
XDR: Demystifying the Hottest Cybersecurity Buzzword


Extended detection and response (XDR) has transpired into a market description that, in my not so humble opinion, proves to be as troublesome as the phrases “next gen” or “machine learning” were from 2016 to 2020.

I’ll quote myself from my time at Gartner:

“The phrase does more to confuse clients and end-users than it does to describe anything useful. It takes longer to try and understand what people are looking for when they say ‘Next-gen XDR’, and more often than not it does not mean what anyone thinks it means.”

Naming aside, the one thing that all InfoSec commentators agree on is that XDR is an evolution of the endpoint-centric approach pioneered by legacy security vendors.


What Does XDR Bring that EDR Does Not? Has the Threat Landscape Changed?

The main objective of adversaries remains owning the endpoint and/or acquiring credentials that grant them access to business-critical data that they can monetise in some way. Usually this is done through ransom demands, but increasingly it occurs through the threat of extortion. So, if the endpoint and the credentials are still the target, you are probably wondering: why XDR?

Are XDR detections more accurate than EDR? Does XDR lead to faster response than EDR?

The answer to both is, “Not necessarily, and definitely not easily.”

As with all things in cybersecurity, there is no one-size-fits-all solution, and this is no “easy button” approach that will solve all your security woes. However, when implemented as part of a modern security operations framework, XDR can bring broader coverage, better context, and boosted confidence, meaning security analysts using the tool can make faster and more accurate decisions in security investigations.

One of the primary benefits that the X in XDR hopes to bring to EDR is that security visibility and control remain constant when applications are moved to the cloud. With the endpoint becoming more akin to a terminal connecting to a mainframe (again), a managed client approach to security will eventually fail. Often, high-confidence detections can be made without any endpoint data whatsoever, for example using telemetry from a business application such as Microsoft Exchange and an identity provider like Duo or Active Directory.

Another benefit, of course, is the additional data and added security context. This extra telemetry brings more fidelity and confidence to detection engineering, helps to suppress false positives and known-good behaviour, and drastically increases the scope and depth of incident response guidance.

While the consensus is that the greatest benefit is derived from writing detections against the correlated security event data from endpoint, CASB, identity, network, and application sources, you still need to ask yourself a question:

In an EDR/XDR world, will your organisation have the people with the skills and the experience to use the data sources effectively?

“In the past, adding more tools to detect the new threats has been the approach for many. If you don’t have a detect signal for the attack you are concerned about, buy a new tool. This is not sustainable, and even today many clients complain of tool overload, vendor management challenges and integration complexities.” – Eric Ahlm and Jon Amato, Gartner, 11/3/21

“XDR is not a straightforward convergence of product categories. It’s a convergence of capabilities and components that span multiple products,” says Gartner in its November 2021 XDR research. This aligns with our view that XDR capabilities can provide the basic building blocks of a modern security operations center (SOC):

1. A cloud-based platform that ingests, normalises, correlates, and enriches security-relevant events from any data or log source.

2. The analytical capability to derive high-confidence detections across any integrated control point or infrastructure: endpoint, cloud, application, and identity.

3. The ability to perform containment and response capabilities in real time and at scale.
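To make the first two building blocks concrete, here is an added example (not Arctic Wolf's code) of a detection written against correlated, non-endpoint telemetry, in the spirit of the Exchange-plus-identity-provider case above: records from an identity-provider log and a mailbox audit log are normalised into one schema, enriched with a per-user country baseline to suppress known-good activity, and correlated by user within a time window. All records, field names and the baseline are constructed and simplified; they are not real Duo or Exchange schemas.

```python
from datetime import datetime, timedelta, timezone

# Constructed, simplified records (not real Duo or Exchange schemas).
IDP_EVENTS = [  # identity provider: authentication outcomes
    {"ts": "2021-11-03T08:01:10Z", "user": "alice", "result": "success", "country": "GB"},
    {"ts": "2021-11-03T08:14:22Z", "user": "bob", "result": "success", "country": "NG"},
    {"ts": "2021-11-03T09:40:00Z", "user": "carol", "result": "failure", "country": "NG"},
]
MAILBOX_EVENTS = [  # business application: mailbox audit operations
    {"ts": "2021-11-03T08:03:00Z", "user": "alice", "op": "MailItemsAccessed"},
    {"ts": "2021-11-03T08:20:45Z", "user": "bob", "op": "New-InboxRule"},
    {"ts": "2021-11-03T09:41:10Z", "user": "carol", "op": "New-InboxRule"},
]
# Enrichment context (constructed): countries each user normally authenticates from.
KNOWN_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}}


def normalise(record, source, action_field):
    """Map a source-specific record onto one common schema (building block 1)."""
    ts = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": record["user"], "source": source,
            "action": record[action_field], "raw": record}


def detect_mailbox_takeover(idp, mailbox, window=timedelta(minutes=15)):
    """Cross-source detection (building block 2): a successful login from a country
    outside the user's baseline, followed within `window` by a new inbox rule for
    the same user. Logins from baseline countries are suppressed as known-good."""
    events = ([normalise(r, "idp", "result") for r in idp]
              + [normalise(r, "mailbox", "op") for r in mailbox])
    events.sort(key=lambda e: e["ts"])
    detections = []
    for login in (e for e in events if e["source"] == "idp" and e["action"] == "success"):
        country = login["raw"]["country"]
        if country in KNOWN_COUNTRIES.get(login["user"], set()):
            continue  # enrichment says this location is normal for the user
        for follow in events:
            if (follow["source"] == "mailbox" and follow["user"] == login["user"]
                    and follow["action"] == "New-InboxRule"
                    and login["ts"] <= follow["ts"] <= login["ts"] + window):
                detections.append({"user": login["user"], "country": country,
                                   "login_ts": login["ts"].isoformat(),
                                   "rule_ts": follow["ts"].isoformat(),
                                   "confidence": "high"})
    return detections


if __name__ == "__main__":
    for d in detect_mailbox_takeover(IDP_EVENTS, MAILBOX_EVENTS):
        print(d)
```

Running it yields a single high-confidence detection for bob; alice is suppressed by the baseline and carol never authenticated successfully, so neither produces noise.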

How Does Arctic Wolf’s Security Operations Cloud Instrument XDR?


Our customers already speak to the benefits of XDR because those same principles are the core of our platform. It’s been almost a decade since the Arctic Wolf platform was developed to remove the complexity involved in integrating and operating the myriad security tools that organisations use. This vision began with a vendor-agnostic approach to security.

With Arctic Wolf, customers are never locked in to one set of products or one single vendor ecosystem, and they aren’t forced to rip and replace existing products to get the full value of the Security Operations Cloud.

Our universal data pipeline ingests security-relevant data from vendors and products spanning endpoint EDR/AV, Active Directory, authentication, first- and third-party network devices, IDS/IPS, email security, VPN, and UTM. In fact, almost any security source that can ship to syslog is a candidate for ingestion into our platform.

We pull telemetry from AWS and Azure infrastructure, from Microsoft 365 applications, Cisco’s Umbrella DNS service, Salesforce, Box, and more. The list of telemetry sources goes on and on.

The Enterprise Dream: Automated Security Analytics and Detection Engineering

By centralising additional security telemetry and visibility, as well as automating the analytics and detection pipeline, our customers’ IT and security teams are presented with intelligence, automated investigations, and easy-to-action response and recovery guidance for everything that matters.

[Figure: the Arctic Wolf platform pipeline: Telemetry, Ingest, Parse, Enrich, Analysis]

Automated analytics and analysis capabilities are how we can highlight suspicious and anomalous behaviours at unprecedented scale, while holding true to the no one-size-fits-all philosophy. Arctic Wolf threat research and detection engineering teams use crowdsourced data to build the protection and detection technologies that allow us to deliver our unique personalised protection for each of our customers.

Organisations are no longer forced to continually ramp up investments in SIEM storage subscriptions. They avoid the “security by chance” approach of hoping they have enough coverage in the logs they can afford to consume, and now enjoy the luxury of security choice, and can determine which avenues of cybersecurity they wish to own for themselves.

Tweet from hackerxbella: “A huge point of XDR I unearthed in the Wave is that practitioners using XDR DIDN’T have to write their own detections. That was one of the main things they were pleased about with it.”

We combine platform capabilities in the cloud with human triage and SOC teams who take trillions of weekly observations before turning them into stories and investigations worth following. This is where many of the legacy endpoint-focused vendors stop and wash their hands of further responsibility for your organisation’s security posture.

Concierge: Finally, the Answer to the Decade-Old Industry Promise of “an Extension of Your Security Team”

The past ten years of overinflated AI and ML claims have shown that to deliver a highly effective security program, you need experienced people with hands on keyboards to make good use of technology: essentially analyst augmentation, not analyst replacement.

From the very first iteration of Arctic Wolf’s Security Operations Cloud, we knew that to scale and operate as effectively as threat actors and adversaries, we had to layer in the best human analysts using the best technology, who could properly validate alerts, suppress noise, and remove false positives.

While an EDR/XDR vendor’s ability to assist your security posture generally stops once their tool is ready for you to install, Gartner analysts agree with us that XDR is only one part of security operations.

Peter Firstbrook tweet: “Agree here. It is possible that better detection accuracy will be a result but very hard to prove. SOC operational efficiency will be a more demonstrable benefit.”

Our concierge approach to orchestration, escalation, and response makes ambiguity and alert fatigue a remnant of the past. Our customers are assigned a dedicated team of analysts who are responsible for investigating and triaging all incidents and activities that look suspicious. This ensures that everything our customers’ security teams work on is meaningful and comes complete with full remediation guidance and support.

Tools alone aren’t the answer. There’s no escaping the need for humans in security, and the already well-documented “skills gap” or “talent shortage” means that a security tool like XDR is unlikely to bring the success and security it promises unless it is paired with a dedicated, human-driven security analyst model.

Unfortunately, there’s been an uptick in endpoint vendors delivering incomplete managed alerting services. For most organisations, hiring the best humans and buying, deploying, and using the best technology is a stretch too far and involves tradeoffs that lead to “security by chance.” As a result, XDR tools alone do not come close to matching the vendor-agnostic SOC model delivered by Arctic Wolf’s well-established, human-driven, concierge security methodology.

Modern Security Operations are Essential Today

When Arctic Wolf unveiled its platform and product vision to customers almost a decade ago, the term EDR didn’t even exist, let alone XDR. As it turns out, our focus on security outcomes then led to early design decisions that solve real-world problems today, like alert fatigue, that are the bane of every IT and security organisation.

The underlying unification of technology and telemetry is what we’ve believed in and built since our inception, and our vendor-agnostic approach delivers the best of all types: it can be described as an open XDR architecture.

As a security leader in today’s climate, your time is best spent getting the best out of the tools and the people you have. Alas, too many organisations spend their time thinking and worrying about buzzwords, or wondering if they should move from vendor A to vendor B.

Modern security operations is a human-driven overlay that uses XDR-like outcomes to unify your existing security technologies, no matter which vendor, platform, or location. Arctic Wolf has led the charge to combine the open XDR approach that underpins our Security Operations Cloud with a human-driven triage and concierge security practice. It’s how we are able to deliver the security outcomes that are right for your organisation, for every step of your security journey.
