XDR has been waiting in the wings for some time, but its moment may have arrived. How can this new twist on an old strategy help your cybersecurity? Here's our quick guide.

XDR Hits Critical Mass

It seems like some things just take a while to gain traction. There has to be a period of time for the idea to lodge in the collective consciousness and start to have some sway on the decisions that involve security, budgets, or both. If the concept is more of a strategy or an initiative than a product, it can take longer for that idea to gain critical mass. There have to be enough people talking about it, implementing it, and eventually recommending it for it to gain marketplace momentum.

An example of that is the zero-trust network. It was originally mooted in a Ph.D. thesis in 1994 by Stephen Paul Marsh. Nearly 16 years later John Kindervag brought it out of the realms of academia and proposed a practical way to create such a network, and a viewpoint and mindset to go with it. It's that ground shift in thinking---and acceptance---that sometimes takes time to catch up with the practical innovation.

Today zero-trust networks are being discussed everywhere and are recommended by the National Cyber Security Centre and the National Institute of Standards and Technology.

XDR, or eXtended Detection and Response, is a similar slow-burn idea that looks like it is coming into its moment. XDR is best considered as an initiative or a strategy that can be implemented using a combination of network architecture and a suite of integrated technologies.

The XDR Vision

An XDR implementation requires the wrangling of a collection of security products and network architectures so that they interact in a cooperative fashion. The aim is to prevent successful cyberattacks by detecting on-going attacks and providing an automated response to those attacks.

The definition of XDR is still fluid. Different vendors tend to skew their definition of XDR to resemble---or be centered around---the technologies and products that they have traditionally offered, that they understand completely, and are well-versed in delivering. Nonetheless, an XDR implementation is likely to include technologies that provide or address these points:

  • Endpoint security, in its broadest sense. As well as endpoints such as corporate PCs and laptops it also includes physical and virtual servers---either on-premise or in data centers---and virtual servers in the cloud.
  • Protection for commonly used threat delivery vectors such as business email and corporate websites and portals.
  • Automatic file and threat isolation and sandboxing.
  • Threat Intelligence. This provides analytics, reporting, and alerting.

The driving principle is that the integration of technology and advanced analytics will dramatically accelerate threat detection and response. XDR ought to detect low-key, long-term attacks just as readily as it detects malware and viruses. Many cyberattacks incorporate long periods of covert remote access. The threat actors use this time for network mapping to ensure the maximum impact of their ransomware attack, or to seek out important data they wish to exfiltrate.

Advanced Persistent Threats that employ long-term observation should also be detected by an effective XDR system. The analytics and monitoring will detect activity, patterns of behavior, and other warning signs that would be missed by traditional protection techniques.

Sophisticated cyberattacks follow a linear process, named a kill chain---a military term---that describes the phased execution of the attack.

  • Reconnaissance: Finding a vulnerability by port scanning, probing defenses, gathering useful information from other data breaches, or social engineering.
  • Weaponization: Building or selecting a malicious payload that can be delivered by exploiting an identified vulnerability.
  • Delivery: Delivery of a weaponized bundle of software. This might be via a phishing attack. Typically this will be a remote access trojan or other malware that gives the threat actors covert access to your network.
  • Exploit: Gaining access to the compromised network and performing further reconnaissance or performing actions such as privilege escalation.
  • Installation: Installation of the malicious payload of the attack. This could be ransomware for example.
  • Command and Control (C2): Establishing a line of communication between the malware and the threat actor's remote command and control servers. These accept information from the malware and send instructions, upgrades, and other payloads to the malware.
  • Actions: The threat actors execute the attack and your network is encrypted, deleted, or otherwise damaged.

The promise or vision of XDR is to tightly bind security controls and defenses with security operations---the security operations center, whether it is modest or sophisticated---into an end-to-end integrated solution that can detect the different phases of a kill chain.
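
As an added example (not from the original article or any vendor's product), the following Python code shows the kind of cross-product correlation described above: alerts from separate tools are mapped to kill-chain phases and grouped per host, and a host is flagged only when it progresses through several phases seen by more than one source. The alert type names, host names, and thresholds are assumptions made for illustration, and the sample alerts are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Kill-chain phases in the order the article lists them.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploit",
          "Installation", "Command and Control", "Actions"]

# Assumed mapping from (source, alert type) to a phase; real products use their own names.
ALERT_PHASE = {
    ("firewall", "port_scan"): "Reconnaissance",
    ("email_gateway", "phishing_attachment"): "Delivery",
    ("endpoint", "privilege_escalation"): "Exploit",
    ("endpoint", "new_service_installed"): "Installation",
    ("network", "beacon_to_rare_domain"): "Command and Control",
    ("endpoint", "mass_file_encryption"): "Actions",
}

# Constructed sample alerts: (ISO timestamp, source, host, alert type).
SAMPLE_ALERTS = [
    ("2024-03-01T09:02:00", "email_gateway", "ws-014", "phishing_attachment"),
    ("2024-03-01T09:40:00", "endpoint", "ws-014", "privilege_escalation"),
    ("2024-03-03T02:15:00", "endpoint", "ws-014", "new_service_installed"),
    ("2024-03-09T23:50:00", "network", "ws-014", "beacon_to_rare_domain"),
    ("2024-03-02T11:00:00", "firewall", "web-01", "port_scan"),
    ("2024-03-04T08:30:00", "endpoint", "ws-022", "privilege_escalation"),
    ("2024-03-04T08:31:00", "endpoint", "ws-022", "unknown_type"),
]

def correlate(alerts, min_phases=3, min_sources=2):
    """Flag hosts whose alerts advance through several phases across products."""
    per_host = defaultdict(list)
    for ts, source, host, kind in alerts:
        phase = ALERT_PHASE.get((source, kind))
        if phase is None:          # unmapped alert types are ignored, not guessed
            continue
        per_host[host].append((datetime.fromisoformat(ts), source, phase))
    incidents = {}
    for host, events in per_host.items():
        events.sort()              # chronological order per host
        chain, sources, last = [], set(), -1
        for _, source, phase in events:
            idx = PHASES.index(phase)
            if idx > last:         # only count forward progress along the chain
                chain.append(phase)
                sources.add(source)
                last = idx
        if len(chain) >= min_phases and len(sources) >= min_sources:
            incidents[host] = chain
    return incidents
```

On the sample data only `ws-014` is flagged: each of its alerts is low severity in isolation and they are spread over more than a week, but together they trace Delivery through Command and Control across three different products.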

How To Deploy XDR

You can't just go out and buy XDR, any more than you can go out and buy some cybersecurity. In both cases, you can find vendors who will help you to plan for the slow migration to XDR and advise on or supply some of the systems you need to implement it. Because there are no one-stop shops for XDR, open APIs, open industry standards, and the fostering of user and partner ecosystems are critical to the sustainability of XDR as a solution. Vendors and interest groups are working hard on these.

Much like a zero-trust network, an XDR system is something that could be built in from the ground up if you are managing a greenfield site and starting from scratch. Without that luxury, you need to plan how you are going to phase it in. This involves identifying which of your existing tools and systems can be replaced or upgraded to those with XDR capabilities.

That will permit the identification of phases based on the remaining in-service life of the identified components. Knowing when these components are due to be replaced or upgraded gives you a set of points in time. Some will stand alone, others can be brought slightly forward or delayed for a short period to group them into logical, manageable phases.

The larger the organization, the more of a challenge it will be to deploy, and to convince the C-suite that it is a change and expense that is justified. Also, large-scale enterprises are likely to be in a position to devise or commission their own end-to-end integrated equivalent to an XDR implementation built out of off-the-shelf applications. For this reason, XDR is more appealing to upper-tier, small to medium enterprises.

A Maturing Feature Set

Although XDR has stepped into the limelight, and many of the big players like Fortinet, Cisco, and McAfee have XDR offerings, it is still a new approach to the problem of threat detection, reporting, and automated management. There are different interpretations of what is and what isn't XDR. Not surprisingly, each interpretation tends to favor the technologies and product expertise of the vendor offering it.

You should talk to the XDR vendors, but also talk to your current strategic security partners and ask them about XDR and what their game plan for this space is.

Take a long, hard look at your current threat detection and response systems. What works, what doesn't, and what could be improved? Maybe the next-generation set of your current tools from your existing vendors will be a better fit for you.

If XDR is the way forward for your organization, start the planning exercise for the phased introduction and involve all the stakeholders---including your security and IT operational teams.