How XDR Solves Key Challenges Facing Security Teams

The arrival of 2022 brought with it a wave of new threats and a host of new attack surfaces for them to target. As Gartner puts it, “Security and risk executives face a critical juncture, as the digital footprint of organizations expands and centralized cybersecurity control becomes obsolete.” 

As the threat landscape and attack surface continue to evolve, they leave us open to new attack sequences both from within and from outside of our networks. President Biden’s recent Executive Order to improve the cybersecurity stance of critical national infrastructure corroborates the urgency of the situation.

While the ransomware threat is rampant and growing, there are several issues that complicate the mission of Defenders: hybrid environments, supply chain threats, tool sprawl, a lack of talent and alert fatigue continue to challenge security operations. 

“These… don’t exist in isolation; they have a compound effect,” Peter Firstbrook, VP Analyst at Gartner explains. “To address the risks, CISOs need to transition their roles from technologists who prevent breaches to corporate strategists who manage cyber risk.”

And how do you manage cyber risk? By deploying solutions that are as innovative as the threats themselves. For that, look at the advent of Extended Detection and Response (XDR). 

Ransomware: More Complex and More of It

While continually improving defenses has done a lot to decrease the impact from attacks for some organizations, it certainly has not stopped the adversary from innovating further to stay ahead of the Defenders. 

Take China’s zero-day factory for example: “The scale of China’s offensive cyber capabilities will be front and center in 2022 as new zero-day disclosure rules take effect and Chinese <attackers> continue to show off technical brilliance at exploiting the most modern software products,” Security Weekly notes.

Add to that, the fact that today’s threat landscape is made up of a wide array of both custom and commodity attacks, they require a solution that is widely applicable and can scale. "By the end of 2022, financially motivated cybercriminals will join the nation-state APT operators in the supply chain malware free-for-all. It will be a long, painful slog,” writes Ryan Naraine of Security Weekly.

Hybrid and Cloud Environments

Greater use of cyber-physical systems, public clouds, private clouds, hybrid environments and all the VMs, containers and executables that run on them (along with a myriad of identities) creates the perfect conditions for attackers to hide in the network seams. This change is largely a consequence of the remote push, with 60% of knowledge workers now being remote, Gartner notes. 

While the urgency to move operations to the cloud is clearly understandable, we may see a resurgence of the “DevOps problem” in which network evolution outpaces our ability to stay secure. Gartner therefore suggests security leaders “look beyond traditional approaches to security monitoring, detection and response” to manage the risk to a more diversified network makeup.

Supply Chain Risk

According to Gartner, by 2025 there will be a three-fold increase in supply chain attacks from just last year. The 2022 Cybersecurity Outlook says we can “expect a few more SolarWinds-type supply chain mega-hacks to dominate the headlines as more and more threat actors take aim at the open-source software ecosystem.” 

The convenience, availability and flexibility of open-source models is a sword that cuts both ways, and it’s important to both vet upstream vendors and have tools that can catch bugs downstream. 

Alert Fatigue and Tool Sprawl

In an effort to gain visibility into cloud environments, companies are switching to more proactive ways of monitoring their ecosystems. While this is good, it often requires a host of new technologies. Without the proper training, people or time, those tools could just collect dust (shelfware), wasting your investment. 

Tool sprawl is a sure way to make your cyber strategy cluttered, confused, and ineffective.  hen shopping around for a security solution, clearly define your needs and search for a tool (or SaaS solution) that can do more with less. 

Gartner states that “While it may introduce new challenges such as reduced negotiation power and potential single points of failure,” consolidation in itself is “a welcome trend that should reduce complexity, cut costs and improve efficiency, leading to better overall security.” 

Key here is ensuring your organization is investing in better security outcomes, not just “more alerts.” While consolidating features into platforms can help address some stack complexity issues, it’s even more important to ensure that the alerts generated by the stack are correlated and offer context. More alerts never helped any SOC defend better, but fewer alerts that highly actionable will.

Still a Talent Shortage?

The great resignation hit cybersecurity with a vengeance, and recent figures indicate we could be short some 1.8 million skilled cyber personnel. “Weary and overworked from all the major cybersecurity crises, skilled practitioners will continue to resign en masse, leaving security programs struggling to fill important positions,” Naraine notes. 

In the absence of more skilled security pros to fill the ranks, organizations need to look to solutions that offer the ability to automate a good deal of the low-level manual tasks of the SOC. This means less alerts to generate higher fidelity detections and the option to implement automated response actions in real-time. 

This is what XDR was designed to do - assuming your vendor’s offering has the ability to consume all available telemetry from multiple point solutions, process it without the need to “filter out” important intelligence, and then operationalize it in an automated fashion so you can turn data into decisions at machine speed.

XDR as a Force Multiplier

AI-driven XDR extends continuous threat detection and monitoring, along with automated response beyond endpoints, to provide deeply contextual correlations with telemetry from applications, identity and access tools, containerized cloud workloads and more. 

AI-driven XDR also ingests threat intelligence streams to allow organizations to defend against known attacks and uses AI and machine learning (ML) to automatically correlate telemetry from across these different assets to deliver the complete attack story in real-time. This functionality frees security analysts from needing to triage every generated alert, enabling them to address actual threats faster.

What’s more, XDR can enable security teams to cut through the noise produced by a constant flood of threat alerts, allowing security professionals to spend less time triaging and chasing false positives and more time working to improve the organization's overall security posture.

AI/ML technologies excel at analyzing large-scale data sets with a high degree of accuracy to identify suspicious events at a speed and volume that manual human analysis can never match. The advantage here is in automating the detection of events that previously required human analysis and relieving security teams of the tedious task of sorting the signal from the noise.

AI-driven XDR also leverages behavioral analytics and Indicators of Behavior (IOBs) to provide a more in-depth perspective on how attackers conduct their campaigns. This operation-centric approach is far superior at detecting attacks earlier–especially highly targeted attacks that employ never before seen tools and tactics that evade traditional endpoint security software.

With an AI-driven XDR solution, finding one component and being able to quickly ascertain relevant chains of potentially malicious behavior allows Defenders to see the entire operation from the root cause across every impacted user, device, and application. This is where AI-driven XDR is essential to automatically correlating data at a rate of millions of events per second versus analysts manually querying data to validate individual alerts over several hours or even days. 

Such visibility enables security teams to respond to an event before it becomes a major security issue and introduce measures designed to increase the burden on attackers going forward.

XDR is not a silver bullet, and for the foreseeable future there will undoubtedly need to be a blend of humans and AI-driven solutions working together. Nonetheless, AI-driven XDR will enhance the efficiency of every member of the security team and amplify the efficacy of the entire security stack.

Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason AI-driven  XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.

All Posts by Anthony M. Freed