Unravel the XDR Noise and Recognize a Proactive Approach

By on Nov 09, 2020

Cybersecurity professionals know this drill well all too well. Making sense of lotof information and noise to access what really matters. XDR (Extended Detection & Response) has been a technical acronym thrown around in the cybersecurity industry with many notations and promises. This can be intriguing and nagging for cybersecurity professionals who are heads down defending against the persistent adversaries. The intent of this blog is to clarify XDR and remove the noise and hype into relevant and purposeful cybersecurity conversations with actionsAnd observe the need for a proactive approach. 

Let’s begin with what does XDR refer to and its evolution. As noted earlier, XDR stands for Extended Detection and Response. “extended” is going beyond the endpoint to network and cloud infrastructure. You will find this cross-infrastructure or cross-domain capability is the common denominator for XDR XDR is the next evolution of a solid Endpoint Detection and Response (EDR). Ironically it was a term introduced by a network security vendor with aspirations to enter the emerging Security Operations market.  

A Look at the Industry Point of Views 

Industry experts have weighed in on this XDR capability for cybersecurity. Gartner’s definition, XDR is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.” Gartner notes three primary requirements of an XDR system are; centralization of normalized data primarily focused on the XDR vendors’ ecosystem, correlation of security data and alerts into incidents and centralized incident response capability that can change the state of individual security products as part of incident response or security policy setting. If you want to hear more from Gartner on this topic, check out the report. 

ESG defines XDR as an integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection and response. In other words, XDR unifies control points, security telemetry, analytics, and operations into one enterprise system. 

Forrester views XDR as the next generation of Endpoint Detection and Response to evolve to by integrating endpoint, network and application telemetry. The key goals include empowering analysts with incident-driven analytics for root cause analysis, offer prescriptive remediation with the ability to orchestrate it and map uses cases MITRE ATT&CK techniques and chain them into complex queries that describe behaviors, instead of individual events. 

XDR Themes 

The common XDR themes from these XDR discussions are multiple security functions integrated and curated data across the control vectors all working together to achieve better security operational efficiencies while responding to a threat. Cross control points make sense since the adversary movement is erratic.  Emphasis is on removing complexity and offering better detection and understanding of the risk in the environment and quickly sorting through a possible response.  The range of detect and response capabilities also suggest that it cannot be done by one exclusive vendor. Many advocates an integrated partnership approach to unify defenses and streamline efforts across domains and vectors. This is not a new concept to connect the security disciplines to work together, as matter fact, McAfee has been professing and delivering on Together is Power motto for some time.  

Another common XDR theme is the promise to accelerate investigation efforts by offering automatic analysis of findings and incidents to get closer to a better assessment. This makes your reactive cycles potentially less frequent 

Integrating security across the enterprise and control points and accelerating investigations are critical functions. Does it address organizational nuances like is this threat a high priority because it is prevalent in my geo and industry and it’s impacting target assets with highly sensitive data.  Prioritization should also be an XDR theme but not necessarily noted in these XDR discussions. 

Net Out the Core XDR Functions 

After distilling the many point of views and the themes on XDR, it seems the core functions all focus on improving security operations immensely during an attack.  So, it’s reactive function. 

XDR Core & Baseline functions  Why? 
Cross infrastructure—comprehensive vector coverage  Gain comprehensive visibility & control across your entire organization and stop operating in silos 

Remove disparate efforts between tools, data and functional areas 

Distilled data and correlated alerts across the organization  Remove manual discover and make sense of it all 
Unified management with a common experience  From a common view or starting point removes the jumping between consoles and data pools to assure more timely and accurate responses 
Security functions automatically exchange and trigger actions  Some security functions need to be automated like detection or response  
Advanced functions—not noted in many XDR discussions  Why? 
Actionable intelligence on potentially relevant threats  Allow organizations to proactively harden their environment before the attack 
Rich context that includes threat intelligence and organizational impact insight  Organizations can prioritize their threat remediation efforts on major impact to the organization 
Security working together with minimal effort  Simply tie a range of security functions together to create a united front and optimize security investments 

 

Key Desired Outcomes 

The end game is better security operational efficiencies. This can be expressed in handy outcome check list perhaps helpful when assessing XDR solutions. 

Visibility  Control 
More accurate detection  More accurate prevention 
Adapt to changing technologies & infrastructure  Adapt to changing technologies & infrastructure 
Less blind spots  Less gaps 
Faster time to detect (or Mean Time to Detect-MTTD)  Faster time to remediate (or Mean Time to Respond-MTTR) 
Better views and searchability  Prioritized hardening across portfolio—not isolated efforts 
Faster & more accurate investigations (less false positive)   Orchestrate the control across the entire IT infrastructure 

 

A More Proactive Approach is Needed 

McAfee goes beyond the common XDR capabilities in the recently announced MVISION XDR and offers unmatched proactivity and prioritization producing smarter and better security outcomes. This means your SOC spends less time on error-prone reactive fire drills with weeks of investigation.  SOCs will respond and protect what counts a lot quicker. Imagine getting ahead of the adversary before they attack.  

Cyber Attack Lifecycle 

Solution or Approach?  

Is XDR a solution or product to be bought or an approach an organization’s must rally their security strategy to take?  Honestly it can be both.  Many vendors are announcing XDR products to buy or XDR capabilities An XDR approach will shift processes and likely to merge and encourage tighter coordination between different functions like SOC analysts, hunters, incident responders and IT administrators. 

Is XDR for everyone? 

It depends on the organizations’ current cybersecurity maturity and readiness to embrace the breadth and required processes to obtain the SOC efficiency benefits. With the promise to correlate data across the entire enterprise implies some of the mundane and manual efforts to make sense of data into a better and actionable understanding of a threat are removed.  Now this is good for organizations on both spectrums.  Less mature organizations who do not have resources or expertise and do not consume data intelligence to shift through will appreciate this correlation and investigation stepbut can they continue the pursuit of what does this mean to me. Medium to high mature cybersecurity organizations with expertise will not need to do the manual work to make sense of data. The difference with mature organizations comes with the next steps to further investigate and to decide on the remediation steps. Less mature organizations will not have the expertise to accomplish this. So, the real make a difference moment is for the more mature organization who can move more quickly to a response mode on the potential threat or threat in progress.  

Your XDR Journey 

If you are a medium to high mature cybersecurity organization, the question comes how and when. Most organizations using an Endpoint Detection and Response (EDR) solution are likely quite ready to embrace the XDR capabilities since their efforts are already investigating and resolving endpoint threatsIt’s time to expand this effort gaining better understanding of the adversary’s movement across the entire infrastructure.  If you are using McAfee MVISION EDR you are already using a solution with XDR capabilities since it digests SIEM data from McAfee ESM or Splunk (which means it goes beyond the endpoint, a key XDR requirement.)  

Hope this blog removed the jargon and fog around XDR and offers actionable considerations for your organization to boost their SOC efforts. Don’t miss the XDR session at our MPOWER conferenceEmbrace the X-factor: Where to Start Your XDR Journey. 

 

 

About the Author

Kathy Trahan

Senior Solution and Product Marketing Manager, Kathy Trahan has been in the cybersecurity industry for over 15 years working on network security, device security, threat intelligence, IOT security and cloud security with companies like Check Point Software, Cisco, Netapp, Trend Micro & Tripwire. She is responsible for content for McAfee’s management and collaboration story. She ...

Read more posts from Kathy Trahan

Categories: Endpoint Security

Subscribe to McAfee Securing Tomorrow Blogs