Automating The “R” In Your XDR Strategy


The advent of Extended Detection and Response (XDR) offers an edge against advanced attacks, but many of the so-called "XDR approaches" available today are actually little more than extensions of current EDR solutions that rely on known Indicators of Compromise (IOCs) to find and block known threats. While they can deliver more visibility across network assets, they don't deliver the correlation necessary to weed out novel attacks where known IOCs are not available.

In contrast, Advanced XDR leverages artificial intelligence (AI) and machine learning (ML) to automatically correlate telemetry from across disparate network assets to reveal attacks that have never been seen before. Advanced XDR detects earlier, based on the more subtle chains of potentially malicious behavior, which allows defenders to remediate faster, and here's why.

Advanced XDR incorporates the two main priorities of Endpoint Detection and Response (EDR)—continuous monitoring and detection as well as automated threat response—across endpoints, but XDR also monitors for threats across an organization’s entire infrastructure, including user personas, application work suites, cloud workloads and more. Such critical functionality explains why XDR is often referred to as the future of cybersecurity.

Analyst research and strategy firm ESG estimated that more than two-thirds of organizations will invest in XDR by the middle of 2022. That spending will factor into the expected Compound Annual Growth Rate (CAGR) of 19.9% by which the global XDR market is predicted to grow between now and 2028, per Grand View Research.

Automating Is Key

According to the Computing Technology Industry Association (CompTIA), one of the most important benefits that’s helping to drive XDR’s growth is the ability to automate security operations in order to break down data silos and speed up threat responses. Advanced XDR provides the necessary visibility over an entire attack chain wherever it happens to reveal exactly how the attack progressed and which assets and users were impacted. It also offers automated and/or guided response options that Security Information and Event Management (SIEM) solutions cannot and Security Orchestration, Automation and Response (SOAR) solutions struggle to deliver at scale without a tremendous amount of manual intervention by security analysts and incident response teams.

One of the key strengths of an Advanced XDR solution is that it frees security teams from needing to investigate a barrage of alerts individually from a variety of point solutions in order to quickly answer the question “are we under attack?” Advanced XDR does this automatically by correlating telemetry to reveal attack timelines from the root cause onward, enabling security teams to respond faster and more efficiently.

Breaking Down Data Silos

Many organizations’ IT infrastructure is more complex today than it ever has been, with decentralized networks that have all traditionally relied on their own specific security tools. The issue is that attacks have evolved to traverse these environments, allowing attackers to hide in the network seams because traditional security tools cannot correlate telemetry across all elements of a modern network.

They can’t identify attacks that leverage these diverse elements in one attack progression, limiting a security team’s visibility into an ongoing attack chain and thus complicating the task of piecing together an incident in its entirety.

Advanced XDR doesn’t rely on a flood of non-contextual threat alerts from across disparate assets, but instead automatically delivers deep context and correlations between these assets, sparing team members from the tedious task of constantly triaging and investigating unsubstantiated alerts manually.

In this manner, Advanced XDR breaks down information silos that would otherwise prevent security teams from obtaining a unified view of their organization’s security posture. It does this by integrating the functionality of firewalls, antivirus solutions, EDR, Identity and Access Management (IAM), Cloud Workload Protection (CWPP) and other security technologies into its detection and response approach.

Automation Speeds Up Response Times

MSSPs can turn to SIEM tools, SOAR platforms and other disparate solutions in an attempt to increase their visibility, but in the absence of automated correlations, security teams would still need to manually go about investigating alerts one at a time, and then attempt to correlate the alerts with one another in order to identify an attack chain.

This manual process means they can (and often do) easily miss something in the process that leaves customers exposed, even when they believe that they have already remediated an incident. And if they do manage to identify all the different components of an operation, security teams would have spent a lot of time on their investigation instead of on launching an earlier response to arrest the activity.

In its Cost of a Data Breach Report 2021, for example, IBM found that it took an average of 287 days for an organization to identify and contain a breach. This dwell time gives malicious actors nearly a year to hide out in a victim’s systems, conduct reconnaissance, move laterally to different parts of the network, and exfiltrate sensitive information.

It’s therefore no wonder that data breaches with a dwell time of over 200 days cost organizations an average of $4.87 million, whereas those with a dwell time of less than 200 days cost $3.61 million. It’s also worth pointing out that the price tag for the former exceeded the average cost of a data breach at $4.24 million, damages which are already 10% higher than they were in 2020 and the largest cost ever in the history of IBM’s report.

Advanced XDR drastically reduces attacker dwell time through an operation-centric approach that focuses on the Indicators of Behavior (IOBs) that make up an entire attack sequence, allowing security teams to end the attack as a whole instead of remediating isolated elements of the operation.

For example, detecting and removing a piece of malware on an endpoint does little to prevent compromised user credentials from being abused again, and does not address attacker persistence on a targeted network.
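The correlation the post describes (linking telemetry from different sensors into one attack timeline with a root cause, a list of affected hosts and users, and a response that covers the whole operation rather than one artifact) can be shown concretely. The following is an added example written for this page; it is not Cybereason's code, and the event fields, the two-hour link window, the behavior names and the behavior-to-response mapping are assumptions made for illustration. The sample events are constructed: one chain that crosses e-mail, endpoint, identity and network sources, plus one unrelated benign event that must not be pulled into the chain.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Field names are assumptions.
# Events e1..e6 form one operation that hops from a workstation to a server;
# e7 is unrelated activity by another user on another host.
EVENTS = [
    {"id": "e1", "src": "email",    "ts": "2021-09-01T09:00:00", "host": "ws-17",   "user": "alice", "behavior": "macro_document_opened"},
    {"id": "e2", "src": "endpoint", "ts": "2021-09-01T09:00:40", "host": "ws-17",   "user": "alice", "behavior": "office_spawned_powershell"},
    {"id": "e3", "src": "endpoint", "ts": "2021-09-01T09:01:10", "host": "ws-17",   "user": "alice", "behavior": "lsass_memory_read"},
    {"id": "e4", "src": "identity", "ts": "2021-09-01T09:05:00", "host": "srv-db1", "user": "alice", "behavior": "logon_from_new_host"},
    {"id": "e5", "src": "endpoint", "ts": "2021-09-01T09:06:00", "host": "srv-db1", "user": "alice", "behavior": "scheduled_task_created"},
    {"id": "e6", "src": "network",  "ts": "2021-09-01T09:30:00", "host": "srv-db1", "user": "alice", "behavior": "large_outbound_transfer"},
    {"id": "e7", "src": "identity", "ts": "2021-09-01T10:00:00", "host": "ws-42",   "user": "bob",   "behavior": "password_changed"},
]

# Assumed link window: two events involving the same user within this
# interval are treated as one activity burst even when on different hosts.
LINK_WINDOW = timedelta(hours=2)

# Assumed mapping from observed behaviors to response steps. The point is
# that the response list is built for the whole operation, so credential
# reset and persistence removal are not forgotten when malware is removed.
RESPONSE_ACTIONS = {
    "office_spawned_powershell": "isolate host and quarantine the document",
    "lsass_memory_read": "reset credentials for affected users",
    "scheduled_task_created": "remove persistence on host",
    "large_outbound_transfer": "block destination and review transferred data",
}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _related(a, b):
    """Two events are linked if they share a host, or share a user within LINK_WINDOW."""
    if a["host"] == b["host"]:
        return True
    return a["user"] == b["user"] and abs(_ts(a) - _ts(b)) <= LINK_WINDOW


def summarize(group):
    """Turn one group of linked events into an operation summary, earliest first."""
    chain = sorted(group, key=_ts)
    actions = []
    for event in chain:
        action = RESPONSE_ACTIONS.get(event["behavior"])
        if action and action not in actions:
            actions.append(action)
    return {
        "start": chain[0]["ts"],
        "root_cause": chain[0]["id"],
        "timeline": [e["id"] for e in chain],
        "hosts": sorted({e["host"] for e in chain}),
        "users": sorted({e["user"] for e in chain}),
        "sources": sorted({e["src"] for e in chain}),
        "actions": actions,
    }


def correlate(events):
    """Group events into operations with union-find over pairwise links.

    Linking is transitive: the identity event on the server joins the
    workstation events through the shared user, and the server events join
    through the shared host, so one chain emerges from four sensor types.
    """
    parent = {e["id"]: e["id"] for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(x, y):
        rx, ry = find(x), find(y)
        if rx != ry:
            parent[ry] = rx

    for i, a in enumerate(events):
        for b in events[i + 1:]:
            if _related(a, b):
                union(a["id"], b["id"])

    groups = defaultdict(list)
    for event in events:
        groups[find(event["id"])].append(event)
    return sorted((summarize(g) for g in groups.values()), key=lambda op: op["start"])


if __name__ == "__main__":
    for op in correlate(EVENTS):
        print(op["root_cause"], "->", op["timeline"], op["hosts"], op["actions"])
```

Running the script prints two operations: the six-event chain rooted at the opened document, spanning both hosts and all four sources with four response steps, and the lone password change as its own one-event group with no actions. The link rule is deliberately simple; a production engine would weight link types and bound group size, but the structure (link events by shared entities, find connected components, derive the response from the whole component) is what turns a stream of isolated alerts into an attack timeline.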

Automation Impact On XDR Service Opportunity

XDR represents an enormous opportunity, and challenge, for MSSPs. The opportunity is straightforward: the customer's XDR experience is going to be delivered by an MSSP. This represents the potential for highly valued services that support strong margins for service providers. MSSPs are already providing security asset management and monitoring for customers, with access and visibility to many areas of the attack surface. XDR is a natural extension of that service for MSSPs that are leaning into detection and response.

The challenge lies in bringing all this telemetry from a variety of security vendors and platforms into a rapidly searchable data lake with a single user interface for threat hunting, detection and response. Being able to draw lines indicating malicious behavior across this expanding attack surface is no small feat.

MSSPs need to be able to incorporate security telemetry from endpoints, cloud, network and identity, and integrate it into a detection and response methodology focused on indicators of behavior to mitigate future threats. XDR services will only amplify the need for automation to deal with a quantum increase in the sources of security telemetry, and the need for MSSPs to respond rapidly across a larger attack surface.

Behavior-based detection and automated response are critical to reducing the operational overhead of managed security services and improving security effectiveness for the customer. Leveraging these capabilities can dramatically reduce operational overhead, deliver high security efficacy for customers and, importantly, provide solid service margins to the MSSP.

Visit and subscribe to the Cybereason blog to learn more on XDR, ransomware, and the latest cyber security news and trends.

Guest blog courtesy of Cybereason. Read more Cybereason guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.