Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™

ESG WHITE PAPER

Understanding XDR Requirements

What XDR Is and Why Organizations Need It

By Jon Oltsik, Senior Principal Analyst and Fellow, Enterprise Strategy Group
OCTOBER 2021

Executive Summary

ESG research points to a dangerous conclusion: existing threat detection and response strategies aren’t working, leaving organizations in a state of more cyber-risk than they perceive. Why? Security operations for threat detection and response are based on too many tools and manual processes, not to mention an overworked and under-skilled security operations staff. As a result, many firms are scrambling to bridge the threat detection and response gap by increasing budgets and looking for innovative new security technology solutions.
CISOs aren’t alone in recognizing the need for new threat detection and response strategies. In fact, security technology providers are championing a new technology initiative dubbed eXtended Detection and Response (XDR). XDR tools are intended to solve many threat detection and response issues by providing an integrated security architecture, advanced analytics, and simplified operations. Despite this innovation, however, users remain confused about XDR and where it could fit into their security programs.
Just what is XDR and which are the most important XDR requirements? This white paper concludes:
• Organizations already have a list of threat detection and response goals they want to achieve. Security Operations Center (SOC) teams have ambitious threat detection and response plans like improving detection of advanced threats, increasing process automation around remediation tasks, and enhancing incident response (IR) timing. These goals are not new, but there remains a lot of room for improvement.
• SOC teams continue to face numerous threat detection and response challenges. Security professionals report numerous threat detection and response challenges, including increasing security operations complexity, resource shortages, a growing/changing attack surface, a dependence on an army of disconnected point solution tools, and significant challenges in fusing together the disparate information and tools into actionable guidance. These issues can lead to costly ransomware attacks, data breaches, and disruptions to business operations.
• XDR is an emerging security technology architecture. ESG has long described an integrated architecture for security operations, the security operations and analytics platform architecture (SOAPA), that integrates security control points, automates remediation and IR, and provides advanced analytics for detecting advanced and sophisticated threats. XDR has emerged as a commercial offering like SOAPA. As it matures, XDR has the potential to improve security efficacy, streamline security operations, and modernize SOCs.
• Leading XDR solutions will offer several important capabilities. ESG believes that enterprise-class XDR solutions will provide coverage across hybrid IT infrastructures, advanced analytics, automated response, central management, and open integration with other security and IT technologies.

Threat Detection and Response: A Work in Progress

Threat detection and response remains a priority at most organizations, as cyber-attacks like ransomware and data breaches can disrupt business operations and carry heavy costs. Given this priority, it’s not surprising that 83% of organizations will increase spending on threat detection and response technologies, services, and personnel in the next 12 to 18 months.[1] ESG research indicates that many firms also have well-defined threat detection and response objectives, including (see Figure 1):
• Improving the detection of advanced threats. Organizations want to develop their capabilities around detecting sophisticated cyber-attacks that follow a “kill chain” pattern. This demands higher-fidelity security alerts, crafting cross-domain analytics, and integrating threat intelligence into security operations tools and processes. Many SOC teams use the MITRE ATT&CK framework as a template for advanced threat detection.
• Increasing automation of remediation tasks. Security operations are often anchored by manual processes, but these processes can’t scale to keep up with today’s security volume or dynamic hybrid IT infrastructure. To address this imbalance, CISOs and security teams are pursuing security operations process automation in areas like investigations, remediation, and risk mitigation, often without the help of IT operations teams. By doing so, SOC teams can automate repetitive tasks so they can focus on high-priority tasks.
• Improving mean time to respond to threats. Once threats are detected, it can take days, weeks, or more for investigation and remediation actions. This can give cyber-adversaries ample time to alter their tactics, move laterally across networks, or compromise administrator credentials. CISOs want to bridge this gap by decreasing the timeframe between threat detection and response.
Note that 27% of respondents say that they want to gain better visibility into cyber-risks that could impact critical business systems and applications. In this case, risk could include permissive access privileges, poor password management, misconfigurations, etc. Since a reasonably sophisticated hacker could easily find and exploit these vulnerabilities, security teams are keen on improving security hygiene and posture management for risk reduction, especially as it relates to the systems and applications that drive the business.
Figure 1. Top 6 Threat Detection and Response Program Goals

When thinking about your organization’s overall threat detection and response program goals, what would you say are your top areas of focus for improving your organization’s overall security? (Percent of respondents, N=388, three responses accepted)

Source: Enterprise Strategy Group

Threat Detection and Response Challenges

The data above suggests that many organizations have numerous and ambitious goals related to threat detection and response. Unfortunately, these goals may not be easy to attain because of existing threat detection and response challenges like (see Figure 2):
• Time management. ESG research reveals that organizations spend most of their time scrambling to respond to emergencies. This leads to employee burnout and never lets them advance their strategies or achieve continuous improvement. Organizations in this position will struggle to keep up with security operations workloads, let alone be able to detect and respond to advanced threats.
• Blind spots. Twenty-nine percent of organizations admit to having “blind spots” on their networks that limit visibility for threat detection. These blind spots can act as hiding places, cloaking adversary tactics, techniques, and procedures (TTPs) as they compromise systems or escalate attacks.
• Difficult data correlation. As part of threat detection and investigations, SOC analysts often correlate disparate data elements from an assortment of tools and data sources. This process can be complex, requiring advanced skills and a keen understanding of adversary behavior. Additionally, data correlation issues are often exacerbated by “alert storms” (i.e., a multitude of simultaneous security alerts from numerous security products). Regrettably, many organizations simply lack the right skills or resources to track, correlate, and analyze this deluge of security data in a timely and efficient way.
• Tracking and measuring progress through an attack lifecycle. Cyber-attacks typically track along a kill chain through phases, including reconnaissance, weaponization, delivery, exploitation, installation, command and control, and finally, actions on objectives. Most organizations depend on a plethora of tools and data sources to follow this path, and as previously stated, it can require advanced skills and resources to collect, process, and analyze all the data.
While organizations have extensive security operations goals, ESG data seems to indicate that existing threat detection and response technologies and processes aren’t working, leaving organizations at risk. CISOs must acknowledge these shortcomings, think about alternative strategies, and look for new types of innovative technology solutions.
Figure 2. Top 5 Threat Detection and Response Challenges

Which of the following would you say are your organization’s biggest challenges regarding threat detection/response? (Percent of respondents, N=388, three responses accepted)

Source: Enterprise Strategy Group

Enter Extended Detection and Response (XDR) Technology

Today’s sophisticated cyber-attacks must be addressed with tightly integrated and automated security defenses supported by advanced analytics and detailed threat intelligence. This calls for an architectural approach to security operations (i.e., SOAPA).
In the past, organizations had to customize and integrate various technologies to build SOAPA on their own, requiring resources and security engineering skills. Recognizing this, leading security technology vendors developed integrated SOAPA solutions of their own. The industry now calls these architectural solutions XDR. ESG defines XDR as:
An integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection, and response. XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.
While XDR is in its early stages, many organizations believe it can help them overcome threat detection and response challenges, helping them improve security efficacy while streamlining security operations. Along these lines, ESG research outlines several important XDR outcomes for organizations, including:
• Improving the fidelity and prioritization of security alerts. To address security alert storms, data correlation challenges, and investigations complexity, security professionals want XDR solutions to improve the fidelity of security alerts by providing a detailed timeline of what happened and how a single incident progressed into an identified cyber-attack. SOC teams also want XDR to separate security “noise” from truly dangerous cyber-threats so they can triage, investigate, and prioritize security alerts that truly matter (i.e., those aimed at critical business resources).
• Acting as a central threat detection and response hub. Rather than pivot across tools and UIs, security professionals want XDR to act as a central management hub for the SOC team. This will require XDR solutions to have strong data visualization, dashboards, timelines, query capabilities, navigation, and integration with other security and IT operations tools (i.e., SOAR, SIEM, vulnerability management, case management systems, ticketing systems, etc.). The best XDR solutions will include role-based access control and dashboards that can accommodate the entire SOC team—from entry-level interns to senior level 3 experts.
• Covering a growing attack surface. Attack surfaces are growing precipitously, driven by remote worker sprawl, increasing cloud computing usage, and third-party partner connections. Based on the ESG research, security professionals want XDR to prevent, detect, and respond to threats across the entire attack surface while adapting to continuous growth and constant changes.
Figure 3. Top 4 Important XDR Outcomes

What XDR outcome would be most important for your organization in terms of security efficacy? (Percent of respondents, N=339, three responses accepted)

Source: Enterprise Strategy Group

Clearly, organizations see the potential of XDR, but many security professionals remain confused about what is and isn’t XDR. In fact, 34% of security professionals are not very familiar or not at all familiar with XDR. This raises an obvious question: What should an XDR solution include?
ESG has studied security operations for over a decade and has done extensive research in SOAPA and, more recently, XDR. Based upon this experience, ESG believes that leading XDR solutions must incorporate:
• Coverage across endpoints, networks, and clouds. Cyber-attacks often start by compromising an endpoint and then move laterally across the network, harvest credentials, and pursue an objective like exfiltrating data or encrypting data. This pattern is typical of an APT kill chain and is well documented in the MITRE ATT&CK framework. To detect multi-phased cyber-attacks, XDR should provide visibility across hybrid IT infrastructure, including endpoints, networks, and cloud service providers in context with high-quality threat intelligence. This requirement is reflected in recent ESG research. When asked to identify the most important data sources for XDR, security professionals pointed to a broad assortment, including cloud data, endpoint data, web security data, log data from security devices, and threat intelligence, amongst others (see Figure 4). This reinforces the comprehensive nature of XDR.
Figure 4. Top 8 Important Data Types for XDR

Of all data types your organization uses for security analytics/operations, which types would you say are the most important for threat detection and response? (Percent of respondents, N=388, five responses accepted)

Source: Enterprise Strategy Group

• Analytics that bring together the entire kill chain. Today’s threat detection is based on piecemeal security alerts and complex investigations. When an EDR tool generates an alert, analysts then pivot to other data sources and tools to see what else was going on at the time—a time-consuming process. To address this, XDR solutions must provide advanced analytics that can piece together and correlate the breadcrumbs and artifacts that indicate a multi-phased cyber-attack in progress. Once this analysis indicates a problem, XDR must also provide high-fidelity alerts that include a timeline of events and rich details that can help streamline and accelerate investigations. Finally, XDR kill chain coverage must align with a threat framework like MITRE ATT&CK, helping SOC teams understand adversary behavior and reinforce their security defenses.
• Automated response capabilities. The “r” in XDR is at least as important as the “d.” In other words, organizations want XDR tools to quarantine systems, block network traffic, block processes on endpoints, or disable an administrator account across hybrid IT infrastructure. When appropriate, automated response should also be able to take place within security defenses, eliminating the need to collaborate with IT operations or go through lengthy change management procedures. Common response actions like blocking an IP address or a malicious file should be designed into XDR workflows but still allow organizations to customize them as needed. Lastly, XDR should have some simple operations tool functionality like case management, trouble ticketing, etc.
• Central management. As described in Figure 3, XDR should act as a central management hub for threat detection and response operations. This demands strong data visualization and an intuitive and powerful graphical user interface (GUI) with the ability to dig into details or pivot across security controls. XDR should also feature role-based access control (RBAC) and provide specific templates and dashboards for different roles and experience levels. Ideally, XDR management will be so thorough that it will become the dominant threat management platform for level 1 through 3 security analysts.
• Integration with existing security and IT technologies and processes. Even leading-edge XDR platforms will still need to interoperate with a variety of IT and security tools like asset management, case management, vulnerability management, authentication systems, and security controls like DLP, email security filters, firewalls, and web proxies. Therefore, XDR systems must be open, offering published APIs, developer support tools and resources, and a partner ecosystem.
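To make the cross-domain correlation described in the analytics and automated-response requirements above concrete, here is an added example (not code from the paper or from any vendor) that stitches constructed EDR, NDR and cloud alerts into one ATT&CK-aligned incident timeline and grades its fidelity. The tactic ordering, the 12-hour linking window, the scoring thresholds and all alert contents are assumptions made for the illustration.

```python
"""Correlate constructed EDR, NDR and cloud alerts into ATT&CK-aligned incident timelines."""
from collections import defaultdict
from datetime import datetime, timedelta

# MITRE ATT&CK Enterprise tactics in kill-chain order (assumed ordering used for scoring).
TACTIC_ORDER = ["reconnaissance", "resource-development", "initial-access", "execution",
                "persistence", "privilege-escalation", "defense-evasion", "credential-access",
                "discovery", "lateral-movement", "collection", "command-and-control",
                "exfiltration", "impact"]
LINK_WINDOW = timedelta(hours=12)  # alerts on one entity further apart than this start a new incident

# Constructed sample alerts (not real telemetry). Cloud alerts carry a user but no host.
SAMPLE_ALERTS = [
    {"ts": "2021-10-04T08:02:00", "source": "edr", "host": "ws-17", "user": "j.doe",
     "tactic": "initial-access", "detail": "macro-enabled document spawned cmd.exe"},
    {"ts": "2021-10-04T08:05:00", "source": "edr", "host": "ws-17", "user": "j.doe",
     "tactic": "credential-access", "detail": "LSASS memory read by unsigned process"},
    {"ts": "2021-10-04T08:40:00", "source": "ndr", "host": "ws-17", "user": "j.doe",
     "tactic": "lateral-movement", "detail": "SMB admin share logon to fs-02"},
    {"ts": "2021-10-04T09:10:00", "source": "cloud", "host": None, "user": "j.doe",
     "tactic": "exfiltration", "detail": "1.2 GB copied to external storage bucket"},
    {"ts": "2021-10-04T13:00:00", "source": "edr", "host": "ws-22", "user": "a.smith",
     "tactic": "execution", "detail": "PowerShell launched with encoded command"},
]

def _parse(alert):
    return datetime.fromisoformat(alert["ts"])

def correlate(alerts):
    """Group host-bound alerts by host and time window, then attach host-less cloud alerts by user."""
    incidents = []
    by_host = defaultdict(list)
    for a in sorted(alerts, key=_parse):
        if a["host"]:
            by_host[a["host"]].append(a)
    for host, items in by_host.items():
        current = None
        for a in items:
            # Start a new incident when the gap to the previous alert on this host exceeds the window.
            if current is None or _parse(a) - _parse(current["alerts"][-1]) > LINK_WINDOW:
                current = {"entity": host, "alerts": [], "users": set()}
                incidents.append(current)
            current["alerts"].append(a)
            current["users"].add(a["user"])
    for a in sorted(alerts, key=_parse):
        if a["host"]:
            continue
        # A cloud alert joins the incident whose users include its user, if close in time.
        match = next((i for i in incidents if a["user"] in i["users"]
                      and abs(_parse(a) - _parse(i["alerts"][-1])) <= LINK_WINDOW), None)
        if match is None:
            match = {"entity": a["user"], "alerts": [], "users": {a["user"]}}
            incidents.append(match)
        match["alerts"].append(a)
    for i in incidents:
        i["alerts"].sort(key=_parse)
    return incidents

def score(incident):
    """Fidelity rises with distinct tactics, distinct sources and forward kill-chain progression."""
    tactics = [a["tactic"] for a in incident["alerts"]]
    ranks = [TACTIC_ORDER.index(t) for t in tactics]
    progression = len(set(tactics)) > 1 and all(x <= y for x, y in zip(ranks, ranks[1:]))
    points = len(set(tactics)) + len({a["source"] for a in incident["alerts"]})
    points += 2 if progression else 0
    return "high" if points >= 7 else "medium" if points >= 4 else "low"

def timeline(incident):
    """Ordered (timestamp, source, tactic, detail) tuples an analyst can read top to bottom."""
    return [(a["ts"], a["source"], a["tactic"], a["detail"]) for a in incident["alerts"]]
```

On the constructed input, the ws-17 incident spans four tactics from three sources and scores "high", while the lone PowerShell alert on ws-22 stays a "low" fidelity, single-tactic event.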
While the list of requirements is a good start, CISOs must remember that XDR is a relatively new technology and will evolve over time. In the near-term, XDR solutions will start with simple integration of controls and sensors and then add data sources, advanced analytics, and automation capabilities over time. Thus, CISOs should choose XDR solution providers with prescient vision, a supporting roadmap, and a track record of delivering quality products and excellent customer service.

Fidelis Elevate from Fidelis Cybersecurity

A Google search on the term “XDR” produces over 30 million results—little wonder, then, why many security professionals remain confused.
While many vendors are new to XDR, Fidelis Cybersecurity was moving in a SOAPA direction long before the term XDR gained popularity. More recently, Fidelis Cybersecurity introduced its own Active XDR platform: Fidelis Elevate. Fidelis Elevate aligns well with the description of XDR above by providing:
• Visibility and coverage across networks and endpoints. Fidelis integrated its endpoint security, network, and threat intelligence years ago, providing more holistic visibility, threat detection, and response facilities. With its acquisition of CloudPassage, it is now extending its XDR purview to cloud workloads.
• Multiple detection capabilities. XDR solutions tend to offer detection-in-depth using tried-and-true signatures and heuristics as well as modern advanced analytics. Fidelis Elevate delivers here, with packet and file inspection, rules-based content on attack campaigns and threat intelligence, and advanced analytics based on artificial intelligence and machine learning (AI/ML). In this way, Fidelis Elevate is instrumented to detect and respond to cyber-attacks conducted by script kiddies or nation-state hackers.
• Incident response functionality. Fidelis Elevate is a core component of any IR investigation. It can take actions and collect data with a customizable library of scripts and playbooks; speed investigations and analysis with remote access into endpoint disks, files, and processes; and remotely collect forensically sound memory captures and full disk images. This means it can check the appropriate boxes by providing actionable alerts, MITRE ATT&CK framework context, and automated blocking across hybrid IT.
• Central management. Fidelis Elevate provides an XDR central management hub that provides holistic visibility across the attack surface—endpoints, networks, and cloud workloads. Fidelis Elevate also integrates with other security operations systems, including security information and event management (SIEM), security orchestration, automation, and response (SOAR), endpoint detection and response (EDR), next-generation firewalls (NGFW), secure web gateways (SWG), cloud access security brokers (CASB), zero trust network access (ZTNA), identity and access management (IAM), Active Directory (AD), secure email gateways (SEG), domain name system (DNS), and packet brokers.
It is also worth noting that Fidelis Elevate is unique in that it includes deception technology as part of its XDR offering. In this way, Fidelis Elevate is an Active XDR platform that can reshape the attack surface as a countermeasure to the TTPs used by adversaries as part of their campaigns. Fidelis Elevate can help confuse adversaries and make cyber-attacks more costly and complex with its ability to continuously adapt deployment of decoys and breadcrumbs. In addition to providing a comprehensive XDR platform, Fidelis Elevate can also support an open XDR strategy in which organizations use their EDR platform of choice via integrations such as SentinelOne. Given its comprehensive functionality, CISOs considering XDR solutions would be well served by adding Fidelis Elevate to their RFI/RFQ list of vendors.

The Bigger Truth

XDR is an emerging technology that will develop quickly in 2022 and beyond. Based on the data presented in this white paper, it’s clear that many organizations will welcome XDR if it can live up to its promises.
As organizations evaluate XDR, ESG recommends that they balance short- and long-term goals. In other words, CISOs should start by addressing weak or complex areas. For example, many organizations want better visibility into malicious/suspicious activities related to cloud workloads as they relate to a broader kill chain. This means that organizations should look for XDR solutions that provide visibility across endpoints, networks, and clouds from the outset of XDR projects.
Aside from coverage across hybrid IT, XDR technology will be defined by two areas—analytics and automation. Leading XDR tools will provide detection-in-depth with the right signatures, heuristics, threat intelligence filters, and advanced analytics to detect sophisticated attacks in progress. Upon detection, XDR systems must also provide a myriad of automated response options within the security domain and in concert with IT operations.
Finally, XDR is a burgeoning technology area with lots of innovation. As such, CISOs should cast a wide net when considering their options. Given Fidelis Cybersecurity’s early innovation and adoption in this space and its features and functionality, it may be worthwhile to add Fidelis Elevate to any list of XDR candidates.


This ESG White Paper was commissioned by Fidelis Cybersecurity and is distributed under license from ESG.

[1] Source: ESG Research Report, The Impact of XDR in the Modern SOC, Mar 2021. All ESG research references and charts in this white paper have been taken from this research report, unless otherwise noted.

[2] Source: ESG Research Report, The Life and Times of Cybersecurity Professionals 2021 Volume V, Jul 2021.


All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.


Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.