It’s no wonder that many security professionals fall into the trap of adopting a variety of security tools to help them cope with these problems. In the hope of using the latest and seemingly greatest technology, CISOs think adding another security layer will reduce their risk exposure. If only it were that easy. Adding more technology can solve some of the issues, but it can also dilute team attention spans further, leading to more problems over time.
At the board level, a lot of confusion is brewing. Board members are overwhelmed with the many acronyms they are expected to know: Security Incident and Event Management (SIEM), Security Orchestration, Automation and Response (SOAR) and Endpoint Detection and Response (EDR), and now there is another, Extended Detection and Response (XDR). How can they be expected to understand what is delivering value?
In reality, the problem isn’t with the tooling. Each tool, whether it be SIEM, SOAR or EDR, is valuable in its own right. However, with each new integration, organisations are facing greater data silos. Analysts then have to deal with a barrage of alerts from their range of solutions. And each dashboard reports its own metrics based on the visibility of its corner of the corporate network and its specific use cases.
This leads to problems where the same alert can be flagged to multiple teams, or where issues can slip through the gaps. With security analysts already stressed, this can produce alert fatigue. To address this, XDR solutions are designed as the top layer, to investigate every potential incident in the digital estate, and enable real-time incident detection and response. Yet, not all XDRs are created equal.
Some current solutions regurgitate data to users, which just creates extra work for the analyst who still needs to interpret this data and make countless manual decisions about the required action. Current SIEM and XDR solutions passively and reactively collect disparate, unrelated logs, which creates an avalanche of notifications that place the burden of correlation and prioritisation on the security analyst. The emphasis is placed back on the user to sift through those alerts to detect threats, and prioritise response and remediation based on their analysis accordingly. This is a heavy lift for any team when you consider the quantity of alerts faced daily, particularly when dealing with false positives that waste time and affect staff morale.
This is where the value of insight in context comes in. In one tool, one log or alert might look a lot like any other. However, when combined with external threat intelligence and other security data, that innocuous request will suddenly take on new meaning and rapidly rise up the priority list. XDR is designed to break down data silos and help analysts achieve greater insight, by creating a unified view of the enterprise technology stack and its threats. Combining the tapestry of security solutions and functions together in one platform, analysts can understand exactly what is going on in their environment from a single view.
Analysts are able to use the noise of multiple alerts from multiple platforms and turn this into signals that provide a unified view of the enterprise technology stack. By correlating data from asset inventory and vulnerability information, network endpoint telemetry, high-quality threat intelligence and third-party log data, we can provide analysts with more context on what is taking place and drive more effective response to threats in real time.
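The correlation described above, merging alerts from several tools about the same asset and indicator and then enriching them with threat intelligence and asset inventory so that priority reflects context rather than each tool's own severity, can be shown in a small worked example. The code below is an added illustration, not code from the article or from any XDR product; the alert records, the threat-intelligence list, the asset inventory and the scoring weights are all constructed for the example (IPs are from the reserved TEST-NET range and domains are example names).

```python
from dataclasses import dataclass, field


@dataclass
class Alert:
    source: str      # tool that raised it (EDR, SIEM, NDR, ...)
    host: str        # asset the alert concerns
    indicator: str   # IP, domain or hash the alert is about
    severity: int    # the tool's own 1-5 rating, meaningful only within that tool


@dataclass
class Incident:
    host: str
    indicator: str
    score: int = 0
    sources: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def correlate(alerts, intel, assets):
    """Merge alerts about the same host+indicator, then score them with context.

    intel:  {indicator: description} of known-bad indicators
    assets: {host: {"criticality": 1-5, "unpatched": bool}} from inventory/vuln data
    Returns incidents ordered highest priority first.
    """
    merged = {}
    for a in alerts:
        key = (a.host, a.indicator)
        inc = merged.setdefault(key, Incident(a.host, a.indicator))
        inc.sources.append(a.source)
        inc.score = max(inc.score, a.severity)   # keep the highest tool rating

    for inc in merged.values():
        inc.reasons.append(f"max tool severity {inc.score}")
        asset = assets.get(inc.host, {"criticality": 2, "unpatched": False})
        if inc.indicator in intel:               # external threat intelligence match
            inc.score += 3
            inc.reasons.append(f"threat intel: {intel[inc.indicator]}")
        inc.score += asset["criticality"]        # business value of the asset
        inc.reasons.append(f"asset criticality {asset['criticality']}")
        if asset["unpatched"]:                   # exposure from vulnerability data
            inc.score += 2
            inc.reasons.append("asset has unpatched vulnerabilities")
        if len(inc.sources) > 1:                 # corroborated by more than one tool
            inc.score += 1
            inc.reasons.append(f"seen by {len(inc.sources)} tools")

    return sorted(merged.values(), key=lambda i: i.score, reverse=True)


# --- constructed sample data (hypothetical, not from any real environment) ---
THREAT_INTEL = {
    "203.0.113.7": "known command-and-control node",
    "evil.example": "phishing domain",
}
ASSETS = {
    "db-prod-01": {"criticality": 5, "unpatched": True},
    "laptop-042": {"criticality": 1, "unpatched": False},
}
ALERTS = [
    Alert("EDR",  "db-prod-01", "203.0.113.7", 2),   # outbound connection, rated low
    Alert("SIEM", "db-prod-01", "203.0.113.7", 2),   # same event seen in firewall logs
    Alert("NDR",  "laptop-042", "198.51.100.9", 3),  # odd traffic, no intel, low-value host
    Alert("SIEM", "laptop-042", "evil.example", 1),  # DNS lookup, rated informational
]


def prioritise_sample():
    """Run the correlation over the constructed alerts; used by the usage below."""
    return correlate(ALERTS, THREAT_INTEL, ASSETS)


if __name__ == "__main__":
    for inc in prioritise_sample():
        print(f"{inc.score:>3}  {inc.host:<11} {inc.indicator:<14} "
              f"via {','.join(inc.sources)} :: {'; '.join(inc.reasons)}")
```

Ordered by the tools' own severities, the NDR alert (3) would be worked first and the informational DNS lookup (1) last. With context added, the two duplicate low-rated alerts collapse into one incident that tops the list (a production database with unpatched vulnerabilities talking to a known C2 node, corroborated by two tools), and the intel-matched lookup on the laptop outranks the uncorroborated NDR alert. The weights are arbitrary; the point is that prioritisation comes from the combined view, not from any single dashboard.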
Context is the difference between wasted time spent on manual tasks and more focused investigation where it is really needed. With understaffed and time-poor security teams struggling to support remote working and deal with more attacks, providing context using XDR is an effective route to providing what businesses need to improve their risk posture and security approach. Without this, teams will struggle to manage workflows and deal with potential issues in a timely manner.