Guest OpEd by Gilad David Maayan, CEO and Founder of Agile SEO
Security teams rely on a complex technology stack that helps prevent, detect, and respond to security incidents. However, this stack is becoming unwieldy, and may no longer be enough to handle security threats, which are growing in number and sophistication.
In this article I’ll discuss existing security tools, why they are lacking, and how a new, holistic approach to security tooling known as XDR is the next big step forward.
What Does the Traditional Security Stack Include?
Medium-to-large organizations commonly rely on the following tools to defend against cyber threats:
- Firewall—a defensive measure deployed at the network edge. It allows the organization to apply rules that filter out harmful or unwanted traffic, limit the quantity of allowed traffic, and report on traffic anomalies.
- Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)—intercept all network traffic and either detect threats or actively block suspected malicious traffic.
- User and Event Behavior Analysis (UEBA)—collects information about user activity, identifies behavioral baselines, and looks for deviations from these baselines that might signify a security incident.
- Endpoint Detection and Response (EDR)—deployed on endpoint devices like employee workstations and servers, allowing security staff to identify breaches occurring on endpoints, investigate them, and take immediate action to stop them.
- Cloud Security Posture Management (CSPM)—analyzes cloud resources, detects configuration and security issues, and provides repair recommendations and guidance.
- Security Incident and Event Management (SIEM)—allows organizations to capture and correlate information from multiple security tools, aggregating it to generate alerts for security analysts.
How Does a Security Operations Center (SOC) Work?
A security operations center is the heart of a modern security organization. A SOC team has two primary responsibilities:
- Security tool operations and maintenance—teams need to operate, maintain, and update tools in the security stack. Part of their role is to train and certify on new tools adopted by the organization.
- Investigating suspected security incidents—identifying suspicious activity on the corporate network or affecting any IT system, typically received as SIEM alerts, then classifying and investigating it.
- Responding to real security incidents—surprisingly, only a small fraction of the role of security teams is to actually “fight the bad guys”. This is because large efforts are spent on the above two roles—managing tools and combing through alerts.
The SOC team consists of several roles:
- Security analyst—reviews security alerts and investigates them. In case of a severe threat, the analyst will escalate to a higher-tier analyst with specialized expertise.
- Security engineer—maintains and updates security systems.
- SOC manager—hires security specialists, and is responsible for training, strategy, and directly managing severe security incidents.
Challenges of the Security Stack
While the current security stack has a dizzying array of technologies and is doing its job, the cracks are showing.
There are four key challenges affecting modern security technology:
- Time to detect a breach—average dwell time for a security threat in the USA is over 180 days. Many large security breaches were discovered years after they actually occurred, and in the interim caused horrific damage to the companies that were attacked.
- New vectors of attack—security tools are getting better at detecting unknown malware and attacks. Machine learning based technology, such as UEBA, can identify anomalous behavior that might be an attack, even if it is not a recognized attack pattern or a known malicious IP. However, because security tools are siloed, attacks that move across several security layers, such as attacks on cloud infrastructure, can evade even state-of-the-art security measures.
- Alert fatigue—a survey by ESG showed that over a quarter of security professionals say it takes them too long to investigate alerts. “Alert fatigue” is a well-known problem in the industry. Although machine learning analysis and SIEM solutions have made the situation better, the volume of alerts and the time required for triage is still overwhelming.
-
What is XDR?
eXtended Detection and Response (XDR) is the evolution of Endpoint Detection and Response (EDR), a technology already deployed by most security teams.
XDR provides a model for detecting attacks on endpoints, networks, software applications, cloud infrastructure, and virtually any other addressable resource in the network.
What is new about XDR is that it provides visibility into all layers of the network and application stack, with advanced detection, autocorrelation, and machine learning capabilities.
XDR does not replace the existing stack—it integrates with existing tools and combines their data to deliver new insights.
Unlike SIEM, which also collects alerts from all over, XDR can dive deep into the data and perform intelligent analysis, combining pieces of data to create a coherent attack story.
XDR enables:
- Making more of existing security data, converting it into contextual information that security analysts can immediately use to respond to threats.
- Identifying hidden threats, using machine learning-based behavioral models applied across much larger security datasets.
- Identifying threats across multiple layers of the IT environment, including hybrid cloud and multi-cloud infrastructure.
- Minimizing alert fatigue by providing comprehensive data about suspected attacks, including a complete attack story.
- Providing detailed forensic data automatically, without requiring security analysts to “dig” into raw data to investigate an incident.
- Responding automatically to any security incident by activating other security tools such as firewalls, IDS, and EDR.
How is the XDR Stack Different?
Let’s review the impact of XDR on the modern security stack.
Multiple Telemetry Sources
While traditional security products focus on a single point of attack or network element, XDR spans a broad lifecycle, from EDR and endpoint security to network security, email, web servers, identity and access management, and cloud environments.
It collects detailed telemetry from all these sources and combines them into data analysts can immediately use.
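To make the cross-layer correlation idea concrete (the “coherent attack story” described above, built from multiple telemetry sources), here is an added illustration that is not part of the original article or any XDR product: it links constructed endpoint, firewall, and cloud events that share a pivot entity inside a time window, and only surfaces chains seen by more than one tool. Event fields, hostnames, and timestamps are all invented sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    source: str        # which siloed tool emitted it: "edr", "firewall", "cloud"
    ts: datetime
    entity: str        # shared pivot, e.g. a hostname or user; assumed to be normalized
    detail: str


# Constructed sample telemetry (not real data). Individually, each of these is a
# low-severity signal that its own tool would probably not alert on.
EVENTS = [
    Event("edr", datetime(2021, 3, 1, 9, 0, 5), "ws-042", "office document spawned a scripting host"),
    Event("firewall", datetime(2021, 3, 1, 9, 0, 40), "ws-042", "outbound 443 to newly seen domain"),
    Event("cloud", datetime(2021, 3, 1, 9, 3, 10), "ws-042", "IAM key listing from ws-042 session"),
    Event("firewall", datetime(2021, 3, 1, 14, 0, 0), "ws-017", "outbound 443 to newly seen domain"),
]


def build_attack_stories(events, window=timedelta(minutes=10), min_sources=2):
    """Group events by shared entity into time-bounded chains and keep only the
    chains that involve at least `min_sources` distinct tools."""
    by_entity = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_entity[e.entity].append(e)
    stories = []
    for entity, evs in by_entity.items():
        chains, chain = [], [evs[0]]
        for e in evs[1:]:
            # Extend the chain while consecutive events stay within the window.
            if e.ts - chain[-1].ts <= window:
                chain.append(e)
            else:
                chains.append(chain)
                chain = [e]
        chains.append(chain)
        for c in chains:
            sources = sorted({e.source for e in c})
            if len(sources) >= min_sources:
                stories.append({
                    "entity": entity,
                    "sources": sources,
                    "timeline": [f"{e.ts:%H:%M:%S} [{e.source}] {e.detail}" for e in c],
                })
    return stories


if __name__ == "__main__":
    for story in build_attack_stories(EVENTS):
        print(story["entity"], story["sources"])
        print("\n".join("  " + line for line in story["timeline"]))
```

Only ws-042 produces a story: its three signals come from three different tools within minutes, while the lone firewall event on ws-017 stays a single-source alert.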
Unified Platform
XDR does not replace existing security tools, but it provides one platform and one pane of glass for security teams to operate.
Analysts no longer need to train on, and spend time operating and maintaining, dozens of security tools. They can identify, investigate, and respond to an alert in one convenient interface.
Cloud-Native Architecture
Because XDR lives in the cloud, it can collect data from cloud-native constructs like cloud compute instances, containers or serverless functions.
It can scale up to meet demand, uses modern data lake infrastructure to store and query vast amounts of security data, and uses APIs to easily integrate with existing security and IT systems.
AI-Driven Automation
XDR can automate incident identification and investigation, but doesn’t stop there. It can also autonomously respond to security threats, even before security analysts have seen the alert.
XDR can store security playbooks for known threat scenarios, and execute these playbooks when an attack is discovered, dramatically shortening time to mitigation.
Conclusion
XDR actively changes the nature and lifecycle of incident response. Alarms are no longer passive signals waiting to be investigated by security teams using a complex stack of tools.
Instead, it provides actionable information that security analysts can immediately use to investigate threats and react to them.
XDR promises to transform the complex security stack into a unified platform, with one interface analysts can use to identify threats and eradicate them.
This can not only improve the effectiveness of incident response processes, but also dramatically improve productivity in security teams. Hopefully, this will ensure security professionals use their time not just to sift through data, but to actually do battle with hackers.
About the Author
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.
Today he heads Agile SEO, a leading marketing agency in the technology industry.