Security operations (SecOps) leaders have the critical mission of identifying and resolving potential threats – and they need better agility and performance to do it. Over the past several months, Extended Detection and Response (XDR) has emerged as the latest buzzword in the cyber-lexicon. Gartner recently named XDR capabilities as the number one security trend for this year, stating that XDR solutions will “increase detection accuracy and improve security operations efficiency and productivity.” ESG Research defined the process as "a method for bringing controls together to improve security telemetry collection, correlation, contextualization, and analytics.”
XDR is designed to normalize multiple security telemetries, including endpoint, network, and threat intelligence sensors. The goal is to provide extended visibility between various data sources to accelerate detection and response and reduce security engineering headaches that plague SecOps teams today. But not all solutions are created equal; a vendor-agnostic approach meets the goal of XDR in the way it was intended to work.
Why add XDR to security operations
The majority of enterprises deploy best-of-breed network, endpoint, and threat intelligence solutions into the sensor grid as needed. Integration is difficult – nearly impossible – resulting in data siloes and limited visibility and detection to the individual tools instead of the entire environment.
The good news is that XDR solutions are emerging to remedy the situation. The bad news is that many XDR tools are single-vendor security controls, requiring a rip-and-replace of existing solutions. This approach can be expensive and time-consuming – and such a one-size-fits-all model doesn't work for security operations centers that use the best cybersecurity products for specialized functions.
Evaluating a vendor-agnostic approach
There are three qualities of a vendor-agnostic XDR solution that makes it attractive:
Intelligent: Think about a criminal investigation with many disparate pieces of evidence. A detective’s job is to figure out the relevant connections and determine the real threat. This is how a vendor-agnostic XDR works. It correlates huge amounts of rapid-fire data while automating three key elements: determining if events are malicious and actionable, grouping events that are related, and establishing a priority based on the severity and impact of the potential incident. XDR does all this with consistency, depth, and speed. It connects the dots and only presents results that matter to cyber-investigations.
Open: Security organizations are free to choose best-of-breed technologies while still enjoying improved detection and response. This freedom enables companies to keep their current solutions, then add a new layer to make sure their data is appropriately examined and correlated.
Simple: You don’t have to program the XDR with expert knowledge; it is already built-in. It shouldn’t require ongoing security engineering and maintenance, and it should be cloud-delivered. That’s what a modern platform should do for security operations. Choosing a solution that is built to integrate with SOAR, SIEM, threat intelligence, and EDR products on the market makes adding this layer even easier.
How to get immediate value
As it is designed to work with the tools you already have in play, a vendor-agnostic system can be up and running in a matter of hours, not days or months. Employing a vendor-agnostic solution will allow you to quickly make two key adjustments to a SOC.
First, you will be able to turn the volume up. Each security control produces a signal, which also produces a lot of noise. A vendor-agnostic XDR solution will algorithmically pull the signal out of the noise. What people have traditionally done is to tune their sensors way down. By turning up the volume, your best-of-breed tech can sing to its full potential. You’re getting more value from your sensors and from your detection and response program. With an XDR, there is no increased cost to examine more data.
Second, you will be able to transition your human resources to focus on more complex problems. Now, a machine is taking away the burden of “eyes on glass,” allowing humans to do what they do best: use their curiosity, their creativity, and their collaboration skills.
An integrated solution
The more you know about the threats you face, the better your chances of keeping your name out of the headlines. Time matters. XDR unifies data to truly detect threats in real-time and respond to them. That means less time staring at consoles, no time spent editing and maintaining playbooks, and more time investigating. Adding an open, intelligent, and simple layer that will increase your monitoring capabilities and will work with the solutions you already know and love – and allow you to easily integrate new ones – can be of huge benefit. Just be careful to vet your options, as some XDR solutions require vendor lock-in, which creates its own set of problems.
Mike Armistead is CEO and co-founder of Respond Software.