XDR in 2023: Cybersecurity’s Knight or Another Castle in the Cloud?

3 Key Questions when Investing in XDR offerings

In today's cybersecurity landscape, security teams are in dire need of a unified detection and response platform. However, even with the advent of XDR, the outcomes often fall short of expectations. We strive for effective prevention, attack emulation, improvement, and positive ROI reporting. No doubt, the realm of remote engineering adds complexity, making it crucial to protect our employees, data, and maintain uptime. Against a backdrop of mounting business pressures, we need to understand how XDR can help with vendor consolidation and Managed Detection and Response.

It's essential to acknowledge that there isn't a single product that can "Protect it All" (except maybe the 6 module Vizzerdrixes that continue to challenge us long after deployment). The reality is that we are witnessing a surge in automated cyber attacks targeting not just workspaces, but also identities and cloud infrastructures.

Amidst this evolving landscape, XDR has been positioned as an "expansion" for detection and response, leveraging key capabilities from EDR, NDR, SIEM, SOAR, ITDR, CDR, and more. In short, it remains a somewhat confusing space, but it has propelled us forward, forging vendor alliances, promoting threat sharing, and refining indicators of behavior. Not to mention the exciting advancements such as MITRE ATT&CK Round 5 testing.

So, the question remains: Can XDR bring value to your security team? In this post, we delve into three crucial questions that can help determine if XDR can be a shining knight on your cyber battlefield.

Does the “X” actually integrate with what’s important to me?

An avalanche of XDR solutions exist, some haphazardly stitched together like Frankensteins, others exclusively providing analytics without prevention and guided response. The first checkpoint is evaluating how well it integrates with your existing security tools. Where do you need improved visibility and faster detection? Which tools are already generating effective alerts that could benefit from an XDR boost?

Is my team ready to take on more alerts?

XDR solutions differ from first-gen detection systems, primarily by reducing alert noise while honing on malicious activities. Triaging low-quality alerts in outdated interfaces leads to fast burnout. And, how do you report on effectiveness? 

Modern security stacks often resemble a tangled mess of tools, making effective management an Achilles’ task. MDR providers are increasingly covering more data sources and must grapple with EDR/SIEM context switching and SOAR playbook mayhem. This is precisely why XDR has stepped up to the plate, excelling in correlation, context, prioritization, and guidance.

Can we test attack emulation to show impact in our environment?

If you have compliance requirements or attack emulation exercises planned, seize the opportunity to test XDR and measure its impact. Assess its effectiveness in preventing ransomware, detecting blocked and suspicious events, and enabling swift response controls. Additionally, delve into the managed services offered by XDR vendors, including Incident Response, Risk Assessment, and Threat Intelligence. These services can provide invaluable support to your security operations.

XDR can provide unified visibility, automated analysis, and guided response capabilities. But in most cases, it is not replacing effective point solutions, highly-tuned SOAR workflows, or even SIEM. Bringing XDR to reality, focus on ease-of-use and challenges it can solve across areas like Managed Detection and Response, Incident Response, Mobile Threat Defense, Ransomware, and DFIR use-cases. And, by testing these core use-cases, you can ensure you’re valued as a cybersecurity partnership, and not just a data stream to another cloud castle.

Originally published in Informatique News: Le XDR en 2023: Chevalier servant de la cybersécurité ?

Eric Sun
About the Author

Eric Sun

Eric Sun is a Product Director at Cybereason, focused on helping security teams measure and improve their resilience against modern threats. Eric works closely with the Nocturnus research team and global SOCs to understand emerging attack campaigns and evolving best practices. He brings a layer of behavior analytics and risk management from his many years in Asia as a professional poker player.

All Posts by Eric Sun