On June 9, 2021 Noord hosted a virtual boardroom in association with Secureworks. The event consisted of a presentation by Gavin Hill, VP Product Marketing at Secureworks, followed by a discussion among senior IT professionals on extended detection and response (XDR).
Reasons for attending and key challenges
Participants had a range of expertise, from secure innovations and cloud security architecture to cyber risk and compliance, and represented the healthcare, finance, hospitality, airline and aerospace sectors.
Attendees were at various stages of their security journey, with some stating that they had an immature security posture and others having rolled out Office 365, Azure and DevOps at scale. Many mentioned that they wanted to understand the differences between extended detection and response (XDR), endpoint detection and response (EDR) and managed detection and response (MDR), feeling that marketing spiel created obscurity around the various offerings available. Other key challenges included aligning innovations with corporate strategy and mitigating insider threats.
Gavin then delivered a presentation on XDR. According to a survey conducted by Secureworks in collaboration with ESG, companies’ top security challenges are visibility, complexity and response. While security information and event management (SIEM) has promised to identify blind spots, reduce noise and alert fatigue and simplify detection and response to complex attacks, it is not effective at detecting unknown threats, takes up valuable time and resources and requires the expertise of cybersecurity analysts. In some cases, XDR can be used to replace SIEM altogether, and in others it can augment it. In fact, 76% of respondents would reduce or phase out SIEM based on XDR’s ability to improve detection and response.
Gavin noted that the technology industry is converging on a few key components: threat detection and response; endpoint detection and response (EDR); and next-generation SIEM. The latter is moving toward business and IT analytics, log management and compliance. EDR, for its part, focuses on a single security control, whereas XDR looks at the whole attack.
The three main approaches to XDR are endpoint-focused, compliance- and risk-focused, and threat-focused. In particular, a threat-focused approach provides in-depth coverage across the cloud, network and endpoint and can stop attacks before they occur by providing vendors with an understanding of the ways in which adversaries plan their attacks.
In terms of key considerations, organisations should evaluate their current SIEM investment – including its benefits for their security posture – as well as improve their incident investigation maturity. They should consider IT and threat hunting as must-haves, reduce the attack surface with vulnerability management and pave the path towards XDR, while remaining mindful that MDR is not tantamount to managed EDR.
Security priorities: looking ahead
Participants were asked to state their top priorities in relation to their organisation’s security posture over the next 12 months. One attendee noted that they were building out their SIEM and looking at workflow and automation tools. In terms of threat detection and response, one of their key challenges concerned the data within the feedback loop; they noted that it was difficult to interrogate whether there was truly full coverage and whether detection controls were functioning properly, including whether true positives were being missed. In this connection, Gavin underscored the importance of correlating single events to establish the chain of events leading up to an attack.
Another attendee said that they were building out their SIEM via the Splunk platform, which offered good out-of-the-box functionality for password sprays and allowed organisations to replicate attacks. However, developing threat awareness remained a challenge.
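The correlation Gavin described, turning single events into a chain, is illustrated below with a password-spray case as an added example; it is not code from Secureworks, Splunk or the original discussion, and it assumes a constructed key=value authentication log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (assumed format, not a real product log).
# 203.0.113.7 fails against five different accounts, then succeeds as one of them.
# 198.51.100.2 fails twice against one account: not a spray, so no finding.
EVENTS = [
    "2021-06-09T08:00:01 src=203.0.113.7 user=alice result=FAIL",
    "2021-06-09T08:00:03 src=203.0.113.7 user=bob result=FAIL",
    "2021-06-09T08:00:05 src=203.0.113.7 user=carol result=FAIL",
    "2021-06-09T08:00:07 src=203.0.113.7 user=dave result=FAIL",
    "2021-06-09T08:00:09 src=203.0.113.7 user=erin result=FAIL",
    "2021-06-09T08:02:30 src=203.0.113.7 user=dave result=SUCCESS",
    "2021-06-09T08:01:00 src=198.51.100.2 user=alice result=FAIL",
    "2021-06-09T08:01:02 src=198.51.100.2 user=alice result=FAIL",
    "2021-06-09T08:01:04 src=198.51.100.2 user=alice result=SUCCESS",
]

def parse(line):
    """Split one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def correlate(lines, min_users=5, window=timedelta(minutes=5)):
    """Return one finding per source that failed against at least min_users
    distinct accounts inside `window`; any later SUCCESS from the same source
    is attached as the next link in the chain (a likely compromised account)."""
    events = sorted((parse(ln) for ln in lines), key=lambda r: r["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in burst}
            if len(users) >= min_users:
                start = first["ts"]
                follow = [e for e in evs if e["result"] == "SUCCESS" and e["ts"] >= start]
                findings.append({
                    "src": src,
                    "spray_start": start.isoformat(),
                    "users_targeted": sorted(users),
                    "compromised": sorted({e["user"] for e in follow}),
                })
                break  # one finding per source is enough for the chain
    return findings
```

Each failure on its own is noise; only the grouping by source and the link to the later success turns them into a single story worth an analyst's time.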
A representative from the financial sector noted that none of the technological solutions were joined up, which created a complex picture to interpret. However, another noted the cost-benefit attached to using multiple products, such as Office 365 E5, especially for small teams. Other challenges cited were a lack of in-house expertise or budgetary resources, alert fatigue and the human element to attacks, whether coercive, criminal or ignorance-based.
A few participants noted that they still need to lay the basic building blocks, with one attendee noting that some platforms, while purporting to solve a whole host of security challenges in one fell swoop, simply hampered organisations’ security strategies in the long run. In that respect, it was agreed that there is no magic bullet, but that organisations need to build a cohesive strategy which is tailored to their needs and priorities.
Integrating security analytics
When asked about the importance they attached to integrating security analytics from other tools, one participant noted that the challenge lay in pulling together all the strands to ensure real-time visibility. While some processes could be automated, others required the right people to make the right call, as opposed to mere reliance on out-of-the-box solutions which claim to work wonders.
Another noted that they planned to integrate security analytics, although the exact approach they would take was unclear and the project required some preliminary design work and thinking.
XDR versus SIEM
Gavin noted that using SIEM for threat detection and response is fairly manual and requires security teams to write rules and ensure continuous improvement. In comparison, while XDR is not a magic bullet, it has been designed to improve security efficiency when it comes to correlating threat intel signals across multiple security solutions.
One attendee noted that in their experience of using third-party SIEM, there had been gaps in data and failings in its operation, which raised questions about the organisation’s response to incidents which take place out of working hours and how the organisation can ensure that all events are being fed into the system without complete ownership of all its components. The organisation in question faced added complexity as it is heavily regulated and has to send and receive data between different countries.
MDR and CSPM
There was a brief discussion on the use of MDR to augment or replace skill sets for out-of-hours response and the use of cloud security posture management (CSPM) to enhance cloud security posture.
In terms of closing remarks, one participant stated that the more organisations can do to leverage any of the tools discussed, the better. Moreover, there is always a fine balance to be struck between relying on automation and ensuring that there is adequate focus on experts who can step in when the technology is not working well.