Post Syndicated from Jesse Mack original https://blog.rapid7.com/2022/03/30/demystifying-xdr-the-time-for-implementation-is-now/

In previous installments of our conversation with Forrester Analyst Allie Mellen on all things extended detection and response (XDR), she helped us understand not only the foundations of the product category and its relationship with security information and event management (SIEM), but also the role of automation and curated detections. But Sam Adams, Rapid’s VP of Detection and Response, still has a few key questions, the first of which is: What do XDR implementations actually look like today?

A tale of two XDRs

Allie is quick to point out what XDR looks like in practice can run the gamut, but that said, there are two broad categories that most XDR implementations among security operations centers (SOCs) fall under right now.

XDR all-stars

These are the organizations that “are very advanced in their XDR journey,” Allie said.”They are design partners for XDR; they’re working very closely with the vendors that they’re using.” These are the kinds of organizations that are looking to XDR to fully replace their SIEM, or who are at least somewhat close to that stage of maturity.

To that end, these security teams are also integrating their XDR tools with identity and access management, cloud security, and other products to create a holistic vision.

Targeted users

The other major group of XDR adopters is those utilizing the tool to achieve more targeted outcomes. They typically purchase an XDR solution and have this running alongside their SIEM — but Allie points out that this model comes with some points of friction.

“The end users see the overlapping use cases between SIEM and XDR,” she said, “but the outcomes that XDR is able to provide are what’s differentiating it from just putting all of that data into the SIEM and looking for outcomes.”

The common ground

This relatively stratified picture of XDR implementations is due in large part to how early-stage the product category is, Allie notes.

“There’s no one way to implement XDR,” she said. “It’s kind of a mishmash of the different products that the vendor supports.”

That picture is likely to become a lot clearer and more focused as the category matures — and Allie is already starting to see some common threads emerge. She notes that most implementations have a couple things in common:

• They are at some level replacing endpoint detection and response (EDR) by incorporating more sources of telemetry.
• They are augmenting (though not always fully replacing) SIEM solutions’ capabilities for detection and response.

Allie expects that over the next 5 years, XDR will continue to “siphon off” those uses cases from SIEM. The last one to fall will likely be compliance, and at that point, XDR will need to evolve to meet that use case before it can fully replace SIEM.

Why now?

That brings us to Sam’s final question for Allie: What makes now the right time for the shift to XDR to really take hold?

Allie identifies a few key drivers of the trend:

• Market maturity: Managed detection and response (MDR) providers have been effectively doing XDR for some time now — much longer than the category has been defined. This is encouraging EDR vendors to build these capabilities directly into their platforms.
• Incident responders’ needs: SOC teams are generally happy with EDR and SIEM tools’ capabilities, Allie says — they just need more of them. XDR’s ability to introduce a wider range of telemetry sources is appealing in this context.
• Need for greater ROI: Let’s be real — SIEMs are expensive. Security teams are eager to get the most return possible out of the tools they are investing so much of their budget into.
• Talent shortage: As the cybersecurity skills shortage worsens and SOCs are strapped for talent, security teams need tools that help them do more with less and drive outcomes with a leaner staff.

For those looking to begin their XDR journey in response to some of these trends, Allie recommends ensuring that your vendor can offer strong behavioral detections, automated response recommendations, and automated root-cause analysis, so your analysts can investigate faster.

“These three things are really critical to building a strong XDR capability,” she said,”and even if it’s a roadmap item for your vendor, that’s going to give you a good basis to build from there.”

Want more XDR insights from our conversation with Allie? Check out the full talk.

Additional reading:

• SIEM and XDR: What’s Converging, What’s Not
• 3 Ways InsightIDR Customers Leverage the MITRE ATT&CK Framework
• Demystifying XDR: How Curated Detections Filter Out the Noise
• This CISO Isn’t Real, But His Problems Sure Are
  

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2022/02/24/demystifying-xdr-how-curated-detections-filter-out-the-noise/

Extended detection and response (XDR) is, by nature, a forward-looking technology. By adding automation to human insight, XDR rethinks and redefines the work that has been traditionally ascribed to security information and event management (SIEM) and other well-defined, widely used tools within security teams. For now, XDR can work alongside SIEM — but eventually, it may replace SIEM, once some of XDR’s still-nascent use cases are fully realized.

But what about the pain points that security operations center (SOC) analysts already know so well and feel so acutely? How can XDR help alleviate those headaches right now and make analysts’ lives easier today?

Fighting false positives with XDR

One of the major pain points that Sam Adams, Rapid7’s VP for Detection and Response, brought to light in his recent conversation with Forrester Analyst Allie Mellen, is one that any SOC analyst is sure to know all too well: false positives. Not only does this create noise in the system, Sam pointed out, but it also generates unnecessary work and other downstream effects from the effort needed to untangle the web of confusion. To add to the frustration, you might have missed real alerts and precious opportunities to fight legitimate threats while you were spending time, energy, and money chasing down a false positive.

If, as Sam insisted, every alert is a burden, the burdens your team is bearing better be the ones that matter.

Allie offered a potential model for efficiency in the face of a noisy system: managed detection and response (MDR) providers.

“MDR providers are one of these groups that I get a lot of inspiration from when thinking about what an internal SOC should look like,” she said. While an in-house SOC might not lose money to the same extent an MDR vendor would when chasing down a false positive, they would certainly lose time — a precious resource among often-understaffed and thinly stretched security teams.

Got intel?

One of the things that MDR providers do well is threat intelligence — without the right intel feed, they’d be inundated with far too much noise. Sam noted that XDR and SIEM vendors like Rapid7 realize this, too — that’s why we acquired IntSights to deepen the threat intel capabilities of our security platform.

For Allie, the key is to operationalize threat intelligence to ensure it’s relevant to your unique detection and response needs.

“It is definitely not a good idea to just hook up a threat intel feed and hope for the best,” she said. The key is to keep up with the changing threat landscape and to stay ahead of bad actors rather than playing catch-up.

With XDR, curation is the cure

Of course, staying on top of shifting threat dynamics takes time — and it’s not as if analysts don’t already have enough on their plate. This is where XDR comes in. By bringing in a wide range of sources of telemetry, it helps SOC analysts bring together the many balls they’re juggling today so they can accomplish their tasks as effectively as possible.

Allie noted that curated detections have emerged as a key feature in XDR. If you can create detections that are as targeted as possible, this lowers the likelihood of false positives and reduces the amount of time security teams have to spend getting to the bottom of alerts that don’t turn out to be meaningful. Sam pointed out that one of the key ways to achieve this goal is to build detections that focus not on static indicators but on specific behaviors, which are less likely to change dramatically over time.

“Every piece of ransomware is going to try to delete the shadow copy on Windows,” he said, “so it doesn’t matter what the latest version of ransomware is out there – if it’s going to do these three things, we’re going to see it every time.”

Focusing on the patterns that matter in threats helps keep noise low and efficiency high. By putting targeted detections in security analysts’ hands, XDR can alleviate some of their stresses of false positives today and pave the way for the SOC to get even more honed-in in the future.

Want more XDR insights from our conversation with Allie? Check out the full talk.

Additional reading:

• Demystifying XDR: Where SIEM and XDR Collide
• The Great Resignation: 4 Ways Cybersecurity Can Win
• Evaluating MDR Vendors: A Pocket Buyer’s Guide
• Demystifying XDR: How Humans and Machines Join Forces in Threat Response