Yonatan Striem-Amit, Chief Technology Officer and Co-founder at Cybereason, tells us how a strong XDR solution can enable us to regain the upper hand with the ability to detect, correlate and stop attacks in real-time, even across complex, ever-evolving enterprise environments.
For businesses across the UAE, and the globe for that matter, one of the realities of the new world we live in is the hybrid workforce. According to a recent study from Aetna International, two-thirds of UAE employees want to return to the office, with the balance preferring to work from home, once the crisis has abated.
Against this backdrop, companies must ensure that all employees are connected to their company network at any time and from anywhere, while doing so securely. This is a particularly arduous task as cybercriminals are also taking advantage of today’s unpredictable environment to execute their malicious schemes. From a spike in ransomware attacks to data exfiltration and cryptomining, cyberattacks have escalated in volume as well as in their potential scope of damage.
The case for XDR
Many existing endpoint protection (EPP) tools are simply not equipped to manage today’s threat landscape. If threats emerged as single, isolated attacks on a single company device, then organisations would have defences in place to mitigate the attacks. Unfortunately, attacks are not being carried out in this manner. They are coordinated across user identities, devices and endpoints. As such, organisations need solutions that can roll with the punches, enable real-time response, and better yet, anticipate – in order to prevent – the adversary’s next move.
In the world of cyber defence, the key question is whether we can respond to an attack with accuracy. Can we fully remove the adversary without creating undue friction on the business? Put simply, we need to be able to respond with the right response and nothing but the right response. Unfortunately, technologies that send an alert when a suspicious activity is detected put the onerous task of determining the full and correct response on the operator. A partial and incomplete handling of these activities may slow down the cybercriminal’s efforts but may not halt the attack as a whole. In bad cases, it is akin to putting a plaster on a bullet wound.
Organisations need a new approach to threat detection and response. The approach needs to understand and adapt to the modern enterprise: this includes devices, identities, network and SaaS. They need Extended Detection and Response, coined as XDR. But what should they be looking for in an XDR solution?
Choosing the right XDR solution
There are three key elements to consider before committing to one. Firstly, check that the technology can help you find the threats that are relevant to your business. A foundational step in security is knowing your attack surface: what does your network look like to an attacker, and what needs to be protected? An adept XDR solution should connect across your remote workforce, SaaS, IaaS and even critical on-premises infrastructure to protect your enterprise network. Ensure the XDR solution aligns well with your overall IT strategy and can support critical systems with important protections (e.g. anti-ransomware for Windows Servers).
Next, you will want to test if the solution can speed up your threat detection and response capabilities. The best solutions are operation-centric, which means instead of an alert on a single event, you’re presented with a highly correlated, intuitive view of the malicious operation. The technology should support machine readable threat intelligence, such as Indicators of Compromise (IOCs), or metadata associated with known-bad activity. In other words, evidence of the tools and artifacts of a breach.
More important, however, is the identification of Indicators of Behaviour (IOBs): the actual actions and behaviours that take place. This might include a change of privilege, an application that instigates a process, or perhaps an injection from one process into another. Hackers increasingly execute attacks with new and unique code tailored to an individual target environment, so there may be no previously seen indicators to suggest a compromise, and an IOC-only check can give an inaccurate assessment of your company’s security posture. Indeed, cybercriminals are using software already deployed across your environment for their schemes; that is, they are ‘living off the land’. With an XDR solution that can identify IOCs and IOBs across endpoint, email, identities and cloud activity, you get a clearer picture of any malicious activity and are closer to a complete remediation.
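As an added illustration of the operation-centric, IOB-based correlation described above (example code written for this page, not Cybereason’s product or code), the following small correlator links endpoint and identity events on each host into one operation and flags it on IOCs, on IOBs, or on both. The hostnames, hashes, event schema and the behaviour patterns it looks for are constructed assumptions.

```python
"""Toy operation-centric correlator (added example, not Cybereason code): links
events into one operation per connected process graph and scores IOCs vs IOBs."""
from collections import defaultdict
KNOWN_BAD_HASHES = {"deadbeef00"}            # constructed IOC feed (placeholder hash)
IOB_BEHAVIOURS = {"privilege_change", "process_inject"}
OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}
# Constructed telemetry. ws01: a living-off-the-land chain with no known-bad hash
# anywhere in it. ws02: a single process whose hash is on the IOC feed.
EVENTS = [
    {"host": "ws01", "user": "alice", "type": "process_start", "pid": 300, "ppid": 1, "image": "explorer.exe", "hash": "cc33"},
    {"host": "ws01", "user": "alice", "type": "process_start", "pid": 100, "ppid": 1, "image": "outlook.exe", "hash": "aa11"},
    {"host": "ws01", "user": "alice", "type": "process_start", "pid": 200, "ppid": 100, "image": "powershell.exe", "hash": "bb22"},
    {"host": "ws01", "user": "alice", "type": "privilege_change", "pid": 200},
    {"host": "ws01", "user": "alice", "type": "process_inject", "pid": 200, "target_pid": 300},
    {"host": "ws02", "user": "bob", "type": "process_start", "pid": 400, "ppid": 1, "image": "update.exe", "hash": "deadbeef00"},
]
def _find(parent, x):                         # union-find with path halving
    while parent.setdefault(x, x) != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x
def correlate(events, known_bad=KNOWN_BAD_HASHES):
    """Group events into operations; ppid 1 is treated as a process-tree root."""
    parent, image = {}, {}
    for e in events:                          # pass 1: link parent/child and injector/target
        node = (e["host"], e["pid"])
        if e["type"] == "process_start":
            image[node] = e["image"]
            if e["ppid"] != 1:
                parent[_find(parent, node)] = _find(parent, (e["host"], e["ppid"]))
        elif e["type"] == "process_inject":
            parent[_find(parent, node)] = _find(parent, (e["host"], e["target_pid"]))
    ops = defaultdict(lambda: {"events": [], "iocs": set(), "iobs": set()})
    for e in events:                          # pass 2: attach IOC and IOB evidence
        op = ops[_find(parent, (e["host"], e["pid"]))]
        op["events"].append(e)
        if e.get("hash") in known_bad:
            op["iocs"].add(e["hash"])
        if e["type"] in IOB_BEHAVIOURS:
            op["iobs"].add(e["type"])
        if e["type"] == "process_start" and e["image"] in SCRIPT_HOSTS \
                and image.get((e["host"], e["ppid"])) in OFFICE_APPS:
            op["iobs"].add("office_spawns_script_host")
    # One record per operation instead of one alert per event; two or more IOBs,
    # or any IOC hit, marks the whole operation as malicious (constructed threshold).
    return [{"host": root[0], "users": sorted({e["user"] for e in op["events"]}),
             "event_count": len(op["events"]), "iocs": sorted(op["iocs"]),
             "iobs": sorted(op["iobs"]),
             "malicious": bool(op["iocs"]) or len(op["iobs"]) >= 2}
            for root, op in ops.items()]
```

On the constructed data, the ws01 chain has no IOC match at all and is caught only by its IOBs, while ws02 is caught only by the IOC feed, which is the gap an IOC-only check leaves.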
Finally, evaluate how the technology responds to threats. As soon as an attack is identified and understood at a macro level, the ideal XDR solution should automatically deploy remediation actions, or at least guide you through the best response. For example, killing a process, blocking a user, quarantining an asset or opening a remote shell should all be accomplishable remotely with one click. In short, seek solutions that offer flexible options and automation that align with your security workflows.
With a strong XDR solution, we, the defenders, can regain the upper hand with the ability to detect, correlate and stop attacks in real-time, even across complex, ever-evolving enterprise environments. Unlike SIEM or log management tools, XDR promises an experience focused on security value: better detection, easier investigation, faster response. Defeating an adversary that can weave between data silos and understands detection alerts requires an operation-centric approach. Implementing an XDR solution means faster detection, which means faster remediation, thereby ending attacks before they become breach events.