Introducing the Security Operations Center (SOC)
Organizations both large and small require the means to rapidly identify attacks, protect their environments, detect attacks in a timely manner, respond in the event of an attack, and recover when necessary. For many organizations the SOC is central to this concept, providing a central clearing house of expertise and tooling that seeks to deliver deep and accurate insight across the computing environment.
It may be argued that a game-changer for many early SOCs was the development and growth of Endpoint Detection & Response (EDR) capabilities, which provided deep and accurate telemetry and with it the means to rapidly identify and respond to anomalous behavior on a system. Today, EDR is regarded as a bedrock of any SOC, and few organizations would downplay the significant benefits it brings in terms of security visibility.
Meanwhile, our cyber adversaries have continued to evolve and adapt. Despite the best efforts of defenders, and the tremendous value and capabilities of EDR and the other detective and preventative security tools in use, adversaries are finding ways to slip through undetected and remain in our critical systems for too long.
SOC teams generally rely on a ubiquitous set of tools: a SIEM/SOAR platform, Threat Intelligence (TI) feeds, EDR, and specialist tools to monitor and manage specific aspects of the computing environment, including whether critical vulnerabilities are present, corporate email and messaging systems, applications, the cloud environment, user access, and security controls such as firewalls. However, historically one critical domain of the computing environment was not generally monitored directly by the SOC: the network.
As a result, we are at the cusp of the next major evolution in SOC tooling: the emergence of XDR.
XDR (eXtended Detection & Response) builds on and extends the promise of EDR, providing the means for defenders to see deeply into the inner workings of an endpoint (and server), while extending that same level of visibility to other domains of the computing environment: the network and identity.
EDR gave sight of the breadcrumbs attackers leave on the endpoint. XDR gives sight of the breadcrumbs left as attacks traverse (or move laterally across) the network, communicate from the network to the internet, and probe for weaknesses in corporate systems including email, applications, and our virtual identities.
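As an added example (not code from the original article), the cross-domain stitching described above reduced to a small Python correlator: an incident is raised only when endpoint, network and identity telemetry all point at the same user within a time window. The three feeds, the hosts, users and the five-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): one endpoint, network and identity feed each.
EDR_EVENTS = [  # process telemetry from the endpoint agent
    {"ts": "2024-05-01T10:00:05", "host": "ws-17", "user": "jdoe", "parent": "winword.exe", "process": "powershell.exe"},
    {"ts": "2024-05-01T10:00:09", "host": "ws-17", "user": "jdoe", "parent": "powershell.exe", "process": "net.exe"},
    {"ts": "2024-05-01T10:02:00", "host": "ws-03", "user": "asmith", "parent": "explorer.exe", "process": "outlook.exe"},
]
NDR_EVENTS = [  # flow records from the network sensor
    {"ts": "2024-05-01T10:01:20", "src": "ws-17", "dst": "fs-02", "dport": 445},
    {"ts": "2024-05-01T10:03:00", "src": "ws-17", "dst": "203.0.113.9", "dport": 443},
]
IDENTITY_EVENTS = [  # authentication records from the identity provider / domain controller
    {"ts": "2024-05-01T10:01:25", "host": "fs-02", "user": "jdoe", "logon_type": 3},
]

def parse(ts): return datetime.fromisoformat(ts)
def within(ts, start, window): return start <= parse(ts) <= start + window

def correlate(edr, ndr, idp, window=timedelta(minutes=5)):
    """Stitch endpoint, network and identity breadcrumbs into per-user incidents.
    All three domains must contribute within `window` of the user's earliest endpoint
    event: a process chain on the source host, a flow from that host elsewhere, and a
    logon by the same user on a host other than the source. One feed alone never fires."""
    incidents = []
    for user in sorted({e["user"] for e in edr}):
        ep = sorted((e for e in edr if e["user"] == user), key=lambda e: parse(e["ts"]))
        t0 = parse(ep[0]["ts"])
        src_hosts = {e["host"] for e in ep}
        net = [n for n in ndr if n["src"] in src_hosts and within(n["ts"], t0, window)]
        ident = [i for i in idp if i["user"] == user and i["host"] not in src_hosts
                 and within(i["ts"], t0, window)]
        if not (net and ident):
            continue
        # Merge into one timeline so the analyst sees the whole path, not three separate alerts.
        timeline = sorted(
            [(e["ts"], "endpoint", f'{e["host"]}: {e["parent"]} -> {e["process"]}') for e in ep]
            + [(n["ts"], "network", f'{n["src"]} -> {n["dst"]}:{n["dport"]}') for n in net]
            + [(i["ts"], "identity", f'{i["user"]} logon type {i["logon_type"]} on {i["host"]}') for i in ident])
        incidents.append({"user": user, "hosts": sorted(src_hosts | {i["host"] for i in ident}), "timeline": timeline})
    return incidents

if __name__ == "__main__":
    for inc in correlate(EDR_EVENTS, NDR_EVENTS, IDENTITY_EVENTS):
        print(f'incident: user={inc["user"]} hosts={inc["hosts"]}')
        for ts, domain, detail in inc["timeline"]:
            print(f"  {ts} [{domain:8}] {detail}")
```

With the sample feeds the user asmith produces no incident because only the endpoint feed saw anything, while jdoe's activity on ws-17 is joined with the SMB flow to fs-02 and the network logon there into a single timeline.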
XDR: A Better SOC Analyst Experience
The modern SOC is built on XDR, deployed in conjunction with many of the technologies SOC teams already use, supportive of the proven processes already in place, and removing operational friction from the working environment.
XDR builds on the capabilities and techniques of EDR: deep and broad telemetry data capture, and AI/ML analytics across the data set assisted by human intelligence. XDR extends (the ‘X’ in XDR) telemetry capture to the network, container-based workload, cloud, email, and identity realms.
XDR offers the potential to improve the SOC Analyst Experience, removing friction from the analyst workflow as analysts triage, analyze, and respond to events. Such improvements will assist in reducing staff turnover, reducing analyst stress, and improving productivity and job satisfaction.
By combining Endpoint Detection & Response (EDR) and Network Detection & Response (NDR) with the ability to ingest other information sources and perform AI/ML-based analytics, XDR offers a pathway to a more efficient, modernized SOC: one which gives analysts the ability to see more, detect faster, respond with confidence, and ultimately stop more attacks.