With more than 2,000 security vendors catalogued and organisations reporting an average of 45 security solutions deployed, why aren’t we any closer to solving the threat detection gap?
To answer this question, we first need to ask, what are we trying to achieve? For years now, we have known that the “whack-a-mole” approach of detecting discrete threats is at best a stopgap for the next inevitable attack. At a high level, most would likely agree that the always-shifting nature of adversaries, emergence of new vulnerabilities and exploits, and the all-menacing “zero-day” leads to the continued proliferation of incidents ranging across data breaches, ransomware, and cyber espionage.
As soon as we close one door to attackers, they find and open another. This has always been the case. There’s more to this though. We think some of the answer can be found in the failure to fully optimise and connect existing tools, processes, and people to give them broader visibility over traffic and threats moving in and out of their networks while layering in detection and response capabilities.
An industry analyst said recently: “We’ve reached an inflection point. Enterprises know that the resources needed to greatly improve their security operations exist, they are now hungry to start using them to their maximum potential.”
In other words, we know the goods are available, how do we start using them to better find and neutralise the bad actors?
Enter extended detection and response (XDR)
Lately XDR has become the white-hot name in the security world. Scores of vendors are entering the fray, ranging across from small start-ups to established 500kg gorillas. Dozens of industry analysts are quickly validating XDR as more than just a buzzword, with Gartner adding XDR to the ‘innovation trigger’ on the newly-created Security Operations Hype Cycle.
As a long-time member of the security technology community, I can add that while we have certainly seen enthusiasm for trends at different periods, the level that XDR is generating reminds me of three other significant movements that changed the course of computing and security.
The first was for Security Information and Event Management (SIEM). The second was during the ‘big data’ era. The third was for ‘cloud’, which in many ways has been reinvigorated due to COVID.
XDR: What is it?
Multiple definitions exist. We think of XDR as an architecture and in terms of how enterprises can leverage it to maximise the performance of their overall security investment (people, technologies, services) to take action against threats at the fastest possible speed.
As leaders in the threat intelligence market and with deference to the essential role that global threat intelligence plays in accelerating detection and response, we offer the following working definition: “Organisations that run on top of XDR architectures are able to move closer to managing their security infrastructure as an integrated, unified platform. With XDR, security operations centres (SOCs) can break silos to converge all security data and telemetry collected and generated by security technologies they’ve deployed (tech that includes firewalls, EDR, CASB, SIEM, SOAR, and TIP).”
With this information, they can generate strategic threat intelligence that empowers immediate threat detection, streamlined investigations, and high-performance, automated-response capabilities that isolate and mitigate threats before they escalate into costly and disruptive incidents.
Certainly, there are deeper and more technical discussions to be had, specific to each of these capabilities, which we’ll save for another time. For now, we think this definition works, although we also expect it will evolve as new lessons are learned and innovations introduced.
XDR: The early days?
XDR is perceived as new (added to the hype cycle just over eight months ago). Although there is hype, it is a very real and tangible movement within the security market with a level of momentum we haven’t experienced in close to a decade.
We’re intrigued by the emergence of attention and excitement around XDR. Not only because it is ushering in acceptance of an available leap forward when it comes to closing the gap between information gathering, detection, and response, but also in many ways because it validates what Anomali has been delivering to the market all along.
Seven years ago, we recognised that organisations needed a way to collect, aggregate, analyse, and operationalise threat intelligence, which led to the development of Anomali ThreatStream, an early enterprise threat intelligence platform (TIP).
Shortly after, we introduced Anomali Match, opening new opportunities for our customers to further optimise intelligence by immediately matching internal threats against external threats.
As it turns out, these innovations were supporting a key XDR layer—threat intel. Before XDR was XDR, we were extending the ability to collect and manage unlimited levels of threat data, making it available for investigations, enabling internal threat detection by matching it against all telemetry, and helping to power faster response by operationalising intelligence across security infrastructures.
XDR, COVID, and the Cloud
No future vision of any technology can be presented without acknowledging what impact the cloud is going to have on it, and the same can now be said of COVID. Any enterprise that wasn’t a cloud operation prior to the pandemic is certainly one now. Organisations that have made it through this past year aren’t going to descend from the cloud—ever.
The cloud provides consistent access in a world characterised by uncertainty. People may not be allowed into the office, but they can always connect from remote locations. Sales reps may not be able to travel to customer locations, but they can always meet virtually. Marketers may no longer have access to trade shows, but they are finding ways to keep their organisations relevant through virtual events. For businesses, leaders, and employees, the cloud has become essential to survivability.
The ability to scale fast enough for millions of workers and processes to shift from the office to a remote reality could be handled only because of the cloud. For security operations, the cloud has created new challenges.
Overnight, millions of endpoints connected to corporate networks via at-home WiFi, meetings started taking place over vulnerable video and chat applications, data became cloud-native, patching and vulnerability scanning backlogged. This sea of change wasn’t missed by adversaries, which are taking advantage of it all.
To meet the present and keep pace with the future, XDR has to move into the cloud as well. It’s the only way it will be able to scale alongside the new IT infrastructure reality.
Remember when Big Data burst onto the scene? As it quickly became part of the Silicon Valley vernacular, everywhere we turned there were vendors “differentiating” by claiming that their solutions were “Big Data Ready.” As it turned out, this wasn’t all hype. Security technologies that could handle massive data volumes ended up in the winners’ column.
In that same vein, soon we are certain to see vendors start differentiating their XDR by marketing around terms like “Cloud Native.” Although much of this will be marketing, enterprises should demand that vendors can do XDR in the cloud before investing.
XDR: The end game
Gaining the ability to holistically manage a security infrastructure, extend a unified set of tentacles across it, ingest every bit of security data available, apply analytics to it, and then use it to automate threat detection and response has always been a goal of security.
Unattainable? Maybe not. Established players are committing huge resources to bringing XDR solutions to market. Disruptive start-ups are eager to contribute. Enterprises have everything to gain from the efficiency and risk reduction benefits it promises to provide. It’s worth keeping an eye.