Have you ever wondered, why during the outbreak of war it’s not just one of the armed forces that are deployed, whether it’s the Army, Navy, Air Force or Intelligence, but all of them? It’s the classic case of “the whole is greater than the sum of its parts”. The same analogy applies to cybersecurity too, making it pertinent for enterprises to fortify their cybersecurity posture across all possible vectors to avoid an impending breach. That’s why governments, enterprises, and other organisations would do well to re-evaluate their cybersecurity strategy.
With the increase in the investments made in cybersecurity by organisations in last five years, today’s stark reality is that while the threat landscape is burgeoning, the mean time to identify a breach has increased to 197 days and containing it to 69 days across the industry vertical, according to a report by Verizon.
Traditionally, endpoint protection platform (EPP) was considered “THE” solution to protect your organisation, however, this philosophy has drastically changed with the assumption of very real possibility “I will be breached”. This leads to the next question of effective detection and response strategy to deal with the threat once the network is compromised. EDR (endpoint detection and response) strategy has helped organisations to identify and respond to attacks they believe would have gone unnoticed. With the volume and sophistication of modern attacks, does it still hold good?
EDR an eye-opener: Starting point in detection and response strategy
EDR was definitely an eye-opener to the industry and a must-have starting point to redefine enterprise-wide threat detection and response (TDR). EDR gives a lot of visibility on what is happening on endpoints by capturing activity data, using which we can detect and respond. However, in an enterprise, an endpoint is just one piece of information technology or IT infrastructure and there could be EDR blind spots like the internet of things (IoT), printer, contractor/guest endpoints etc.
While 94% of attacks start with phishing, email becomes an important vector to consider. With the increasing cloud adoption and serverless platforms, it has become pertinent to have effective detection and response strategy for cloud infrastructure. Add to this, there is an entire IT/OT (operational technology) convergence underway, where OT is increasingly becoming part of the IT infrastructure that’s connected to the network. So, with this scenario, the effective detection and response strategy has to be extended beyond endpoint to email, network, cloud and IIoT.
Going back to the analogy; to be victorious in war, enemy threats and attacks need to be confronted vehemently at all fronts (i.e., air, land, water) to avoid penetration and siege. You don’t go to war with the Army alone; you usually need the assistance of Air Force, Navy, and Intelligence side-by-side to complement your overall combat strategy. If we were to juxtapose this analogy to cybersecurity, then endpoint in XDR is our Army in the field; Air support is the cloud security; network visibility is the Navy at sea; threat research is the Military Intelligence and centralized console is your Unified Command.
Emergence of XDR
If you can record what happened on the endpoint, why couldn’t you record everything on the intrusion kill chain for later review? XDR (extended detection and response) expanded the EDR idea. XDR platform would give you complete visibility at every phase of the kill chain including the endpoint, giving enterprises the ability to monitor and account for compromise, no matter where it originates.
The dwell time (MTTD/MTTR) is adequately addressed by XDR through:
- Full visibility – a complete picture
- Speed and confidence to respond
- High fidelity alerts
- Vendor consolidation
- Correlation and collaboration
Choosing the right XDR solution
An attack that resulted in alerts on email, endpoint and network can be combined into a single incident. The primary goals of an XDR solution are to increase detection accuracy and improve security operations efficiency and productivity. Effective XDR solution should have:
- Multi-prevention techniques and not rely on AI/ML only.
- Complement existing SIEM/SOAR by sending consolidated high fidelity alerts, which minimizes the level of noise and raw information.
- Managed services to address skill shortage.
- Solution/platform to break silos and tell a story of attack life cycle.
The XDR approach delivers faster detection and response across the multiple security layers, because it breaks down the silos, and it tells a STORY instead of making noise.
When you have incomplete threat data, you see an incomplete security picture. Or worse, you may see the wrong picture. And in cybersecurity, the price to pay for seeing the wrong picture is hefty.
Vijendra Katiyar, director - enterprise business, India and SAARC, Trend Micro. The views in this article are his own.