XDR will be the key feature of the SOC of the future

Cristina De Luca -

December 28, 2021

The ability to focus on data is just one of the key capabilities that the SOC of the future needs to be efficient and effective. But there’s more to it than that. As attackers use more complex tactics, techniques, and procedures (TTPs) to successfully bypass and exploit traditional security controls, organizations need new approaches to protect a growing number of vulnerable digital assets inside and outside the traditional network perimeter, as well as proactive and unified security measures. In short, SOCs need a platform that intelligently brings together all relevant security data. This is where Extended Detection and Response (XDR) comes into play.

Early definitions of XDR described it as a solution built on EDR solutions, where “X” is simply an “extension” or “next generation” of EDR. But today XDR is understood as a holistic, architectural approach that orchestrates tools from different vendors: systems that protect at multiple enforcement points across the attack surface, and cloud-based as well as on-premise security technologies.

XDR enables an organization to go beyond typical detection controls by providing a holistic and simpler view of threats to the entire ICT infrastructure. It provides support for a wide range of network security responsibilities and can also be adapted to help support specific use cases, depending on the maturity of the security team. To this end, it ingests and distills various threat detection and monitoring, investigation, and incident response streams.

The challenge is that today, organizations maintain more than 45 different security tools that, for the most part, do not communicate with each other, and teams that do not work together. This operational reality makes it difficult to view XDR as just one more solution in the puzzle. “If we define XDR as a solution, SOCs cannot achieve their goal because, as a solution, XDR cannot be a holistic approach,” argues Marc Solomon, chief marketing officer at ThreatQuotient.

In contrast, viewing XDR as an architecture presupposes having ALL the tools and ALL the teams working together, with data-driven security approaches working in harmony with the earlier process-based approaches.

XDR Advantages

According to Gartner, the main advantages of Extended Detection and Response (XDR) are:

  • Enhanced protection, detection and response capabilities;
  • Increased productivity of operational security personnel;
  • The lower total cost of ownership for effective security threat detection and response.

But the consultancy warns that this market is still in formation, with solutions emerging from different vendors, approaches, and experiences. According to its projections, by 2023, at least 30% of EDR and SIEM providers will claim to provide XDR, despite not having basic XDR functionality.

According to Gartner, XDR products will appeal to pragmatic security leaders who lack the resources to integrate a large portfolio of best-of-breed security products and/or who are still struggling to get the full value of SIEM and SOAR tools. Marc Solomon points out, however, that SIEM, network detection and response tools, and security-as-a-service are just as important to XDR as EDR. Integrations with these tools, and others, will be critical to truly having an XDR approach.

It should be noted that three main types of XDR architectures are emerging.

Vendors must be able to accommodate the reality that not all organizations will readily have all their tools from a single vendor, and that the appetite to remove and replace is low in the short term. Not to mention the fact that new vendors and solutions will continue to emerge, because continuous innovation is required to keep up with new use cases, threats, and threat vectors.

2. Land and expand. This approach starts from a specific attack surface area where the vendor is focused, such as Endpoint Detection and Response (EDR) or Network Detection and Response (NDR), with the vendor planning to add additional XDR capabilities through integration with other security tools.

While this approach provides the opportunity to select a leader in a basic detection and response technology, it also presents some challenges. Integrations are essential to creating an XDR architecture; however, the vendor will likely focus on continued innovation of its core technology offering at the expense of integrations. Not to mention the significant amount of time it will take to identify the tools to interoperate with and execute deep integrations to deliver on the promise of XDR, if integration is not a core competency.

3. Open the platform. Vendors following this strategy offer an integration-focused platform, joining tools across the different attack surface areas as well as other security infrastructure. Serving as a conduit between existing security technologies, including those of vendors claiming XDR solutions, this approach enables a more vendor-agnostic XDR. It requires integration and data flow between systems to be a core competency and focus of the vendor. Organizations that are not starting from scratch and have a variety of best-of-breed solutions across departments and teams have a flexible path forward with an open and extensible architecture that enables strong integration and interoperability with existing tools – including products the XDR vendor may not be familiar with. Standard interfaces are used for ingesting and export,

There are pros and cons to each of these approaches. But if you see XDR as a destination rather than a solution, regardless of which path you take, you’ll need to understand each vendor’s focus and core competencies, the level of effort involved in transitioning to XDR, and where there may be distractions. Only then can you be sure that the vendor you select can deliver on the XDR promise of achieving the goal of detection and response across the entire infrastructure and across all attack vectors.

How to start

Gartner experts recommend that security and risk management (SRM) leaders interested in improving incident response capabilities:

  • Evaluate an XDR-based vendor consolidation strategy on its ability to improve security effectiveness and improve the productivity of security operations.

  • Focus initial XDR product considerations on threat-centric, detection- and incident-response-heavy security use cases, such as user workspace, cloud use, application workload, or traditional network protection.

  • Evaluate XDR solutions on their overall utility, not just the component parts; other features to consider are the underlying data lake base with flexible, low-cost data storage, functional orchestration and automation, and advanced security analytics. A reliable XDR is more than just a series of point solutions from a single vendor, and should be able to replace some of the existing security operations tools with alternative, more efficient ways of working.

You will also need to thoroughly evaluate two components that every XDR solution must offer, described by Gartner as front-end and back-end.

The front-end should have three or more solutions or sensors, including, but not limited to, endpoint detection and response (EDR), endpoint protection platforms (EPP), network security (firewalls, intrusion detection and prevention systems (IDPS), and network detection and response (NDR)), identity, email security, mobile threat detection, cloud workload protection, and fraud. The goal is for these to be threat-focused detection and response solutions that add up to a greater whole than the individual items provide on their own.

The back-end should include:

  • Unified policy mechanism for all components;
  • Centralized data storage (often referred to as a data lake) for storing and processing telemetry from the XDR component solutions, as well as from a relevant ecosystem of other data sources;
  • Integrations, usually via API, to enable better response use cases;
  • Advanced analytics to pre-process and correlate high-value alerts and reduce false positives;
  • Ability to perform enhanced automation, orchestration and workflow functions, with native orchestration and automation of security operations and incident response processes.
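To make the back-end list concrete, here is an added example (not code from the article or from any XDR vendor) of the two middle items working together: telemetry from three hypothetical front-end sensors (EDR, NDR, an identity provider) is normalized into one shape, joined in a data-lake style store on shared entities inside a time window, and only activity corroborated by more than one sensor is promoted to an incident. The sensor names, field names and sample events are constructed for the illustration.

```python
"""Cross-sensor alert correlation in the style of an XDR back-end.

Added example with constructed data; it is not any vendor's logic.
Steps: normalize per-sensor schemas -> cluster events that share an
entity within a time window -> promote corroborated clusters only.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry from three hypothetical sensors. Field names
# deliberately differ per source; the normalizer below plays the role of
# the data lake's ingestion layer.
RAW_EVENTS = [
    {"src": "edr", "ts": "2021-12-28T09:00:05", "hostname": "wks-17",
     "user": "alice", "detection": "suspicious_powershell", "severity": 4},
    {"src": "ndr", "ts": "2021-12-28T09:01:40", "client": "wks-17",
     "signature": "dns_tunneling_heuristic", "severity": 3},
    {"src": "idp", "ts": "2021-12-28T08:58:20", "principal": "alice",
     "event": "mfa_fatigue_prompts", "severity": 3},
    # An isolated low-severity network alert with no corroboration.
    {"src": "ndr", "ts": "2021-12-28T14:10:00", "client": "wks-03",
     "signature": "port_scan_internal", "severity": 2},
]


def normalize(ev):
    """Map each sensor's schema to one common record.

    Every record carries the set of entities (hosts, users) it refers to,
    which is the join key for correlation.
    """
    ts = datetime.fromisoformat(ev["ts"])
    if ev["src"] == "edr":
        return {"time": ts, "entities": {ev["hostname"], ev["user"]},
                "title": ev["detection"], "severity": ev["severity"], "src": "edr"}
    if ev["src"] == "ndr":
        return {"time": ts, "entities": {ev["client"]},
                "title": ev["signature"], "severity": ev["severity"], "src": "ndr"}
    if ev["src"] == "idp":
        return {"time": ts, "entities": {ev["principal"]},
                "title": ev["event"], "severity": ev["severity"], "src": "idp"}
    raise ValueError(f"unknown sensor {ev['src']!r}")


def correlate(events, window=timedelta(minutes=10), min_sources=2):
    """Cluster events that share an entity within `window`, then promote
    clusters seen by at least `min_sources` distinct sensors.

    Returns (incidents, noise): noise holds single-source clusters that
    stay as low-priority alerts instead of paging an analyst.
    """
    clusters = []
    for ev in sorted(events, key=lambda e: e["time"]):
        for c in clusters:
            # Join on any shared entity, as long as the cluster is still "hot".
            if c["entities"] & ev["entities"] and ev["time"] - c["last"] <= window:
                c["entities"] |= ev["entities"]   # transitive: host <-> user
                c["events"].append(ev)
                c["last"] = ev["time"]
                break
        else:
            clusters.append({"entities": set(ev["entities"]),
                             "events": [ev], "last": ev["time"]})

    incidents, noise = [], []
    for c in clusters:
        sources = {e["src"] for e in c["events"]}
        summary = {
            "entities": c["entities"],
            "sources": sources,
            "score": sum(e["severity"] for e in c["events"]),
            "titles": [e["title"] for e in c["events"]],
        }
        (incidents if len(sources) >= min_sources else noise).append(summary)
    return incidents, noise


def run(raw=RAW_EVENTS):
    """Full pipeline over the constructed sample; returns (incidents, noise)."""
    return correlate([normalize(e) for e in raw])


if __name__ == "__main__":
    incidents, noise = run()
    for inc in incidents:
        print("INCIDENT", sorted(inc["entities"]), sorted(inc["sources"]), inc["score"])
    for n in noise:
        print("low-priority", sorted(n["entities"]), n["titles"])
```

The transitive join (the identity event mentions only the user, the network event only the host, the endpoint event both) is what lets three weak signals become one scored incident, while the lone port-scan alert on another host is left as noise; in a real deployment the entity sets would come from an asset and identity inventory rather than from the raw event fields.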

To ensure that your implementation is effective and that you get the greatest protection for your investments, avoid the following mistakes.

  • Integration complexity

XDR solutions need to integrate seamlessly with existing solutions. If the integration requires excessive work or custom plug-ins, you’ll miss out on productivity gains. And you’ll also likely have to sacrifice some of the control and visibility that make XDR an improvement over the alternatives. If the platform you want doesn’t integrate well, you’re better off trying to find another.

While you may not get all the features of your preferred platform, not having to maintain or build an integration from scratch can be worth it. Being able to take advantage of native integration allows you to implement a new platform quickly and provides immediate protection enhancements.

Similarly, when looking to integrate additional tools with your XDR, make sure you prioritize those that are already compatible. In general, you should be wary of applications, tools, and services that require additional integration work, as this is a debt you will have to carry.

  • Lack of automation

Automation is a key driver of XDR efficiency. The ability to automate tracking, alerts, and responses is what reduces the workload of security teams and allows them to focus on higher-level tasks. However, automation needs to go beyond simply sandboxing processes or blocking all traffic to be effective.

The chosen XDR platform should ideally include automation that adapts to current system conditions and responds based on various parameters. For example, it should recognize when a device has connected to your network and be able to match it to a previously known user profile or assign it a temporary status. This allows you to monitor unknown devices more closely and restrict potentially malicious access more quickly.
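The device-connection example above, as an added illustration that is not from the article or any product: a hypothetical playbook takes a network join event, matches it against a constructed inventory of devices previously tied to a user profile, and either applies that profile's policy or assigns a temporary, time-limited status with enhanced monitoring. The inventory, VLAN names and event fields are assumptions made for the example; the mismatch branch shows why the automation should check more than one identifier before trusting a "known" device.

```python
"""Adaptive device-onboarding playbook (added example, constructed data).

on_device_connect() returns a Decision rather than acting directly, so the
same logic can feed a NAC, a firewall rule, or just an analyst queue.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed inventory: hardware addresses previously associated with a
# user profile. In practice this would be an asset/identity data source.
KNOWN_DEVICES = {
    "aa:bb:cc:00:11:22": {"user": "alice", "hostname": "wks-17", "vlan": "staff"},
    "aa:bb:cc:00:33:44": {"user": "bob", "hostname": "wks-22", "vlan": "staff"},
}


@dataclass
class Decision:
    status: str                      # "known" or "temporary"
    vlan: str                        # segment the device is placed in
    monitoring: str                  # "standard" or "enhanced"
    expires: Optional[datetime] = None   # when a temporary status lapses
    notes: List[str] = field(default_factory=list)


def on_device_connect(event, inventory=KNOWN_DEVICES, now=None,
                      grace=timedelta(hours=4)):
    """Decide how to treat a device that just joined the network.

    event: {"mac": str, "hostname": str} as a hypothetical NAC/DHCP sensor
           would report it.
    Matching uses two independent identifiers (MAC and hostname): a MAC that
    matches a known record but with a different hostname is treated as
    unknown, because a hardware address alone is easy to present falsely.
    """
    now = now or datetime.now()
    mac = event["mac"].lower()
    record = inventory.get(mac)

    if record and record["hostname"] == event.get("hostname"):
        # Both identifiers agree with a prior profile: apply that profile.
        return Decision(status="known", vlan=record["vlan"], monitoring="standard",
                        notes=[f"matched profile of user {record['user']}"])

    notes = []
    if record:
        notes.append(f"mac matches {record['user']} but hostname differs; "
                     "possible identifier reuse, not trusting the match")
    else:
        notes.append("no prior profile for this device")

    # Unknown or inconsistent device: temporary restricted status that
    # lapses automatically, with heightened monitoring meanwhile.
    return Decision(status="temporary", vlan="quarantine", monitoring="enhanced",
                    expires=now + grace, notes=notes)


if __name__ == "__main__":
    for ev in ({"mac": "AA:BB:CC:00:11:22", "hostname": "wks-17"},
               {"mac": "de:ad:be:ef:00:01", "hostname": "new-laptop"},
               {"mac": "aa:bb:cc:00:11:22", "hostname": "other-box"}):
        print(ev["mac"], on_device_connect(ev))
```

The temporary status carries an expiry so the playbook does not leave devices in quarantine forever, and the inconsistent-identifier case is routed the same way as a fully unknown device but with a note that tells the analyst why.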

  • Operational complexity

XDR platforms should facilitate the efforts of security and response teams. This goes beyond interfaces and dashboards and extends to configuration and maintenance requirements. If a solution is difficult to update or does not allow configurations to be easily defined or changed, its value diminishes.

Furthermore, if a platform is built with multiple technologies not natively linked, your teams are still using disparate tools. These tools are unlikely to be as effective and require additional operational efforts. Instead, you should look for platforms that include native services and functionality that do not require external add-ons.

The easier the integration of XDR into the existing environment, the better the investment.