What is Extended Detection and Response (XDR)?

You’ve probably read an article, watched a talk or listened to a webinar about XDR, or extended detection and response. The cybersecurity research firm ESG defined XDR in an article as:

“… a method for gathering controls to improve the collection, correlation, contextualization and analysis of security telemetry. There is also an operational side of XDR to help coordinate response and remediation across multiple controls simultaneously.”

As organizations globally continue to expand and evolve their digital footprint, security personnel struggle to adapt operations fast enough to ensure effective monitoring and response to incidents in their environment. This becomes even more challenging with limited staff and expertise.

Organizations moving into the next era of digitization cannot use the same “old tools” for threat detection and response. They need better analytics and improved automation to analyze the flood of data coming into their dashboards (big data is here) so they can quickly and accurately detect, investigate and mitigate incidents before those incidents turn into a full-blown disaster.

We believe that, from a security analyst’s perspective, XDR can help them be more successful at their job by improving the following:

1. Visibility and context. Clearly, you need information about the environment and the assets you are protecting, which requires incorporating the appropriate data about that environment: endpoints, mobile and IoT devices, network assets and flows, applications, SCADA/ICS systems, etc. This requires that the data be continuously updated and deposited in a central location where it is standardized, so that it can be used for correlation, research and more.

2. External information and context. You need information about the adversary’s behaviors and tactics: understand which exploits are active in the wild and who is targeting a particular industry or, specifically, the organization you are protecting. That way you can answer questions such as how criminals are changing their tactics or infrastructure and what variations exist in the malware they are using. Ideally, this information should be continuously and automatically updated on whatever system is being used.

3. Correlation for detection and investigation. You need to be able to combine information about your organization with what you know about adversaries and their behaviors accurately and efficiently. Today, it is impossible to be effective on a large scale with manual processes, especially as you are monitoring a diverse environment that is undoubtedly increasing in complexity every day. Analytics and machine learning are essential. In addition, machines can update the rules and signatures that drive correlations and detections.

4. Automation or orchestration for response. Once the manager in charge has been alerted to an incident, quick action must be taken to respond, to mitigate or remediate and recover (ideally back to a normal state). To do this, you need to collaborate and communicate with multiple stakeholders. For those actions, it is ideal to have “push-button” capabilities within the dashboard to: isolate infected endpoints, change security policy or rules to block threats, block a user with suspicious activity and more.

5. Easier reporting of incidents and actions. You also need to be able to quickly report what happened, what actions were taken and how the incident was resolved. This means sending reports to executives, the board and regulators (for compliance), and sending them with as little effort as possible, so you can focus on your core monitoring and response functions.

6. Ability to actively hunt for threats. Threat hunting needs the same set of tools: the context required for your analysis and the ability to easily detect deviations from a known baseline of activity.

The results that XDR can deliver are powerful, so we expect XDR to become an even more established category in the industry. One of redborder’s strengths is its SIEM for threat detection and response, whose capabilities align with the XDR approach.
