In any organization, the capacity to detect and respond to threats makes or breaks its overall security posture. Threat detection and response are responsible for identifying malicious elements within the network and stamping them out. According to the Cybersecurity Framework established by the National Institute of Standards and Technology (NIST), detection and response make up two of the five core functions: identify, protect, detect, respond, and recover.
A brief introduction to detection and response
Threat detection and response are typically built on endpoint detection and response (EDR), network detection and response (NDR), and security information and event management (SIEM) solutions. Each covers a different part of the detection and response process, but they are often stand-alone products that do not integrate with one another. The SIEM acts as a central repository into which log data from EDR, NDR, and other security tools is fed, aggregated, and correlated. Although SIEM, EDR, and NDR all benefit organizations, their efficacy is limited by the boundaries of their designs: EDR and NDR are point solutions that address only the endpoint or the network, while a SIEM is limited in the context it can derive from the logs it receives. Security teams therefore struggle to correlate data across these tools and end up doing much of that work manually, which takes time away from higher-order tasks. The result is sub-optimal detection and remediation times, usually measured as mean time to detect (MTTD) and mean time to respond (MTTR).
XDR combines the strengths of EDR, NDR, SIEM, and more
Extended detection and response (XDR) is an emerging security solution that consolidates functions of SIEM, EDR, and NDR into a single platform. It adds advanced analytics, user and entity behavior analytics (UEBA), and automation into the mix. By doing so, XDR promises to break down the aforementioned silos and improve on the capabilities of the three core components that comprise it.
Visibility like never before
One such improvement is the degree of visibility XDR could potentially give security teams into their organization and its users. Based on a survey conducted by Frost & Sullivan of C-level executives in the United States and Singapore, only 31% of C-level respondents in both countries said they had full visibility of their organization's IT environment. Unlike a traditional SIEM, which only collects log data, XDR can collect, normalize, and correlate more granular data from the network and endpoints, such as process and connection metadata. This is especially crucial as the number of endpoints has exploded over the years: in the same study, 62% of respondents currently manage more than 10,000 endpoints. Organizations can expect improvements in their detection and response capabilities as XDR's contextually enriched data exposes activity in their environment that previously went unseen.
Automation improves the efficiency of detection and response times
Another major aspect of XDR with regard to response actions is automation. XDR can automate various steps in the response workflow, reducing the need for constant human attention. This is especially crucial for organizations that must maintain the effectiveness of their responses during staffing shortages. According to the survey, 20% of large organizations in the United States and Singapore say their biggest cybersecurity challenge is a shortage of cybersecurity professionals to investigate and respond to events, and 63% outsource at least some of their security management.
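The "collect, normalize, correlate, then automate" pipeline described above is easier to reason about in code. The following is an added example, not code from the original article or from any XDR product: two constructed telemetry feeds (EDR process events and NDR flow records, both invented for illustration) are normalized into one schema, joined by host within a time window, and a correlated detection drives an automated response through a hypothetical `isolate` hook. Each feed alone yields only a low-context point alert; the correlated view is what the page credits XDR with.

```python
"""Toy cross-source correlation: EDR + NDR events -> one detection -> automated response.

Added example. All sample events below are constructed for illustration and do
not come from any real EDR/NDR product.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed EDR process telemetry (JSON lines).
EDR_EVENTS = [
    '{"ts": "2023-03-01T10:00:05Z", "host": "ws-17", "user": "jdoe", "proc": "powershell.exe", '
    '"cmdline": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", "parent": "winword.exe"}',
    '{"ts": "2023-03-01T10:04:00Z", "host": "ws-22", "user": "asmith", "proc": "chrome.exe", '
    '"cmdline": "chrome.exe", "parent": "explorer.exe"}',
]
# Constructed NDR flow telemetry (JSON lines).
NDR_EVENTS = [
    '{"ts": "2023-03-01T10:00:40Z", "src": "ws-17", "dst": "198.51.100.23", "dport": 443, "bytes_out": 1843000, "proto": "tls"}',
    '{"ts": "2023-03-01T10:05:10Z", "src": "ws-22", "dst": "203.0.113.9", "dport": 443, "bytes_out": 12000, "proto": "tls"}',
]


@dataclass
class Event:
    """Common schema every source is normalized into so they can be joined."""
    source: str      # "edr" or "ndr"
    ts: datetime
    host: str        # the join key across sources
    kind: str        # "process" or "flow"
    detail: dict     # the original record, kept for evidence


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize_edr(line: str) -> Event:
    r = json.loads(line)
    return Event("edr", parse_ts(r["ts"]), r["host"], "process", r)


def normalize_ndr(line: str) -> Event:
    r = json.loads(line)
    # NDR records name the endpoint as "src"; map it onto the shared "host" key.
    return Event("ndr", parse_ts(r["ts"]), r["src"], "flow", r)


# Point-solution rules: each looks at only its own data.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


def edr_suspicious(ev: Event) -> bool:
    """Office application spawning encoded PowerShell."""
    d = ev.detail
    return d["parent"].lower() in OFFICE_PARENTS and "-enc" in d["cmdline"].lower()


def ndr_suspicious(ev: Event, threshold: int = 1_000_000) -> bool:
    """Large outbound transfer from a workstation."""
    return ev.detail["bytes_out"] >= threshold


def correlate(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Raise a high-severity detection when a suspicious process on a host is
    followed within `window` by a suspicious outbound flow from the same host."""
    by_host: dict = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    detections = []
    for host, evs in by_host.items():
        procs = [e for e in evs if e.source == "edr" and edr_suspicious(e)]
        flows = [e for e in evs if e.source == "ndr" and ndr_suspicious(e)]
        for p in procs:
            for f in flows:
                if timedelta(0) <= f.ts - p.ts <= window:
                    detections.append({
                        "host": host,
                        "user": p.detail["user"],
                        "first_seen": p.ts,
                        "severity": "high",
                        "evidence": [p, f],
                    })
    return detections


def respond(detection: dict, isolate) -> list:
    """Automated playbook step. `isolate` is a hypothetical callable standing in
    for an EDR host-isolation API; returns the actions taken for the audit trail."""
    isolate(detection["host"])
    return [("isolate_host", detection["host"])]


def run(edr_lines=EDR_EVENTS, ndr_lines=NDR_EVENTS, isolate=lambda host: None):
    events = [normalize_edr(l) for l in edr_lines] + [normalize_ndr(l) for l in ndr_lines]
    detections = correlate(events)
    actions = [a for d in detections for a in respond(d, isolate)]
    return detections, actions


if __name__ == "__main__":
    dets, acts = run(isolate=lambda host: print(f"isolating {host}"))
    for d in dets:
        print(d["severity"], d["host"], d["user"], d["first_seen"].isoformat())
    print(acts)
```

The join key (`host`) and the time window are where most of the practical difficulty lives: real EDR and NDR feeds name the same machine differently (hostname, IP, agent ID), and without reliable normalization the correlation silently produces nothing, which looks identical to "no attack".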
Why XDR matters
XDR presents companies with an opportunity to revamp the way they approach threat detection and response. In short, its benefits to organizations can be summarized as:
- Unmatched visibility into the enterprise environment.
- Contextualization of data and enhanced decision-making.
- Automated responses and streamlined workflows.
Companies should already be thinking about how they will navigate the evolving enterprise and threat landscape and whether XDR could fit into those plans.
For more information on Frost & Sullivan’s research on XDR, please visit https://frost.ly/6e8