LINEARSTACK
March 23, 2023

What is Extended Detection and Response (XDR)?

Forrester defines XDR as: "The evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real time ... a cloud-native platform to provide security teams with flexibility, scalability, and opportunities for automation."

XDR provides broader visibility and insight into sophisticated attacks. Where EDR and NDR each cover one layer, XDR aims for unified, extensible visibility across the enterprise security landscape, including endpoints, servers, containers, remote users, and applications. XDR merges security telemetry from these sources into a single AI-powered analytics platform so that threats arriving through multiple attack vectors can be analysed together rather than in isolation.

EDR, NDR, and MDR Consolidation into XDR 

Endpoint detection and response (EDR) protects endpoints such as servers, laptops, mobile devices, and tablets. The EDR agent detects and, where configured, prevents attacks against the end-user attack surface, and applies policy-based controls that capture the telemetry behind an attack (process, file, and network activity on the host) for later investigation.

Network detection and response (NDR) is a physical or virtual sensor in the network architecture, deployed either inline or off a SPAN port on the core and access switches. NDR uses algorithms, advanced analytics, and contextual rules to detect and, when deployed inline, stop network-based attacks, including ransomware propagation, malware lateral movement, Denial-of-Service (DoS), and brute-force attacks. NDR also offers automated response capabilities to shut down an attack, centralised visibility of the network, and threat intelligence collection.

Managed detection and response (MDR) is a service offered by MSSPs that provides clients with the security operations centre (SecOps) and DevOps resources needed to run an XDR platform.

XDR offers an organisation many benefits, including the following:

  • Threat hunting - By capturing telemetry from several components across the enterprise, XDR gives SecOps a single front end for threat hunting and reduces alarm and alert fatigue, all through one unified platform. Many XDR tools also map their detections to the MITRE ATT&CK framework to show which parts of the enterprise are under attack, which tactics and techniques are in use, and which known threat groups are associated with them.
  • Triage - Consolidated telemetry lets SecOps teams prioritise security events by a composite risk score, with enough visibility to understand the impact on the organisation and the number of users affected. The prioritisation is based on the consolidation and correlation of all collected events, not on a single source such as EDR or NDR alone.
  • Investigation and Root Cause - SecOps spend countless hours on root-cause analysis and reconstructing how an attack unfolded. Before XDR, organisations used SIEM tools to correlate syslog and other message formats in a centralised tool and map out kill chains. However, traditional SIEM solutions lack the analytics needed to connect events across several telemetry sources and the ability to act on them: comprehensive security orchestration, automation, and response across several devices and components at once.
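As an added example (not code from the original post or from any XDR product), the following Python sketch shows what the consolidation and triage described above look like in practice: telemetry from an EDR agent and an NDR sensor, each with its own field names and severity scale, is normalised into one schema, grouped into per-host incidents within a time window, and scored as a composite across sources rather than per source. The events, field names, and scoring weights are constructed for illustration; the ATT&CK technique IDs are real.

```python
"""Normalise EDR and NDR telemetry, correlate it per host, and rank incidents by a composite risk score."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (illustrative, not real product output).
# Note the different field names and severity scales: EDR severity is 0-10, NDR score is 0-100.
EDR_EVENTS = [
    {"ts": "2023-03-21T09:02:11Z", "hostname": "ws-042", "user": "j.doe", "event": "process_start",
     "cmdline": "powershell -enc SQBFAFgA...", "severity": 6, "technique": "T1059.001"},
    {"ts": "2023-03-21T09:03:40Z", "hostname": "ws-042", "user": "j.doe", "event": "credential_access",
     "cmdline": "rundll32 comsvcs.dll MiniDump 612 lsass.dmp full", "severity": 9, "technique": "T1003.001"},
    {"ts": "2023-03-21T11:15:00Z", "hostname": "ws-017", "user": "a.smith", "event": "process_start",
     "cmdline": "chrome.exe", "severity": 1, "technique": None},
]
NDR_EVENTS = [
    {"timestamp": "2023-03-21T09:05:02Z", "src_host": "ws-042", "dst_ip": "10.0.5.20", "dst_port": 445,
     "alert": "SMB admin share access to file server", "score": 70, "attack_id": "T1021.002"},
    {"timestamp": "2023-03-21T09:06:30Z", "src_host": "ws-042", "dst_ip": "10.0.5.21", "dst_port": 445,
     "alert": "SMB admin share access to file server", "score": 70, "attack_id": "T1021.002"},
    {"timestamp": "2023-03-21T14:40:00Z", "src_host": "ws-017", "dst_ip": "203.0.113.9", "dst_port": 443,
     "alert": "TLS to newly registered domain", "score": 30, "attack_id": "T1071.001"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def normalize_edr(e):
    """Map an EDR record onto the common schema used for correlation."""
    return {"time": parse_ts(e["ts"]), "host": e["hostname"], "source": "edr",
            "severity": e["severity"], "technique": e["technique"],
            "summary": f'{e["event"]}: {e["cmdline"]}'}


def normalize_ndr(e):
    """Map an NDR record onto the same schema, rescaling its 0-100 score to 0-10."""
    return {"time": parse_ts(e["timestamp"]), "host": e["src_host"], "source": "ndr",
            "severity": e["score"] // 10, "technique": e["attack_id"],
            "summary": f'{e["alert"]} -> {e["dst_ip"]}:{e["dst_port"]}'}


def correlate(events, window=timedelta(minutes=30)):
    """Group events by host; a gap longer than `window` between consecutive events starts a new incident."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, evs in by_host.items():
        current = None
        for ev in evs:
            if current is None or ev["time"] - current["last"] > window:
                current = {"host": host, "first": ev["time"], "last": ev["time"],
                           "events": [], "sources": set(), "techniques": set()}
                incidents.append(current)
            current["events"].append(ev)
            current["last"] = ev["time"]
            current["sources"].add(ev["source"])
            if ev["technique"]:
                current["techniques"].add(ev["technique"])
    return incidents


def composite_risk(incident):
    """Highest single severity, plus a bonus for each extra independent source that saw the host
    and for each distinct ATT&CK technique (capped), clamped to 10. Two sensors agreeing on one
    host outranks one noisy sensor. The weights are constructed for this example."""
    max_sev = max(e["severity"] for e in incident["events"])
    source_bonus = 2 * (len(incident["sources"]) - 1)
    technique_bonus = min(len(incident["techniques"]), 3)
    return min(max_sev + source_bonus + technique_bonus, 10)


def triage(edr_events=EDR_EVENTS, ndr_events=NDR_EVENTS):
    """Return incidents sorted highest risk first."""
    events = [normalize_edr(e) for e in edr_events] + [normalize_ndr(e) for e in ndr_events]
    incidents = correlate(events)
    for inc in incidents:
        inc["risk"] = composite_risk(inc)
    return sorted(incidents, key=lambda i: i["risk"], reverse=True)


if __name__ == "__main__":
    for inc in triage():
        print(f'{inc["host"]} risk={inc["risk"]} sources={sorted(inc["sources"])} '
              f'techniques={sorted(inc["techniques"])} events={len(inc["events"])}')
```

Run on the sample data, ws-042 rises to the top because an encoded PowerShell launch and an LSASS dump seen by EDR are followed within minutes by SMB admin-share connections seen by NDR; each source alone would have produced a medium alert. The same host's later browsing on ws-017 is split into separate low-risk incidents because the events fall outside the correlation window.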

XDR combines the best security technology into one merged cybersecurity platform, pairing AI and ML capabilities with a comprehensive toolset for security operations teams. It provides an end-to-end solution for detecting threats, delivering actionable insights into attacks, and supplying detailed context for forensic investigation.

To realise the benefits of XDR, organisations need highly qualified SecOps and DevOps engineers monitoring and responding 24 hours a day; without them, the platform is not effective.

Importance of the MITRE Framework With XDR 

The MITRE Corporation first publicly released the ATT&CK framework in 2015. It has been evolving ever since and now draws on over 30 contributors from government agencies and private companies across the globe.

MITRE, an independent not-for-profit organisation that works across governments, industries, and academic institutes, began the research behind ATT&CK in 2013, documenting the real-world behaviour of advanced persistent threat (APT) groups.

The Value of the MITRE ATT&CK Framework 

MITRE ATT&CK is a knowledge base of adversary tactics and techniques drawn from real-world observations. It helps you decide which telemetry is worth collecting, describe security incidents in a common language, define detection targets, and prioritise actions. It includes the following:

  • Each of the 14 tactics in the Enterprise ATT&CK matrix (the adversary's objective at a given stage, such as Initial Access, Credential Access, or Lateral Movement) groups the techniques attackers have been observed using against real-world targets. The techniques describe how attackers achieve each objective.
  • There are currently 14 tactics but over 200 techniques, many of which are broken down further into sub-techniques, giving several hundred entries in total for detailed security analysis and a consistent approach to detection.

Most XDR solutions map their detections onto the MITRE ATT&CK framework to show which attack vectors are in play, identify visibility gaps, and highlight the parts of the enterprise seeing the highest velocity of malicious activity. The SecOps team will use the ATT&CK view embedded in the XDR portal extensively for threat hunting and to evaluate the effectiveness of the current adaptive controls.
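As an added example (not from the original post or from any XDR vendor), this Python script shows the visibility-gap analysis described above: an inventory of detection rules, each tagged with the ATT&CK technique it detects and the telemetry feed it needs, is mapped onto a small subset of the Enterprise matrix to report which tactics have no detection at all and which techniques depend on a single feed. The technique and tactic IDs are real ATT&CK identifiers; the rule names and the subset of the matrix are constructed.

```python
"""Map detection rules to ATT&CK techniques; report per-tactic coverage gaps and single-source dependencies."""
from collections import defaultdict

# Constructed subset of the Enterprise ATT&CK matrix: technique ID -> (name, tactic IDs).
# Real ATT&CK has 14 tactics and several hundred techniques; only a handful are listed here.
# A technique can sit under more than one tactic (T1078 Valid Accounts is the classic case).
TECHNIQUES = {
    "T1566": ("Phishing", ["TA0001"]),
    "T1078": ("Valid Accounts", ["TA0001", "TA0003", "TA0004", "TA0005"]),
    "T1059": ("Command and Scripting Interpreter", ["TA0002"]),
    "T1003": ("OS Credential Dumping", ["TA0006"]),
    "T1110": ("Brute Force", ["TA0006"]),
    "T1046": ("Network Service Discovery", ["TA0007"]),
    "T1021": ("Remote Services", ["TA0008"]),
    "T1048": ("Exfiltration Over Alternative Protocol", ["TA0010"]),
    "T1071": ("Application Layer Protocol", ["TA0011"]),
    "T1486": ("Data Encrypted for Impact", ["TA0040"]),
}
TACTICS = {
    "TA0001": "Initial Access", "TA0002": "Execution", "TA0003": "Persistence",
    "TA0004": "Privilege Escalation", "TA0005": "Defense Evasion", "TA0006": "Credential Access",
    "TA0007": "Discovery", "TA0008": "Lateral Movement", "TA0010": "Exfiltration",
    "TA0011": "Command and Control", "TA0040": "Impact",
}

# Constructed detection inventory: each rule is tagged with the (sub-)technique it detects
# and the telemetry source it needs. The rule names are hypothetical.
RULES = [
    {"name": "Encoded PowerShell command line", "technique": "T1059.001", "source": "edr"},
    {"name": "LSASS memory access", "technique": "T1003.001", "source": "edr"},
    {"name": "SMB admin share lateral movement", "technique": "T1021.002", "source": "ndr"},
    {"name": "Bulk DNS TXT egress", "technique": "T1048.003", "source": "ndr"},
    {"name": "Password spray against SSO", "technique": "T1110.003", "source": "identity"},
    {"name": "Malicious attachment delivered", "technique": "T1566.001", "source": "email"},
]


def parent_technique(tid):
    """'T1059.001' -> 'T1059': sub-techniques roll up to their parent for coverage purposes."""
    return tid.split(".")[0]


def coverage_by_tactic(rules=RULES, techniques=TECHNIQUES, tactics=TACTICS):
    """For each tactic, return the techniques covered by at least one rule and those with no rule.
    Rules tagged with a technique ID not in the matrix are reported rather than silently dropped."""
    covered = defaultdict(set)
    unknown = []
    for rule in rules:
        tech = parent_technique(rule["technique"])
        if tech not in techniques:
            unknown.append(rule["name"])
            continue
        for tactic in techniques[tech][1]:
            covered[tactic].add(tech)
    report = {}
    for tactic_id in tactics:
        total = {t for t, (_, tactic_ids) in techniques.items() if tactic_id in tactic_ids}
        report[tactic_id] = {"covered": covered[tactic_id], "gap": total - covered[tactic_id]}
    return report, unknown


def uncovered_tactics(report):
    """Tactics where not a single technique has a detection: the blind spots a hunter starts from."""
    return sorted(t for t, r in report.items() if not r["covered"])


def single_source_techniques(rules=RULES):
    """Techniques whose only detections depend on one telemetry source, keyed by that source.
    If that feed is missing or not integrated, coverage for those techniques disappears."""
    sources = defaultdict(set)
    for rule in rules:
        sources[parent_technique(rule["technique"])].add(rule["source"])
    result = defaultdict(set)
    for tech, srcs in sources.items():
        if len(srcs) == 1:
            result[next(iter(srcs))].add(tech)
    return dict(result)


if __name__ == "__main__":
    report, unknown = coverage_by_tactic()
    for tactic_id, r in report.items():
        print(f'{tactic_id} {TACTICS[tactic_id]:<20} covered={sorted(r["covered"])} gap={sorted(r["gap"])}')
    print("no coverage at all:", uncovered_tactics(report))
    print("single-source dependencies:", single_source_techniques())
    if unknown:
        print("rules with unknown technique IDs:", unknown)
```

With the sample inventory, Persistence, Privilege Escalation, Defense Evasion, Discovery, Command and Control, and Impact have no detection at all, and every covered technique depends on exactly one feed; losing the EDR integration, for instance, removes the only detections for T1059 and T1003. Against a full ATT&CK export the same logic produces the coverage heatmap most XDR portals display.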

XDR Challenges 

XDR brings several benefits to an organisation. However, this next-generation SecOps strategy also poses challenges, including:

  • Lack of Integration: Integration between the XDR platform and its components is critical to the strategy's success. Endpoint agents, next-generation firewalls, and host-based intrusion prevention must all be integrated so that each device shares telemetry and reports its events to the centralised analytics engine. Without that integration, SecOps teams must troubleshoot individual adaptive controls and manually correlate their events with the other security tools.
  • Insufficient Automation: SOAR automation is a significant component of XDR. The organisation benefits greatly from having all security telemetry correlated in a unified analytics engine, but that automation only pays off if the central console can push blocking and prevention actions to the controls that stop an attack from propagating.
  • Operational Complexity: XDR is a complex strategy; integration, automation, and staff time all contribute to that complexity. Without direct integration between XDR components, the solution produces more false positives and false negatives for SecOps teams to research and respond to. Without SOAR automation, SecOps will spend many hours attempting to block the propagation of a ransomware attack across disparate devices and vendors. And without experienced SecOps and DevOps engineers to deploy and maintain the platform, even advanced artificial intelligence will not let the solution meet the organisation's security operations expectations.

MSSPs Supporting the XDR Strategy 

MSSPs play a critical role in an organisation's XDR journey. Many organisations struggle to find talent with experience in NDR, EDR, and XDR. MSSPs have access to international engineers with SecOps expertise, experience running an XDR strategy, and proven security processes.

Another critical success factor is the ability for an MSSP and its client to manage an XDR deployment jointly. Some organisations manage all threat-hunting activities internally while using the MSSP's instance of the MITRE ATT&CK portal; others have the in-house resources and workflow experience for the automation component and use the MSSP as staff augmentation to bring additional help in that area.

Ultimately, MSSPs partnering with their clients provides the much-needed expertise and resources to ensure a successful XDR strategy, deployment, and ongoing operation.  

The value of a managed security services partner (MSSP) 

Organisations need qualified talent to execute the incident response steps, whichever framework they align with. Knowing how to tune the appropriate security controls while aligning them with the overall security objectives is critical to implementing effective incident response. Having security teams with expertise in the tooling, able to deal with a high volume of malicious attacks including ransomware, is critical for the organisation.

MSSPs like LinearStack have the expertise and resources to help organisations execute their incident response playbooks. LinearStack has access to global talent 24x7x365 to help organisations respond to future incidents, assist with preparation, and provide additional incident responders.

For example, an MSSP like LinearStack would be the resource team handling incidents at the NIST framework level, while the in-house SecOps and incident response team responds to the more complex attacks using the SANS model.

About LinearStack 

Founded in 2013, focusing strongly on world-class cyber security services, we built LinearStack from the ground up in Auckland, New Zealand. Our passion for making information security simple and accessible for all organisations is the fuel that fires our engine. 

We’re a growing team of certified Cyber Defence Analysts, Threat Hunters, Incident Responders, CTI specialists, Malware Analysts, Security Architects, and Engineers, with two geo-redundant operations centres across the globe.

Managed Services Offering to Align With XDR 

Complete Visibility, 24-hour Vigilance 

We monitor your environment for threats 24x7, strengthen your existing security controls, and optimise detection rules and policies to prevent, detect and block advanced threats quickly. 

Fast Containment and Removal 

Avoid delays between threat discovery and response with our fully managed service. 

Orchestration and Automation 

We use orchestration and automation to streamline the investigation and response process with playbooks customised to your environment and automate repeatable tasks, reducing response time significantly.  

Culture 

We’re 100% privately held, grown with a family mindset. When working with clients, we’re well-integrated within their teams and act as an extension of their operations. Augmenting existing teams is a transition we manage smoothly, empowering our customers to prioritise cybersecurity strategy while we protect their business from cyber threats 24x7. 

Maintaining thriving IT systems and assuring data protection are fundamental needs that all businesses deserve. 

Contact Us 

Want to know more about what we offer? We'd love to hear from you. 

Get in touch with us today:

Phone: 0800 008 795

Email: info@linearstack.co.nz

Website: https://linearstack.co.nz
