In this blog we talk about the future of XDR in Security Operations. What does Extended Detection and Response (XDR) mean in the context of all the different security operation solutions in the market? And what is the outlook for XDR in the long term?
What Is the Definition of XDR?
There doesn’t seem to be a clean definition of XDR. Is XDR just a simple extension of EDR – Endpoint Detection and Response? Or something more? We look to Gartner as being the authority based on the number of vendors they talk to and the number of customers that rely on them for providing information and guidance around what technologies to evaluate.
Gartner defines XDR as “… a platform that integrates, correlates, and contextualizes data and alerts from multiple security prevention, detection and response components. XDR is a cloud-delivered technology comprising multiple point solutions and advanced analytics to correlate alerts from multiple sources into incidents from weaker individual signals to create more accurate detections.”
The way they talk about XDR is very similar to what a SIEM provides. However, it is absolutely a cloud-native offering that leverages advanced analytics that are implemented across a wide variety of data sources. In addition, what XDR does is de-couple the storage of security-relevant data from the threat detection, investigation, and response functions. XDR is meant to fill the gap where a lot of SIEMs are just too rooted in log collection (for storage), compliance, and traditional correlation rules to be that effective at preventing a successful breach.
Gurucul looks at XDR as being vendor agnostic. It should integrate with multiple solutions across the board – endpoint solutions, network solutions, vulnerability management systems – you name it. It should integrate with all the different security vendors for the purpose of being able to do better analytics and to chain those analytics together in a way that you’re identifying the attack across the kill chain. That’s what we look at as it being XDR. While some believe it is endpoint focused, that is a vendor bias. You can have a next gen Anti Virus (AV), you can have an EDR agent, you can have just the operating system – whatever it is – but how do you leverage that information with the right analytics and with other telemetry to really find an attack? An endpoint or network focus is missing the mark. The more data sources you have, the better your XDR should be.
Behavior Analytics is at the Core of XDR
User and Entity Behavior Analytics (UEBA) has become a much bigger part of XDR (and SIEM) solutions. At least six vendors in the last 12 months have announced a new UEBA agent they’ve added to their XDR or SIEM platform, rather than partnering with someone who’s been doing it for a while. It’s a concern.
When you add an immature set of UEBA capabilities, it can actually be quite dangerous. Behavior analytics requires a lot of tuning and real-world battle testing in a wide variety of environments to make sure it is triggering events with accuracy otherwise it can lead to a massive flood of additional alerts. We hear customers and prospects that are concerned when they add UEBA that they’re going to overburden their security teams even more.
A mature and battle-tested set of UEBA models and rules, such as the 12+ years with Gurucul UEBA, combined with other analytics and correlation rules should actually bring down the number of alerts that are being sent to the security team. This also comes along with the ability to perform link chain analysis, a unique capability of Gurucul, that goes beyond alerting on a bolted on set of analytics or single-stream analytics that trigger independent alerts. At Gurucul, we chain multiple analytics models together across different sources and analyze them to see how they validate or invalidate whether they are all part of an attack campaign.
Correlation Rules versus Artificial Intelligence Powered Analytics
The definition of a rule is very strict. So, if we are able to tie different aspects of a rule, whether it’s actual fields from within the rule or whether it’s the rule as a whole itself that’s been identified as a specific, say, tools, tactics, and procedures (TPPs), it’s still strict in nature, so that means that it’s historic. Anything that’s been defined as a rule is based on something that’s been seen in the past. That means in itself, rules are only looking for known threats.
Where artificial intelligence (AI) really comes in in this picture is not just the ability to be able to identify things without rules, but also the ability to be able to identify footsteps that may have never happened before. The activity is anomalous and different compared to the behavior that we’ve learned. Now, that doesn’t mean that we don’t need rules. Rules identify known threats. But the combination of rules and AI allows us to be able to identify things that have never been seen before. It identifies variants of things that haven’t been seen and looks at those as a whole without the creation of individual rules.
That means we don’t have to create hundreds and thousands of rules to actually check and detect every single aspect of every single security alert that’s ever been known or will ever be known. That gives us a lot of flexibility with AI, especially when it’s wrapped with those rules.
XDR versus SIEM
There is a lot of confusion around how XDR and SIEM are different. A lot of XDR vendors claim that you don’t need your SIEM, that their XDR can replace your SIEM. Let’s face facts: the SIEM is not going anywhere. It is still going to continue to be part of your security operations because you still require that initial use case, which is logging and compliance. It’s just how do we extend SIEM to make it much better? XDR works with the security tools you already have, including SIEM.
There’s a lot of similarities between current SIEMs and XDR platforms in the sense of they both have UEBA. They usually add UEBA as a silo-based service or device, which is where the UEBA engine provides its own set of distinctive alerts and events separate from the traditional events you’ll see from an EDR or SIEM solution. They’re not necessarily put together in any sort of meaningful way, but it is another set of events that’s provided. That’s typically what we see with most of the platforms that are out there. And all the SIEMs and XDRs use typical correlation rules, so that’s another place of overlap.
The Future of the Security Operations Center (SOC)
The reality is that XDR is useful today to augment traditional SIEMs or can be offered to organizations lacking a SIEM that are concerned about breaches and recognize that endpoint and network security solutions like Firewalls and IPS are not enough. However, in the future the capabilities of XDR will be consumed by the SIEM or the two will be combined into a platform, whatever it may be called and will continue to be the core of security operations. At Gurucul, we refer to this as our cloud-native SaaS-based Security Analytics and Operations Platform for lack of a better industry term. While we offer the ability to augment current SIEMs through XDR, we also have built a Next Generation SIEM that can also be implemented on the Gurucul platform.
Currently Gurucul Open XDR fills the gap around where traditional SIEMs have failed. With Gurucul Open XDR, SOCs can achieve the following:
- Improve efficiencies and ROI in their security operations
- Accelerate threat detection and response at every stage
- Unburden security teams from alert fatigue and false positives
- Improve the experience of new analysts and foster their development
Security leaders want to unburden their analysts by reducing the number of alerts that are critical to investigate and lowering the number of false positives. Security teams waste so much time looking for threats and trying to figure out which are important, and which aren’t. We use the term “putting the puzzle pieces together”. Our solutions enhance that process for security analysts leading to improved efficiency, but also help find threats with high accuracy and deliver responses more rapidly.
Watch the Webinar: Is XDR a Long-Term Solution?
If you want to hear more on this topic, watch our webinar where we dive into XDR in more detail. We discuss what XDR is meant to solve, how the definition of XDR is evolving, what its real value is to the SOC, and whether it’s here to stay or not!
Webinar: Is XDR a Long-Term Solution?
About The Author
Sanjay Raja, VP Product Marketing and Solutions, Gurucul
Sanjay brings over 20 years of experience in building, marketing and selling cyber security and networking solutions to enterprises, medium-to-small business, and managed service providers. Previously, Sanjay was VP of Marketing at Prevailion, a cyber intelligence startup. Sanjay has also several successful leadership roles in Marketing, Product Strategy, Alliances and Engineering at Digital Defense (acquired by Help Systems), Lumeta (acquired by Firemon), RSA (Netwitness), Cisco Systems, HP Enterprise Security, Crossbeam Systems, Arbor Networks, Top Layer Networks, Caw Networks (acquired by Spirent Communications), Nexsi Systems, 3Com, and Cabletron Systems. Sanjay holds a B.S.EE and an MBA from Worcester Polytechnic Institute. Sanjay is also a CISSP as well as Pragmatic Marketing certified.