XDR laptop Giacomo Lanzi

XDR as an approach to security

Estimated reading time: 5 minutes

Just like any other IT field, the cybersecurity market is driven by hype . Currently hype towards XDR, ie eXtended Detection and Response .

XDR is the latest in threat detection and response, a key element of a company’s infrastructure and data defense .

What exactly is XDR?

XDR is an alternative to traditional responsive approaches that only provide layer visibility on attacks . I refer to procedures such as detection and endpoint response (EDR), network traffic analysis (NTA) and SIEM , which we have talked about in many other articles.

The layer visibility implies that various services are adopted, stratified (layers), which each keep under control a specific entity in the infrastructure. This can be problematic. In fact, you need to make sure that layers don’t end up isolated, making it difficult, or nearly impossible to manage and view data. layer visibility provides important information, but can also lead to problems, including :

Collecting too many incomplete and contextless alerts. EDR detects only 26% of initial attack vectors and due to the high volume of security alerts, 54% of professionals security ignores warnings that should be investigated .
Complex and time-consuming investigations requiring specialist expertise . With EDR, the median time to identify a breach has increased to 197 days, and the median time to contain a breach has increased to 69 days.
Tools focused on technology rather than user or business . EDR focuses on technology gaps rather than the operational needs of users and companies. With more than 40 tools used in an average Security Operations Center (SOC), 23% of security teams spend their time maintaining and managing security tools rather than investigating . ( Source )

XDR data collection

For already overloaded security teams, the result can be an endless stream of events , too many tools and information to switch between, longer time frames for detection and security expenses that are beyond budget and are not even fully effective .

What’s new in eXtended Detection Response

XDR implements a proactive approach to threat detection and response . It offers visibility into data across networks, clouds and endpoints, while applying analytics and automation to address today’s increasingly sophisticated threats. The benefits of the XDR approach for security teams are manifold:

Identify hidden, stealth and sophisticated threats proactively and quickly.
Track threats across any source or location within your organization. < br> Increase the productivity of people working with technology.
Get more from their security investments .
Conclude investigations in a way more efficient .

From a business perspective, XDR enables companies to detect cyber threats and stop attacks, as well as simplify and strengthen security processes. As a result, it enables companies to better serve users and accelerate digital transformation initiatives. When users, data and applications are protected, companies can focus on strategic priorities.

Why consider it for your company

The two main reasons why this approach is beneficial are: endpoints do not have visibility into threats in places like cloud services , and it may not be possible to put a < em> software agent on all company endpoints .

But there are other reasons to consider too. The addition of other data sources can provide more context in the EDR results, improving triage and investigation of alerts . Providers are moving not only to provide more and better organized data, but also by delivering analytics platforms to lighten the analytical load on operators. This translates into ease of use and reduced operating costs.

XDR can seem very attractive as a product: Tight integration of parts, highly tuned content (as the provider has total control over the events from the data sources), use of analytics and response automation.

Virtual data XDR

What to pay attention to before adoption

Some providers are positioning their XDR as the ultimate threat detection solution . However, many vendors are unable to offer all the tools needed to get the advantage sold. Some providers offer endpoint and cloud monitoring in the package, others endpoint and network monitoring, but when looking at the comprehensive needs of most organizations, there are often missing details in the overall picture.

And if, once the company engages with a provider and notices a lack in one of the monitored sectors, what are the possible solutions? A situation of vendor lock-in from which to break free means to sever a contract and then open another one, with all the consequent costs.

XDR as an approach, not as a product

Before entering into a contract with a provider that sells a solution as final, it is always good to weigh the benefits and implications analytically.

Tight, two-way integration of multiple threat detection and response capabilities is the first distinguishing feature. But it is not necessary to buy two technology components from the same vendor to achieve good integration. Indeed, many products have the ability to integrate with some solutions from other vendors as one of their main strengths.

The XDR approach must provide a platform that allows the necessary data collection and storage , but also strong analytical skills, to orchestrate and automate response actions provided by the other parts of the solution. A cloud based Next Generation SIEM is a perfect solution.

How to move then?

