Not all threats originate at the endpoint. According to the 2023 IBM Cost of a Data Breach Report, phishing and stolen or compromised credentials were the most common initial attack vectors. XDR should therefore detect email threats, including a compromised internal account sending phishing to colleagues. When a malicious message is detected, XDR should also search mailboxes to find every recipient of the same message so it can be quarantined or deleted before anyone else opens it.
Network Detection and Response (NDR) fills the blind spots that endpoint sensors cannot see, such as unmanaged devices and lateral connections. Real-time data on traffic flows and behaviors, across both the perimeter and east-west connections, shows analysts how a threat is communicating and moving through the network. With that knowledge, responders can isolate the host, block the command-and-control URL or destination, and disable the affected Active Directory account to limit the scope of the attack.
Cloud workloads, servers, and containers are critical to business operations, so monitoring activity at this layer is essential to mitigating critical incidents. XDR collects and correlates activity data such as user account activity, processes and commands executed, network connections, files created/accessed, and log modifications to tell the full story after an alert. This allows security teams to dig deeper into what happened within cloud workloads and how an attack spread.
Enable XDR Threat Intelligence
According to ESG’s Security Operations Center and the Role of XDR Update Report, the top SOC initiative for 2022 was “Improving Threat Intelligence Operationalization.” Integrating threat intelligence is an integral part of the SOC’s function in the face of increasingly sophisticated and successful cyberattacks. The better you understand an attacker’s techniques and objectives, the better prepared and more resilient your organization will be.
The MITRE ATT&CK framework is invaluable for mapping specific attack campaigns, threat groups, and individual attack activities. Despite its widespread adoption, many organizations are still trying to figure out how to leverage the framework consistently.
From an XDR perspective, ATT&CK techniques and sub-techniques can be mapped directly onto detection rules and models, so that threat intelligence is applied automatically during the investigation of events. When the techniques observed across several layers match the profile of a known campaign, the correlation can identify that campaign and lay out its lifecycle from initial access to impact.
TTPs can also drive threat hunting: search criteria derived from a specific technique, or a proactive view of which techniques have already been observed in the environment, give analysts a concrete starting point for targeted investigations.
Finally, the MITRE ATT&CK framework can be used to identify gaps in detection coverage (techniques the environment would not currently see) and to prioritize the work that reduces risk and improves resilience.
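The cross-layer correlation described for cloud and endpoint telemetry above, and the ATT&CK-driven detection rules and TTP hunting just discussed, are easier to reason about with a concrete implementation. The following is an added example written for this article; it is not code from the page or from any Trend Micro product. The event field names, rule weights, the one-hour linking window and the sample telemetry are all assumptions constructed for the example. The technique IDs are real ATT&CK identifiers (T1566.001 Spearphishing Attachment, T1059.001 PowerShell, T1071.001 Web Protocols, T1021.002 SMB/Windows Admin Shares).

```python
"""Added example: cross-layer correlation keyed on ATT&CK technique IDs.

Each sensor event (email, endpoint, network) is run through a small rule
set; matches are grouped by the host they touch and ordered in time, so an
alert carries the whole chain rather than a single-layer snapshot."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

# Constructed sample telemetry (not real logs): one user on one workstation
# plus one unrelated benign event. Field names are assumptions for this example.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "layer": "email", "user": "alice",
     "external": True, "detail": "invoice.docm attachment from payroll@example.test"},
    {"ts": "2024-03-01T09:03:10", "layer": "endpoint", "user": "alice", "host": "WS-17",
     "parent": "WINWORD.EXE", "detail": "powershell.exe -nop -w hidden -enc ..."},
    {"ts": "2024-03-01T09:03:15", "layer": "network", "host": "WS-17",
     "rare_dest": True, "dport": 443, "detail": "TLS to 203.0.113.7, never seen before"},
    {"ts": "2024-03-01T09:20:00", "layer": "network", "host": "WS-17",
     "dport": 445, "admin_share": True, "detail": "SMB to FS-02 ADMIN$"},
    {"ts": "2024-03-01T15:00:00", "layer": "endpoint", "user": "bob", "host": "WS-22",
     "parent": "explorer.exe", "detail": "chrome.exe --type=renderer"},
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
WINDOW = timedelta(hours=1)  # assumed max gap between linked detections on one host


@dataclass
class Rule:
    technique: str                    # ATT&CK technique ID the rule detects
    name: str
    layer: str                        # which sensor feed the rule applies to
    match: Callable[[dict], bool]
    weight: int                       # assumed contribution to the incident score


# Detection rules written directly against ATT&CK techniques.
RULES = [
    Rule("T1566.001", "Spearphishing Attachment", "email",
         lambda e: e.get("external") and "attachment" in e["detail"], 3),
    Rule("T1059.001", "PowerShell spawned by an Office application", "endpoint",
         lambda e: "powershell" in e["detail"].lower() and e.get("parent") in OFFICE_APPS, 5),
    Rule("T1071.001", "Web protocol to a rarely seen destination", "network",
         lambda e: e.get("rare_dest") and e.get("dport") in (80, 443), 2),
    Rule("T1021.002", "SMB admin share access", "network",
         lambda e: e.get("dport") == 445 and e.get("admin_share"), 4),
]


def detect(events):
    """Run every rule over every event of the matching layer; return (event, rule) hits."""
    return [(e, r) for e in events for r in RULES if r.layer == e["layer"] and r.match(e)]


def _user_to_host(events):
    """Endpoint telemetry is the join key between the mailbox and network views."""
    return {e["user"]: e["host"] for e in events if e["layer"] == "endpoint" and e.get("user")}


def _summarise(host, chain):
    layers = {r.layer for _, _, r in chain}
    score = sum(r.weight for _, _, r in chain) + 3 * (len(layers) - 1)  # reward cross-layer evidence
    severity = "critical" if len(layers) == 3 else "high" if len(layers) == 2 else "medium"
    return {"host": host, "techniques": [r.technique for _, _, r in chain],
            "layers": sorted(layers), "score": score, "severity": severity,
            "first_seen": chain[0][0].isoformat(), "last_seen": chain[-1][0].isoformat()}


def correlate(events):
    """Group detections per host, split chains on time gaps, and rank by score."""
    u2h = _user_to_host(events)
    per_host = {}
    for e, r in detect(events):
        # Email events carry no host, so resolve the recipient to the host they use.
        host = e.get("host") or u2h.get(e.get("user"), f"user:{e.get('user')}")
        per_host.setdefault(host, []).append((datetime.fromisoformat(e["ts"]), e, r))
    incidents = []
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        chain = [hits[0]]
        for h in hits[1:]:
            if h[0] - chain[-1][0] > WINDOW:
                incidents.append(_summarise(host, chain))
                chain = []
            chain.append(h)
        incidents.append(_summarise(host, chain))
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def hunt(events, technique):
    """TTP-driven search: every raw event on which a given technique's rule fires."""
    return [e for e, r in detect(events) if r.technique == technique]


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["severity"], inc["host"], " -> ".join(inc["techniques"]))
```

Run stand-alone, the script reports a single critical incident on WS-17 with the chain T1566.001 -> T1059.001 -> T1071.001 -> T1021.002; the benign Chrome event on WS-22 produces nothing. The design point is that the email event alone is a low-weight alert, but once the endpoint feed links the recipient to a host, the PowerShell, beaconing and SMB events on that host are attached to it and the whole chain is surfaced as one prioritized alert. `hunt()` is the inverse view: start from a technique and pull every event it fired on, which is the starting point for a targeted investigation.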
Key XDR Considerations
While sensor coverage is important, there is more to consider when choosing an XDR vendor to ensure you get the best threat detection and response capabilities. Consider asking the following questions:
1. Is the product API friendly? Some vendors do not expose APIs that integrate with your SIEM and SOAR. The more deeply XDR is integrated, the more tasks can be automated and orchestrated in workflows across the ecosystem. A vendor whose XDR solution is built into its broader cybersecurity platform gives security professionals a much-needed single pane of glass across the entire attack surface.
2. Does the product provide a comprehensive view of the attack? Some XDR solutions only provide a snapshot of the attack. Security teams need clear visibility into managed and unmanaged assets, and into encrypted traffic on the network, to understand where an attack is coming from and how it is spreading. Extending network telemetry and correlating network events via NDR lets teams reconstruct the full attack chain and strengthen their security posture.
3. What’s the user experience like? Finding (and retaining) skilled employees remains a challenge. Avoid security solutions that have a steep learning curve or poor support. A vendor that wants you to succeed (and not just sell you a product) will provide in-app tutorials, an online help center, and even live feedback loops or built-in feature requests.
4. Are they forward-looking? Make sure the vendor is committed to improving its product, not only to address the evolving threat landscape but also to make life easier for your teams. Does it have a solid strategy for how to dramatically reduce the burden on your security teams with AI? Don’t be afraid to ask tough questions to make sure they’re not just talking heads. Bonus points for vendors who also have a strategy for securing your organization’s own use of AI tools.
5. Are the alerts actionable? As mentioned earlier, a legacy SIEM generates a large number of alerts, but they are often useless, and it takes a lot of detection engineering to force a legacy SIEM to work in your favor. The right XDR solution provides actionable alerts from ready-to-use cross-layer correlation and detection models right out of the box. Alerts should also be prioritized by risk and impact severity to speed up response.
6. What is the pricing structure? Look for vendors whose pricing models accommodate changing business dynamics. Most vendors charge in bundles or subscriptions based on seats, which can leave you paying for unused sensors if employees leave or are laid off. Consider more flexible licensing that lets you scale coverage up or down on demand, eliminating fixed costs and losses from unused licenses.
7. Are managed services offered? Staffing shortages and budget constraints can hamper your threat detection and response efforts. A vendor that can offer managed services to augment your existing team with expert threat hunting, 24/7 monitoring and detection, and rapid investigation and mitigation can be invaluable. You gain expertise and efficiency while freeing up your overworked teams to work on higher-priority programs.
8. Has the product received praise from industry analysts? Everyone loves to say they’re #1, so check reports from reputable industry analysts to verify the vendor’s claims. Shameless plug: see how the industry views Trend.
Get on board with XDR
While statistics show that cybersecurity spending continues to rise, that doesn’t guarantee that your budget will grow along with it. Getting the green light to invest in cybersecurity can be difficult, so framing the benefits of XDR in a financial and risk context is crucial. Here are some things to consider when making the case for XDR:
Investing in security = investing in business. According to the IBM Cost of a Data Breach 2022 report, organizations using XDR saved an average of nearly 10% on breach costs and shortened the breach lifecycle by 29 days. Reduced operational downtime and financial impact are music to the ears of senior executives.
Lower cyber insurance premiums. Underwriters look for EDR; showing that you go beyond the endpoint by using XDR to reduce cyber risk can help you negotiate lower premiums.
Next steps
For more information on XDR and cyber risk management, see the rest of this series, or learn how Trend Vision One™ – XDR can ensure attackers have nowhere to hide.