Making the Case for Extended Detection and Response (XDR) for Cybersecurity and IT Operations

Within the past two years, threat actors have leveraged more sophisticated tools to deploy cyberattacks on organizations globally. In addition, the recent shift to work-from-home has driven cybersecurity analysts to the brink of burnout and challenged how cybersecurity teams operate. As a result, cybersecurity and IT teams are responsible for protecting their organization’s expanding IT environment, but this task is much easier said than done.

Extended Detection and Response (XDR) exists at the nexus of several cybersecurity domains, including SOAR/SIEM, detection and response, Security Operations (SecOps), IT operations, and vulnerability management, and helps address many of the challenges and shortcomings of the traditionally siloed approaches. However, the “XDR” label is new, resulting in quite a bit of confusion in the cybersecurity marketplace.

To help bring some clarity to the subject, Dustin Hillard, eSentire’s Chief Technology Officer, recently served as a panelist on the Detection and Response for Security Operations: Extended, Managed, Evolved? panel at 451Nexus to discuss the adoption and key aspects of XDR and Managed Detection and Response (MDR).

The discussion brought forth multiple unique perspectives on the subject that were entirely complementary:

• Visibility into all the assets that make up an organization’s IT environment
• The need to address complexity of the cybersecurity market given that IT teams are already overloaded with tools and technologies, and are not particularly excited about introducing yet another cybersecurity solution
• The importance of threat detection in seconds and containment within minutes is essential for managing business risk and the right XDR solution enables these outcomes

All three perspectives are correct, and this is why XDR is seen as a giant leap in cybersecurity: it simultaneously addresses a number of problems that have plagued cybersecurity practitioners for years.

XDR provides visibility across your cyber threat surface

Today’s IT environments are expansive and diverse:

• Hybrid—a mix of on-premises applications and cloud workloads/services/applications—is becoming the norm
• The mix of devices has never been greater, with bring-your-own-device (BYOD) and the Internet of Things (IoT) added into the mix
• Widespread adoption of remote work models have introduced new complexities within cybersecurity
• The lines between information technology (IT), operational technology (OT) and platform technology (PT) are blurring

The result is a threat surface broad enough and complex enough to keep any CISO up at night. So how does XDR help?

By aggregating multi-signal telemetry across the cybersecurity stack, including endpoint, network, log, insider, cloud, and email signals, XDR provides more actionable visibility into the threat surface than any siloed solution. This visibility can also be used to proactively inform vulnerability management programs by highlighting cyber risks and helping to prioritize patching and other risk management strategies.

If an XDR platform has visibility into more than one customer environment, then the proactivity extends even further, because observations and experiences from one organization can be applied across other organizations as well by way of Security Network Effects.

The ultimate result is a detailed view of your own cyber threat surface, augmented by visibility into the cyber threats seen elsewhere that may potentially impact your organization in the future.

XDR simplifies a complex domain

Cybersecurity is a complex domain, and it’s only become more complicated in recent years. With the introduction of new tools and technologies, there is too much noise for IT cybersecurity teams to deal with.

The 451 Research team explained that there have been two approaches to cybersecurity analytics traditionally:

• Tooling-centric, characterized by having a long list of separate tools (e.g., endpoint security, network security, content security, etc.) with their own specific purpose, and
• SIEM-centric, built on the premise that centralizing telemetry within a SIEM represented most of the work needed to secure an environment

However, the shortcomings of these approaches have become readily apparent in recent years. One of the largest drawbacks for many organizations is the realization that both approaches increased complexity: more agents, more alerts, more data crunching, more specialty skills needed, and so on.

According to Dustin, the most frequent questions from potential customers relate to managing complexity and delivering cybersecurity outcomes:

• How do I consolidate my signals in one place and make sure we can get the outcomes we need?
• What breadth of coverage do you provide?
• How do you see threat signals within the noise of everyday activity?
• How do you turn all of that into an effective response?
• What does that response look like and how is it executed?

The answer to these questions is XDR, since it easily integrates multiple telemetry sources, infuses domain and local knowledge into the integration, minimizes (or eliminates altogether) the big data analysis problem, and optimizes cybersecurity workflows. Additionally, it more cost-effective in the long run.

Unlike the traditional approaches, both of which are known to create more work for IT and security teams, XDR reduces complexity and operational needs by equipping cybersecurity analysts and IT professionals with the clear insights they need to direct their efforts in the most effective and efficient ways.

XDR enables fast, effective responses to cybersecurity threats

None of the visibility or simplicity matters if the end result—managing business risk—isn’t achieved. XDR is especially beneficial in this regard–just as the XDR platform can pull in telemetry from multiple data signals, it can enable the strong response capabilities of MDR to contain and remediate threats.

Although not every response action can be automated, the right XDR platform will include integrations that allow cybersecurity analysts to manually act to contain cyber threats.

Similarly, it will enable SOC Analysts and Threat Hunters to deeply explore the environment, gather threat intelligence, assess the scope of an incident, track down backdoors, beacons and other persistence mechanisms, and determine the root cause of an intrusion—thereby ensuring cybercriminals can be conclusively kicked out.

XDR: The Secret to Highly Effective MDR Services

Organizations need to prioritize threat containment and rapid response capabilities via 24/7 cyber threat detection, investigation, and response. As a result, a growing number of organizations are engaging MDR providers to help them meet their cybersecurity needs. XDR serves as the technology foundation that makes highly effective MDR service possible by enhancing the operational effectiveness and making it easier to find and remediate cyber threats at speed.

Download our latest e-book, XDR: The Secret to Highly Effective MDR Services, to learn more about XDR and how it works, why MDR and XDR work better together to deliver seamless results, and what to look for in your next MDR provider.

To learn more about how eSentire can help your organization eliminate noise, enable real-time detection and response, and automatically block known and unknown cyber threats with the eSentire Atlas XDR Platform, book a meeting with a cybersecurity specialist today.