Cross-layered detection and response or XDR is a relatively new security strategy, which offers advanced protection by enabling complete security visibility and response automation. It does not only focus on endpoints but extends its functions into network and user activities.
Also, referred to as Expanded Detection and Response, XDR goes beyond endpoints to include network data, web data, email, as well as cloud instances. It broadens security visibility to allow security teams to see an entire attack lifecycle, from infiltration to exfiltration. It also enables visibility for the lateral movement of attacks.
Researchers from Enterprise Strategy Group say that XDR increases the efficiency and effectiveness of detection and response systems. It effectively addresses many challenges Endpoint Detection and Response (EDR) and other traditional systems encounter particularly the limited telemetry, time-consuming and expensive processes, and the overwhelming loads of information security teams have to work with.
Why do some security systems fail? It’s because of insufficient telemetry or automated security data transmission from various sources. Telemetry facilitates security visibility. It is what allows systems to detect and respond to attacks, the information that security teams examine to investigate problems and provide the appropriate solution.
EDR is excellent in obtaining security-relevant information from endpoints. However, it lacks the telemetry to provide broad visibility and facilitate agile response to problems. There are instances when EDR solutions detect the lateral movement of attacks, but this is not enough to attain rapid detection and response. It is not enough to generate an accurate depiction of an attacker’s behavior and goals.
A well-built XDR platform solves the telemetric limitation problem by enabling telemetry from multiple security layers and possible attack points. This makes it possible to monitor and manage incoming alerts continuously. At the same time, it employs mechanisms to minimize false positives and enhance accuracy. Additionally, with the help of threat intelligence feeds, XDR systems can proactively search for concealed threats.
Expanded telemetry supports faster security investigation by facilitating on-demand file analysis and providing validated attack details. Also, it aids prompt attack response by presenting a detailed list of endpoints, files, users, and networks that necessitate remediation. It is instrumental in guiding the whole incident response lifecycle.
“As collecting telemetry becomes a commodity, value is driven by security analytics combined with threat intelligence that can turn information into insight and action,” a Trend Micro whitepaper explained.
Tedious and costly data aggregation
Enterprises that have not discovered XDR yet tend to rely on multiple security solutions for cybersecurity. Such companies may employ EDR, enterprise-level antivirus, network traffic analysis (NTA), and other defensive measures. The problem with this setup is that it creates data aggregation problems. Different security solutions generate different kinds of information, which can cause siloing. It is difficult to achieve seamless integration.
To address this problem, companies put up security data lakes, which is notably expensive. Also, going over the multitudes of data obtained from different sources can be time-consuming. The establishment of a data lake itself also creates another possible cyber attack target and a host of other problems. As a blog post by one Gartner security specialist warns, there are many possible ways that a data lake and custom security analytics will fail.
Not many companies have the capabilities to use AI or machine learning to take full advantage of their data lakes or facilitate seamless telemetry integration. As such, many end up with mostly inefficient security systems that require more effort on the part of their security teams to achieve the intended results.
XDR efficiently addresses the information siloing problem while avoiding the high costs and excessive time and effort requirements of bespoke data integration arrangements. It provides a unified platform for preventing and detecting problems across key attack points.
Overburdened security teams
An ESG study in 2019 involving 372 enterprise cybersecurity and IT professionals found that security operations center (SOC) teams tend to be in perpetual “firefighting” mode. Around 36 percent of those surveyed said that they tend to spend more time addressing high priority or emergency issues instead of developing strategies or improving processes. Also, from the same study, 30 percent said that the addition of new networks, cloud servers, apps, and users make it difficult for them to keep up with the scale of their infrastructure.
Moreover, another 30 percnt said that they encountered one or several blilnd spots on their frameworks, which makes their tasks more challenging as they are unable to manage what they can’t measure. Also, some 26 percent reported that manual processes diminish their ability to keep up with the growing volumes of threats and the increasing size of their security infrastructure.
Cross-layered detection and response helps ease the load that most security systems, especially those that make use of multiple solutions, impose on their security teams. With XDR’s automation and the use of artificial intelligence to sort and contextualize telemetric data, security teams can focus on more important tasks. The use of pre-built remediation tools likewise takes away some of the tasks from SOCs, so they can spend more time on high priority goals or actions.
XDR serves as one of the most viable responses to the ever evolving nature of cyber attacks. It covers more security layers and expedites the handling of attacks, thereby improving threat detection and remediation significantly.
Advanced XDR platforms deliver concrete solutions for the problems encountered by EDR and the use of multiple security solutions. It addresses telemetry insufficiency, expensive and complicated security data integration, and the inability of security teams to keep up with the massive amounts of security information, attack volumes, and infrastructure expansion.
Brian Wang is a Futurist Thought Leader and a popular Science blogger with 1 million readers per month. His blog Nextbigfuture.com is ranked #1 Science News Blog. It covers many disruptive technology and trends including Space, Robotics, Artificial Intelligence, Medicine, Anti-aging Biotechnology, and Nanotechnology.
Known for identifying cutting edge technologies, he is currently a Co-Founder of a startup and fundraiser for high potential early-stage companies. He is the Head of Research for Allocations for deep technology investments and an Angel Investor at Space Angels.
A frequent speaker at corporations, he has been a TEDx speaker, a Singularity University speaker and guest at numerous interviews for radio and podcasts. He is open to public speaking and advising engagements.