History has a funny way of repeating itself. When endpoint threat detection and response solutions (which we now know as EDR) first emerged on the market a decade ago, they were seen as the answer to the poor detection rates of anti-virus (AV) solutions. Today, the pendulum has swung to the other end of the spectrum; a common complaint about EDR solutions is the “alert fatigue” produced by too many false positives.
The introduction of EDR solutions was intended to address the rise in sophisticated cyberattacks, which can be characterized by their ability to escalate privileges, move laterally, and establish persistence. However, no single solution can detect or prevent all threat vectors.
Essentially, sophisticated cyberattacks can hide their suspicious activities in the blind spots of EDR solutions or in the sea of false positives they generate. The larger issue, however, is that not all assets on a network can even install EDR. OT, ICS, IoT and IoMT devices are typically “un-agentable.”
Consequently, organizations have turned to extended detection and response (XDR) solutions to help, but unless they focus on gaining comprehensive visibility into all devices on their network and integrating across security solutions, then they run the risk of history continuing to repeat itself.
Extend XDR Beyond Networks, Servers, and Cloud Environments
EDR marked a change in basic assumptions from the signature-based detection of AV to a focus on behavioral analytics, but the threat landscape has continued to evolve beyond the endpoint. As organizations have adopted digital transformation initiatives, such as cloud migration, IT/OT convergence, and remote work, cybercriminals have adopted multi-pronged strategies, targeting these diverse attack vectors across the digital ecosystem.
Whereas EDR solutions were only ever intended to protect the endpoint, XDR solutions are intended to protect networks, cloud environments, email gateways, and beyond by aggregating insights from across the extended enterprise. Think of XDR as a conductor, orchestrating the efforts of various instruments in harmony.
Unfortunately, many XDR solutions are a few instruments short of a symphony. These XDR solutions have extended EDR to monitor networks, servers, and the cloud, but they lack visibility into IT/OT networks, IoT devices, and other unmanaged devices. True extensibility should protect all connected devices across the entire enterprise, including cloud, on-premises, remote, and data center environments.
Organizations should avoid closed (or native) XDR solutions that require a vendor’s entire tech stack so that they can leverage telemetry from any vendor’s security tools. XDR should remain vendor-agnostic, regardless of which EDR solution an organization has deployed. By integrating threat intelligence, automated workflows, and real-time analytics, XDR empowers organizations to proactively neutralize threats before they can inflict substantial damage – but only if they are open and comprehensive.
Increase Operational Efficiency
Mean-time-to-detection (MTTD) and mean-time-to-response (MTTR), which measure how long it takes an organization to discover and fix a security incident, are two key metrics for any security operations center (SOC). Unfortunately, the complexity of threat detection and response can cause these metrics to lag.
A typical security analyst needs to become proficient with EDR, security information and event management (SIEM), security orchestration, automation, and response (SOAR), user and entity behavior analytics, (UEBA), threat intelligence platforms (TIP, security analytics, and often a variety of open-source tools. Each of these solutions plays its part, but without integration and automation between them, analysts can spend hours wading through false positives and even longer responding to a single threat, losing valuable insight as they switch between solutions.
The solution is for XDR to normalize data and enrich it with user info, IP attribution, geolocation, critical asset information, and other analytics that can be used for threat detection and incident response. Likewise, detection engines should be fortified with a combination of signature-based detection, UEBA, cyber intelligence, statistics, and context-aware AI/ML to generate high-fidelity, high-confidence threat detection with minimal false positives.
Planning for the Future with XDR
The security industry has gone from EDR solutions monitoring the endpoint to XDR solutions monitoring the network, servers, and cloud. Just as the challenge of AV solutions providing poor detection was replaced by the challenge of EDR solutions providing too many false positives, today’s challenge of EDR solutions not providing enough visibility could be replaced by the challenge of XDR solutions providing too much complexity (and yet still not enough visibility).
Organizations need to ensure that their XDR solutions can provide comprehensive visibility across all devices on their network while simultaneously streamlining interoperability across their tech stack. As organizations increasingly embrace AI, it is imperative that they can provide an authoritative source of high-fidelity data.
Finally, organizations should consider becoming more proactive about threat detection and response by extending the focus of their risk management. Just as XDR extended the focus of EDR, risk management should extend beyond vulnerability management to discover risks and exposures such as misconfigurations as well. But organizations can only begin to achieve these sorts of secondary benefits if they put more initial focus on gaining comprehensive visibility into all devices on their network.
As Chief Technology Officer (CTO) at Forescout, Justin Foster leads the product vision, research, data science and thought leadership teams at Forescout. He brings over 20 years of experience in information security, encompassing server security, cloud security, network security, security analytics and encryption. Previously, he had been the CTO and Co-founder of Cysiv, a SOC as a Service provider.
