Security / May 17, 2022

Engineer’s Take on eXtended Detection and Response

Search “Is XDR a product,” and you’ll quickly see paid ads from security vendors for their XDR products. Below those, you’ll see vendor pages targeting the top 20 keyword searches related to XDR. So “XDR” is a product, right? In a word, no.

Almost every industry analyst I speak with says XDR is a marketing tactic used by security vendors. I venture to say security teams are smart enough to know better. XDR is not a product, and do not let vendors tell you otherwise.

XDR Defined

As defined by the XDR Alliance, “XDR stands for Extended Detection and Response. It provides a simple, threat-centric approach to threat detection, investigation, and response (TDIR) using the data and capabilities from security products like endpoint, network, cloud, and more.”

While the XDR Alliance is composed of security and information technology providers, even they do not call XDR a product. Instead, they describe it as an approach or framework security teams can adopt, using data and capabilities from various security products to improve security postures and reduce the impact of cyberthreats.

So now that we’ve established that XDR is a framework and not a product, let’s dive into some questions we hear about XDR.

Q: What are the benefits of XDR?

A: An XDR framework shortens detection and response time. Full stop. It can identify adversary behaviors earlier in the attack lifecycle and show how far those behaviors have spread inside an organization. With that knowledge you can not only act more quickly but act comprehensively, covering every affected host and account rather than only the one that raised the alert. As the XDR Alliance puts it, XDR is needed because “building an effective TDIR [threat detection, investigation, and response] workflow has become incredibly complex. It involves identifying and integrating dozens of best-in-class products into a functional security framework.”

Q: What technologies make up XDR?

A: XDR consists of any technology that provides telemetry security teams can use for detection validation, threat hunting, and incident investigation. At the heart of an XDR framework is a rich set of telemetry at the security team’s fingertips, with tools that let analysts search it, correlate it across sources, and draw conclusions from it.

For clarity, log data alone is not a rich set of telemetry: a log line records that an event occurred but carries little of the context around it. For this reason, network detection and response (NDR) and endpoint detection and response (EDR) together form the backbone of what security teams need for their XDR framework. Best-in-class NDR products provide L2–L7, near-PCAP-level metadata for all observed network traffic from any device, including devices that cannot run an agent. Best-in-class EDR products provide process-, execution-, and memory-level metadata for activity on an endpoint where an agent is installed.

Other examples of XDR technologies include email security products, identity and access management (IAM) visibility solutions, and cloud security visibility solutions that provide rich telemetry for every email, login, or transaction.

The remaining components of an XDR framework are the ability to serve as a data lake for that telemetry, robust investigation tools, support for root-cause analysis, investigation workflows, and recommended response actions. Best-in-class NDR, EDR, and next-generation SIEM/log aggregation/SOAR solutions can all contribute to these capabilities.

Q: Are there types of XDR technologies?

A: We must be careful here: saying there are “types of XDR technologies” suggests XDR is a product rather than a framework. There are, however, different ways an organization can acquire technology to support its XDR framework. Forrester describes two: 1) native XDR and 2) hybrid XDR.

Native XDR technologies integrate tools within a single vendor’s portfolio first. In theory this brings cost savings and tighter integration, but it also locks a security team into that vendor’s technology, which may not be best of breed for every component. In contrast, hybrid XDR technologies are built from best-of-breed products (such as NDR and EDR) from different vendors, but these may not be as tightly integrated, leaving the security team to build or maintain the connections between them.

Q: What is required to implement a successful XDR framework?

A: A successful XDR framework must look inward at the organization’s own network and device activity for behaviors indicative of an adversary’s presence. As such, the minimum requirements are to capture rich network, endpoint, email, and cloud telemetry and to retain it long enough to reconstruct an intrusion that may have begun weeks or months before it was detected.

For clarity, an XDR framework needs richer contextual telemetry than log data alone. For example, network flow records that capture only L2–L3 activity (who talked to whom, when, and how many bytes) will not suffice. You need full L2–L7 network metadata (near PCAP level) that includes details like the entire HTTP request, so security professionals have the context at their fingertips to understand what the attacker is doing.
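To make the flow-record versus L7-metadata distinction concrete, here is an added example (not Gigamon code, and not from any NDR product) that models the same three connections twice: once as the L3/L4 fields a flow record carries, and once as the HTTP request metadata an NDR extracts from the packets. The records, IP addresses, and the two hunting heuristics are constructed for illustration; the point is that the flow view can only say "this host keeps talking to that IP on port 80," while the L7 view can say what was asked for and by what client.

```python
"""Flow records (L2-L3) versus L7 HTTP metadata for the same traffic.
Added example with constructed data; heuristics are illustrative, not vendor signatures."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FlowRecord:
    """What a NetFlow/IPFIX-style record gives you: endpoints, port, volume."""
    ts: float
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    bytes_out: int


@dataclass(frozen=True)
class HttpRecord:
    """L7 metadata an NDR extracts from the same packets: the request itself."""
    ts: float
    src_ip: str
    dst_ip: str
    dst_port: int
    method: str
    host: str
    uri: str
    user_agent: str
    status: Optional[int] = None


# Constructed sample: three sessions from one workstation. Session 1 is a normal
# browser fetch; sessions 2 and 3 are repeated POSTs to a bare IP.
FLOWS = [
    FlowRecord(1.0, "10.0.0.5", "93.184.216.34", 80, "tcp", 612),
    FlowRecord(2.0, "10.0.0.5", "198.51.100.7", 80, "tcp", 598),
    FlowRecord(3.0, "10.0.0.5", "198.51.100.7", 80, "tcp", 601),
]
HTTP = [
    HttpRecord(1.0, "10.0.0.5", "93.184.216.34", 80, "GET", "www.example.com", "/",
               "Mozilla/5.0 (Windows NT 10.0) Firefox/100.0", 200),
    HttpRecord(2.0, "10.0.0.5", "198.51.100.7", 80, "POST", "198.51.100.7", "/api/v1/check",
               "Mozilla/4.0 (compatible; MSIE 6.0)", 200),
    HttpRecord(3.0, "10.0.0.5", "198.51.100.7", 80, "POST", "198.51.100.7", "/api/v1/check",
               "Mozilla/4.0 (compatible; MSIE 6.0)", 200),
]


def is_raw_ip(host: str) -> bool:
    """True when the HTTP Host header is a literal IP rather than a name."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def hunt_flows(flows: List[FlowRecord]) -> List[Tuple[str, int]]:
    """The most a flow record supports: repeated contacts to one destination with
    near-identical sizes, a weak beaconing signal. It cannot say what was sent."""
    sizes: Dict[Tuple[str, int], List[int]] = {}
    for f in flows:
        sizes.setdefault((f.dst_ip, f.dst_port), []).append(f.bytes_out)
    return sorted(k for k, s in sizes.items() if len(s) > 1 and max(s) - min(s) <= 16)


def hunt_http(records: List[HttpRecord]) -> List[Dict]:
    """Questions that need the request itself: a POST to a bare-IP Host header, or a
    user agent no current browser sends. Each finding carries the evidence an
    analyst would pivot on next."""
    findings = []
    for r in records:
        reasons = []
        if r.method == "POST" and is_raw_ip(r.host):
            reasons.append("POST to bare-IP Host header")
        if "MSIE 6.0" in r.user_agent:
            reasons.append("legacy user agent")
        if reasons:
            findings.append({
                "ts": r.ts,
                "src": r.src_ip,
                "dst": f"{r.dst_ip}:{r.dst_port}",
                "request": f"{r.method} {r.uri} Host={r.host}",
                "user_agent": r.user_agent,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    print("flow view:", hunt_flows(FLOWS))
    for f in hunt_http(HTTP):
        print("L7 view:", f["request"], f["reasons"])
```

Both hunts flag the same destination, but only the L7 findings tell the analyst what to look at next: the URI to search for across other hosts, and the user agent to search for on the endpoint.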

A more robust XDR framework will take advantage of advanced detection techniques, hunting tools, and investigative tools native to those network, endpoint, email, and cloud solutions (for example, NDR and EDR solutions).

Q: What skills should be in place to benefit from an XDR framework?

A: An XDR framework thrives when organizations invest in incident response teams, processes, and technology. Blue or purple teams that think like adversaries and understand the tactics, techniques, and procedures (TTPs) adversaries use are especially important.

Their instinctive curiosity and knowledge, coupled with robust telemetry, enable faster extended detection and response. However, as organizations build blue and purple teams for XDR, those teams also benefit from technology vendors who staff expert security analysts and incident responders who can provide guidance during high-pressure incidents.

Q: How should an enterprise best go about implementing XDR?

A: Start by combining an NDR and an EDR solution to achieve extensive visibility into your network and device activity. Some NDRs and EDRs have their own data lake and robust integrations, so their combined offering can meet your data lake and correlation requirements. If you want more incident response capability, augment your NDR and EDR with a SOAR solution to provide combined playbooks for incident response. Lastly, layer in email, IAM, and cloud telemetry to round out your visibility into the behaviors adversaries take.
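The steps above (NDR plus EDR, correlation, then a playbook) are what the following added example does in miniature. It is not Gigamon code or any product's integration; the event shapes, field names, two-second clock-skew window, and "user-writable path" list are assumptions chosen for illustration, and the events are constructed. It joins a network sensor's HTTP records to the endpoint agent's "process opened a connection" events on the connection tuple and time, so the wire-level observation gains a hostname, process, and user, and then drives a response decision from the joined record, including the case where the network saw something no agent did.

```python
"""Correlating NDR and EDR telemetry on the connection tuple, then choosing a
response action as a SOAR playbook would. Added example with constructed data."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class NdrHttp:
    """One HTTP request as L7 metadata from a network sensor."""
    ts: float
    src_ip: str
    dst_ip: str
    dst_port: int
    method: str
    host: str
    uri: str


@dataclass(frozen=True)
class EdrNetConn:
    """'Process opened a network connection' event from an endpoint agent
    (Sysmon event ID 3 carries comparable fields)."""
    ts: float
    hostname: str
    src_ip: str
    dst_ip: str
    dst_port: int
    pid: int
    image: str
    user: str
    signed: bool


# Constructed sample: two POSTs seen on the wire from two hosts; only the first
# host has an agent, and its matching event is an unsigned binary in AppData.
NDR = [
    NdrHttp(100.0, "10.0.0.5", "198.51.100.7", 80, "POST", "198.51.100.7", "/api/v1/check"),
    NdrHttp(140.0, "10.0.0.9", "198.51.100.7", 80, "POST", "198.51.100.7", "/api/v1/check"),
]
EDR = [
    EdrNetConn(99.4, "WS-ALICE", "10.0.0.5", "198.51.100.7", 80, 4120,
               r"C:\Users\alice\AppData\Roaming\updater.exe", "CORP\\alice", False),
    EdrNetConn(100.3, "WS-ALICE", "10.0.0.5", "93.184.216.34", 443, 2216,
               r"C:\Program Files\Mozilla Firefox\firefox.exe", "CORP\\alice", True),
]

WINDOW_S = 2.0  # assumed tolerance for clock skew between the two sensors
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def correlate(ndr: List[NdrHttp], edr: List[EdrNetConn], window: float = WINDOW_S) -> List[Dict]:
    """Attribute each network request to the endpoint process that opened the same
    src/dst/port within `window` seconds; endpoint fields are None when no agent saw it."""
    incidents = []
    for n in ndr:
        matches = [e for e in edr
                   if (e.src_ip, e.dst_ip, e.dst_port) == (n.src_ip, n.dst_ip, n.dst_port)
                   and abs(e.ts - n.ts) <= window]
        e = min(matches, key=lambda m: abs(m.ts - n.ts)) if matches else None
        incidents.append({
            "ts": n.ts,
            "src_ip": n.src_ip,
            "dst": f"{n.dst_ip}:{n.dst_port}",
            "request": f"{n.method} {n.uri} Host={n.host}",
            "hostname": e.hostname if e else None,
            "process": e.image if e else None,
            "pid": e.pid if e else None,
            "user": e.user if e else None,
            "signed": e.signed if e else None,
        })
    return incidents


def playbook(incident: Dict) -> str:
    """Pick the response action from the joined record. Thresholds are illustrative;
    a real playbook would also weigh intel hits and how many hosts show the behavior."""
    if incident["process"] is None:
        # The network saw it but no endpoint did: unmanaged host or dead agent.
        return f"escalate: no EDR attribution for {incident['src_ip']}; verify agent coverage"
    in_user_path = any(p in incident["process"].lower() for p in USER_WRITABLE)
    if not incident["signed"] or in_user_path:
        return (f"isolate {incident['hostname']}; kill pid {incident['pid']}; "
                f"block {incident['dst']}; reset credentials for {incident['user']}")
    return "triage: signed binary from a system path, low priority"


def run() -> List[str]:
    """Correlate the sample data and return one action per network request."""
    return [playbook(i) for i in correlate(NDR, EDR)]


if __name__ == "__main__":
    for inc, action in zip(correlate(NDR, EDR), run()):
        print(inc["request"], "from", inc["src_ip"], "->", action)
```

The second request is the case that makes the NDR half of the pairing worth having: the endpoint telemetry is silent for 10.0.0.9, so without the network record that host would never appear in the incident at all, and the playbook turns the gap itself into an action.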

Q: How does Gigamon ThreatINSIGHT play into an XDR framework?

A: Gigamon ThreatINSIGHT Guided-SaaS NDR is a fantastic solution for building out your XDR framework, as it provides unparalleled visibility, detection, and incident response capabilities.

Here are some reasons why:

  • Visibility: ThreatINSIGHT provides robust L2–L7 visibility for both cloud and core networks in the form of near-PCAP-level metadata that is indexed and searchable. Further, ThreatINSIGHT is the only NDR that includes retention of the network metadata for 365 days (most NDRs max out at 30 days). Lastly, ThreatINSIGHT enhances the metadata with enrichment data such as threat intelligence, passive DNS (PDNS), and WHOIS contextual information.
  • Detection: ThreatINSIGHT provides precise threat detection of adversary activities and behaviors aligned to the MITRE ATT&CK framework. By using proprietary threat intelligence, behavioral analytics, machine learning, and human intelligence, ThreatINSIGHT brings to light adversary activity for XDR framework personnel to investigate.
  • Incident Response: ThreatINSIGHT provides a rich set of tools designed to help security teams investigate threats, hunt for actors, and build a robust understanding of what an attacker has done in their network so you can effectively respond to attacks. ThreatINSIGHT tools include hunting and investigative playbooks, guided next steps, parallel hunting/searches so teams can work in concert, and robust advanced query capabilities with quick pivots of contextual evidence.
