Ask the Expert: What is XDR and how is it changing cloud security?

The security industry has been witness to many technological revolutions over the past decades.

Notable recent milestones were the introduction of the web application firewall (WAF), user and event behavioral analytics (UEBA), next-generation antivirus (NGAV), and endpoint detection and response (EDR).

While each of these, and many other technology innovations, helped security teams protect better against emerging threats, they also made the security stack cumbersome and complex to operate, with a multitude of security tools managed by separate teams, data locked away in separate silos, and no way to assemble a complete picture of threats facing the organization.

eXtended Detection and Response (XDR) is a new technology that, instead of adding one more tool, aims to change this security landscape and enable more effective operation of the security stack.

What problem does XDR solve?

Historically, endpoints have been a preferred entry point for attackers. But the definition of “endpoint” has become much broader in recent years, with the advent of containers, IoT devices, mobile devices, and many other types of connected systems. 

Attackers target other layers of the IT environment as well—the corporate network, email servers, cloud systems—and may jump between layers, or hide in the interface between them, avoiding detection. 

In addition to these security challenges, modern security teams are facing operational challenges. According to Gartner, the two main challenges are:

• Hiring and retaining security staff
• Building a security toolset that enables effective detection and response of security threats

These two problems are in conflict, because the more tools an organization adopts, the more difficult it is to find and train relevant staff. Most SOCs are facing a severe shortage of skilled analysts.

XDR kills two birds with one stone, helping resolve both security and operational challenges. It is a security solution that:

• Pulls together data from all layers of the security environment—endpoints, network, email, cloud systems, and more
• Provides one interface for security personnel to learn and manage
• Automates triage and investigation to save time for security analysts
• Reduces cost of ownership of the entire security stack

How does XDR differ from SIEM?

Security information and event management (SIEM) are a key element of the modern security operations center (SOC). Log data is pulled from dozens or hundreds of security tools and correlated to generate meaningful alerts.

On the face of it, this sounds similar to XDR. SIEM pulls together data from the entire environment and provides one interface for security analysts. 

However, the downside to SIEM is that it only provides a summarized view of security data. It gathers information from various systems, but applies the lowest common denominator, resulting in a very low level of detail.

SIEM cannot request additional information from security tools to further investigate a specific incident. In addition, SIEM’s has a limited ability to process new types of security data from tools like endpoint detection and response (EDR) and endpoint protection platforms (EPP).

Most importantly, traditional SIEMs don’t have built-in response capabilities. SIEm is a detection tool that can identify security incidents, but cannot contain or eradicate threats.

XDR can complement existing SIEMs and add some of its missing features:

• Interact with security tools, not only to retrieve data about an incident, but also to activate defensive measures in order to deal with that incident.
• Offer a unified view of data drawn from multiple security layers, in addition to the shallow data provided by SIEM
• Enable querying and manipulation of in-depth data from security tools, such as cloud system entitlements or endpoint configuration data
• Store everything in a central data lake that holds all the raw data from the integrated security systems, as well as the aggregate data from the SIEM
• Use advanced machine learning and AI capabilities to improve alert quality and merge data in new ways to create complete attack stories

How does XDR relate to AWS and other CSPs?

Organizations running workloads on a public cloud like AWS are facing numerous security risks, including misconfiguration, unauthorized access over public networks, unsecured APIs, and a magnified risk of insider threats.

XDR can help in three ways: 

• Securing identity management—XDR can monitor human users and service roles, collecting data from multiple cloud systems, on Amazon and other cloud providers. XDR identifies anomalous activity on privileged accounts and alerts security teams.
• Cloud log analysis—workloads on Amazon and other cloud providers generate large volumes of logs, which are difficult to manually analyze. XDR can process this data and apply artificial intelligence techniques to identify security risks.
• Analyzing network flows—the complexity of cloud networking on a public cloud like AWS makes it difficult to monitor and identify threats. Often, the best analysts can do is monitor NetFlow for specific cloud machines. XDR can go beyond this, looking at network traffic holistically across the entire cloud environment. XDR can identify network security incidents, and automatically respond, using network APIs to isolate infected systems.
  

Key features of XDR

Now that we understand the difference between XDR and the more familiar SIEM, let’s look at some of the key capabilities of XDR platforms:

• Unified analyst interface—XDR provides a common management workflow across the entire organization’s security infrastructure. Analysts can view attack stories and investigate incidents across all security silos in one place. This reduces training requirements and allows Tier 1 analysts to investigate complex incidents, without escalating them to overworked Tier 2 and 3 analysts.
• Unified visibility—XDR provides security visibility across the network, endpoints, cloud infrastructure, mobile devices, and any other part of the IT environment. This allows security analysts to gain context about potential security incidents without needing to learn and use other platforms or coordinate with other teams.
• Unified management—security teams have one centralized location to manage security configurations and policies across the entire IT environment.
• Integrated platform—XDR provides off-the-shelf, integrated, pre-tuned detection mechanisms for many types of security data. Once integrated with existing security tools, it immediately starts delivering value, without requiring complex training and on-boarding of security staff.
• Faster detection and response—XDR allows analysts to identify a threat, investigate it, and respond, all in a short period of time and from one interface. This can allow organizations to dramatically shorten response time.

