Extended Detection and Response, shortened to XDR, is enabling Security as a Service providers and organisations to keep pace with the demands of the digitally transforming organisation by adapting to the needs of cloud services. But just what is XDR and how is it helping organisations successfully take up Threat Detection and Response services from a SOC?
What is Extended Detection and Response (XDR)?
Gartner defines XDR as: “Extended detection and response describes A unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components”
It continues, “Security and risk management leaders should consider the risks and advantages of an XDR solution.”
To put it simply, it is several security products that allow for detection and response, from a single vendor that integrates for greater visibility, coverage, and performance. Collectively they create the ability to be much more pro-active with cyber security and reduce the noise, generated by other solutions. This is an emerging market amongst security vendors with offerings from Palo Alto, McAfee, Fortinet, Sophos and Microsoft to name just a few.
So what are the benefits of XDR?
As mentioned briefly above, choosing to invest in Extended Detection and Response means consolidating vendors and investing in a reference security architecture. According to the “SANS 2018 Security Operations Center Survey”, the average SOC had over 40 tools, so naturally consolidating these drives a number of benefits.
Firstly, reducing the number of vendors brings down the operational overhead of managing many tools. The overhead is usually surpassed by ensuring that the business has sufficient skills to use and integrate up to 40 tools. Secondly, the consolidation of tools and vendors offers commercial benefits driven by savings.
The common scenario we found was that although there were a large number of security technology tools in operation, there was little integration, overlap and gaps in the coverage that these tools offered. A well-configured set of security tools provided coverage but drove many alerts that were false positives or benign, leading to fatigue and alert blindness.
Vendors such as those mentioned above have a SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation and Response) which are tightly integrated with more than one technology for threat detection and response technology, usually an Endpoint Detection and Response (EDR), Email Security, Cloud Access Security Brokers (CASB), Identity and Access Management (IAM) and an element of Network Detection and Response (NDR).
This tight integration brings an extended visibility that didn’t previously exist within security tools and delivers information and insight where there used to be data and noise from security events. Sharing threat intelligence immediately along the security architecture to provide effective and efficient blocking of threats across all components. The combined signals, which independently are weak can help identify more advanced persistent threats that would normally be unseen.
Adding to this SOAR security solution are enabling automation to be applied to these alerts. This could come in the form of automating repetitive tasks such as further enrichment with third-party tools, triggering safe and approved remediation automation within the remit of the vendor’s security architecture and orchestrating other tools and ticket systems for improvements stretching into process management.
Quite simply, Extended Detection and Response delivers:
- Fewer blind-spots driven by a wider, integrated security coverage
- Improved protection, threat detection and response capabilities
- Improvements to overall security and staff productivity
- Lower total cost of ownership to create effective threat detection and response capability
Bridewell's Recommendations for XDR
We have seen increased use of security measures over the last two years such as EDR and CASB, so, the market is shifting because of the benefits of increased security posture and ability to rapidly contain and respond to threats during the incident response cycle. Thus, we see that XDR is the trend that all Security Operations teams and Security as a Service providers will transition to. So, what should you be looking for when evaluating your technology choices?
Review your wider IT and digital transformation agenda
Develop a gap analysis that follows your technology trajectory for the next few years and identify the security tools that allow you to keep pace and protect your organisation
Review your gap analysis in conjunction with the vendor choices available to you. Look at vendors of which you already have significant investment in order to improve the ROI of the overall solution
With a small number or preferred vendors, conduct thorough product evaluation and proof of concept that could be quickly put into production and tested to ensure outcomes meet the promises of the solution
Develop or adopt an internal architecture and purchasing policy that is in line with your XDR strategy.
Outsource to a managed security service provider (MSSP) that can build, deploy and manage an XDR solution, overlaying threat detection, threat intelligence as part of a Managed Detection and Response (MDR) security service.
At Bridewell, we have strategically chosen the Microsoft Security Reference Architecture on which to build our MDR service. The security architecture included Azure Sentinel SIEM and SOAR capabilities at the centre which is tightly integrated into the Defender XDR security suite. We have found it to be the strongest and most integrated suite on the market that continually extends and improves and includes technologies such as Endpoint Detection and Response, Cloud Access Security Broker, Email Gateway, Identity and Access Management and Data Loss Prevention to name just a few.
The fantastic thing is that all of these features are included in the E3 and E5 licensing, so companies that are already investing in the Microsoft collaboration suite can take full advantage of the security capabilities at no extra cost.
With access to the personnel and processes of a highly accredited Security Operations Centre, who is a leading Microsoft Gold Security Partner with extensive experience of deploying, securing, and managing the full reference architecture, you are in exceptional hands when choosing your security partner.