Defining XDR from an MSSP Perspective
If you’re not entirely clear on what Extended Detection and Response (XDR) is, you wouldn’t be alone. Most understand it as the evolution of Endpoint Detection and Response (EDR) that covers the areas of the attack surface beyond the endpoint, including assets like cloud workloads, containers, and user identities.
Some believe it to be a technology overlay that supplements existing security controls and SOC technology by collecting, processing, analyzing and acting on security telemetry from numerous sources or controls. Some believe it to be a new technology tuned to detect sophisticated attacks, and some think this all sounds great but are still confused as to what XDR actually is.
Funny thing is, none of these folks are wrong.
There’s no ignoring XDR though. According to analyst firm ESG, more than two-thirds of organizations expect to make XDR investments in the next 6 to 12 months. XDR should correlate attack telemetry from multiple sources into one incident or malicious operation. It should instantly deliver root-cause analysis and response recommendations, and enable proactive threat hunting by analysts with diverse levels of experience.
Much of the confusion comes from the way vendors refer to XDR. There are really two varieties of XDR today, as I see it: Hybrid (or Open) XDR and Native XDR. Looking at it this way helps us put it into context and help define an MSSPs strategy for adding XDR to their service portfolio.
Forrester Research prefers the term Hybrid XDR, as “Open” could imply open-source technologies, which is not the case here. Hybrid XDR leverages multiple security tools, vendors and telemetry integrated into a single detection and response platform that centralizes behavior detection, incident notifications, prioritization, response strategies and threat hunting in a single pane of glass.
Compare this to Native XDR, which tightly aligns with other tools in the vendor portfolio, and integrations with their own tooling first and foremost. This can offer tighter development and pre-built integrations between security tools under the banner of a single vendor, but likely is a result of acquisitions as opposed to in-house development.
It has an advantage in terms of a straightforward buying process with tight integration, but it is not a good fit if partners are wary of vendor lock in, or the vendor hasn’t done a good job of integrating the acquired tools.
The benefit of Hybrid XDR is that it gives security teams the opportunity to choose best-in-breed vendors across the attack surface and be able to swap them out if necessary, leveraging DevOps and API integration to bring together multiple tools and sources of telemetry.
XDR vs. EDR, SIEM and SOAR
XDR can extend SIEM capabilities in the near term. SIEM is important, but few are getting the outcomes they desire from it. XDR can help modernize, integrate and automate security operations processes.
Rather than nebulous analytics, endpoint data is the basis for correlation. XDR enriches detections with other telemetry, and correlates attack telemetry into one incident, which we call a malicious operation, or Malop™. XDR automates root cause analysis and expansion of these telemetry sources to add context for full understanding of the full scope of an attack.
XDR can automate response, based on EDR recommended actions without a human by implementing predefined playbooks. XDR utilizes hypothesis-driven threat hunting based on the MITRE ATT&CK Framework as the common language. and doesn’t work without native response actions on the endpoints, whereas SOAR requires integration with other tools for response.
XDR and MSSPs
XDR as part of an MDR (Managed Detection and Response) service offering should match key outputs like behavioral detection, incident prioritization, recommended response actions, and single click response capabilities to analyst capabilities. While XDR is rooted in EDR, it is more than just the evolution of EDR because it can take in more types of telemetry and offers a broader range of response actions.
Modern attacks are complex and multi-faceted, and traditional EDR solutions lack the necessary telemetry that security teams need to stop sophisticated threats that focus on the attack surface beyond the endpoint. XDR extends visibility and detection capabilities across the larger enterprise IT environment and streamlines correlation and analysis of Indicators of Behavior (IOBs) more holistically.
XDR correlates endpoint detections with telemetry from other security tools which gives analysts greater context into endpoint detections beyond what they are able to see on the endpoint alone. XDR can automate root cause analysis and enable analysts to detect threats and respond much faster than with manual alert triage and investigation required by SIEM and SOAR tools. XDR lowers the barrier to threat hunting across tools and puts them in a single place.
These are just a few of the highpoints around XDR and the advantages this solution approach can provide MSSPs and their customers in contrast to more established but less comprehensive tools like SIEM, SOAR and traditional EDR.
XDR breaks down data silos and unifies device and identity context for faster, more effective threat detection and response, and can be an extremely effective technology to enable organizations to reverse the attacker advantage and end malicious operations by extending detection and response capabilities across the entire enterprise environment.
Learn more about Cybereason XDR here and get even more details here, or you can reach out to the Cybereason MSSP Team to see how Cybereason XDR can benefit your organization. And stay tuned for the next blog in this series where we’ll explore market drivers for XDR and how MSSPs can take advantage of the enhanced detection and response capabilities XDR offers and how they can leverage XDR to expand their service offerings.
Stephan Tallent, CISSP is the VP for MSSP North America at Cybereason. Read more Cybereason guest blogs here.