Not all threats originate from the endpoint. According to IBM’s 2023 Cost of a Data Breach Report, phishing and stolen or compromised credentials were the two most common initial attack vectors. XDR can be used to detect email threats, such as a compromised account sending an internal phishing email. Upon detection, XDR can scan the mailbox to identify other users who received the email so it can be quarantined or removed to prevent it from spreading.
Additionally, network detection and response (NDR) fills EDR’s blind spots. Real-time activity data collected about traffic flows and behavior, as well as perimeter and lateral connections, allows analysts to discover how threats are communicating and moving on the network. With this knowledge, security professionals can block hosts and URLs and disable Active Directory accounts to limit the scope of attacks.
Cloud workloads, servers, and containers are critical to business operations, so monitoring activity at this layer is essential to reducing critical incidents. XDR collects and correlates activity data such as user account activity, processes, commands executed, network connections, files created/accessed, and registry changes to tell the full story beyond alerts. This allows security teams to take a closer look at what happened within cloud workloads and how attacks propagated.
Operationalizing threat intelligence from XDR
According to ESG’s report on SOC modernization and the role of XDR, the top initiative for SOCs in 2022 is “improving threat intelligence operationalization.” In the face of increasingly sophisticated and successful cyber attacks, incorporating threat intelligence is an essential part of SOC functionality. The more we understand attacker tactics and objectives, the more resilient and accountable our organizations will be.
The MITRE ATT&CK framework is extremely useful for mapping specific attack campaigns, threat groups, and individual attack activities, but despite its widespread adoption, many organizations are still struggling to find ways to leverage this framework consistently.
From an XDR solution perspective, TTPs can be used to develop detection rules and models that allow threat intelligence to be injected directly into event investigations, uncovering the identity of specific attack campaigns and providing visibility into the entire campaign lifecycle.
TTPs can also be used to develop threat hunting baselines and provide a proactive view of identified TTPs in your environment, serving as a starting point for targeted investigations.
Finally, the MITRE ATT&CK framework can help you identify security gaps and prioritize activities to reduce risk and improve resilience.
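As an added illustration (not Trend's code or any product's detection logic), the toy below shows the idea behind the last three paragraphs: TTP-derived rules tag constructed email, endpoint and network events with MITRE ATT&CK technique IDs, correlate them per user across layers, rank the result by a simple risk score, and expose a hunting baseline for one technique. Rule weights, the cross-layer bonus and the sample events are all assumptions.

```python
"""Toy cross-layer correlation with ATT&CK tagging (added example, not a product's logic)."""
from collections import defaultdict

# Constructed sample telemetry from three sensor layers (email, endpoint, network).
EVENTS = [
    {"layer": "email", "user": "alice", "internal": True, "recipients": 40},
    {"layer": "endpoint", "user": "alice", "cmd": "powershell -enc <constructed>"},
    {"layer": "network", "user": "alice", "lateral": True, "dst_port": 445},
    {"layer": "email", "user": "bob", "internal": True, "recipients": 2},
]

# Detection rules derived from TTPs: (predicate, ATT&CK technique, tactic, assumed weight).
RULES = [
    (lambda e: e["layer"] == "email" and e["internal"] and e["recipients"] >= 20,
     "T1534", "Lateral Movement: Internal Spearphishing", 40),
    (lambda e: e["layer"] == "endpoint" and "-enc" in e.get("cmd", ""),
     "T1059.001", "Execution: PowerShell", 30),
    (lambda e: e["layer"] == "network" and e.get("lateral") and e.get("dst_port") == 445,
     "T1021.002", "Lateral Movement: SMB/Windows Admin Shares", 30),
]


def correlate(events):
    """Group rule hits per user, add a cross-layer bonus, return incidents by risk score."""
    incidents = defaultdict(lambda: {"techniques": set(), "layers": set(), "score": 0})
    for event in events:
        for matches, technique, _tactic, weight in RULES:
            if matches(event):
                inc = incidents[event["user"]]
                inc["techniques"].add(technique)
                inc["layers"].add(event["layer"])
                inc["score"] += weight
    out = []
    for user, inc in incidents.items():
        # Corroboration from two or more sensor layers raises priority (assumed +20).
        if len(inc["layers"]) >= 2:
            inc["score"] += 20
        out.append({"user": user, "score": inc["score"],
                    "techniques": sorted(inc["techniques"]), "layers": sorted(inc["layers"])})
    return sorted(out, key=lambda i: i["score"], reverse=True)


def hunting_baseline(events, technique):
    """Proactive view: which users already exhibit a given technique in the telemetry."""
    return sorted({e["user"] for e in events
                   for matches, tid, _t, _w in RULES if tid == technique and matches(e)})


if __name__ == "__main__":
    for incident in correlate(EVENTS):
        print(incident)
    print("T1534 baseline:", hunting_baseline(EVENTS, "T1534"))
```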
Key Considerations for XDR
While sensor coverage is important, there are many other things to consider when selecting an XDR vendor to ensure you have the best threat detection and response capabilities. Ask yourself the following questions:
1. Is your product API friendly? Some vendors don’t integrate their APIs with SIEMs or SOARs. The more integrated your XDR is, the greater your ability to automate and orchestrate tasks, enabling workflows across your ecosystem. And vendors that offer XDR solutions that integrate into their cybersecurity platforms provide security professionals with a much-needed single-pane-of-glass view across the entire attack surface.
2. Does the product provide end-to-end visibility into an attack? Some XDR solutions may only provide a snapshot of an attack. Security teams need visibility into managed and unmanaged assets and encrypted network traffic to understand where an attack originated and how it spreads. Extending network telemetry and correlating with network events via NDR allows teams to establish the complete attack chain and improve their security posture.
3. What about the user experience? Finding (and retaining) skilled staff remains a challenge. Avoid security solutions with steep learning curves and poor support. Vendors who want you to succeed, not just sell you a product, will build in in-app tutorials, online help centers, and even direct feedback loops and feature requests.
4. Are they forward-thinking? Make sure the vendor is committed to improving their product to not only address the evolving threat landscape, but also to making it easier for your team to do so. Does the vendor have a strong strategy for using AI to significantly reduce the burden on your security team? Don’t be afraid to ask the tough questions to make sure it’s not a false ploy. Bonus points go to vendors who have a strategy for safeguarding the use of AI tools in your organization.
5. Are the alerts actionable? As mentioned earlier, traditional SIEMs spit out a ton of alerts, and they’re often useless. To make them work, you have to do a lot of detection engineering. A proper XDR solution should provide actionable alerts with out-of-the-box cross-layer correlation and detection models. It should also prioritize alerts based on risk score and impact severity to speed up response times.
6. What is the pricing structure? Look for a vendor that offers a pricing model that fits your changing business trends. Most vendors charge by bundle or seat-based subscription, which means you end up paying for unused sensors if an employee leaves or is fired. Consider more flexible licensing options that let you adjust allocations on demand, eliminating fixed costs and losses from underutilized licenses.
7. Do you offer managed services? Staffing shortages and budget constraints can hinder your threat detection and response efforts. Vendors who can provide managed services to your existing teams that provide specialized threat hunting, 24/7 monitoring and detection, and rapid investigation and mitigation are invaluable. You can gain expertise and capabilities while relieving overworked teams to work on higher priority programs.
8. Has your product received positive reviews from industry analysts? Everyone wants to say they’re number one, so be sure to check trusted industry analyst reports to verify vendor claims. We’re not afraid to advertise, but see how Trend ranks in the industry:
Board to board with XDR
Statistics show that cybersecurity spending continues to rise, but there’s no guarantee that budgets will grow accordingly. Getting approval for cybersecurity investments can be difficult, so it’s important to be clear about the benefits of XDR from a financial and risk perspective. Here are some things to consider when making the case for XDR:
Investing in security solutions = investing in your business. According to IBM’s “Cost of a Data Breach 2022,” organizations using XDR reduced breach costs by approximately 10% on average and shortened the breach lifecycle by 29 days. Reduced downtime and financial impact are good news for executives.
Reduced cyber insurance premiums. Underwriters want EDR, but demonstrating that you’re leveraging XDR beyond the endpoint to mitigate cyber risk can help lower high cyber premiums.
Next steps
To learn more about XDR and cyber risk management, check out our next series or click here to read Trend Vision One™ – How XDR Leaves Attackers Nowhere to Hide.