Will XDR Change Incident Response?

Extended Detection and Response (XDR) is a new security technology that promises to change the way security organizations operate, and introduce important efficiencies to day-to-day processes. In particular, XDR is expected to have a huge impact on incident response teams.

In this article, we’ll explain the basics of XDR, show how it addresses incident response challenges, and how it can transform traditional processes in the SOC. 

What Is XDR?

XDR provides detection and response of security incidents across multiple layers of the IT environment. XDR collects and automatically correlates data from email, endpoints, servers, cloud workloads and networks, to detect evasive threats and enable security analysts to investigate and respond to them faster.

XDR is an alternative to traditional, reactive approaches that provide visibility into attacks in each layer separately—using tools like endpoint detection and response (EDR), network traffic analysis (NTA) or security information and event management (SIEM). 

Visibility into isolated events occurring at different layers provides important information, but requires manual investigation and forensic work to piece together information about an actual attack. XDR saves this manual work by automatically collecting data and assembling an attack story, enabling immediate response.

How XDR Addresses Incident Response Challenges

Security threats are becoming more complex and more difficult to detect and block using traditional security approaches. Security teams suffer from alert fatigue, and can easily overlook unusual behavior. The average dwell time for an attacker is over 180 days.

Most organizations struggle with handling large amounts of security event data. While you can’t protect what you don’t see, seeing too much, in the form of low-quality security alerts, is effectively the same. Security teams often miss ongoing attacks because critical incident information is lost among numerous false positive alerts.

Enhanced detection and response capabilities address this, by providing visibility and analysis of unified data across an organization’s assets. Integration of security silos allows security teams to view the data collected by all security solutions across all platforms in a single dashboard. Analysts can leverage insights gained by aggregating event information from different solutions into one contextual event.

XDR unifies the incident response process into one platform. It leverages automation and artificial intelligence (AI) capabilities to simplify analyst workflows, achieve rapid incident response, and eliminate simple or repetitive tasks to reduce analyst workload.

What Are the Benefits of XDR for Incident Response Teams?

XDR goes beyond endpoint detection and response (EDR) tools into a cross-organization incident response solution, including advanced threat detection and response capabilities. These capabilities include:

• Consolidating a large number of alerts into few, relevant events.
• Enabling analysts to quickly resolve alerts by providing the context they need.
• Providing integrated incident response options, including automated playbooks and remote control of endpoints and network devices.
• Automating repetitive tasks involved in triage and investigation of security incidents.
• Smoother learning curve and improved productivity for Tier 1 analysts, and reducing the need to escalate events for further investigation, with a common management and workflow experience across security components.
• Provides useful, high-quality inspection content with minor adjustments

XDR improves security operations center (SOC) capabilities which are very important in timely response to attacks:

• Detection—XDR combines endpoint telemetry with data from many other security controls to identify real threats.
• Investigation—XDR supports human-machine collaboration, letting incident responders correlate all relevant threat information and apply the relevant security context, to reduce noise signals and identify root causes.
• Mitigation—XDR provides specific recommendations to analysts to further investigate an incident through queries, and suggests the most effective countermeasures to eradicate detected threats.
• Threat hunting—XDR provides universal query capabilities across data repositories, including multi-vendor telemetry, looking for suspicious threat behavior. This allows threat hunters to quickly identify threats or vulnerabilities and take action to remediate them.

XDR: A Focus on Response

Another key factor XDR brings to the table is automated response. While previous technologies like EDR and security orchestration, automation and response (SOAR) offered some of these capabilities, XDR promises to achieve automated response in a seamless manner that transcends security silos. 

The XDR response process includes three phases:

1. AI-driven analytics—XDR analyzes security data using AI/ML algorithms and puts together an attack story.
2. Human-led analysis—human analysts quickly review attacks and identify the severity and impact of the threat.
3. Response recommendations—XDR provides actionable steps security teams can take to contain and eradicate the threat. These can include automated responses, with orchestration of several security tools, or manual steps. Analysts can quickly decide which steps are the most effective and push the button to execute them.

XDR enables several types of responses:

• Alerting—XDR can help organizations define who should participate in a particular response, from security to IT, legal teams, or senior management. XDR tools generate alerts based on security incidents, but these alerts are not sent within the XDR system. XDR systems can integrate with incident alerting tools like OnPage, to send out critical notifications via audible push, emails, SMS, Slack and more.
• Network reconfiguration—XDR integrates with EDR, intrusion detection/prevention systems (IDS/IPS) and network devices to change network segmentation and access control on the fly in response to attacks.
• Remediation—XDR can automatically remediate many security issues, for example by wiping and re-imaging endpoints, changing firewall security rules or activating cloud security measures.

Conclusion

XDR is a new paradigm in security technology that will have a critical impact on incident response. XDR integration and implementation is complex, and because it is new, we have yet to see how it impacts day-to-day operations in a large SOC. Try XDR—but take careful steps in your adoption and take into account the cost and risk of adjustment to a new operating model.