Deep Dive into XDR and Cloud Security
Why XDR matters and how it is changing the cloud security landscape. #CloudSecurity, #CloudEngineering
59% of global security decision-makers say that their firm’s sensitive data was breached at least once in the past year, according to a Forrester report. Today I am diving into the cloud security space. One major development is XDR (Extended Detection and Response). Let's look at it in more detail. To do that, we first need to cover some basic concepts and terms.
What is XDR?
XDR (Extended Detection and Response) is the next evolution of endpoint detection and response (EDR). It is a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components. With a single console to view and act on threat data, XDR enables security teams to uncover hidden and advanced threats and to automate even complex, multi-step responses across their security technology stacks.
XDR Conceptual Architecture:
The three primary requirements of an XDR system are:
Centralization of normalized data, focused primarily on the XDR vendor's own ecosystem.
Correlation of security data and alerts into incidents.
A centralized incident response capability that can change the state of individual security products as part of incident response or security policy setting.
Extended Detection and Response Conceptual Architecture
The initial XDR focus is primarily on protecting end users and the apps and data they consume. However, the XDR concept can extend into data center protection, identity and access management, and secure access service edge product portfolios.
Does it replace the need for SIEM and SOAR?
The short answer is no, but it is important to understand how XDR is the next step in the evolution.
What is SIEM?
SIEM (Security information and event management) is a set of tools and services that enable analysts to review log and event data, understand and prepare for threats, and retrieve and report on log data.
What is SOAR?
A SOAR (Security orchestration, automation and response) platform enables a security analyst team to monitor security data from a variety of sources, and adds orchestration, automation, and integrations for response on top of the SIEM.
XDR (Extended Detection and Response) delivers threat detection and response capabilities anchored on the endpoint. This gives XDR the flexibility to optimize incoming telemetry for whatever provides the highest-efficacy detections, correlation, and potential actions in real time. XDR fills the void left by SIEM and SOAR rather than replacing them. While XDR offers organizations new security capabilities and enhanced protection, it cannot and should not fully replace SIEM or SOAR.
Comparing And Contrasting SIEM, SOAR, And XDR Capabilities
XDR incorporates automation throughout each stage of the incident response lifecycle to lower the barrier to entry for new analysts and to empower more experienced analysts.
Important features that XDR includes, or has on its roadmap:
Collects attack telemetry across tools and devices into a single incident alert. XDR uses the endpoint as an anchor for correlation, and enriches these endpoint detections with other relevant telemetry from security and business tooling collected in its data lake.
Uses security analytics to automate root-cause analysis, identifying the root cause of the attack before the analyst investigates.
Automates response recommendations into workflows.
Lowers the barrier to threat hunting and enables it across tools in a single place.
XDR can potentially improve operational security staff productivity by:
Converting a large stream of alerts into a much smaller number of incidents that need to be manually investigated.
Providing integrated incident response options that have the necessary context from all security components to resolve alerts quickly.
Providing response options that go beyond infrastructure control points.
Providing an automation capability for repetitive tasks.
Reducing training needs and leveling Tier 1 support by providing a common management and workflow experience across security components.
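The endpoint-anchored correlation described under the features above, and the alert-to-incident reduction listed here, as an added Python example that is not part of the original post. The three tool schemas, the hostnames, the timestamps and the 10-minute correlation window are all constructed assumptions, not any vendor's format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three tools with different schemas (EDR,
# IAM sign-in telemetry, network IPS). Hostnames and times are made up.
RAW_ALERTS = [
    {"src": "edr", "host": "ws-042", "ts": "2024-03-01T10:00:05", "detail": "suspicious script"},
    {"src": "iam", "device": "ws-042", "time": "2024-03-01T09:58:40", "user": "jdoe", "event": "mfa_fail"},
    {"src": "ips", "endpoint": "ws-042", "when": "2024-03-01T10:01:10", "sig": "outbound beacon"},
    {"src": "edr", "host": "ws-077", "ts": "2024-03-01T14:30:00", "detail": "credential access"},
    {"src": "ips", "endpoint": "ws-099", "when": "2024-03-01T11:00:00", "sig": "port scan"},
]

def normalize(alert):
    """Map each tool's own field names onto one common schema keyed on the endpoint."""
    host = alert.get("host") or alert.get("device") or alert.get("endpoint")
    ts = alert.get("ts") or alert.get("time") or alert.get("when")
    return {"source": alert["src"], "endpoint": host,
            "time": datetime.fromisoformat(ts), "raw": alert}

def correlate(alerts, window=timedelta(minutes=10)):
    """Group normalized alerts into incidents. The endpoint is the anchor: an EDR
    detection opens an incident, and other tools' alerts for the same host join it
    only if they fall within `window` of that detection. Hosts with no EDR detection
    produce no incident, so their alerts stay in the raw queue."""
    by_host = defaultdict(list)
    for a in map(normalize, alerts):
        by_host[a["endpoint"]].append(a)
    incidents = []
    for host, events in by_host.items():
        anchors = [e for e in events if e["source"] == "edr"]
        if not anchors:
            continue
        members = [e for e in events
                   if any(abs(e["time"] - an["time"]) <= window for an in anchors)]
        incidents.append({"endpoint": host,
                          "sources": sorted({e["source"] for e in members}),
                          "alert_count": len(members),
                          "users": sorted({e["raw"]["user"] for e in members if "user" in e["raw"]})})
    return incidents

def recommend_response(incident):
    """Turn the incident's correlated context into a response playbook: the more
    sources agree, the stronger the containment step suggested."""
    steps = ["open ticket", "collect endpoint triage package"]
    if "ips" in incident["sources"]:
        steps.append("isolate host from network")
    for user in incident["users"]:
        steps.append(f"force credential reset for {user}")
    return steps
```

On the five constructed alerts, `correlate(RAW_ALERTS)` yields two incidents: ws-042 with all three sources (and a credential-reset step for the IAM user), and ws-077 with its lone EDR detection, while the ws-099 port scan never becomes an incident because nothing on the endpoint anchors it.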
Happy investing, @anandkhatri
Acronyms:
XDR: Extended Detection and Response
SIEM: Security information and event management
SOAR: Security orchestration, automation and response
EDR: endpoint detection and response
IAM: Identity Access Management
API: Application Programming Interface
DLP: Data Loss Prevention
CASB: Cloud Access Security Broker
IPS: Intrusion Prevention System
NTA: Network Traffic Analysis