What are XDR solutions? Today, there are a large number of technologies of various classes on the market for monitoring and defending against cyber threats. On the one hand, this helps to close the main attack vectors. On the other hand, IS services have to work with a huge number of products simultaneously and analyse a lot of disparate data. As a result, they regularly lose the most valuable resource – the time allocated for response – and the risk of business-critical systems being hacked increases. XDR (extended detection and response [1]) solutions are designed to solve these challenges. Let’s find out what the value of the XDR concept is, what products can be included in such solutions and how they can be used to quickly stop a hacker on his way to his goal.
Current SOC issues
Whether a company uses its own SOC [2] or a SOC as a service (commercial SOC), it always includes three elements: technology, people and processes.
If we consider technology, there are as many classes of defence solution as there are attack vectors. Attack vectors depend on the intruder model (an abstract description of a hacker who can cause damage to the business). A distinction is made between external and internal attackers.
External intruder – a hacker who does not have physical access to the target. Internal intruder – a company employee who can use the organisation’s resources for his or her own benefit.
There is the next-generation firewall [3] (NGFW) for perimeter defence, the endpoint protection platform [4] (EPP) to protect mobile users and workstations, and a combination of network detection and response [5] (NDR) and sandbox [6] products to protect against targeted attacks.
Every IS solution vendor has the expertise to detect hacker activity, but each IS tool only detects attacks within a specific vector. The detected events then need to be processed, and the question is who will do it and how. Collecting a multitude of events from different IS solutions into a single attack chain is a labour-intensive, one might even say impossible, task for a human being. Even if he or she can do it, the process cannot be called fast and efficient.
So we come to the second important element of any SOC – people. First of all, it matters how many specialists are in the team, what competences they have and what specific tasks the SOC operators are engaged in.
The first generation of SOCs looked like this: several people with different competences analysed IS events. These analysts may have had knowledge of, for example, networking, operating systems or administration, but they did not yet have any specialised security knowledge. Modern SOCs take threat monitoring and response more seriously: there are L1-L3 lines [7], threat hunters, reverse engineering and malware research specialists, forensics experts, and a manager who explains the results of the SOC’s work to the business. And this is where the first difficulty arises – staffing shortages. It’s not enough to hire one person per position, because the SOC is a 24/7/365 job, which means you need a minimum of three people per line.
To understand where the second part of the modern cybersecurity problem lies, consider what the average L1-L2 analyst does. He or she works with the IS toolkit available in the SOC: typically SIEM (security information and event management [8]), NDR, UEBA (user and entity behaviour analytics [9]), sandboxing, WAF (web application firewall [10]), NGFW, EPP and EDR (endpoint detection and response [11]). Consequently, the analyst has to look across multiple consoles and monitor a huge number of alerts from the defences. Of course, there is integration between the systems. For example, the results of file analyses from sandboxes, as well as events from NDR and UEBA, are passed to the SIEM. However, each IS product performs
- Check all logs and collate them together.
- Prioritise security events.
- Manually compare data against threat feeds [12].
- Search for events using IoC [13].
- Gather context: assets, network activity, and related files.
- Build a timeline and determine the initial point of attack.
- Respond to the incident and escalate it to L2.
As you can see, it’s not a quick process. The longer it takes an analyst to understand what’s going on and respond to the threat, the greater the chances of a hacker gaining a foothold in the infrastructure. According to IBM’s Cost of a Data Breach Report 2021, the average time a hacker is in the infrastructure is 212 days.
It turns out that companies are already armed with the right set of IS tools, but are understaffed and have trouble handling unrelated security events. Consequently, they need a solution that can gather events and context from IS tools and offer SOC analysts the necessary tools to respond. There is such a solution, and it is XDR.
EDR + IS tools + business tools = XDR
There is no unambiguous definition of XDR. For one vendor it is an approach to IS, for another it is a separate product. Forrester defines XDR as an evolution of endpoint threat detection and response (EDR) technology that encompasses security and business tools. An EDR solution is a product for detecting and blocking malicious activity on network nodes only. It is installed on computers, servers, virtual machines and mobile devices. It is typically a two-tier architecture consisting of agents and a management server. The management server collects data from the devices where agents are deployed, finds dangerous activities, and provides the operator with tools to block them. The operator, in turn, blocks the threat where the EDR agent is deployed. Thus, the definition of XDR can be simplified to three components: EDR + IS tools + business tools.
XDR is a product that does two things: detects threats and blocks them. EDR seems to do about the same thing, but there is a difference: unlike EDR, XDR looks for and blocks threats not only where EDR agents are installed, but also where there are no EDR agents. XDR gathers information from EDR, SIEM, sandbox, NDR, UEBA, WAF, VM (vulnerability management [14]), and the set of products that make up XDR is variable.
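The manual L1 steps listed earlier (collate logs, prioritise, match against threat feeds, search by IoC, gather context, build a timeline, find the initial point of attack) are exactly what the XDR definition above asks a product to automate across tools. The following is an added example, not code from the article or from any XDR vendor: it takes alerts from four constructed sources (siem, edr, ndr, sandbox), collates them per host, cuts them into attack chains by time gap, matches them against a constructed threat feed, scores each chain by the strongest IoC hit plus the number of corroborating tools, and renders a timeline whose first entry is the initial point of attack. All field names, tool names, hosts, hashes and addresses are assumptions invented for the example.

```python
"""Correlate alerts from several security tools into prioritised attack chains.

Added example (not the article's or any vendor's code). Alerts, feed entries,
hosts, hashes and addresses are all constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed threat feed: indicator -> (indicator type, severity score 0-100).
# The hash and names below are invented and are not real indicators of compromise.
THREAT_FEED = {
    "198.51.100.23": ("ip", 80),                       # documentation-range address
    "9f86d081884c7d659a2feaa0c55ad015": ("md5", 95),   # constructed hash
    "updates.example-cdn.invalid": ("domain", 70),     # reserved .invalid TLD
}

# Constructed alerts that an L1 analyst would otherwise read off four consoles.
SAMPLE_ALERTS = [
    {"tool": "siem", "ts": "2021-11-02T09:14:05", "host": "ws-042", "user": "jdoe",
     "type": "logon", "detail": "interactive logon"},
    {"tool": "sandbox", "ts": "2021-11-02T09:16:40", "host": "ws-042", "user": "jdoe",
     "type": "file_verdict", "hash": "9f86d081884c7d659a2feaa0c55ad015", "verdict": "malicious"},
    {"tool": "edr", "ts": "2021-11-02T09:17:02", "host": "ws-042", "user": "jdoe",
     "type": "process", "detail": "script host launched with encoded command",
     "hash": "9f86d081884c7d659a2feaa0c55ad015"},
    {"tool": "ndr", "ts": "2021-11-02T09:17:30", "host": "ws-042", "user": "jdoe",
     "type": "connection", "dst": "198.51.100.23", "domain": "updates.example-cdn.invalid"},
    {"tool": "edr", "ts": "2021-11-02T14:05:00", "host": "ws-042", "user": "jdoe",
     "type": "process", "detail": "scheduled task created"},   # hours later: separate chain
    {"tool": "ndr", "ts": "2021-11-02T09:40:11", "host": "srv-db-01", "user": "svc_backup",
     "type": "connection", "dst": "203.0.113.9"},
    {"tool": "siem", "ts": "2021-11-02T10:02:00", "host": "ws-017", "user": "asmith",
     "type": "logon", "detail": "interactive logon"},
]


def iocs_in(alert):
    """Return (indicator, type, score) for every feed entry present in this alert."""
    hits = []
    for key in ("hash", "dst", "domain"):
        value = alert.get(key)
        if value in THREAT_FEED:
            kind, score = THREAT_FEED[value]
            hits.append((value, kind, score))
    return hits


def build_chains(alerts, window_minutes=30):
    """Collate alerts per host, order them in time, and split them into chains
    wherever the gap between consecutive alerts exceeds the window. Each chain
    records the tools involved, the IoCs matched and a priority score."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)

    chains = []
    for host, events in by_host.items():
        events.sort(key=lambda a: a["ts"])   # ISO-8601 timestamps sort chronologically
        current = None
        for alert in events:
            t = datetime.fromisoformat(alert["ts"])
            gap_exceeded = current is not None and \
                (t - current["last"]).total_seconds() > window_minutes * 60
            if current is None or gap_exceeded:
                current = {"host": host, "start": t, "last": t,
                           "events": [], "tools": set(), "iocs": set()}
                chains.append(current)
            current["last"] = t
            current["events"].append(alert)
            current["tools"].add(alert["tool"])
            current["iocs"].update(iocs_in(alert))

    for chain in chains:
        # Strongest IoC match, plus 10 points for each additional tool that corroborates it.
        worst_ioc = max((score for _, _, score in chain["iocs"]), default=0)
        chain["score"] = worst_ioc + 10 * (len(chain["tools"]) - 1)
        chain["initial_point"] = chain["events"][0]   # earliest alert in the chain
    chains.sort(key=lambda c: c["score"], reverse=True)   # stable: ties keep host order
    return chains


def timeline(chain):
    """Render a chain as ordered 'timestamp tool type' lines for the analyst."""
    return [f"{a['ts']} {a['tool']:8} {a['type']}" for a in chain["events"]]


if __name__ == "__main__":
    for chain in build_chains(SAMPLE_ALERTS):
        print(f"{chain['host']}: score={chain['score']} tools={sorted(chain['tools'])} "
              f"iocs={[i for i, _, _ in chain['iocs']]}")
        for line in timeline(chain):
            print("   ", line)
```

Run stand-alone, the script places the ws-042 chain that spans the SIEM logon, sandbox verdict, EDR process and NDR connection at the top with a score of 125, while the single-alert chains (the later ws-042 task, srv-db-01, ws-017) score 0 because nothing in them matches the feed and no second tool corroborates them. The window split is the edge case worth noting: without it, an unrelated afternoon alert on the same host would be glued onto the morning chain and the initial point of attack could be mis-stated.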
The role of XDR in achieving effective security
Like any function in a company, security can and should be effective. For a business, the main result of effective information security should be that events which could cause unacceptable damage to the company cannot be realised. The probability of an attack on a business-critical system cannot be reduced to zero, but it is possible to create conditions that make it impossible to break in. And this can be measured.
Unacceptable events should be defined by top management, not by the IS service. For example, for a financial company theft of money or database leakage may be unacceptable, and for an industrial enterprise – turbine shutdown at a hydroelectric power plant.
From a technological point of view, XDR solutions make it possible to detect and respond to attacks effectively. But for XDR to work, and for its results to be measurable in terms of their importance for the company, products capable of operating with the concept of unacceptable events are required. So far there are only a few such solutions, but the need for them will certainly grow from year to year as business becomes more involved in IS issues.
Notes
- [1] Identifying and responding to cyber threats.
- [2] Security operations centre is a cyber threat response centre. Its main task is to detect IS incidents at the early stages of an attack.
- [3] Next-generation firewall.
- [4] A solution for preventing and blocking known threats and detecting malicious activity.
- [5] A solution for identifying and responding to threats.
- [6] Network sandbox.
- [7] The first line of the SOC is staffed by analysts who perform initial processing of cyber incidents and screen out obvious false positives [15] from defence systems. The second line of the SOC handles incidents for which playbooks have not been developed or that require deeper analysis by the team. In addition, second-line analysts monitor incidents involving critical assets and known hacking campaigns and proactively search for threats. Third-line SOC analysts proactively search for and block sophisticated threats and stealthy activity not detected by the company’s existing defences.
- [8] Security information and event management system.
- [9] Behavioural analysis system for users and entities.
- [10] A security screen for web applications.
- [11] Endpoint threat detection and response solution.
- [12] Open data streams with indicators of compromise that can be used to enrich defences, helping to detect threats better.
- [13] Indicators of compromise.
- [14] Vulnerability management system.
- [15] Erroneous detection of an event that did not actually occur.