The interest in XDR products is a clear signal that excessive fragmentation was leading to excessive complexity. A little consolidation is good, but it must be done while protecting flexibility and the ability to follow the best solutions.

In our opinion, a SOCaaS is an optimal solution. Provides next generation SIEM , with strong analytical capabilities. In addition, it also integrates artificial intelligence that helps in time to recognize threats through behavior analysis. A SOCaaS is the future of security operating platforms.

To find out with our services they can help you protect the data of your company and your customers, contact us, we will gladly answer all your questions.

Useful links:

Share


RSS

More Articles…

Categories …

Tags

RSS darkreading

RSS Full Disclosure

  • CyberDanube Security Research 20241219-0 | Authenticated Remote Code Execution in Ewon Flexy 205 December 22, 2024
    Posted by Thomas Weber | CyberDanube via Fulldisclosure on Dec 21CyberDanube Security Research 20241219-0 ------------------------------------------------------------------------------- title| Authenticated Remote Code Execution product| Ewon Flexy 205 vulnerable version|
  • Stored XSS with Filter Bypass - blogenginev3.3.8 December 19, 2024
    Posted by Andrey Stoykov on Dec 18# Exploit Title: Stored XSS with Filter Bypass - blogenginev3.3.8 # Date: 12/2024 # Exploit Author: Andrey Stoykov # Version: 3.3.8 # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2024/12/friday-fun-pentest-series-16-stored-xss.html Stored XSS Filter Bypass #1: Steps to Reproduce: 1. Login as admin and go to "Content" > "Posts" 2. On […]
  • [SYSS-2024-085]: Broadcom CA Client Automation - Improper Privilege Management (CWE-269) December 19, 2024
    Posted by Matthias Deeg via Fulldisclosure on Dec 18Advisory ID: SYSS-2024-085 Product: CA Client Automation (CA DSM) Manufacturer: Broadcom Affected Version(s): 14.5.0.15 Tested Version(s): 14.5.0.15 Vulnerability Type: Improper Privilege Management (CWE-269) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2024-10-18 Solution Date: 2024-12-17 Public Disclosure:...
  • [KIS-2024-07] GFI Kerio Control <= 9.4.5 Multiple HTTP Response Splitting Vulnerabilities December 17, 2024
    Posted by Egidio Romano on Dec 16--------------------------------------------------------------------------- GFI Kerio Control
  • RansomLordNG - anti-ransomware exploit tool December 17, 2024
    Posted by malvuln on Dec 16This next generation version dumps process memory of the targeted Malware prior to termination The process memory dump file MalDump.dmp varies in size and can be 50 MB plus RansomLord now intercepts and terminates ransomware from 54 different threat groups Adding GPCode, DarkRace, Snocry, Hydra and Sage to the ever […]
  • APPLE-SA-12-11-2024-9 Safari 18.2 December 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Dec 12APPLE-SA-12-11-2024-9 Safari 18.2 Safari 18.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121846. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Safari Available for: macOS Ventura and macOS Sonoma Impact: On a […]
  • APPLE-SA-12-11-2024-8 visionOS 2.2 December 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Dec 12APPLE-SA-12-11-2024-8 visionOS 2.2 visionOS 2.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121845. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Crash Reporter Available for: Apple Vision Pro Impact: An app may […]
  • APPLE-SA-12-11-2024-7 tvOS 18.2 December 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Dec 12APPLE-SA-12-11-2024-7 tvOS 18.2 tvOS 18.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121844. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. AppleMobileFileIntegrity Available for: Apple TV HD and Apple TV 4K (all […]
  • APPLE-SA-12-11-2024-6 watchOS 11.2 December 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Dec 12APPLE-SA-12-11-2024-6 watchOS 11.2 watchOS 11.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121843. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. AppleMobileFileIntegrity Available for: Apple Watch Series 6 and later Impact: A […]
  • APPLE-SA-12-11-2024-5 macOS Ventura 13.7.2 December 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Dec 12APPLE-SA-12-11-2024-5 macOS Ventura 13.7.2 macOS Ventura 13.7.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121842. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Apple Software Restore Available for: macOS Ventura Impact: An […]

Customers

Newsletter

{subscription_form_1}