XDR Should Be Viewed as An Open Architecture

Aside from these challenges, research from ESG and the Information Systems Security Association (ISSA) indicates that 57% of security professionals say that their organization has been impacted by the global cybersecurity shortage.² What type of impact? Survey respondents point to increasing workloads, open job requisitions, and high burnout of security staff members. Since organizations can’t hire their way out of this situation, they will need smarter and more efficient/effective security technologies that help bolster security staff productivity.

1. XDR is an architecture of controls, data sources, and capabilities. It is not a product.

2. XDR brings telemetry together from different sources to monitor and analyze activity and detect attacks across a cyber-kill chain. In other words, XDR stitches together suspicious/malicious activities throughout the lifecycle of cyber-attacks.

3. XDR data sources and control point coverage is expanding. Endpoint, network, and threat intelligence have been the primary data sources for XDR, but security teams also would like support for identity context. In other words, detections must be grounded with an understanding of the locations from which attacks emanate. Identity context can help align detections to specific assets and users. This is especially useful for detecting account takeovers, insider attacks, and IoT-based attacks. For example, when an IoT device, such as a printer (which has no security agent installed), participates in a botnet, XDR should be able to detect this stealthy action based on analysis of suspicious network behavior.

4. Beyond identity, XDR should also be able to detect suspicious/malicious SaaS application activities. This is an emerging requirement as organizations embrace SaaS, especially in response to a growing remote worker population. Attackers often compromise SaaS credentials as part of the kill chain or execute data breaches by stealing sensitive SaaS-based data. To address this risk, leading XDR solutions must have visibility into who is doing what with SaaS applications—especially within critical collaboration applications like Microsoft 365, Google Workspace, etc., and human capital management (HCM) applications such as Workday, SuccessFactors, Oracle HCM Cloud, etc., where a compromise would allow a threat actor to create a legitimate employee account.

5. XDR must offer a variety of native automated response capabilities. Based on detections, XDR solutions must be able to quarantine systems, terminate network connections, block account access, etc. Response actions should be available across the cyber-kill chain. For example, XDR should be able to disable endpoint processes, deactivate a Wi-Fi connection, or deny access to a user or device—on internal networks, cloud-based workloads, or SaaS applications. These options would provide security teams with the ability to fine-tune response policies, regardless of where they detect suspicious/malicious activities.

6. XDR must be open and support ease of integration into the existing security stack. As an architecture, XDR must be flexible, accommodate existing security technologies, and improve security efficacy and efficiency along the way. To allow organizations to build and evolve their XDR over time, each element (EDR, NDR, CDR, etc.) should have standalone value that is amplified by adding it into the XDR architecture (versus requiring that the entire XDR be in place and tuned before delivering value). Leading XDR solutions will integrate with security controls (i.e., endpoint security controls, network security controls, CASB, etc.), consume and analyze data from sensors and threat intelligence sources, and act as inputs into security operations systems like SIEM and SOAR.

• Simplified visualization to bolster analyst productivity. Rather than pivot from one tool to another, security professionals want XDR to simplify visualization of complex attacks in order for analysts to understand how they progress across a cyber-kill chain. In this way, XDR can help tier-1 analysts improve their ability to triage alerts while tier-2 analysts will have the benefit of a timeline of events that can accelerate investigations. Simplified visualization across a cyber-kill chain can also help SOC teams to align XDR with the MITRE ATT&CK framework.

• Advanced analytics to detect unknown attacks. Beyond correlation rules, SOC teams want XDR to provide advanced analytics using artificial intelligence (AI) and machine learning algorithms. This can be particularly important for tier-3 analyst tasks like threat hunting—especially for unknown attacks conducted by nation-state actors or sophisticated cyber-criminals.

• Automated response capabilities to minimize damages. As described above, CISOs want XDR to act as an orchestration hub for addressing attacks in progress. Upon detecting an attack with a high degree of confidence, XDR can immediately communicate with endpoint security controls, identity services, network security devices, cloud workloads, or SaaS applications, and provide specific instructions about which indicators of compromise (IoCs) to block. This information can help minimize damages without involving IT operations teams or processes.

• Accelerated detection/response. These are the most desirable attributes of all—CISOs want XDR to improve threat detection efficacy and incident response efficiency, thus making XDR a security operations staple.

• Unifies analytics coverage for cloud, SaaS, network, identity, and endpoint. The Vectra Cognito platform (“Cognito”) collects and analyzes network metadata, relevant IAM, SaaS and IaaS logs, and cloud events to provide visibility into the actions of all cloud and data center workloads and into user and IoT devices. Once Cognito collects and analyzes data, it then uses more than 100 different AI algorithms to find hidden and unknown attackers in real time, providing a starting point for AI-assisted threat hunting and response.

• Designs its offering for integration. Vectra is designed to detect threats to networks, hosts, cloud workloads, SaaS applications, user identities, and IoT devices. In addition to these out-of-the-box integrations, Vectra is often used in conjunction with other SOC technologies like SIEM, SOAR, and EDR. Unlike EDR-centric XDR, Vectra promotes a “bring your own EDR” philosophy, allowing Cognito users to respond manually or choose an automated response through integration into native EDR response options including locking down a network host, cloud account, or network account.

• Automates incident response at multiple points across hybrid IT. Vectra enables host-based and/or account-based enforcement for incident response. With host-based enforcement, analysts target the source of an attack and lock down the endpoint being used. Vectra partners with EDR vendors like Microsoft, SentinelOne, CrowdStrike, and Cybereason. In many cases, attackers will gain access to the organization by stealing credentials through phishing or account takeover and logging in as a “legitimate” user. In these instances, account-based enforcement is effective, especially in cloud or hybrid environments where organizations don’t own the service or infrastructure. Cognito offers options for automated or manual actions. Automated responses can be used to reduce lateral spread and provide resource-stretched security teams with more time to investigate incidents. Alternatively, manual response actions can help threat hunters monitor attacks in progress to gain additional insight into the tactics, techniques, and procedures (TTPs), and campaigns used to attack their organizations.

• Delivers positive outcomes for SOC teams and the business. Through its AI security modeling, Cognito can help organizations turn typical SOC alert storms into a focused high-priority list of security events for investigations. This reduces SOC analyst workload while improving threat detection efficacy and operational efficiency.

Cognito also aligns with the MITRE ATT&CK framework by mapping detection details to the MITRE taxonomy of adversary TTPs. This orientation can help SOC teams hunt for further evidence of unknown attacks and anticipate future TTPs to monitor along a cyber-attack kill chain.

Vectra embraces the “extended” component of XDR with native capabilities and partnerships to support hybrid IT coverage. In the future, Vectra plans to work with additional partners and extend its analytics algorithms. For example, Vectra uses EDR data for enrichment today but plans on ingesting endpoint telemetry data into its analytics engine in the future. This should help increase the accuracy, timeliness, and comprehensiveness of its threat detection and response capabilities moving forward.