Andrew Hollister, VP, LogRhythm Labs and Deputy Chief Security Officer (CSO) for EMEA, IMETA, and APJ, discusses one of cybersecurity’s most recent trends which is gaining traction across the board. He explains how XDR technology can be useful for organisations and the benefits it can bring.
Extended Detection and Response (XDR) has burst onto the scene in recent times. In a short period, it’s gained such interest that Gartner named it the number one security trend to come out of 2020.
As with many new trends, the exact definition of XDR is still maturing, but I’d describe it as a technology with a narrow and deep focus. This is in contrast to the typically broader focus of, for example, Security Information and Event Management (SIEM) technologies. There is much discussion about what the ‘X’ either stands for or implies, but I’d suggest that the ‘D’ – detection – in XDR is the place that business leaders should focus. That is to say, look beyond the buzzwords: what business problem do I have today that XDR is going to solve for me? What will deploying XDR change for my business in terms of risk, resources and ability to respond to an increasingly hostile and ever-changing cyber environment?
Evolving solution technologies
Detection and response technologies have evolved via a couple of routes simultaneously – logging and prevention.
Logging technologies have a long history. Collecting high-level telemetry from a very broad range of technologies first gave rise to the ability to demonstrate compliance using that telemetry. This was later followed by using the same telemetry to directly detect both compliance control failures and threats.
Prevention technologies, such as endpoint protection, have developed detection capabilities over time based on the very deep telemetry they have access to – typically by leveraging the presence of an agent on the endpoint.
Evolving threat landscape
Saying the threat landscape is becoming more hostile is almost a cliché today, so let’s examine that statement a little. Reviewing just the last 12 months of industry press demonstrates the persistence and skill of threat actors, with a number of very high-profile attacks that have leveraged vectors perhaps previously thought to be more theoretical. Attacks have become more kinetic in nature (i.e. they have real-world as well as digital impacts), and the attention of world leaders has been firmly captured by these real-world impacts, resulting in a raft of statements and directives this year alone.
Evolving business environment
Alongside the technical developments in the cybersecurity threat and solution space, the business environment itself is of course continually evolving. The crucible of the pandemic has driven an enormous Digital Transformation that otherwise would likely have taken years to evolve – the dramatic and almost overnight shift to remote working being the poster child for this change.
Alongside the Digital Transformation, the challenge in recruiting and retaining sufficient skilled staff to operate securely in the current landscape also remains.
The vision of XDR
XDR is really all about helping organisations address these evolving business challenges. By blending deep telemetry from selected sources, the hybrid analytics most suited to that telemetry can be applied to surface the most important threats – irrespective of the motives of the attacker, and of whether the targeted asset is located on the company premises, in the cloud or on a remotely deployed laptop. Leveraging detailed telemetry from the endpoint, network and cloud, combined with user context, provides powerful insight into the organisation’s activity and the basis for very high-fidelity alerts, reducing the pressure on security teams. Alarm fatigue has been a big challenge for security teams, and the promise of XDR is to surface those things that represent the most risk, so the focus can be in the right place.
In some senses, XDR is seen as the ‘easy’ button, as much as anything in cyber is ever easy. XDR differentiates itself by focussing very clearly on detection and response and not straying into the much wider landscape that, for example, a SIEM would address.
High-fidelity detection provides the basis for automating response with much more confidence than perhaps businesses have dared to hope for in the past, and the ‘R’ in XDR will enable organisations to respond in an effective and timely manner to threats, whether partial or total automation is the goal.
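To make the two ideas above concrete – corroborating endpoint, network, cloud and user-context telemetry into one high-fidelity alert, and then tiering the response by confidence – here is an added illustration in Python. It is not code from the article or from LogRhythm’s product; the telemetry records, field names, source weights, time window and thresholds are all constructed assumptions chosen to show the mechanism.

```python
"""Correlate endpoint, network, cloud and identity telemetry into one
high-fidelity alert, then tier the response by confidence.
Added illustration: all events, field names, weights and thresholds
below are constructed assumptions, not any vendor's product logic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry. Each record names the source it came from,
# a timestamp, and the user/host it relates to.
TELEMETRY = [
    {"src": "endpoint", "ts": "2021-06-01T09:00:05", "user": "alice", "host": "lt-042",
     "event": "process_start", "detail": "powershell.exe spawned by winword.exe"},
    {"src": "network", "ts": "2021-06-01T09:00:20", "user": "alice", "host": "lt-042",
     "event": "dns_query", "detail": "first-seen domain example-cdn.invalid"},
    {"src": "identity", "ts": "2021-06-01T09:01:10", "user": "alice", "host": "lt-042",
     "event": "mfa_prompt", "detail": "second prompt within 60s from a new location"},
    {"src": "cloud", "ts": "2021-06-01T09:02:00", "user": "alice", "host": "lt-042",
     "event": "access_key_created", "detail": "IAM CreateAccessKey with no change ticket"},
    # Benign noise: one endpoint signal on another host, nothing corroborates it.
    {"src": "endpoint", "ts": "2021-06-01T09:30:00", "user": "bob", "host": "lt-017",
     "event": "process_start", "detail": "powershell.exe spawned by explorer.exe"},
    # A cloud event hours later: must not be folded into alice's earlier cluster.
    {"src": "cloud", "ts": "2021-06-01T15:00:00", "user": "alice", "host": "lt-042",
     "event": "access_key_created", "detail": "routine rotation"},
]

# Evidence weight per source (constructed). Any single source is a weak
# signal; corroboration across sources is what makes the alert high fidelity.
WEIGHTS = {"endpoint": 30, "network": 20, "cloud": 30, "identity": 20}
WINDOW = timedelta(minutes=10)
ALERT_THRESHOLD = 60           # worth an analyst's attention
AUTO_RESPONSE_THRESHOLD = 90   # confident enough to automate the response


def parse_ts(s):
    return datetime.fromisoformat(s)


def correlate(events, window=WINDOW):
    """Group events by (user, host), split each group into clusters that
    start within `window` of the cluster's first event, and score each
    cluster by the distinct sources that corroborate it."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["user"], e["host"])].append(e)

    clusters = []
    for key, evs in by_key.items():
        current = [evs[0]]
        for e in evs[1:]:
            if parse_ts(e["ts"]) - parse_ts(current[0]["ts"]) <= window:
                current.append(e)
            else:
                clusters.append((key, current))
                current = [e]
        clusters.append((key, current))

    scored = []
    for (user, host), evs in clusters:
        sources = {e["src"] for e in evs}
        scored.append({"user": user, "host": host,
                       "score": sum(WEIGHTS[s] for s in sources),
                       "sources": sorted(sources), "events": evs})
    return scored


def triage(scored):
    """Decide what reaches the team. Clusters below ALERT_THRESHOLD are
    suppressed (the alarm-fatigue reduction); those above
    AUTO_RESPONSE_THRESHOLD are confident enough for an automated response."""
    alerts = []
    for c in scored:
        if c["score"] >= AUTO_RESPONSE_THRESHOLD:
            action = "auto: isolate host, disable new cloud key, open incident"
        elif c["score"] >= ALERT_THRESHOLD:
            action = "analyst review"
        else:
            continue
        alerts.append({**c, "action": action})
    return alerts


if __name__ == "__main__":
    for a in triage(correlate(TELEMETRY)):
        print(f"{a['user']}@{a['host']} score={a['score']} "
              f"sources={a['sources']} -> {a['action']}")
```

Run as written, only one alert survives: the four-source cluster on alice’s laptop scores 100 and is routed to automated response, while the lone PowerShell start on bob’s machine and the routine key rotation six hours later both stay below the alert threshold and never reach the queue. The interesting design point is that no single source decides anything; the score only climbs when independent telemetry agrees, which is the property that lets a team trust an automated action.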