
An Intelligence-Driven Approach to Extended Detection and Response (XDR)

The XDR wave is one worth keeping an eye on. Enterprises have everything to gain from the efficiency and risk reduction benefits XDR promises to provide.

Hugh Njemanze
March 16, 2021
<p>Threat detection isn’t getting any easier. Today’s threat actors are escalating the number of attacks they launch, going after more targets, using increasingly sophisticated techniques, and achieving their goals through stealth rather than notoriety. With more than 2,000 security vendors <a href="https://www.security-yearbook.com/">cataloged</a> and organizations reporting an average of <a href="https://www.zdnet.com/article/the-more-cybersecurity-tools-an-enterprise-deploys-the-less-effective-their-defense-is/">45 security products</a> deployed, why aren’t we any closer to closing the threat detection gap?</p>

<p>To answer this question, we first need to ask what we are trying to achieve. For years we have known that the “whack-a-mole” approach of detecting discrete threats is at best a stopgap until the next inevitable attack. At a high level, most would agree that the always-shifting nature of adversaries, the emergence of new vulnerabilities and exploits, and the all-menacing “zero-day” lead to a continued proliferation of incidents: data breaches, ransomware, cyberespionage, and more. As soon as we close one door to attackers, they find and open another. This has always been the case. There is more to it, though. We think some of the answers can be found in the failure to fully optimize and connect existing security tools, processes, and people: to give them broader visibility over traffic and advanced threats moving in and out of their networks while seamlessly layering in detection and response capabilities.</p>

<p>As an industry analyst told us in a recent discussion, “We've reached an inflection point. Enterprises know that the resources needed to greatly improve their security operations exist; they are now hungry to start using these security solutions to their maximum potential.” In other words: “We know the goods are available; how do we start using them to better find and neutralize the bad actors?”</p>

<h2>Enter Extended Detection and Response (XDR)</h2>

<p>You may have noticed lately that XDR is white-hot in the security world. Scores of vendors are entering the fray, ranging from small startups to established 800-pound gorillas. Dozens of industry analysts are quickly validating XDR as more than just a buzzword, with Gartner adding XDR to the “innovation trigger” stage of its newly created Security Operations Hype Cycle.</p>

<p>As a long-time member of the security technology community, I can add that while we have certainly seen enthusiasm for trends at different periods, the level that XDR is generating reminds me of three other significant movements that changed the course of computing and security. The first was Security Information and Event Management (SIEM), which I experienced during my time as a founder at ArcSight. The second was the “big data” era. The third was “cloud,” which in many ways has been reinvigorated by COVID.</p>

<h2>XDR: What is it?</h2>

<p>Multiple definitions exist. We think of XDR as an architecture, and in terms of how enterprises can leverage it to maximize the performance of their overall security investment (people, technologies, services) and take response action against threats at the fastest possible speed. As leaders in the threat intelligence market, and with deference to the essential role that global threat intelligence plays in accelerating detection and response, we offer the following working definition:</p>

<p>Organizations that run on top of XDR architectures move closer to managing their security infrastructure as an integrated, unified platform. With XDR, Security Operations Centers (SOCs) can break down silos and converge all of the security data and telemetry collected and generated by the security technologies they have deployed (firewalls, EDR, CASB, SIEM, SOAR, TIP, and so on). With that information they can generate actionable threat intelligence that powers immediate threat detection, streamlined investigations, and high-performance automated response that isolates and mitigates threats before they escalate into costly and disruptive incidents.</p>

<p>There are certainly deeper and more technical discussions to be had about each of these capabilities, which we'll save for another time. For now, we think this definition works, although we also expect it to evolve as new lessons are learned and innovations are introduced.</p>

<h2>XDR: The Early Days?</h2>

<p>XDR is perceived as new (it was added to the Hype Cycle a little more than eight months ago). Although there is hype, it is, as our aforementioned analyst friend told us, a very real and tangible movement within the security market, with a level of momentum he hasn't experienced in close to a decade.</p>

<p>We're intrigued by the emergence of attention and excitement around XDR. Not only because it is ushering in acceptance of an available leap forward in closing the gap between information gathering, detection, and response, but also because in many ways it validates what Anomali has been delivering to the market all along.</p>

<p>Seven years ago, we recognized that organizations needed a way to collect, aggregate, analyze, and operationalize threat intelligence, which led to the development of Anomali ThreatStream, an early enterprise threat intelligence platform (TIP). Shortly thereafter we introduced Anomali Match, which let our customers further operationalize intelligence by immediately matching internal telemetry against external threat indicators.</p>

<p>As it turns out, these innovations were supporting a key XDR layer: threat intelligence. Before XDR was XDR, we were extending the ability to collect and manage unlimited volumes of threat data, making it available for investigations, enabling internal threat detection by matching it against all telemetry, and ultimately helping to power faster response by operationalizing intelligence across security infrastructures.</p>

<h2>XDR, COVID, and the Cloud</h2>

<p>No future vision of any technology can be presented without acknowledging the impact the cloud is going to have on it; the same can now be said of COVID. Any enterprise that wasn't a cloud operation prior to the pandemic certainly is one now. Organizations that have made it through this past year are not going to descend from the cloud.</p>

<p>The cloud provides consistent access in a world now characterized by uncertainty. People may not be allowed into the office, but they can always connect from remote locations. Sales reps may not be able to travel to customer locations, but they can always meet with them virtually. Marketers may no longer have access to trade shows, but they are finding ways to keep their organizations relevant through virtual events. For businesses, leaders, and employees, the cloud has become essential to survival.</p>

<p>The ability to scale fast enough for millions of workers and processes to shift from the office to a remote reality could only be handled because of the cloud. For security operations, the cloud has of course created new challenges. Overnight, millions of endpoints connected to corporate networks over home Wi-Fi, meetings moved to video and chat applications with vulnerabilities of their own, data became cloud-native, and patching and vulnerability scanning fell behind. This sea change wasn't missed by adversaries, who are taking advantage of all of it.</p>

<p>To meet the present and keep pace with the future, XDR has to move into the cloud as well. It is the only way it will be able to scale alongside the new IT infrastructure reality.</p>

<p>Many reading this may remember when Big Data burst onto the scene. As it quickly became part of the Silicon Valley vernacular, everywhere you turned there were vendors “differentiating” by claiming that their solutions were “Big Data Ready.” As it turned out, this wasn't all hype: security technologies that could handle massive data volumes ended up in the winners' column. In the same vein, we will certainly soon see vendors differentiate their XDR by marketing around terms like “Cloud Native.” Although much of this will be marketing, enterprises should demand that vendors can deliver XDR in the cloud before making an investment. (In future segments, I'll draw on my experience in building cloud-native security technologies and discuss how to determine whether an XDR solution is truly cloud-ready.)</p>

<h2>XDR: The End Game</h2>

<p>Gaining the ability to holistically manage a security infrastructure, eXtend a unified set of tentacles across it, ingest every bit of security data available, apply analytics to it, and then use it to automate threat Detection and Response has always been a goal of security. Unattainable? Maybe not. Established players are committing huge resources to bringing XDR solutions to market. Disruptive startups are eager to contribute. Enterprises have everything to gain from the efficiency and risk reduction benefits it promises to provide. The XDR wave is one worth keeping an eye on.</p>
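<p>The threat-intelligence layer described in the definition and “Early Days” sections, matching telemetry from several tools against external indicators, is the one concrete mechanism this post names. What follows is an added example written for this page; it is not Anomali code and does not describe how ThreatStream or Match work internally. It normalizes constructed firewall, DNS and EDR events onto a common set of observables, matches them against a constructed indicator feed, and applies the checks a SOC needs before such a match is allowed to page anyone: indicator expiry, a confidence floor, and suppression of non-routable addresses that turn up in every sandbox-derived feed. Every event field, indicator value, actor name and timestamp below is invented for illustration (the IPs are from the RFC 5737 documentation ranges).</p>

```python
"""Indicator matching across heterogeneous telemetry.

Added example (not Anomali code). Event schemas, the IOC feed, actor names
and every IP/domain/hash value below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed intel feed keyed by (indicator type, value). Real feeds carry a
# confidence score and a validity window; honouring both is what keeps a stale
# or low-confidence indicator from paging the on-call analyst.
IOC_FEED = {
    ("ipv4", "203.0.113.45"): {"confidence": 90, "expires": "2030-01-01", "actor": "constructed-actor-A"},
    ("domain", "update.example-bad.test"): {"confidence": 80, "expires": "2030-01-01", "actor": "constructed-actor-A"},
    ("sha256", "ab" * 32): {"confidence": 60, "expires": "2030-01-01", "actor": None},
    ("ipv4", "198.51.100.7"): {"confidence": 95, "expires": "2020-01-01", "actor": "constructed-actor-B"},
}

# Ranges that recur in sandbox-derived feeds and must never produce a match.
# The RFC 5737 documentation ranges used in the sample data are deliberately
# not listed so that the example can run on them.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def is_matchable_ip(value: str) -> bool:
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return ip.version == 4 and not any(ip in net for net in NON_ROUTABLE)


def observables_from_event(event: dict) -> list[tuple[str, str]]:
    """Map each tool's native schema onto (type, value) observables so that a
    single matching routine serves firewall, DNS and EDR telemetry alike."""
    src = event["source"]
    if src == "firewall":
        return [("ipv4", event["dst_ip"])]
    if src == "dns":
        # Canonicalise: a trailing dot or mixed case would defeat an exact match.
        return [("domain", event["query"].rstrip(".").lower())]
    if src == "edr":
        obs = [("sha256", event["sha256"].lower())]
        if event.get("remote_ip"):
            obs.append(("ipv4", event["remote_ip"]))
        return obs
    return []  # unknown source contributes nothing rather than failing the batch


@dataclass(frozen=True)
class Detection:
    event_id: str
    source: str
    indicator: tuple[str, str]
    confidence: int
    actor: str | None


def match_events(events, feed=IOC_FEED, now=None, min_confidence=50):
    """One Detection per (event, indicator) hit that is routable, unexpired
    and at or above the confidence floor."""
    now = now or datetime.now(timezone.utc)
    hits = []
    for ev in events:
        for ind in observables_from_event(ev):
            if ind[0] == "ipv4" and not is_matchable_ip(ind[1]):
                continue
            meta = feed.get(ind)
            if meta is None:
                continue
            expires = datetime.fromisoformat(meta["expires"]).replace(tzinfo=timezone.utc)
            if expires < now or meta["confidence"] < min_confidence:
                continue
            hits.append(Detection(ev["id"], ev["source"], ind, meta["confidence"], meta["actor"]))
    return hits


def group_by_actor(detections):
    """The silo-breaking view: which tools saw the same actor."""
    grouped = defaultdict(list)
    for d in detections:
        grouped[d.actor or "unattributed"].append(d)
    return dict(grouped)


# Constructed telemetry from three tools, each in its own schema.
SAMPLE_EVENTS = [
    {"id": "fw-1", "source": "firewall", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.45", "action": "allow"},
    {"id": "fw-2", "source": "firewall", "src_ip": "10.0.0.6", "dst_ip": "198.51.100.7", "action": "allow"},
    {"id": "dns-1", "source": "dns", "client": "10.0.0.5", "query": "Update.Example-Bad.test."},
    {"id": "edr-1", "source": "edr", "host": "ws-17", "sha256": "AB" * 32, "remote_ip": "10.0.0.1"},
]
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed evaluation time


def run_sample(min_confidence=50):
    return match_events(SAMPLE_EVENTS, now=FIXED_NOW, min_confidence=min_confidence)


if __name__ == "__main__":
    for actor, ds in group_by_actor(run_sample()).items():
        print(actor, sorted((d.event_id, d.indicator[0]) for d in ds))
```

<p>Against the sample data, fw-1, dns-1 and edr-1 match while fw-2 is dropped because its indicator expired, and the EDR event's private remote address is never looked up. Grouping by actor then shows what the post means by breaking silos: a firewall allow and a DNS query from the same workstation, seen by two different tools, collapse into one picture of a single actor. Raising <code>min_confidence</code> to 70 drops the unattributed hash hit, which is the knob a SOC turns when a feed is noisy.</p>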
Hugh Njemanze

Hugh Njemanze is the President of Anomali. Hugh has an illustrious 30-year career in the enterprise software industry. Hugh co-founded ArcSight in May 2000 and served as CTO as well as Executive Vice President of Research and Development. He led product development, information technology deployment, and product research at ArcSight, and expanded these responsibilities to lead all engineering and R&D efforts for HP’s Enterprise Security Products group, the organization that ArcSight became part of post-acquisition. Prior to joining ArcSight, Hugh worked as the CTO at Verity, where he led product development, and before that he was at Apple in software engineering, where he was one of the key architects behind the Data Access Language (DAL). Hugh is a CISSP and holds a B.S. in computer science from Purdue University.

