I just had an article published in Solutions Review that outlines a major challenge for SOCs trying to implement response: slow onboarding.
By “slow” I mean that organizations buy security response tools but spend literally months of time and effort trying to onboard them, not always successfully. According to a poll we did with SecurityBrew, over 90% of respondents said it takes them over a month to implement response, and over 50% said it takes them over four months!
The fault lies in the way vendors approach response playbooks. A predefined playbook still has to be adapted by the SOC team to the needs and requirements of the organization. Doing that well requires people who are experts in cyber threats and incident response and who also know their own organization’s network topology and policies. Given the shortage of skilled security analysts in the market and the complexity of the task, even if you buy the best response tool out there, it will be months before you see real value from it.
Not only that, but every time you need to integrate a new tool (Email Protection, EDR, TI, etc.), or update the playbook policy to support additional use cases, the party starts all over again: configuration, manual playbook writing… the lot. Good luck.
empow’s i-XDR adaptive playbooks
empow’s intent-based XDR platform supplies another level of automation. 16 patents form the basis for these automated response capabilities, drawing on a number of technology approaches, including Artificial Intelligence (AI), Natural Language Processing (NLP) and Belief and Bayesian Network (BBN) algorithms, reinforced with User and Entity Behavior Analytics (UEBA), Network Traffic Analysis (NTA) and Threat Intelligence (TI) engines. Together these algorithms and technologies enable i-XDR to identify attacker “intent” before the full attack is carried out and to execute a predictive response to prevent it.
These automation capabilities focus on only a few top at-risk entities, identify the techniques needed to respond, and enable quick, adaptive response. The whole process runs automatically, with no manual configuration and without many (or really any) expert analyst hours. Not only that, an adaptive playbook weighs the confidence and risk attached to an entity, so it won’t start running on irrelevant entities. This is what makes the platform smart, efficient and scalable.
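To make the difference between per-alert and entity-level response concrete, here is an added illustrative example (not empow’s algorithm or code, and not from the original article). It groups constructed sample alerts by the entity they concern, combines the detectors’ confidences with a noisy-OR rule, weights the result by a hypothetical asset-criticality table to get a risk score, and runs a playbook on an entity only when both confidence and risk clear a gate. The actions it picks are chosen from the attack stages actually observed, so the same playbook behaves differently depending on the context that triggered it. All alert data, criticality values and stage-to-action mappings are constructed for the example.

```python
"""Entity-level, risk-gated response gating: an illustrative model, not a vendor's algorithm."""
from collections import defaultdict

# Constructed sample alerts: the entity each alert concerns, the attack stage
# the detector mapped it to, and the detector's own confidence in [0, 1].
# Note that no single alert reaches the 0.8 confidence gate used below.
SAMPLE_ALERTS = [
    {"entity": "ws-finance-07", "stage": "initial_access",    "confidence": 0.55},
    {"entity": "ws-finance-07", "stage": "credential_access", "confidence": 0.70},
    {"entity": "ws-finance-07", "stage": "lateral_movement",  "confidence": 0.60},
    {"entity": "printer-02",    "stage": "initial_access",    "confidence": 0.40},
    {"entity": "dc-01",         "stage": "credential_access", "confidence": 0.30},
]

# Hypothetical asset criticality in [0, 1], the kind of input an organisation
# would supply from its CMDB rather than hand-write into a playbook.
ASSET_CRITICALITY = {"ws-finance-07": 0.7, "printer-02": 0.2, "dc-01": 1.0}

# Hypothetical mapping from an observed attack stage to a response action.
# A context-adaptive playbook picks actions from the stages actually seen
# instead of running one fixed list for every trigger.
STAGE_ACTIONS = {
    "initial_access": "block_source_ip",
    "credential_access": "reset_user_credentials",
    "lateral_movement": "isolate_host",
}


def combine_confidence(confidences):
    """Noisy-OR: probability that at least one independent detector is right.
    Several medium-confidence alerts on one entity become one high-confidence finding."""
    miss = 1.0
    for c in confidences:
        miss *= (1.0 - c)
    return 1.0 - miss


def group_by_entity(alerts):
    """Bucket alerts by the entity they concern (per-entity rather than per-alert view)."""
    grouped = defaultdict(list)
    for alert in alerts:
        grouped[alert["entity"]].append(alert)
    return grouped


def decide(alerts, criticality, min_confidence=0.8, min_risk=0.5):
    """Return {entity: decision}. A playbook runs at most once per entity, and only
    when combined confidence and risk (confidence x criticality) both clear the gates."""
    decisions = {}
    for entity, items in group_by_entity(alerts).items():
        conf = combine_confidence(a["confidence"] for a in items)
        risk = conf * criticality.get(entity, 0.5)  # unknown assets get a neutral weight
        stages = sorted({a["stage"] for a in items})
        run = conf >= min_confidence and risk >= min_risk
        decisions[entity] = {
            "confidence": round(conf, 3),
            "risk": round(risk, 3),
            "run": run,
            # Actions are derived from observed stages, so the response adapts to context.
            "actions": [STAGE_ACTIONS[s] for s in stages if s in STAGE_ACTIONS] if run else [],
        }
    return decisions


if __name__ == "__main__":
    for entity, decision in decide(SAMPLE_ALERTS, ASSET_CRITICALITY).items():
        print(entity, decision)
```

Run stand-alone, the three alerts on ws-finance-07 combine to a confidence of 0.946 and a risk of 0.662, so the playbook fires once for that workstation with credential reset, source blocking and host isolation; the single low-confidence alert on the domain controller, despite the asset’s criticality of 1.0, stays below both gates and triggers nothing. A per-alert playbook with the same 0.8 threshold would have fired on none of the five alerts.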
In this clip we take you through the response workflow as it is displayed in the i-XDR dashboard:
What to ask XDR vendors
Whichever response solution you end up looking at, make sure to keep a few questions in mind when doing your research. Here are some questions that can help you better assess XDR tools and vendors:
- How long does it generally take to onboard your response tool?
- How much manual configuration is required to onboard the tool?
- How much time and effort is required to integrate it with new applications?
- What tasks are automated, and which still require manual configuration?
- What automation algorithms form the backbone of the solution? (Look for technologies such as AI, NLP, Belief and Bayesian Network (BBN) algorithms, UEBA, NTA and Threat Intelligence (TI) engines.)
- Can the playbook run on an “entity” (covering multiple threat types) or on a whole “attack campaign” at once, rather than per alert?
- Does the playbook adapt to the context of the attack that triggers it, or does it only follow the statically defined rules written into it?
- Does the playbook include preventive response actions?
The answers to these questions will help you narrow the field to the few response tools that deliver real value, quickly.