Today, XDR is the first line of defense against cyber attacks, because devices connect to and consume services from multiple sources, both on-premise and cloud. Taking the right approach to adopting and configuring XDR is therefore paramount.
Regional cybersecurity chiefs have their hands full — they are understaffed and they face skills gaps. These are challenges that threat actors don’t face. And the increase in IT complexity, combined with many employees working from home on private networks with personal devices, means it has become a steep challenge to keep sensitive apps and data safe.
The Middle East and Africa cybersecurity market hit US$ 1.9 billion in 2020, and is projected to reach US$ 2.9 billion by 2026. The spending surge can be attributed to a staggering increase in cyber incidents, brought about by the stay-at-home work trends that emerged from the pandemic. In late 2020, in the United Arab Emirates, the nation’s cybersecurity chief described a 250% year-on-year increase in attacks as a “cyber pandemic”.
Something must be done, and one of the most popular approaches to the much-desired, catch-all cybersecurity platform in the industry today is extended detection and response (XDR), a cloud-native solution capable of peering into every crevice in the technology stack, to detect and respond to incidents in real time.
Interpretations of the form
But as with many products in many industries, not all XDR is created equal. There are many interpretations of the form. Here, I will argue that only context-driven XDR can adequately support security analysts in their prioritization of threats and the reduction of alert fatigue.
Because of the regional skills gap in digital security, teams need all the advantages they can get when it comes to identifying and mitigating threats. However, too often the alerts that prompt the hunt offer very little supporting information about the users, assets, and behaviors that triggered the initial warning. Threat hunters need to know a range of things relating to operating systems, vulnerabilities, and the configuration of assets, as well as an initial assessment of how likely the attack is to succeed.
If the attack was already successful, where in the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework did it fall? If it is ongoing, can it be mitigated by automation, or a junior analyst, or will it take a team of internal or external experts to address? Whether successful or not, it helps analysts to have a rich journal of events leading to the flagged event, including a post-event analysis of business impact.
A pyramid of needs
Compiling all this information in a timely manner is one of the key challenges for the region’s beleaguered security professionals. Incomplete information from multiple sources can leave analysts struggling to understand their organization’s risk exposure and asset criticality. Travelling from dashboard to dashboard, they will try their best with what they have to hand, but the time they spend chasing false positives is time spent away from more productive activities, such as addressing genuine threats that pose real risk.
The modern SOC has three fundamental needs when it comes to threat assessment. The first is immediacy, where responses can occur at scale in real time. The second, criticality, calls for the understanding of impacts and potential impacts, for the purposes of prioritization. And third is response, which represents the means to take effective action, such as killing processes and quarantining files.
To deliver on this pyramid of needs, XDR solutions must break down security data silos to deliver a unified view of the enterprise technology stack and the threats it faces. Effective XDR should bring the tapestry of security solutions and functions together in a single platform. In doing so, context-oriented XDR can help to dial out the white noise that varied telemetry creates and present a real-time view for the user of the business impact of a given alert. Context, in short, leads to more effective response.
Context XDR brings together available information on risk posture, asset criticality, and the threats themselves to deliver a clearer picture. It leverages comprehensive vulnerability and exploit insights for a threatened asset’s OS and for third-party apps. Insights must include misconfigurations and end-of-life (EOL) flags. This uninterrupted vulnerability mapping will provide a more complete picture of the organization’s risk posture than simple risk-scoring based on how OS-patch statuses relate to common vulnerabilities.
Active asset discovery is vital in context XDR. Policy-driven criticality assignments can evolve with an asset’s current state more easily if information on the asset is up to date. The right security and business context can help security teams to prioritize, say, an executive’s laptop or a database server that stores sensitive intellectual property.
Everything XDR hopes to accomplish hinges on the quality and availability of the right data at the right time. This is not only true of assets, but of the potential attacks themselves. Threat intelligence on current exploits and attack methods can deliver the actionable insights that can help security teams prevent and mitigate the perils beyond the digital gates. Where possible, XDR solutions should look to data from third-party solutions within the technology stack and combine it with asset risk posture, criticality, and direct threat intelligence to create even higher fidelity in alerts.
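The enrichment step described across the last few paragraphs, as an added illustration that is not the article's or any vendor's code: a raw detector alert is joined with a constructed asset inventory (criticality, OS end-of-life status, open CVEs, misconfigurations) and a constructed threat-intelligence feed, producing a priority and a suggested response route. All hostnames, CVE identifiers and weights are assumed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    hostname: str
    os: str
    criticality: int                     # 1 (low) .. 5 (crown jewel), policy-assigned
    eol: bool                            # operating system past end-of-life
    open_cves: set = field(default_factory=set)
    misconfigs: set = field(default_factory=set)

# Constructed inventory: an executive laptop and a lab VM share the same OS
ASSETS = {
    "exec-laptop-01": Asset("exec-laptop-01", "Windows 10", 5, False,
                            {"CVE-EXAMPLE-1"}, {"rdp_exposed"}),
    "lab-vm-07": Asset("lab-vm-07", "Windows 10", 1, False),
    "legacy-db-02": Asset("legacy-db-02", "Windows Server 2008", 4, True,
                          {"CVE-EXAMPLE-2"}),
}

# Constructed threat-intel feed: CVEs currently reported as exploited in the wild
ACTIVELY_EXPLOITED = {"CVE-EXAMPLE-1"}

def enrich(alert: dict) -> dict:
    """Attach asset context, a 0-100 priority and a response route to a raw alert."""
    asset = ASSETS.get(alert["host"])
    ctx = {**alert, "priority": 0, "reasons": [], "route": "unknown-asset"}
    if asset is None:                              # discovery gap, not a low-risk alert
        ctx["reasons"].append("asset not in inventory: run active discovery")
        return ctx
    score = 10 * asset.criticality                 # business impact dominates
    ctx["reasons"].append(f"criticality={asset.criticality}")
    hits = asset.open_cves & set(alert.get("cves", []))
    if hits:                                       # the attack can actually succeed here
        score += 20
        ctx["reasons"].append("asset vulnerable to referenced CVE")
        if hits & ACTIVELY_EXPLOITED:              # direct threat intelligence
            score += 20
            ctx["reasons"].append("CVE actively exploited per threat intel")
    if asset.eol:
        score += 10
        ctx["reasons"].append("OS end-of-life")
    if asset.misconfigs:
        score += 5
        ctx["reasons"].append("misconfiguration: " + ",".join(sorted(asset.misconfigs)))
    ctx["priority"] = min(score, 100)
    ctx["route"] = "automation" if score < 30 else "analyst" if score < 70 else "expert-team"
    return ctx

def triage(alerts: list) -> list:
    """Order raw alerts by enriched priority, highest first, for the analyst queue."""
    return sorted((enrich(a) for a in alerts), key=lambda c: c["priority"], reverse=True)
```

The same detector rule firing on the lab VM and on the executive laptop ends up at opposite ends of the queue, which is the fatigue reduction the article argues for.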
The future is context XDR — a full-fledged, many-tentacled sentinel with access to every surface and crack in the digital estate. Threat actors may have us outgunned, but with context XDR in our arsenal, the advantage will finally be ours.