Karl Freundsberger, Country Manager Austria at Fortinet, describes how a new security concept automates and thus simplifies the detection and analysis of, and response to, cyber attacks in the company, and what matters when choosing the right XDR solution. […]
Cyber attacks are becoming more sophisticated and diverse. For security and IT teams in companies, this means headaches and a lot of work, especially when a colorful hodgepodge of different, isolated security tools from different vendors is in use. The result: thousands of alerts have to be evaluated every day, and usually manually.
It is therefore not surprising that in a 2017 survey by Forrester, almost half of security managers described the “complexity of their environment as one of the biggest challenges in the field of security”.
XDR comes into focus
A new security concept that attracts the attention of cybersecurity experts is Extended Detection and Response, or XDR for short. Gartner defines XDR as “a security incident detection and response platform that automatically collects and correlates data from multiple security solutions.”
XDR thus stands for a new security paradigm in which individual security controls see, exchange and correlate data as part of a coordinated security platform. Threats are detected more effectively, and a coordinated response can then follow that covers the entire attack surface.
Not all XDR is the same
The idea of having different technologies work together as a single, integrated system offers great benefits for detecting and responding to threats. That is why the range of XDR solutions available on the market is growing.
But not every XDR solution handles every challenge equally well. For XDR to be effective, broad coverage of the attack surface must be ensured, deep integration must occur, and the focus must be directed to all three steps – detection, analysis, and response.
1. Advanced detection: The simplest of the three steps: collect data holistically and across systems. The XDR solution needs to be able to “suck” data out of the entire enterprise and then condense it into a smaller amount of detailed information about potential incidents. The more attack vectors for which threat telemetry is available, the more likely an active threat is to be detected.
2. Advanced analysis: As soon as a potential incident is detected, an investigation must take place. Is it a real threat or a false alarm? Is this an indication of a greater threat? If so, what is its scale?
The background to these questions: nowadays, many cyber attacks are built in several stages. Components disappear as soon as they have fulfilled their function. Just because certain indicators that triggered an alert are no longer visible does not mean that the company is off the hook.
Most XDR solutions outsource this valuable correlation step to the security team. And again the instruction is: investigate manually. But given the volume of alerts generated, many security departments simply do not have the resources to investigate every potential incident. A detailed investigation takes time, and time is something many companies do not have.
Artificial intelligence (AI) helps here and automates. XDR systems with AI should be able to identify the context of a potential incident, conduct a thorough investigation, identify the nature and scope of the incident, and ideally provide enough detail to accelerate the response. And all this in seconds.
3. Advanced response: To defuse an incident, verification and validation must trigger an effective response. Therefore, the XDR solution must first be able to mobilize as many resources as possible to enable an effective and coordinated response based on the overall scale of the attack. Second, the response must be predefined and repeatable – not only to make it more efficient, but also to intervene at every step of an ongoing attack. And third, it must be able to close the gaps in the existing security framework that allowed the threat to gain access to the network.
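The three steps above, carried through on constructed telemetry as an added example (not code from the article or from Fortinet): alerts from three isolated tools are collected, condensed into incidents by shared host or user within a time window (so a multi-stage chain is kept together even after the first indicator is gone), assessed for scale, and mapped to a predefined, repeatable playbook. Source names, hosts, users and playbook actions are all hypothetical.

```python
from datetime import datetime, timedelta

# Constructed alerts from three separate tools (hypothetical names and hosts).
ALERTS = [
    {"src": "email_gw", "ts": "2024-01-10T09:00:00", "host": "ws-17", "user": "alice", "sig": "malicious attachment"},
    {"src": "edr", "ts": "2024-01-10T09:03:00", "host": "ws-17", "user": "alice", "sig": "office spawns script host"},
    {"src": "firewall", "ts": "2024-01-10T09:05:00", "host": "ws-17", "user": None, "sig": "outbound to known C2"},
    {"src": "edr", "ts": "2024-01-10T09:40:00", "host": "srv-db", "user": "alice", "sig": "remote logon from ws-17"},
    {"src": "firewall", "ts": "2024-01-11T14:00:00", "host": "ws-42", "user": None, "sig": "port scan blocked"},
]

WINDOW = timedelta(hours=1)  # how long a chain may stay open between stages

# Predefined, repeatable response per incident scale (step 3): hypothetical actions.
PLAYBOOK = {
    1: ["quarantine_host"],
    2: ["quarantine_host", "disable_user", "block_c2_destination"],
}


def correlate(alerts, window=WINDOW):
    """Step 1: condense raw alerts into incidents linked by shared host or user."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        for inc in incidents:
            shared = a["host"] in inc["hosts"] or (a["user"] and a["user"] in inc["users"])
            if shared and ts - inc["last"] <= window:
                inc["alerts"].append(a)
                inc["hosts"].add(a["host"])
                if a["user"]:
                    inc["users"].add(a["user"])
                inc["sources"].add(a["src"])
                inc["last"] = ts
                break
        else:  # no open incident shares an entity: start a new one
            incidents.append({"alerts": [a], "hosts": {a["host"]}, "sources": {a["src"]},
                              "users": {a["user"]} if a["user"] else set(), "first": ts, "last": ts})
    return incidents


def assess(inc):
    """Step 2 and 3: is it real, how big is it, and which predefined response applies?"""
    multi_source = len(inc["sources"]) >= 2       # corroborated by more than one tool
    scale = 2 if len(inc["hosts"]) >= 2 else 1    # spread beyond the first host?
    verdict = "confirmed" if multi_source else "needs_review"
    return {"verdict": verdict, "scale": scale, "stages": len(inc["alerts"]),
            "hosts": sorted(inc["hosts"]), "actions": PLAYBOOK[scale] if verdict == "confirmed" else []}
```

Running `assess` over `correlate(ALERTS)` folds the four alerts from the first morning into one confirmed, scale-2 incident spanning ws-17 and srv-db, while the lone port-scan alert a day later stays a single unconfirmed item for review.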
So what is important when choosing the right XDR solution?
The first question companies need to clarify is whether the solution will really improve their own security posture. A sound purchase decision requires an understanding of what an XDR solution covers and what it does not, as well as what it can and cannot do.
Next, the question is how much it will reduce the overhead. This can be answered by comparing its functions and requirements, such as the investigation of alerts, with existing technologies and resources.
Finally, it is important to ask whether the solution will support future network innovations. To do this, organizations need to determine whether the XDR solution they choose can still support them when they add new cloud platforms, expand their SD-WAN infrastructure or deploy additional edge devices, for example.
Answering these and similar questions is the most effective way to ensure that the XDR solution you choose will help you survive in today’s increasingly complex and risky digital market.
* Karl Freundsberger is Country Manager Austria at Fortinet.