The shortfall of skilled security professionals and the exponential growth of security-related data means greater risk for companies. Security teams at organizations of all sizes have limited resources and must filter alerts to match analysis capacity. When this happens, clues to potential threats remain hidden and attackers achieve longer dwell times, increasing the likelihood and impact of a security incident.
To help address this challenge, eXtended Detection and Response (XDR) has emerged–a new category geared to provide technology integration between data sources and security operations to accelerate detection and response. XDR solutions integrate a set of products unifying control points, security data, analytics and operations into a single enterprise solution. Gartner noted recently that “security and risk management leaders should consider the risks and advantages of an XDR solution.”
Industry information for this eWEEK Data Points article comes from Chris Calvert, CTO and co-founder of Respond Software, an emerging leader in the automated monitoring and triage software sector. Calvert discusses five questions to consider when evaluating whether XDR would be a useful addition.
Data Point No. 1: How effective is your SIEM?
Security Information and Event Management (SIEM) systems are popular these days, but they require rules to reduce the number of events security teams analyze. SIEM rules are based on logic that’s too simplistic to isolate and analyze real attacks. In addition, SIEM rules and the people who write them vary in terms of quality, resulting in inaccurate or incomplete analysis. What’s more, most organizations lack the time and budget to deploy and maintain their own SIEM infrastructure.
Data Point No. 2: Are you getting the most out of your SOAR?
Some organizations are using Security Orchestration Automation and Remediation (SOAR) platforms, which security engineers code to automate analyst tasks, i.e., data collection, correlation, enrichment and response to low-level security events. The problem is that SOAR tools can choke on the volume of data that needs to be analyzed, dramatically lowering their remediation capability. SOAR solutions are commonly tuned down to reduce the volume of alerts, which effectively takes a powerful (and expensive) tool and decreases its efficacy.
Data Point No. 3: Can you weed out false positives?
Endpoint detection and response (EDR) has a reputation for generating lots of false positives when used on its own. EDR is great at collecting that data, but when you’re trying to determine whether or not something malicious is happening in real time, it’s overwhelming. However, when EDR is integrated into an XDR engine, it can process vast amounts of sensor data at machine speed. And that’s not just data from the endpoints. It includes network telemetries and other sensors, information on vulnerabilities, threat intelligence, and specifics about accounts and individual systems.
Data Point No. 4: Do you like simplicity but fear vendor lock-in?
XDR is a valuable addition, but it does have its limitations. For instance, most XDR solutions are limited to a vendor's proprietary technology stack, reducing the volume of security data that can be correlated, scoped and triaged, while locking customers into expensive tools. In addition, detection capabilities are limited or require customization from professional services or security engineers.
Data Point No. 5: Can you choose best-of-breed solutions?
An alternative is to select a vendor agnostic XDR engine, which gives security teams the best of both worlds: the capability to find incidents in real time and analytics that work across a broad range of security technologies. Sensors in the environment generate disparate data and evidence that need to be correlated and analyzed at scale. Agnostic XDR solutions can work with multiple vendors, telemetries and threat intelligence to effectively escalate only malicious and actionable incidents.
If you have a suggestion for an eWEEK Data Points article, email [email protected].