The Emerging XDR Ecosystem
Security operations teams performing event triage, investigations, incident response or threat hunting are dealing with complexity in the SOC that is growing geometrically. Enterprise technology platforms are constantly changing: increasingly leveraging the cloud, shortening development times, and embedding IT services throughout an organization, all of which create an expanding and dynamic attack surface. Sophisticated, well-resourced attackers, armed with exploding compute power and automation, constantly shift tactics to exploit these new vulnerabilities. In triaging incidents, SOC analysts often cobble together a collection of “point solutions”, each of which provides insight into, and directs workflows on, a particular section of the attack surface. What is missing from this approach is the insight that comes from a holistic view across all telemetry: a data point that seems innocuous in isolation can be recognized as part of a pattern when it is combined with other data.
In the past, the only way to create this insight, and to integrate these workflows, was through highly skilled security analysts working across different products in the SOC. Putting a person in the middle of every workflow reduces efficiency, given the scarcity and cost of this particular human capital; it is neither a scalable nor an effective approach. The SIEM, which was created to be a “hive mind” correlating security data, does not provide adequate visibility into the modern enterprise, given its focus on log analysis rather than the broader set of telemetry and processes.
XDR is being positioned to solve this problem. XDR, or eXtended Detection and Response, provides a security analyst with an integrated set of previously disparate sources of security telemetry, analytics, and response tools with which to secure a modern enterprise.