR, 2021

Many organisations do not have the cyber security expertise, resources and skillset needed to operate an XDR platform in-house. While many XDR solutions are designed to make it easier for analysts to triage and act on alerts, setting up the tool, implementing automation use cases, 24/7 vigilance, and responding quickly to detections that require human intelligence - all need a level of expertise that may be difficult to find or build internally.  

By engaging Managed Detection & Response (MDR) providers to set up and manage XDR, organisations are assured of advanced threat detection and incident response expertise and 24/7 threat monitoring and response without having to spend time and resources on building an in-house team for detection. Even larger organisations often choose to augment their internal security teams by partnering with an MDR provider specialising in detection and response. This not only helps them achieve the outcomes promised by XDR platforms, it also reduces stress on internal teams and frees them up to work on other business-critical functions.

LinearStack’s XMDR Service powered by Cortex XDR

LinearStack is a Palo Alto Networks XMDR Specialisation Partner. We combine the power of industry-best Cortex XDR with our cyber security expertise and 24/7 monitoring to deliver a world-class detection and response service. In February 2022, we became the first cyber security service provider in the JAPAC region to achieve the XMDR partner specialisation. If you are in NZ or Australia and are looking to augment your cyberdefence capabilities with XDR, get in touch with us. Our expert security consultants will walk you through the entire service deployment and delivery process, outcomes, and business benefits so you can make an informed decision on whether XDR is the right solution for you.  

Call us today at 0800 008 795 or email info@linearstack.co.nz to book a consultation

Read more about our MDR service here: XMDR with Cortex

Blogs

Start Reading

Our latest blogs and news are here for you

An Introduction to Cyber Threat Hunting

What threat hunting is and how it helps security teams find advanced threats faster
Read More

Incident Response Planning and Preparation

Why every organisation needs an incident response plan and what to include in your IR plan
Read More

Incident Response Best Practices

Common mistakes to avoid when responding to a cyber incident
Read More
Are you experiencing a security issue? Call us now.