Endpoint security is a significant concern for today’s organizations and has only grown more complex with the institutionalization of hybrid working. Cybercriminals also engage in modern attack tactics that include reusing stolen credentials, exploiting zero-day vulnerabilities, employing ransomware, and exploiting trusted insiders. Unfortunately, it only takes one mistake, poorly-secured device, or weak password to give attackers the opening they need to get inside the network. And once they’re in, they can move laterally with little resistance, seeking privileges and valuable data to encrypt or exfiltrate.
Identifying these threats early is critical. However, identity-based threat detection requires a different approach not found in traditional defenses. Organizations use Endpoint Detection and Response (EDR) platforms as a primary incident response tool for most security teams, alongside Endpoint Protection Platforms (EPPs) and other valuable tools. These solutions are a good starting point, but stopping today’s threats requires a more unified approach. Extended Detection and Response (XDR) solutions can improve the reliability and efficiency of security operations with enhanced detection and response capabilities. XDR solutions are a natural evolution of EDR, consolidating multiple security products into a single security incident detection and response platform capable of identifying suspicious activity in near-real-time.
Why XDR for Threat Detection and Incident Response?
Gartner refers to XDR solutions as “a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components.” This description effectively gets to the heart of the benefit that XDR offers. Today’s cybersecurity teams often employ many different tools, but XDR provides the ability to unify multiple telemetry streams and present options for numerous forms of detection and response.
It might sound similar to Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solutions, and while this is in some ways accurate, speed and effectiveness matter. For example, organizations often use SIEM tools primarily for log storage and compliance, collecting information for later analysis but not offering real-time detection capabilities, limiting the value of such implementations. XDR solutions focus mainly on threat detection and incident response use cases, allowing them to add significant value to security deployments from the moment of installation.
Whether the attacker is human or automated, XDR solutions provide early and accurate threat detection and can quarantine a compromised endpoint instantly. Whereas reviewing logs or SIEM data might only reveal an attacker’s presence after leaving the endpoint, XDR solutions can lock them down in real-time.
How ITDR and Deception Fits With XDR
Identity Threat Detection and Response (ITDR) and cyber deception-based detections can enhance XDR platforms, which can correlate additional attack data and activate incident response actions.
ITDR solutions add layers of defense by efficiently detecting and responding to identity-based attacks. They protect against credential theft or privilege escalation on the endpoints and derail Active Directory identity compromises.
Deception technology provides a comprehensive detection fabric that blankets the network with deceptive credentials, shares, bait, and other decoys likely to draw an attacker’s attention early in the attack life cycle. Deception has proven to be a highly efficient way to trick attackers into revealing themselves. Traditional deception technology can also pair with concealment technology, which hides and denies access to production network assets, stopping attackers from leveraging credential stores, Active Directory objects, and data.
In addition to a high-fidelity detection alert, deception can also safely engage the attacker by steering them into a decoy and then sharing TTPs and IoCs with an XDR platform.
The Future of XDR
Attackers have learned how to evade security controls over the years. Compromising an endpoint and using stored credentials, querying Active Directory, moving laterally, and escalating the privileges are hallmarks of today’s attackers. The extra intelligence that modern XDR solutions provide can make a significant difference in helping defenders identify and respond to suspicious or attack-related activity quickly before adversaries can significantly infiltrate the network. However, as Peter Firstbrook from Gartner has stated, “XDR is not complete without ITDR.” Augmenting XDR with identity security and cyber deception can further enhance the effectiveness of this critical modern cybersecurity tool, improving the efficiency and capabilities of an already indispensable resource. As time goes on and attackers continue to grow more sophisticated, XDR, ITDR, and the adversary intelligence that deception technology provides will go a long way in preventing attackers from completing their mission successfully.
In May of 2022, we became the first XDR provider to natively include identity security for endpoints, identity infrastructure (Active Directory), and cloud environments with its acquisition of Attivo Networks.