Demystifying 'Detection' in XDR
XDR • Sep 21, 2021
This blog, by Cyware experts, will help you declutter the origins and utility of XDR and how organizations can build the optimal XDR solution to address various security use cases.
Our experts for this blog are Avkash Kathiriya (VP of Research and Innovation, Cyware) and Rajan Chheda (Director of Customer Success, Cyware). Avkash has extensive experience in the information security domain, including SOC/CSIRT management, cyber fusion, red teaming, cyber resiliency, threat hunting, threat intelligence and research, enterprise security architecture, cyber security governance, and network security management. Rajan has a plethora of diversified work experience in information/cyber security and is skilled in managing various cyber security and defense functions such as Security Operations Center (SOC), threat intelligence, vulnerability management, threat hunting, red teaming, identity and access management, vendor risk management, and cyber security compliance, among others.
According to analyst firm Gartner, Extended Detection and Response (XDR) is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”
The primary goals of XDR are to improve detection accuracy and SecOps efficiency and productivity.
Instead of just Endpoint Detection and Response (EDR), XDR is aimed at providing any-to-any detection and response capabilities.
As compared to EDR solutions which are focused on protecting specific devices, XDR takes a broader view to provide integrated visibility and threat management across endpoints, cloud infrastructure, mobile devices, and more.
The X in XDR represents this approach of providing security integration for threat detection and response across an enterprise network that is comprised of a large number of systems, with different security priorities and threats impacting them.
An XDR solution aggregates data from across the enterprise network and puts it in the right context to provide detection capabilities for sophisticated and distributed attacks.
XDR solutions can also help respond to an attack in progress or implement preventative measures to block potential threats before they impact any assets.
In this blog, you will understand the significance of threat detection, the various threat detection mechanisms used by organizations, the challenges they face, and the way ahead for a more cohesive XDR solution.
Threat detection is the practice of analyzing the entirety of a security ecosystem to identify any malicious activity that could compromise the network or any systems in it. If a threat is detected, then response actions must be executed promptly to neutralize the threat before it can cause any disruption. Instead of responding to incidents after a system or network is compromised, organizations rely on various threat detection mechanisms to detect threats at an early stage.
Siloed approach - Too many cooks spoil the broth. When security teams are using dozens of tools, many with specific use cases and some with overlapping capabilities, it becomes difficult to build a unified approach to threat detection. Organizations need to overcome the silos around different security functions for rapid and effective threat detection across all their assets.
Lack of correlated detection - Another problem arising from security silos is the lack of correlation between threat data from external sources and internal tools. To detect the most sophisticated threats, security teams need to identify and correlate the different pieces of the threat puzzle by analyzing the activity and data collected across their entire security infrastructure.
Analyst fatigue - The volume of security alerts generated every day has become a challenge in itself for organizations. Without putting the alerts into the right context and eliminating the noise, security analysts can get overwhelmed and lose focus from the most important issues that require their attention.
Only IOC-based detection - Traditionally, security teams have relied on tools that detect threats based on Indicators of Compromise (IOCs) such as IP addresses, file hashes, domain names, and so on. While IOCs can help detect known threats, it is easy for threat actors to change their IOCs to bypass such detection mechanisms. Moreover, IOCs are not useful in detecting novel attack vectors.
Threat detection and monitoring are performed using many diverse tools and techniques that work on different layers of the technology infrastructure. Some of the common solutions used by organizations for threat detection include:
Data lake or SIEM (via rules) - A Security Data Lake (SDL) or a Security Information and Event Management (SIEM) solution helps organizations ingest, parse, and organize security data from multiple security tools into a common structure.
Email Gateway - Email gateways can help detect email-borne threats originating from known suspicious domains and block them before they reach the targeted users.
Network traffic analysis (NTA) - NTA is a method of examining network traffic data to identify malicious activity and attribute it to known IOCs.
Proxies - A network proxy can help organizations safeguard their employees’ online activity by monitoring outgoing traffic from their networks.
EDR - Endpoint Detection and Response (EDR) solutions are focused on detecting and mitigating threats on endpoints, such as end-user workstations or servers.
Cloud Monitoring Solutions - Many of the above solutions are also deployed through cloud platforms to enable threat detection over cloud-based or hybrid infrastructure.
UEBA from SOCs/NOCs - User and Entity Behavior Analytics (UEBA) solutions help organizations model and detect anomalous behavior of humans and machines within their network.
Consolidation of Detection - With the prevalence of such endpoint tools for specific use cases, organizations face new challenges in using and getting value from them. While endpoint protection is necessary, organizations need to ensure that it does not result in greater security complexity and a lack of visibility across the entire organization. This is why the XDR approach to threat detection is a step in the right direction, as it allows organizations to gain a single pane of glass view of their threat environment without delving into all the point tools deployed on their systems.
Contextualization of Detection - Another critical issue that many point tools face is their reliance on low-level Indicators of Compromise (IOCs) like IP addresses, file hashes, URLs/domains, etc. Such IOCs are often linked to only a single attack and can be easily changed by the threat actors, thereby limiting their use in detecting future attacks. They can also lead to more false-positive alerts. The biggest shortcoming of IOC-based detection is that it is reactive, which means that IOCs are only recorded and used for detection after an attempted or successful security breach. IOCs are thus typically linked to specific incidents instead of being threat-centric, so IOC-based detection does not help detect entirely new threats that are not linked to any previous indicators. Most of the significant breaches in today’s threat landscape are not isolated incidents, but rather a part of more extensive attack campaigns often conducted by sophisticated threat groups. To detect threats from such campaigns, organizations need to analyze historical incidents in conjunction with threat intelligence collected from various sources to figure out the attack patterns. IOCs provide limited help in detecting and contextualizing such sophisticated threats.
Instead of IOCs, security teams need to analyze the attackers’ tactics, techniques, and procedures (TTPs) that do not change often and can help describe and predict the behavior of threat actors at different stages of the attack lifecycle. Cyware helps organizations move from IOC-based detection to TTP-based detection by providing tactical and technical threat intelligence on adversary behavior. With TTP-based detection, security teams can detect an entire family of threats based on common behavior patterns.
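The IOC-versus-TTP contrast above, as an added example that is not Cyware's code: two constructed batches of endpoint telemetry carry the same behavior (an Office application spawning a scripting host), but the second batch uses a fresh file hash and a fresh command-and-control address. The IOC watchlist, harvested from the first batch, misses the second; the behavioral rule still fires and groups both hosts under one pattern. All hosts, hashes and IP addresses are constructed sample values.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry): host, parent process, image, file hash, destination IP.
CAMPAIGN_A = [
    {"host": "ws1", "parent": "winword.exe", "image": "powershell.exe", "sha256": "aaa111", "dst_ip": "198.51.100.7"},
    {"host": "ws1", "parent": "powershell.exe", "image": "rundll32.exe", "sha256": "bbb222", "dst_ip": "198.51.100.7"},
]
# Same behavior as campaign A, but every low-level indicator has changed.
CAMPAIGN_B = [
    {"host": "ws2", "parent": "excel.exe", "image": "powershell.exe", "sha256": "ccc333", "dst_ip": "203.0.113.9"},
    {"host": "ws2", "parent": "powershell.exe", "image": "rundll32.exe", "sha256": "ddd444", "dst_ip": "203.0.113.9"},
]

# IOC watchlist recorded after campaign A was analyzed: reactive by nature, tied to one incident.
IOC_HASHES = {"aaa111", "bbb222"}
IOC_IPS = {"198.51.100.7"}

# Behavioral (TTP) rule: an Office application launching a scripting host. This describes what the
# adversary does rather than which artifact they used, so it survives hash and address rotation.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe"}


def ioc_detect(events):
    """Return events whose file hash or destination IP is on the IOC watchlist."""
    return [e for e in events if e["sha256"] in IOC_HASHES or e["dst_ip"] in IOC_IPS]


def ttp_detect(events):
    """Return events matching the behavioral rule, regardless of hash or IP."""
    return [e for e in events if e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS]


def compare(events):
    """Summarize how many events each detection approach flags in a batch."""
    return {"ioc_hits": len(ioc_detect(events)), "ttp_hits": len(ttp_detect(events))}


def group_by_ttp(events):
    """Group affected hosts by the behavior pattern they exhibit: one 'family' of activity,
    even when the indicators differ between hosts."""
    families = defaultdict(set)
    for e in ttp_detect(events):
        families["office_app_spawns_script_host"].add(e["host"])
    return {pattern: sorted(hosts) for pattern, hosts in families.items()}


if __name__ == "__main__":
    print("campaign A", compare(CAMPAIGN_A))  # both approaches flag activity
    print("campaign B", compare(CAMPAIGN_B))  # only the behavioral rule fires
    print("families  ", group_by_ttp(CAMPAIGN_A + CAMPAIGN_B))
```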
By contextualizing threat detection with the infusion of enriched threat intel, Cyware helps security teams find the hidden links between different incidents, uncover attack campaigns and threat actors, and ensure all assets are protected from malware, vulnerabilities, threat actors, attack campaigns, and other kinds of threats.
Through automation, Cyware’s solutions help rapidly operationalize threat intel and boost the dissemination of threat intel to different roles and business units within an organization. They also enable real-time threat intel sharing and collaboration among members of information sharing communities (ISACs/ISAOs) and for national CERTs. Cyware’s virtual cyber fusion centers combine the power of a threat intelligence platform and a SOAR solution to accelerate threat detection and hunting by collating and analyzing information from diverse sources. With the power of cyber fusion and security automation, Cyware also helps organizations transform and accelerate their threat response and management capabilities.
While there are a large number of security tools available on the market, many of them are not designed to communicate with each other. Cyware steps in again with its Virtual Cyber Fusion Center (vCFC), which makes a diverse set of security applications interoperable through smart orchestration and automation. This makes the lives of both security vendors and their customers easier by enabling comprehensive vendor-agnostic threat detection capabilities through collaboration between different tools. Moreover, it also means that detection mechanisms are more tightly integrated with threat intelligence platforms and SOAR, thereby boosting mitigation efforts.
Threat detection is an indispensable part of modern security operations. While traditional detection mechanisms come with their shortcomings, a more integrated approach to threat detection can help organizations stay prepared to defend their assets rapidly and effectively. Cyware is building pioneering solutions that accelerate the shift to XDR by enabling TTP-based threat analysis, collaboration among different tools, and fusion with threat intel and SOAR capabilities.