The last frontier of Cybersecurity
The current cybersecurity picture is decidedly worrying. The attack surface of IT systems keeps expanding and cyber criminals keep improving their technical and operational abilities, so the number of breaches has risen steeply.
What can be done about this? Many suppliers of security technology are betting on solutions that are evolutionary rather than revolutionary, so as to protect the investments organizations have already made.
One of the concepts most talked about over the last few months is eXtended Detection and Response (XDR).
Origins and development of XDR
We should point out that XDR is not a product; it is better thought of as an architectural proposal. To explain clearly what it proposes, we need to look briefly at its genesis, which can be traced back to two other concepts: the Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR). Both are already implemented in a wide range of security products.
EPP is the label under which, for some years, many security providers have tried to respond to the evident vulnerability of most corporate endpoints (PCs, servers, smartphones): traditional antivirus was no longer able to cope with the range of attacks directed at them. Initially, many EPPs simply bundled existing components into a single package: the antimalware engine (with greater capacity for behavioral analysis of applications), network protection for the system (often reusing the existing host firewall), file and configuration integrity monitoring, and/or the option to encrypt the most important data on the device.
These are therefore solutions that offer an essentially preventive security model, with decidedly limited response capabilities. This imbalance in defensive capabilities has recently shown all of its limits, particularly with the evolution of malware and the diversification of attacks: fileless attacks, attacks that abuse management tools already present on the endpoint (PowerShell, for example), not to mention the epidemic of ransomware.
This led to the EDR (Endpoint Detection and Response) proposition, in which EPP technologies were combined not only with robust detection capabilities but also with the ability to react, even autonomously, once a potential threat is detected. Machine learning and threat intelligence have been the key technologies giving these products such capabilities, often together with forensic analysis tools and extended tracing of activity on the endpoint.
XDR: a holistic view
The next step derived not only from the desire to extend visibility to other environments (cloud, network, servers, serverless, etc.), but also from the objective difficulty of managing the large quantity of information these systems produce.
This is how the idea of an eXtended Detection and Response (XDR) solution arose almost naturally: a scenario in which the information and the response capabilities described above are present across all (or almost all) systems of the IT environment to be protected.
In substance, a scenario in which it is possible to acquire, process and manage all the information relevant to threat detection and response from every element of the IT system, whether endpoints, servers, cloud, network, hybrid infrastructure, remote and agentless systems, and so on.
It is obviously essential to have an analytics engine able not only to extract the relevant information, but also to correlate it across sources, orchestrate it and automate as much of its handling as possible for the operators.
The expected advantages are numerous, at least in theory:
- Total visibility of the environment, and therefore minimization of shadow IT
- Faster and more effective response to attacks, with fewer false positives, since an alert from one source can be confirmed against evidence from the others
- The possibility of eliminating the IT silos that make full security management difficult
- Protection of new environments such as IoT, wearables, distributed ledgers, etc.
We should nevertheless note that this is a point of view similar to what has always been attempted with the SIEM/SOAR pair. What are the differences compared to those solutions?
In short, at the current state of the art, SIEMs often lack the full integration between the various components (endpoint response management, built-in orchestration) that the XDR model proposes. Vendors typically try to compensate for this by acquiring vertical solutions (SOAR in particular) and integrating them via APIs.
We should also highlight that many XDR proposals are aimed at acquiring information directly from the various systems (that is, telemetry) rather than collecting logs.
It is important, however, to remember that the collection and retention of logs is a highly relevant function for compliance and forensics: telemetry that an agent has already filtered or summarized cannot replace a verbatim, retained record when an incident has to be reconstructed or evidence has to be produced. Giving up log retention should therefore be evaluated carefully by the CSO/CISO in terms of the cost/benefit ratio.
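To make concrete both the analytics engine described in the XDR section (one engine correlating telemetry from every source) and the log-retention caveat just above, here is an added Python example. It is not code from the original article and does not represent any vendor's product: the three telemetry feeds, the field names, the detection thresholds, the five-minute window and the hash-chained retention store are all constructed assumptions for illustration. Each per-source rule is deliberately weak on its own; an incident is raised only when signals from at least two sources coincide for the same user, and every raw event is stored verbatim before analysis so it can be replayed later.

```python
# Added example, not the article's or any vendor's code: a toy XDR pipeline.
# All feeds, field names and thresholds below are constructed assumptions.
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed telemetry: alice's activity spans all three sources, bob only
# trips the noisy encoded-PowerShell rule on his endpoint.
ENDPOINT_EVENTS = [
    {"ts": "2021-03-01T10:00:05Z", "host": "ws-042", "user": "alice",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ts": "2021-03-01T11:30:00Z", "host": "ws-017", "user": "bob",
     "cmdline": "powershell.exe -enc UwBlAHQA"},
    {"ts": "2021-03-01T11:30:10Z", "host": "ws-017", "user": "bob",
     "cmdline": "excel.exe budget.xlsx"},
]
NETWORK_EVENTS = [
    {"ts": "2021-03-01T10:00:09Z", "host": "ws-042", "dst": "203.0.113.7", "bytes_out": 48_000_000},
    {"ts": "2021-03-01T11:31:00Z", "host": "ws-017", "dst": "198.51.100.20", "bytes_out": 12_000},
]
CLOUD_EVENTS = [
    {"ts": "2021-03-01T10:01:30Z", "user": "alice", "api": "s3:GetObject", "count": 1200},
    {"ts": "2021-03-01T11:35:00Z", "user": "bob", "api": "s3:GetObject", "count": 3},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sig(user, ts, source, name):
    return {"user": user, "ts": parse_ts(ts), "source": source, "name": name}


def detect_signals(endpoint, network, cloud):
    """Normalize source-specific events into signals keyed by user. Each rule
    alone is weak (admins also run encoded PowerShell); the value comes from
    joining them across sources in correlate()."""
    # Entity resolution: flows carry a host, cloud logs a user; the endpoint
    # feed maps host -> user (assumption: last seen wins).
    host_to_user = {e["host"]: e["user"] for e in endpoint}
    signals = []
    for e in endpoint:
        if "-enc" in e["cmdline"].lower():
            signals.append(sig(e["user"], e["ts"], "endpoint", "encoded_powershell"))
    for n in network:
        user = host_to_user.get(n["host"])
        if user and n["bytes_out"] > 10_000_000:
            signals.append(sig(user, n["ts"], "network", "large_egress"))
    for c in cloud:
        if c["api"] == "s3:GetObject" and c["count"] > 100:
            signals.append(sig(c["user"], c["ts"], "cloud", "bulk_object_read"))
    return signals


def correlate(signals, window=timedelta(minutes=5), min_sources=2):
    """Raise one incident per user when signals from at least `min_sources`
    distinct sources fall inside a sliding window; lone signals are held back,
    which is where the reduction in false positives comes from."""
    by_user = defaultdict(list)
    for s in signals:
        by_user[s["user"]].append(s)
    incidents = []
    for user, sigs in by_user.items():
        sigs.sort(key=lambda s: s["ts"])
        for i, anchor in enumerate(sigs):
            cluster = [s for s in sigs[i:] if s["ts"] - anchor["ts"] <= window]
            sources = {s["source"] for s in cluster}
            if len(sources) >= min_sources:
                incidents.append({"user": user, "first_seen": anchor["ts"],
                                  "sources": sorted(sources),
                                  "signals": [s["name"] for s in cluster]})
                break  # later signals for this user belong to the same incident
    return incidents


class RetentionLog:
    """Append-only, hash-chained store of raw events (assumed design): records
    are kept verbatim for replay, and editing any stored record breaks the chain."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []  # (prev_hash, record_json, entry_hash)

    def append(self, source, record):
        prev = self.entries[-1][2] if self.entries else self.GENESIS
        body = json.dumps({"source": source, "record": record}, sort_keys=True)
        self.entries.append((prev, body, hashlib.sha256((prev + body).encode()).hexdigest()))

    def verify(self):
        prev = self.GENESIS
        for stored_prev, body, h in self.entries:
            if stored_prev != prev or hashlib.sha256((prev + body).encode()).hexdigest() != h:
                return False
            prev = h
        return True


def run(endpoint=ENDPOINT_EVENTS, network=NETWORK_EVENTS, cloud=CLOUD_EVENTS):
    log = RetentionLog()
    for name, events in (("endpoint", endpoint), ("network", network), ("cloud", cloud)):
        for ev in events:
            log.append(name, ev)  # retain the raw record first, analyze second
    return correlate(detect_signals(endpoint, network, cloud)), log


if __name__ == "__main__":
    incidents, log = run()
    for inc in incidents:
        print(inc["user"], inc["first_seen"].isoformat(), inc["sources"], inc["signals"])
    print("retention chain intact:", log.verify())
```

Run as a script, it reports a single incident for alice (encoded PowerShell, large egress and bulk object reads within 85 seconds) while bob's lone encoded-PowerShell event is never escalated; the retention log keeps all seven raw events, and modifying any of them afterwards makes `verify()` fail. A real deployment would replace the dictionary lookups with a proper entity graph and the in-memory list with write-once storage, but the split is the same: the derived signals are what the engine reasons over, the verbatim records are what you keep.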
At the time of writing (Q1 2021), the XDR market is still immature in terms of organic offerings. Only a few start-ups are launching genuinely new products or services built around this concept, while the large majority of vendors, of both SIEM and endpoint security technologies, have "enthusiastically" embraced the new paradigm with differing implementations.
In light of the above, we can conclude that XDR is undoubtedly a current and valid response to the present panorama of cyber threats. Nevertheless, the main difficulty once again lies in the ability to manage such a quantity of data effectively, even when it is distilled and organized by the best technologies available. It is therefore highly recommended to evaluate this opportunity together with a team of professionals with proven experience of SOC assessment and management, since they are closest to the effective use of an XDR proposal.