The Journey To XDR: Practical Questions To Ask - AT&T Business

Transcription

The journey to XDR: practical questions to ask

Everyone in cybersecurity has heard the hype about extended detection and response (XDR), and many companies are interested in exploring this approach. But what should organizations be focused on as they research the growing number of solutions in the market? This white paper looks at the problems XDR addresses and discusses what security practitioners should consider as they plan their journey.

White paper. © 2022 AT&T Intellectual Property. AT&T and Globe logo are registered trademarks and service marks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks are the property of their respective owners. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change.

What is XDR?

Extended detection and response, or XDR, is a holistic approach to threat detection and response. It tackles the long-standing problem of siloed security by using different technologies to collect, correlate, and centralize network, endpoint, and cloud telemetry from across the attack surface.

For years, vendors have promised to address the need for better visibility and better data sharing between tools. With the move toward edge computing, and as businesses expand their digital footprints, security and operational complexities increase. Hybrid architectures, the accelerating adoption of cloud computing, a vanishing network perimeter, and a growing remote workforce are just some of the challenges organizations face when trying to secure their IT environments.

XDR extends the capabilities of the security information and event management (SIEM) platform. It improves how data is collected and correlated, and it gives that data context. With XDR, security practitioners get the expanded visibility, advanced security analytics, continually updated threat intelligence, and automated or orchestrated detection and response capabilities they need to detect and respond to threats in real time.

The XDR market is still emerging. Opinions vary on where the technology came from. But focusing on how XDR came together is not as important as understanding the outcomes it drives: more efficient IT operations and the ability to identify, hunt, and remediate threats before they become security incidents.

Two approaches

Some vendors are entering the XDR market through acquisition. They are driving toward single-vendor, or native, solutions that offer a unified suite of security tools from one vendor on a centralized management platform. Other vendors are choosing not to provide all components of their XDR solutions in house.
Instead, they offer open solutions with one central management console that integrates with multiple third-party security products.

The year 2021 saw a large number of mergers and acquisitions driven by XDR. Notable deals include Cybereason's July purchase of security analytics firm empow [1]; Logpoint's acquisition of SecBI for its security orchestration and automated response (SOAR) and XDR technologies [2]; and most recently, IBM's announcement of its plans to acquire endpoint security vendor ReaQta [3].

[1] Montenegro, Fernando. "Cybereason looks to help security teams with its XDR offering." 451 Research, Oct. 27, 2021.
[2] Montenegro, Fernando. "Another day, another XDR deal as LogPoint picks up SecBI for its analytics chops." 451 Research, Sept. 2, 2021.
[3] Montenegro, Fernando. "IBM reacts to XDR trend with portfolio announcements, pickup of ReaQta." 451 Research, Nov. 3, 2021.

The need to evolve threat detection and response

To understand why security practitioners should care about XDR, it is important to understand the ongoing security and operational challenges it helps them address. XDR is essentially a convergence of the capabilities of different security products. This convergence has been driven by the need for:

- Increased telemetry from multiple sources and better, centralized visibility across an increasingly diverse and distributed attack surface
- Advanced analytics and machine learning to sort through the influx of data and provide context
- Better use of automation and orchestration to enable faster and more efficient threat detection and response

Why XDR... and why now? (figure)
- Expand telemetry from multiple sources: get increased visibility and information gathering
- Boost threat intelligence and improve security analytics: improve time to detect and accuracy of detections
- Automate and orchestrate workflows: accelerate response speed and recovery time

XDR outcomes

Better visibility and more context

Effective threat detection and response requires visibility across the IT infrastructure because, as cybersecurity professionals like to say, "You can't protect what you can't see."

Security practitioners need to be able to monitor their entire attack surface, including endpoints, network infrastructure, cloud workloads, applications, and more, to connect the dots and understand when an attack is occurring in their environment. Without context, ongoing attacks can be missed. One phishing email can lead to an infected endpoint. That can lead to an attacker moving laterally within the network to establish persistence. Once the attacker has established a beachhead in your network, they can eventually deliver a payload, whether that be encryption for ransomware, spying, data exfiltration, or another objective.

XDR provides the security practitioner with visibility in the form of robust telemetry. This is gathered by different security tools from across the organization's network, endpoints, servers, cloud workloads, and email. The security team can see all this data in one centralized view, so they can respond to threats quickly and effectively.

Breaking down the silos

The lack of communication between the many different security tools found in the typical security operations center (SOC) has long made the life of the security practitioner difficult. And while the capabilities found in XDR have been available in some of these tools, it has been up to the security practitioner to integrate these tools in-house and then look across multiple dashboards to understand when attacks are underway.

XDR addresses this problem of siloed information by bringing together the different tools in a centralized platform for the end user. With XDR, the security practitioner can view events, investigate alarms, and respond to threats from a single pane of glass. And regardless of whether an XDR solution is the result of a native or open integration, it is the vendor that takes on the responsibility of integrating the products and systems, not the security practitioner.

Threat intelligence provides more context

Through advanced analytics and machine learning that assesses and correlates the data, XDR can profile behaviors to detect anomalies and predictively identify advanced threats, such as fileless malware, zero-day attacks, and polymorphic attacks.

XDR solutions use continuously updated threat intelligence and enhanced security analytics to increase the accuracy of detections and improve time to detect. This includes mapping correlations and detections to the MITRE ATT&CK framework, a knowledge base of adversary tactics and techniques. The threat intelligence provides additional context for the data and helps the security practitioner triage responses.

Workflows for automation and orchestration

With so much data coming into the SOC, manual processes for validation and correlation are a drain on resources and increase the chance of true threats going undetected. While some analysis is automated on the backend, security practitioners require better use of automation to help them sort and prioritize information.

XDR simplifies day-to-day operations by allowing the security practitioner to automate select workflows and processes. This includes investigating slow network connections, reviewing logs for unusual activity, and identifying missing or destroyed devices. With this automation, XDR speeds up investigations and helps facilitate faster, more scalable incident response. For example, it provides automated root-cause analysis, so the security practitioner has the context and relevant information they need to take the appropriate response actions. And with XDR, orchestrated response actions can be activated by the security practitioner across all tools with just the click of a button.
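As an added example (not code from AT&T or from any XDR product), the following Python sketch shows the kind of cross-source correlation this section describes: email gateway, EDR and network events that would normally sit in three separate consoles are joined on the host, bounded to a time window, and rolled up into one incident tagged with MITRE ATT&CK technique IDs, so that the phishing-to-lateral-movement chain described above surfaces as a single scored alarm rather than four disconnected alerts. The event records, the substring rules, the technique mapping, the weights, the 30-minute window and the two-stage threshold are all assumptions chosen for illustration; a real platform would match on parsed fields and vendor detections rather than substrings.

```python
"""Toy cross-source correlation: stitch email, endpoint and network telemetry
into one incident tagged with MITRE ATT&CK techniques.  Added illustration,
not AT&T code; the event formats, rules and technique mappings are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from three tools that would normally live in
# separate consoles.  Timestamps are UTC; "host" is the common join key.
EVENTS = [
    {"ts": "2022-03-01T09:00:05", "source": "email", "host": "ws-17",
     "user": "jdoe", "detail": "attachment invoice.xlsm delivered"},
    {"ts": "2022-03-01T09:02:40", "source": "edr", "host": "ws-17",
     "user": "jdoe", "detail": "EXCEL.EXE spawned powershell.exe -EncodedCommand"},
    {"ts": "2022-03-01T09:03:10", "source": "network", "host": "ws-17",
     "user": "jdoe", "detail": "dns query to newly registered domain"},
    {"ts": "2022-03-01T09:20:00", "source": "network", "host": "ws-17",
     "user": "jdoe", "detail": "smb session to fs-01 on 445"},
    {"ts": "2022-03-01T14:00:00", "source": "edr", "host": "ws-03",
     "user": "asmith", "detail": "EXCEL.EXE started"},  # benign, matches no rule
]

# Assumed rule set: a substring that marks an event as an attack stage, the
# ATT&CK technique it maps to, and a weight that feeds the incident score.
RULES = [
    ("attachment",              "T1566.001", "Phishing: Spearphishing Attachment", 1),
    ("spawned powershell",      "T1059.001", "Command and Scripting Interpreter: PowerShell", 3),
    ("newly registered domain", "T1071.004", "Application Layer Protocol: DNS", 2),
    ("smb session",             "T1021.002", "Remote Services: SMB/Windows Admin Shares", 3),
]
WINDOW = timedelta(minutes=30)   # events on one host within this gap form one chain
MIN_STAGES = 2                   # a single matched technique is an alert, not an incident


def parse(ts):
    return datetime.fromisoformat(ts)


def tag(event):
    """Return the (technique id, name, weight) rules that match one event."""
    text = event["detail"].lower()
    return [(tid, name, w) for needle, tid, name, w in RULES if needle in text]


def correlate(events, window=WINDOW, min_stages=MIN_STAGES):
    """Group tagged events per host into time-bounded chains and emit an incident
    for every chain that spans at least `min_stages` distinct techniques."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse(e["ts"])):
        hits = tag(ev)
        if hits:                      # untagged events never start or break a chain
            by_host[ev["host"]].append((parse(ev["ts"]), ev, hits))

    incidents = []
    for host, items in by_host.items():
        chain = []
        for ts, ev, hits in items:
            # A gap larger than the window closes the current chain.
            if chain and ts - chain[-1][0] > window:
                incidents.extend(_emit(host, chain, min_stages))
                chain = []
            chain.append((ts, ev, hits))
        incidents.extend(_emit(host, chain, min_stages))
    return incidents


def _emit(host, chain, min_stages):
    """Collapse a chain into one incident record, or nothing if it is too short."""
    techniques, sources, timeline = {}, set(), []
    for ts, ev, hits in chain:
        sources.add(ev["source"])
        timeline.append(f"{ts.isoformat()} [{ev['source']}] {ev['detail']}")
        for tid, name, w in hits:
            techniques[tid] = (name, w)
    if len(techniques) < min_stages:
        return []
    return [{
        "host": host,
        "user": chain[0][1]["user"],
        "score": sum(w for _, w in techniques.values()),
        "techniques": sorted(techniques),
        "sources": sorted(sources),
        "timeline": timeline,
    }]


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f"incident host={inc['host']} user={inc['user']} score={inc['score']} "
              f"sources={','.join(inc['sources'])} techniques={','.join(inc['techniques'])}")
        for line in inc["timeline"]:
            print("   ", line)
```

Running the block yields one incident for ws-17 that spans all three sources with a score of 9, while the lone EXCEL.EXE start on ws-03 matches no rule and produces nothing. That is the point of the section: the chain across tools, not any single event, is what makes the detection, and the technique IDs on the incident are what let an analyst triage it against ATT&CK without opening three dashboards.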

Planning and preparation

For the security leader seeking to lighten the load for their security teams and evolve their organization's current threat detection and response capabilities, XDR's promise is immensely appealing: greater efficiency in security operations and more agile security. But there are already multiple offerings available in this emerging market, so where should the security leader start?

Understand desired outcomes

Decision-makers should begin by understanding the specific objectives they seek for their organization. Based on those, they can evaluate how an XDR vendor's background can help them meet these objectives.

For example, if an organization is in a highly regulated industry, such as healthcare, manufacturing, or financial services, it will have strict reporting and compliance requirements. This organization would want an XDR vendor with strong SIEM capabilities, so that it has the deep analytics, strong log collection, and long-term data retention capabilities it requires.

Network architecture and use cases will also drive considerations. For example, an organization whose IT estate is focused heavily on Internet of Things (IoT) devices will not have the same visibility requirements as an organization that has few IoT devices but many endpoints. By contrast with SIEM-centered vendors, XDR vendors coming from the endpoint detection and response (EDR) space are likely to be weaker on analytics but stronger at providing actionable response on the endpoint. Organizations with large numbers of endpoints that need to be monitored (and potentially restored in the event of an attack) will want to partner with these vendors.

Determining the best approach

As discussed earlier, vendors are implementing XDR in one of two ways: either by integrating security tools from one vendor's portfolio (commonly referred to as a "native" platform), or by utilizing third-party integrations (commonly referred to as an "open" platform).

The organization that purchases a native XDR solution, in theory, will not have to implement and manage integrations with technologies from other vendors. However, it will have to rip and replace what it has in its technology stack to lock in with a single preferred security provider, typically a costly and complex undertaking. And while the simplicity of this approach is attractive, it may preclude the organization from deploying more innovative solutions from other vendors as they emerge in the market.

Since vendor-agnostic, or open, solutions use third-party integrations, customers can deploy them without having to replace tools they have already invested in. An important factor to consider with these solutions is whether the vendor has a large enough ecosystem for integration.

Organizations that deploy tools from multiple vendors are probably better off choosing an open platform or working with a managed security service provider to leverage those investments.

Key considerations

As organizations assess whom to partner with for their XDR implementation, the following items are key:

- Current security stack
- IT and network infrastructure, including future plans
- Potential gaps in current detection and response capabilities
- Loyalty to current vendors
- End-of-life contracts
- Vendor roadmaps for XDR
- Level of experience and expertise in the organization
- Regulatory / reporting requirements

Current controls

Security practitioners should evaluate the organization's current security technologies and understand where they have gaps in their detection and response capabilities that will need to be addressed, either through deployment of additional tools or by making changes to the current stack.

Since the organization's network is its attack surface, it will be critical for security leaders not only to review their current network roadmap but also to understand how their network and infrastructure will change over the next three to five years (for example, with the rollout of an edge initiative). If the organization anticipates an increase in the number of endpoints on the network, then it should focus more on vendors with strong EDR capabilities. Alternatively, if the organization prioritizes advanced analytics, broad visibility into the network, and automated workflows, then it should look to vendors with a strong SIEM component.

If there is an incentive to reduce the number of vendors in the organization's technology stack, it will make sense for the organization to look at native platforms and lock in with a particular vendor. However, if the organization has recently onboarded a vendor (for its endpoint security needs, as an example), it may not be feasible to switch to a different vendor's native platform. This is because ripping out the current endpoint solution and implementing a new tool will likely involve considerable time, training, and expense. In this case, the organization may be better off choosing an open platform or working with a managed security service provider so it does not have to rip and replace.

If the organization has contracts that are reaching end-of-life, this would be a good time to evaluate making changes. Alternatively, the organization may be in a situation where the security practitioners want to make a change but are not able to do so in the immediate future because they are locked into a contract for several more years; in that case they will instead need to create a roadmap for that change.

Loyalty to current providers will also be a factor. Does the organization intend to stay with its current SIEM platform? Does its current endpoint security provider check all the boxes? As organizations evaluate XDR solutions, many will remain loyal to their existing SIEM and EDR vendors. A customer that is already using an effective EDR solution is unlikely to switch to a product its security practitioners are not familiar with. However, if vendors fail to deliver on their promised outcomes, then organizations will be more willing to make changes.

Vendor roadmaps are key

Take care to review vendor roadmaps for integration, including scale and scope. Ascertain whether vendors are planning any integrations. If they are, understand how they plan to achieve them. Whether a vendor approaches XDR through acquisition (i.e., as a native platform) or through partnerships (i.e., as an open platform), integration is key.

If the vendor is partnering for its integrations, understand what that roadmap looks like in terms of the scale and scope of the integrations. Determine the vendor's openness to integration with other vendors, not only for XDR capabilities, but also for other security controls (for example, vulnerability management).

For native XDR vendors, review acquisition roadmaps to understand which capabilities have truly been integrated. When vendors bring together multiple platforms through acquisition, integrations are not always complete. Often, not all features are ported over, and some capabilities are prioritized over others.

Even if a vendor has acquired other technologies and is now positioning its platform as native, the platform will not be truly native until the vendor's engineers have fully integrated the new technology into it. And stitching together different technologies is not a trivial task. For example, the SIEM provider that touts XDR capabilities should be able to demonstrate that its platform has the advanced analytical capabilities, machine learning, and workflow capabilities to process correlations and alarms from multiple sources.

Further, these capabilities should be integrated to the point that it is a seamless experience for the SOC analyst. Can the analyst view data from multiple sources from a single dashboard and act with the click of a button? Or will they need to toggle between multiple dashboards to access different features?

In-house capabilities vs. managed security services

Determine internal expertise

Understanding what expertise and experience the organization has available in-house is also key. Whether the organization opts for an open platform or a native platform, it will need skilled security professionals to research, deploy, and manage a complex solution that can be challenging to roll out. Not only will staff need to know how to perform the integration during the deployment, but they will also need to know how to fine-tune the platform and handle its day-to-day management.

Understand the experience and expertise of the organization's current security team. Analyze whether it has the knowledge and experience to deploy and manage the platform.

The organization may have a SOC in place to deploy and manage its XDR, but if not, this capability will need to be outsourced. While an in-house SOC gives an organization greater control and allows it to tailor security operations to its specific needs, this may not be an option. The annual costs of building and staffing a full-time SOC are not trivial. According to a report from Forrester Research, SOCs can easily cost more than 1 million USD and take 8–12 months to build [4].

If the organization does not have the requisite expertise and experience in house, then it may find significant value in working with a managed security services provider (MSSP) or managed detection and response (MDR) provider. These providers can help ask the right questions, perform an assessment to identify gaps in current detection and response capabilities, and help the organization work through how to roadmap from its existing technology stack to an XDR implementation.

If the organization does have the in-house capabilities to handle day-to-day management of the solution and does not plan to work with an MSSP or MDR provider, consider retaining the services of a consulting or professional services company or investing in a product support services retainer. This will ensure the SOC team has access to on-call support when troubleshooting issues.

If the organization does not have these capabilities in house, consider an MSSP or a consulting or professional services company. These providers offer different levels of support, ranging from initial deployment and fine-tuning of the platform to day-to-day management, or a combination thereof.

Evaluate vendors

Perform detailed research on the vendors and their capabilities. Either conduct online research or set up inquiries with analysts from research firms.

Conclusion

The need for organizations to defend their data has never been greater, and it will only intensify. According to the 2022 Cybersecurity Almanac, global cybercrime costs are forecast to grow by 15% per year, reaching 10.5 trillion USD per year by 2025, up from 3 trillion USD in 2015 [5].

XDR helps organizations fortify their networks by providing better visibility into threats, more context, and automated workflows to facilitate faster and more efficient incident response.

However, while the benefits of this holistic approach to threat detection and response are clear, not all XDR solutions are alike. Before making any investment decisions, security practitioners should consider several key factors, such as organizational objectives and current technology capabilities, to ensure they select the solution that will best suit their needs.

Next steps

Assess the current security stack

Review the organization's platforms and technologies to identify where XDR capabilities currently exist and where there are gaps, both in feature sets and in integrations within the organization's current portfolio. Look at the current network roadmap, and also understand how the organization's network will change over the next 3–5 years.

[4] "Recruiting The Right Managed Security Service Providers." Forrester Research, Jan. 2021, p. 10.
[5] Cybercrime Magazine. "2022 Cybersecurity Almanac: 100 Facts, Figures, Predictions And Statistics." Jan. 19, 2022.

Why AT&T

Choosing the right cybersecurity solutions can be challenging. Evolving technologies and threats continually redefine the digital landscape. This makes your choice of security solutions key. We deliver the right fit of insights and guidance, so you feel confident in your ability to drive outcomes and defend your network.
