Albert Einstein said, “We cannot solve our problems with the same thinking we used when we created them.”
In the security orchestration, detection and response arena, for the past twenty or so years, vendors have been doing essentially more of the same, while promising different results.
SIEM, SOAR, EDR and then Next Generation SIEM – the marketing and the names have changed, but the basic fatal flaw in each of these product types has remained: they all require heavy lifting and ongoing manual maintenance. SOC teams still need to write correlation rules by hand in order to find “bad” connections between logs coming from different products, applications and network environments. When triggered, these same manual rules come back full force at the unsuspecting analyst with a flood of information and false alerts, making all of these security products simply too noisy, too heavy and too difficult to manage to be effective. The thinking was that ‘more is better’, but in the security world this can yield confusion and chaos.
Why did all of these approaches fail? Essentially, everyone involved was too heavily invested in trying to repair an old technology rather than tearing down the foundation and building a new one from scratch. I know that many “glass-is-half-empty” security engineers and security vendors will say that incremental changes are better than major disruption. “This will never work” is a statement we hear again and again; it is one we cannot live with anymore, and certainly not in this case!
The result of this baby-step approach is overwhelmed and frustrated SOC teams at the breaking point.
What is XDR?
Enter XDR – Extended Detection and Response. Some perceive XDR as an evolution of Endpoint Detection and Response (EDR), and the case could be argued, but I believe that if you look carefully it is not really so. XDR finally offers the promise of a truly new approach, rather than merely incremental improvement: one that brings effective automation and makes it possible for organizations to respond effectively to attacks across all touchpoints.
Gartner, in their March 2020 report “Innovation Insight for Extended Detection and Response” defines XDR as follows: Extended detection and response describes a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components.
The report identifies three elements that need to exist for a solution to be considered XDR: Centralization of normalized data, correlation of security data and alerts into incidents, and a centralized incident response capability that can change the state of individual security products as part of incident response or security policy setting.
How XDR works
So what is it that makes XDR XDR, and what makes it different from the laundry list of previous security orchestration, detection and response solutions?
The answer is a unifying language. An effective XDR must utilize ONE abstract and unified language that merges ALL the security signals, data and security control functions. This language must clearly show the potential security correlations (or in other words, “attack stories”) that the SOC should focus on. This language would de-duplicate information on the one hand, and on the other emphasize the truly high-risk attacks while filtering out the mountains of noise. This language would not require manual work, so SOC analysts can stop serving as an army of “translators” and focus on the real work – mitigating attacks. It would be aware of context and content, technologically advanced but simple for analysts to understand.
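The three elements from the Gartner definition above (centralized normalized data, correlation of alerts into incidents, de-duplicated noise) and the “unifying language” idea are sketched here as an added example; this is not code from the original post or from any XDR product. The vendor field names, the unified Signal schema, the scoring rule and the sample alerts are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Signal:
    """Unified schema every product's alert is translated into (constructed)."""
    ts: datetime
    source: str      # product family that raised the signal
    host: str        # shared entity the correlation pivots on
    stage: str       # coarse attack-stage label
    severity: int    # normalized to 1..10

def normalize(raw: dict) -> Signal:
    """Translate one vendor-specific alert dict into the unified Signal."""
    v = raw["vendor"]
    if v == "edr":
        return Signal(datetime.fromisoformat(raw["time"]), "edr",
                      raw["hostname"].lower(), raw["tactic"], raw["sev"])
    if v == "firewall":  # vendor risk 0..100 scaled down to 0..10
        return Signal(datetime.fromisoformat(raw["@timestamp"]), "network",
                      raw["src_host"].lower(), raw["category"], raw["risk"] // 10)
    if v == "idp":       # identity product has no score; derive one from the outcome
        return Signal(datetime.fromisoformat(raw["ts"]), "identity",
                      raw["device"].lower(), raw["event"], 7 if raw["result"] == "fail" else 2)
    raise ValueError(f"unknown vendor {v!r}")

def correlate(raws, window=timedelta(minutes=30)):
    """De-duplicate, then chain signals on the same host within `window` into incidents."""
    signals = sorted({normalize(r) for r in raws}, key=lambda s: s.ts)  # set drops exact dupes
    incidents = []
    for s in signals:
        for inc in incidents:
            if inc["host"] == s.host and s.ts - inc["signals"][-1].ts <= window:
                inc["signals"].append(s)
                break
        else:
            incidents.append({"host": s.host, "signals": [s]})
    for inc in incidents:  # independent sources agreeing make a stronger attack story
        inc["sources"] = len({s.source for s in inc["signals"]})
        inc["score"] = max(s.severity for s in inc["signals"]) * inc["sources"]
    return sorted(incidents, key=lambda i: i["score"], reverse=True)

SAMPLE = [  # constructed alerts in three different vendor formats
    {"vendor": "idp", "ts": "2024-05-01T09:00:00", "device": "WS-17", "event": "auth", "result": "fail"},
    {"vendor": "edr", "time": "2024-05-01T09:05:00", "hostname": "ws-17", "tactic": "execution", "sev": 6},
    {"vendor": "edr", "time": "2024-05-01T09:05:00", "hostname": "ws-17", "tactic": "execution", "sev": 6},
    {"vendor": "firewall", "@timestamp": "2024-05-01T09:20:00", "src_host": "ws-17", "category": "c2", "risk": 90},
    {"vendor": "firewall", "@timestamp": "2024-05-01T11:00:00", "src_host": "ws-22", "category": "scan", "risk": 30},
]
```

Running `correlate(SAMPLE)` collapses the repeated EDR alert and yields one high-scoring incident on ws-17 backed by three independent sources, with the lone scan on ws-22 ranked far below it.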
So how do we bring this language into being and why wasn’t it a reality before? The fact is that the technology simply didn’t exist or wasn’t mature enough five or ten years ago.
The advanced technologies that are available today and make effective XDR possible are:
- Threat intelligence data which is now richer than ever and usually current.
- Natural Language Processing (NLP) algorithms which can be trained to reach conclusions from threat intelligence, security alerts as well as security rules which can reveal the security controls in the organization.
- Multi-dimensional behavioral algorithms (vs. UEBA and NTA which are narrow in the type of inputs they can digest), which take into account signals from multiple, unrelated data sources.
- Cause-and-effect (reasoning) algorithms that can connect the dots and create the attack story based on all of the above, AUTOMATICALLY, NOT MANUALLY, AND NOT BASED ON A SET OF PRE-DEFINED RULES (like most SIEMs, which provide cross correlations - an approach that is reactive, with many security “holes”).
The key to an effective XDR is the ability to use this language to decipher attacker intent and identify cyberattacks on-the-fly, and not after damage has occurred. Today’s data streaming technologies allow us to enrich the data immediately and spontaneously, so it will reach the presentation layer in near real time, already abstracted and presented in the designed unified form.
Communication has been important throughout the ages to accelerate progress, and language has been the foundation of our communication. With XDR we are entering a new security era, where a unified language will be able to break through the noise and finally provide effective protection for networks.