In my last article, we looked at how to define Extended Detection and Response (XDR) solutions from an MSSP perspective and where XDR fits within an overall Managed Detection and Response (MDR) service offering.
We covered how key outputs like behavioral detection, incident prioritization, recommended response actions, and single-click response capabilities should map to SOC analyst capabilities. We also looked at how XDR, despite being rooted in Endpoint Detection and Response (EDR), is more than just an evolution of EDR, because it can ingest more types of telemetry and offers a broader range of response actions.
We also looked at how XDR compares and contrasts with more familiar offerings like EDR, SIEM, and SOAR. In this article, we’ll look at some of the market drivers for XDR adoption, what potential consumers of XDR are looking for, and how MSSPs can take advantage of the enhanced detection and response capabilities XDR offers to expand their service offerings.
Considerations Driving XDR Adoption
Cloud deployments and containers are high-impact technologies that require specialized prevention, detection and response, and there is certainly a gap in detection coverage for cloud assets today.
Organizations are considering XDR because they aren't satisfied with their security outcomes from SIEM, legacy EDR, or even MSSPs. Companies are looking for better transparency and more effective cybersecurity, and evaluations based on the MITRE ATT&CK framework, along with other vendor evaluations, have done a great job of revealing "what's inside" and providing independent validation of XDR tools.
Essentially, organizations primed for XDR adoption are seeking a unified solution that fuses endpoint telemetry with behavioral analytics to swiftly detect and end attack operations on the endpoint, in the cloud, on mobile devices and across user identities.
Consumers of XDR want simplified visualization of complex attacks and an understanding of how they progress across a kill chain. They want advanced analytics that can detect and identify complex attacks, and they want automated response capabilities that can end attacks in progress and improve mean time to detect and mean time to respond (MTTD and MTTR).
Customers are also looking to consume XDR as a business outcome, and MSSPs are in an ideal position to provide this through service offerings that integrate multiple tools and telemetry to defend the entirety of the customer attack surface.
XDR should also be accessible to a range of experience levels. The goal is to empower new analysts and help them learn how to be more effective. For more experienced analysts, automation of the mundane provides more freedom to apply their strengths and creativity to more complex incidents. This allows the MSSP to grow the skill sets needed for effective defense while growing the capabilities of less experienced analysts.
The XDR Services Opportunity
Most companies do not have the skills or resources internally to manage cybersecurity effectively, which is why MDR is key to successful XDR for customers. According to ESG, in a recent survey of almost 400 medium enterprise businesses, 50% of customers were interested in fully managed XDR.
Most organizations can see value in combining data from multiple threat vectors to provide context and accelerate detection and response; however, most lack the expertise and tools to correlate data, often leading to the reactive elimination of point threats without understanding broad attack campaigns.
Organizations have a variety of sources of valuable data: firewall logs, EDR data, network flows, threat intelligence, email telemetry, web proxy logs, container and container orchestration log data, and more. Data ingestion is a major challenge: collecting, processing, analyzing and acting on security data across vendors and tools is hard, because each source arrives in its own format and schema. XDR must therefore be anchored by a modern data pipeline that can collect and process security data at scale across vendors.
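As an added illustration of the normalization and cross-source correlation the two paragraphs above describe (example code written for this article, not from any vendor's XDR product), the Python sketch below maps constructed EDR, proxy and firewall records with differing field names onto one schema, chains per-host detections that fall within a time window, and scores each resulting incident by how many ATT&CK tactics and how many sensors it spans. All hosts, addresses, timestamps, field names and tactic labels are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (hypothetical hosts, addresses, times), each feed in
# its own field names; "tactic" is the ATT&CK tactic the tool attached, if any.
FEEDS = {
    "edr": [{"timestamp": "2024-03-01T10:00:05Z", "hostname": "ws-17",
             "process": "powershell.exe", "tactic": "execution"},
            {"timestamp": "2024-03-01T14:30:00Z", "hostname": "ws-22",
             "process": "notepad.exe"}],
    "proxy": [{"time": "2024-03-01T10:02:40Z", "client": "ws-17",
               "url": "http://203.0.113.7/beacon", "tactic": "command_and_control"}],
    "firewall": [{"ts": "2024-03-01T10:07:10Z", "src_host": "ws-17",
                  "dst": "203.0.113.7", "bytes_out": 48000000, "tactic": "exfiltration"},
                 {"ts": "2024-03-01T16:00:00Z", "src_host": "ws-22",
                  "dst": "198.51.100.9", "bytes_out": 1200, "tactic": "discovery"}],
}
FIELD_MAP = {"edr": ("timestamp", "hostname", "process"),  # time, host, detail keys
             "proxy": ("time", "client", "url"),
             "firewall": ("ts", "src_host", "dst")}

def normalize(feeds):
    """Map every feed onto one schema: time, host, source, tactic, detail."""
    events = []
    for source, records in feeds.items():
        t_key, h_key, d_key = FIELD_MAP[source]
        for r in records:
            t = datetime.strptime(r[t_key], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append({"time": t, "host": r[h_key], "source": source,
                           "tactic": r.get("tactic"), "detail": r[d_key]})
    return sorted(events, key=lambda ev: ev["time"])

def correlate(events, window=timedelta(minutes=10)):
    """Chain detections per host while each falls within `window` of the previous one;
    severity = distinct tactics x distinct sources, so multi-stage, multi-sensor wins."""
    incidents, open_by_host = [], {}
    for ev in events:
        if ev["tactic"] is None:
            continue  # benign record: context only, never opens an incident
        inc = open_by_host.get(ev["host"])
        if inc is None or ev["time"] - inc["last"] > window:
            inc = {"host": ev["host"], "start": ev["time"], "last": ev["time"],
                   "sources": set(), "tactics": set()}
            open_by_host[ev["host"]] = inc
            incidents.append(inc)
        inc["last"] = ev["time"]
        inc["sources"].add(ev["source"])
        inc["tactics"].add(ev["tactic"])
    for inc in incidents:
        inc["severity"] = len(inc["tactics"]) * len(inc["sources"])
    return sorted(incidents, key=lambda i: i["severity"], reverse=True)
```

With the sample data, the three ws-17 records from three different tools collapse into one incident that ranks above the lone firewall detection on ws-22, which is the prioritization an analyst wants to see first.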
The top priorities driving XDR investment are improved detection of advanced threats like ransomware, supply chain attacks, and the abuse of legitimate business applications for malicious activity. There is also a desire for increased automation of remediation tasks without involving IT Ops, and for improved mean time to respond to threats.
Finally, organizations are also looking to gain better visibility into cyber risks, especially those that could impact critical business systems and applications. They want a threat detection and response tool that integrates multiple security products and threat telemetry into a unified cross-correlation response platform.
As an MSSP, the question to come to grips with is: “What is XDR to you, the security service provider?” MSSPs should focus on building a relationship with an EDR vendor that has a strong XDR strategy: cloud-based, with strong visualization capabilities and an ability to correlate telemetry across the MITRE ATT&CK framework's tactics, techniques, and procedures (TTPs).