Select Page

Dec 20, 2022

XDR: A Step Towards Integrated Security for Cyber Defense

by

2022: A Year in Review

2022 has truly been a year of turbulence and misfortune. Covid-19 pandemic continued to rage around much of the world, causing more illnesses, deaths, and isolations among societies; the invasion of Ukraine has shaken the global energy and food supply in Europe and other regions. Disruptions in global manufactories, labor, and supply chains, together with often political and economic adversary policies, have broken the demand and supply balances across almost all economic sectors, causing material and labor shortages, higher costs, inflations, and economic downturns.

Since COVID-19 struck, businesses also shifted operations and policies to cope with the impacts of the pandemic.  On one hand, organizations have quickly shifted from in-person to remote, and in parallel have accelerated the migration to cloud of more business applications and operations. According to Gartner, SaaS application spending has increased by roughly 35% during 2020-2022 and the trend will continue into 2023 and beyond.

Working remotely across multiple geographical regions extend the corporate network security boundaries, migrating to cloud computing platform further render security boundaries blurred or even vanished. This results in dramatically increased threat attack surfaces and exposes more security vulnerabilities.

In 2022, cybercrimes and cyberattacks also rose significantly. These attacks are often used as weapons to aid both political and military campaigns.  According to the various research reports and data, phishing attacks soared 61% during the 1Q 2021; Ransomware attacks also increased by 72% during pandemic with mobile vulnerabilities grew by 50%.  At the same time, we saw more sophisticated, targeted, often state sponsored cyber-attacks or campaigns that targets critical infrastructures, critical business assets or valuable user data and these attacks are also often conducted at larger scale than before, causing more disruptions to businesses as well as damages.  

Under these circumstances, cybersecurity vendors and professionals need to continuously advance their security detection, prevention, and mitigation techniques to better protect business applications and critical assets. They also need to do this in a more agile, effective, scalable, and cost-effective way.

While single-point threat detection and protection techniques such as NGFW, IPS, WAF, DLP, AV, sandbox, endpoint, are continuing their improvement and can prove to be even more effective, they each have shortcomings, mainly because each of these technique only look at specific type or class of data source, e.g., traffic meta data, URLs, files, domain names etc. they therefore all have their “blind spots.” This could result in missing out real threat attacks or introduce false positives. As threat attacks and adversaries become even more sophisticated and targeted these days, it is becoming even harder for any single point threat detection technique to effectively fend off these attacks.  

What Makes an Effective XDR Platform?

While single point threat detection technique can be effective in defending specific types of the threat attack, security industry needs a weapon that utilizes all these single security tools together to provide a more integrated and comprehensive solution to achieve accurate and effective threat detection, prevention, and mitigation.

Extended Detection and Response (XDR) is an emerging technology that ingests multiples data sources, utilizing different detection techniques and tools, correlates threat detection results, events and threat intelligence and provides a unified and efficient approach to detect, prevent and mitigate threat attacks, especially sophisticated cyberattacks like APTs.  

XDR market and technologies were still in their formative stage in 2022 and will continue to see further advancements in 2023 and beyond. XDR is not a brand-new technology, rather, it is an integration of existing security tools and techniques onto one single and unified platform. Many of its data feeds come from existing, single point security products or deployments. What makes XDR a powerful platform is that it collects these data feeds, analyze them using both conventional as well as machine learning or deep learning analytics, provides comprehensive insights of threat attacks with threat hunting and forensic analysis, then automates the mitigation process.

An effective XDR platform should continue to focus on the following fundamental areas to make it more effective and adaptive.

Heterogeneous Data Sources

An effective XDR platform should be able to ingest information from multiples data sources, like security device logs, threat events, network flow data or meta data, emails, servers, EDR events, threat intelligence, user data as well as third-party data sources. This data is heterogeneous in nature – they can be structured, semi-structured or non-structured; the scope of data also varies dramatically, from static device or user data to dynamic run time processes, applications. Data is collected and stored in different types of databases across data lake, which is essentially a large, centralized data repository, for certain lengths of time. The XDR platform conducts data normalization, classification, contextualization, and other pre-processing at different levels.

AI Driven Analytics

Analytics using AI technique is an important tool to enable an XDR platform to continuously perform analytical tasks on huge amounts of data in the data lake and over long periods of time, it is useful to detect abnormal behavior or threat infiltration and attack. On the other hand, if deployed in the cloud, multiple AI analytical engines can be executed continuously in the cloud in parallel, correlating analytical results in cloud and update AI models and local detection caches or databases on security devices.

Security Automation

Security automation has always been the important target of any SOC. It is also one of the key requirements for XDR.  There are many components in XDR that can be automated: for example, assets discovery, security vulnerability and risk scanning and assessments, threat hunting, forensic analysis, threat mitigation and ticketing management etc. XDR platforms can also integrate with automation technique using playbooks in a SOAR solution and provide complete threat detection and security operation in SOC.

Security automation helps security companies to improve operational efficiencies, reduce operational cost, which is especially important in today’s economic reality.

Open Architecture

An XDR platform with open architecture can take advantage of security techniques from existing threat detection and prevention techniques and product deployments. It can also leverage state of the art security techniques and tools from other vendors. Open architecture requires a different level of data normalization at the source, unified data interfaces and standard APIs.

By integrating with existing security techniques and solutions from different vendors, XDR platforms can quickly improve the security defense or security operations capabilities. It also helps the XDR platform to establish an eco-system benefitting all stakeholders.

The Future is XDR

According to a recent report from Gartner, while less than 5% of organizations are using XDR today, this number is expected to climb to 40% by 2027.  With the right technology integration, XDR will emerge as a well-rounded, effective security tool to defend against cyberattacks.