A Guest Post by Mark Harris, former Senior Director Analyst at Gartner
In the cyber security industry, there is a never-ending cat-and-mouse game between adversaries who create new exploits and defenders who devise ways to stop them. As soon as a defender finds a way to stop one type of cyber attack, the adversaries create a new one, so defenders are always playing catch-up. New products and solutions are constantly emerging to address rising threats, while existing products adapt or merge with other solutions. The goal is to stay one step ahead of the attackers, but it’s an ongoing battle that is unlikely to ever be won definitively without an effective cybersecurity strategy.
This multi-part blog series provides an overview and guidance on how to develop a successful cybersecurity strategy for your organization. In Part 1, we focus on why organizations need to extend protection beyond the endpoint to stay ahead of adversaries.
The XDR Advantage
Endpoint Detection and Response (EDR) has quickly become an integral part of endpoint protection (EPP), but as attackers have become more sophisticated, detection and response has needed to evolve beyond just the endpoint. Extended Detection and Response (XDR) provides three key capabilities:
- Combine alerts from multiple security tools into a single incident to improve the efficiency and effectiveness of security teams. Closing the gaps in visibility and reducing the time taken to investigate and triage incidents means incidents are contained more quickly.
- Correlate “weak” signals (low priority alerts) from multiple security sources to create new detections that may not be identified when those signals are in a silo or viewed in isolation.
- Automatically respond to threats detected across multiple products.
For example, a user trying to log in to a machine and failing may mean they’ve forgotten their password. But if multiple users try and fail, that could be an attacker. If a user then successfully logs in and starts running administration tools to download files or change configuration, then it’s a much stronger indication that an attacker is in the network.
That sequence of events, and the detection built on it, should be presented as a single incident that needs investigation. The response also needs to be automatic, and could be to isolate the affected machine and force the user to re-authenticate.
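The failed-login scenario above, written out as correlation logic over a handful of constructed authentication and process events. This is an added example, not SentinelOne's or Storyline's code: the event format, the thresholds, the list of "administration tools" and the response actions are all assumptions chosen to illustrate how weak signals (a few failed logons) become a single high-severity incident once a successful logon is followed by admin tooling on the same host.

```python
# Added example (not SentinelOne's code): stage-wise correlation of weak signals.
# Event format, thresholds, ADMIN_TOOLS and the response actions are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <host> <user> <event kind> <detail>".
SAMPLE_EVENTS = [
    "2024-03-01T09:00:05 host01 alice AUTH_FAIL -",
    "2024-03-01T09:00:40 host01 bob   AUTH_FAIL -",
    "2024-03-01T09:01:10 host01 carol AUTH_FAIL -",
    "2024-03-01T09:01:55 host01 dave  AUTH_FAIL -",
    "2024-03-01T09:03:20 host01 dave  AUTH_OK   -",
    "2024-03-01T09:04:02 host01 dave  PROCESS   net.exe",
    "2024-03-01T09:04:30 host01 dave  PROCESS   certutil.exe",
    "2024-03-01T11:15:00 host02 erin  AUTH_FAIL -",   # one user, one failure
    "2024-03-01T11:15:30 host02 erin  AUTH_OK   -",   # a forgotten password
    "2024-03-01T11:16:00 host02 erin  PROCESS   outlook.exe",
]

# Assumed tuning: distinct users failing on one host within the window, and
# which process names count as administration tooling for escalation.
FAIL_USER_THRESHOLD = 3
WINDOW = timedelta(minutes=10)
ADMIN_TOOLS = {"net.exe", "certutil.exe", "reg.exe", "powershell.exe", "psexec.exe"}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str
    detail: str


@dataclass
class Incident:
    host: str
    severity: str
    user: str = ""
    evidence: list = field(default_factory=list)
    response: list = field(default_factory=list)


def parse_event(line: str) -> Event:
    ts, host, user, kind, detail = line.split()
    return Event(datetime.fromisoformat(ts), host, user, kind, detail)


def correlate(lines):
    """Return one Incident per host whose events, taken together, look hostile."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.ts)
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)

    incidents = []
    for host, evs in by_host.items():
        for start in (e for e in evs if e.kind == "AUTH_FAIL"):
            window = [x for x in evs if start.ts <= x.ts <= start.ts + WINDOW]
            failed_users = {x.user for x in window if x.kind == "AUTH_FAIL"}
            if len(failed_users) < FAIL_USER_THRESHOLD:
                continue  # a single forgotten password is not an incident
            # Stage 1 (weak signal): many different users failing on one host.
            inc = Incident(host, "medium",
                           evidence=[f"{len(failed_users)} distinct users failed to log on within {WINDOW}"],
                           response=["notify SOC"])
            # Stage 2: a successful logon followed by admin tools from that user.
            for ok in (x for x in window if x.kind == "AUTH_OK"):
                tools = [x.detail for x in window
                         if x.kind == "PROCESS" and x.user == ok.user
                         and x.ts > ok.ts and x.detail.lower() in ADMIN_TOOLS]
                if tools:
                    inc.severity = "high"
                    inc.user = ok.user
                    inc.evidence.append(f"{ok.user} logged on and ran {', '.join(tools)}")
                    # Automatic response, as described in the text above.
                    inc.response = [f"isolate {host}", f"force re-authentication for {ok.user}"]
                    break
            incidents.append(inc)
            break  # one incident per host; the remaining failures belong to it
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc)
```

Running it produces a single incident for host01 (severity high, user dave, with isolation and re-authentication as the response) and nothing for host02, where one user failing once and then succeeding is exactly the forgotten-password case the text describes. The two-stage structure is the point: each stage on its own is a low-priority signal, and only the correlation across identity and process telemetry on the same host justifies an automatic response.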
Moving Beyond SIEM and SOAR
For many years the main tool for the security operations center (SOC) was Security Information and Event Management (SIEM), but these tools were often more focused on log collection than on correlation, and relied on the SOC team’s expertise to manage and process the large volume of data and alerts. Any response would often need to be handled through a separate security orchestration, automation, and response (SOAR) tool.
These tools required dedicated, highly skilled teams to sift through the vast amount of information to try and identify incidents. More often than not, SIEM and SOAR are used post-incident to understand and remediate what happened rather than as a detection and response capability.
EDR addressed a lot of the overhead of managing endpoint-focused threats. Collecting events and data in a central cloud-based infrastructure gave security teams the ability to hunt for threats across an entire organization, giving them the visibility to reduce the time to detect a threat significantly. SentinelOne’s automation and remediation means threats can be quickly identified and resolved, often with minimal effort, leaving security teams more time to carry out those threat-hunting investigations.
In the case of managed service providers or SentinelOne’s own Vigilance service, that visibility is across all customers using the service. Storyline™ not only provides security teams with curated automated correlation but also the ability to quickly and easily add new rules specific to their organization.
Protecting the Organization, Not Just the Device
Today, threat actors are not just targeting individual machines; they are targeting the organization as a whole. The first machine to be compromised is just the starting point. From that initial foothold, the attacker can carry out further reconnaissance and move through the network to identify valuable data before stealing it. Whilst EDR tools are very effective, there only needs to be one weak link for the attacker to exploit.
Ensuring that endpoint protection and EDR are deployed on every single machine is one of the biggest challenges for IT operations teams. 100% deployment is rarely achievable for all but the smallest of organizations, but tools like SentinelOne Ranger provide the visibility into the network to find any unmanaged or unauthorized devices.
XDR goes beyond just the endpoint and provides the integration and correlation of events and alerts across a wide range of security tools to improve visibility, reduce the time to detect still further, and respond quickly. The IBM data breach report estimates that deploying XDR can reduce the time to detect by a month.
What Do Vendors Mean By “XDR”?
While the need for XDR is clear, vendors don’t all agree on what the term means or how XDR solutions should be delivered. The term ‘XDR’ is perhaps one of the most overused terms in cybersecurity today.
There are a number of interpretations of how to deliver XDR.
- Single Vendor XDR – All the security tools are provided by a single vendor. Integration with other tools is limited, usually to just ingesting logs and alerts. Choosing a single vendor XDR solution is a complex, risky and expensive approach. Migrating security tools takes time, and existing licenses will have to be paid whilst the migration is done. There is also no guarantee that the solutions from a single vendor will meet an organization’s needs.
- SIEM XDR – Several of the SIEM vendors are combining traditional SIEM functionality with SOAR and claiming XDR, but these solutions don’t have automated threat detection capabilities.
- Managed XDR – Managed service providers can provide the capabilities of XDR by integrating multiple tools into their services. Although it may deliver on the outcomes, the service relies on the MSP SOC team and functionality.
- Open XDR Platform – Provides a platform that can integrate multiple products from different vendors and correlate those events. To be effective, the integration needs to be bidirectional: receiving alerts from a product, but also being able to automatically send response actions back to it. One of the key advantages of an open XDR platform is that rather than replacing existing solutions, they can be integrated into the platform, so the benefits of XDR are realized much sooner.
SentinelOne has built an open XDR platform that provides a flexible and scalable solution. Singularity™ XDR integrates with the broad range of SentinelOne products and services as well as with leading third-party security providers such as Mimecast for email security. It includes the automation, AI and ML capabilities to quickly get the benefits of XDR and provide a scalable, extensible platform to build upon.
XDR is the natural progression of EDR, moving beyond the endpoint to the rest of the security infrastructure, including identity and cloud security. XDR is a journey, and as threats evolve the XDR platform needs to be able to grow and adapt. XDR isn’t necessarily just selecting a solution; it’s choosing a strategy and a strategic partner. SentinelOne provides that vision and strategy to help organizations deliver on the promise of XDR and protect the whole organization.
About the Author
Mark Harris is a cybersecurity advisor and former Senior Director Analyst at Gartner with over 25 years of experience. At Gartner, Harris authored a variety of market-shaping research on Endpoint Protection and EDR, including the EPP Magic Quadrant and Critical Capabilities, as well as Market Guides and research on ransomware and other threats.