A focus on response

A key element of the XDR promise is faster, more automated responses to security incidents. XDR can automatically identify incidents based on one of the following triggers:

• AI-driven analytics—XDR continuously collects data from across the security environment, and can identify anomalous behavior or multiple events that, when combined, have security significance.
• Human-led analysis—security analysts can use XDR-provided data to identify additional security incidents, and gives analysts the opportunity to record their discoveries as part of the attack story.

Once an incident is identified, either human analysts or AI determine the appropriate steps to take next. This may include automated responses, or collaboration with other security staff or other parts of the organization—for example, operations or development. 

Responses can include:

• Alerting—XDR can integrate with alerting tools to involve additional parts of the organization in a newly-discovered security alert. Beyond IT and security staff, an incident may require bringing in senior management, legal teams, or others. XDR can help determine the escalation chain for each type of incident.
• Configuration changes—XDR can integrate with firewalls, EDR, intrusion detection systems (IDS), and other tools to change access and perform network segmentation to immediately contain the threat.
• Remediation—by integrating with EDR and cloud systems, XDR can automatically fix serious security vulnerabilities, for example by wiping and reimaging an endpoint, or shutting down a vulnerable cloud VM.

Threat hunting with XDR

Another impact XDR will have on the security environment is promoting and enabling threat hunting. Threat hunting is a network security practice that involves actively searching networks, data assets, and infrastructure for advanced threats that have bypassed existing defensive measures.

XDR always assumes that the environment has been breached, and threats exist within the environment. With traditional event correlation and aggregation solutions, it is extremely difficult to identify such threats. XDR can do this much more effectively. 

XDR solutions can collect data more comprehensively, and analyze it more deeply, on behalf of an analyst conducting threat hunting. This includes deep analysis of log files, access requests, application events and endpoint-related events. 

XDR facilitates threat hunting by checking three types of inputs.

• Machine learning analytics—assigns risk scores to anomalous events and uses them to determine whether high-risk patterns are occurring.
• Situational data—analyzing unusual behavior of high-value objects, such as data, IT systems or employees.
• Threat intelligence—connecting threat patterns, threat intelligence, malware signatures, and identified vulnerabilities information to draw conclusions.

Based on these inputs, XDR solutions can help analysts find targets for threat hunting faster and more effectively than ever before. 

However, XDR is not enough for successful threat hunting. It must be supported by other security tools and organizational practices:

• Risk assessment, intrusion detection and other defensive tools are up to date and can be used normally. Failure of these systems puts the first line of defense at risk, and also brings into question the data they collect. Remember that XDR relies on the organization’s existing security tooling.
• It must be possible to reliably associate sources using user accounts and host names. For example, constantly changing IP addresses due to DHCP can throw off results. You need to trust the raw data, and a properly functioning infrastructure is a prerequisite.
• Sensitive assets, accounts and datasets should be identified and watched closely—when, how, and by whom they are used.
• Business risks must be identified and assessed. Security teams need to understand what are the biggest risks affecting the environment and what are the real-world consequences of a breach.
• Critical information such as network maps, business process descriptions and asset inventories must be available to security teams. Otherwise, analysts may not fully understand how a threat originated and how to eradicate it.
• The workflow for responding to threats—for example, asset isolation or firewall configuration—must itself be secured, so that attackers cannot use it against the organization.

Considerations for evaluating XDR solutions

Now that we have covered the significant value XDR can have for a security organization, let’s review some key considerations when evaluating and selecting an XDR platform:

• Integration complexity—integration of an XDR solution with an existing security solution can be complex, which can increase the total cost of ownership. The cost of maintaining these integrations is also high, because integrations need to be tested and fine-tuned each time a security tool is upgraded, or a new tool is added.
• Automation level—some XDR solutions are not fully automated. Evaluate if the solution of choice provides only basic incident response functions, without fully utilizing AI to apply advanced analytics to security data. 
• Operational complexity—the main benefit of XDR is to increase productivity, so if an XDR solution is complex to use, it will affect your return on investment. Evaluate how the XDR solution aligns with your team’s current skillset.
• Cohesive solution—XDR should be a true integrated platform. Some vendors take a variety of existing tools, package them together and label them “XDR”. This can reduce the effectiveness of the XDR solution, because it is based on the premise of one holistic platform that provides all-in-one detection and response.
• Cost—XDR technology is a new technology and requires a new operating model. To reduce risk and enable on-boarding of the technology in stages, prefer a tool that does not require a major upfront investment. Some XDR solutions provide subscription-based pricing models that support gradual adoption.

I hope this will be valuable in helping your organization consider how XDR can help create a more effective, cohesive and responsive security environment.

About the author

Eyal Gruner is Co-Founder and CEO of Cynet. He is also Co-Founder and former CEO of BugSec, Israel’s leading cyber consultancy, and Versafe, acquired by F5 Networks. Gruner began his career at age 15 by hacking into his bank’s atm to show the weakness of their security, and has been recognized in Google’s security Hall of Fame.