RSAC 2022: XDR Simplifies Detection and Response | Blumira

Digital transformation has provided challenges for organizations to effectively get visibility and protect against threats today, as Chris Meenan, VP of IBM Security Product Management, explained in his RSAC 2022 presentation, Being Open to a Zero Trust Future. Those conditions include:

• Shift to hybrid cloud – Infrastructure is now distributed across hybrid cloud, edge, IoT and OT. 32% of organizations report an increase in the number of cloud applications, according to IBM
• Remote workforce – Employees are increasingly working from home and accessing data from anywhere, using any device. 41% report an increase remote worker access
• Regulatory and privacy demands – As data is shared, regulations and end users demand more control
• Evolving threats – Ransomware and other sophisticated attacks are increasing; 38% report an increase in the threat landscape

As a result, more security tools are being adopted, meaning there are more silos and data fragmentation. Tools aren’t designed to talk to each other properly, and often require security engineers to build, set up and configure integrations — which results in opportunities for adversaries. 

IBM reports that 59% of organizations say cybersecurity has become more difficult over the last two years. Teams are struggling to keep up with new threats and detections with poor visibility across their environment.

Bringing Siloed Security Tools Together With XDR

Detecting threats across security analytics tools continues to be a problem, as security data is stored across a wide variety of silos. Modernization, as organizations undergo the digital transformation shift, requires visibility and advanced analytics, which can be achieved through the SOC triad, according to IBM Security. That includes:

• SIEM/UBA (security information and event management/user behavior analytics): Behavioral and rule-based detection and correlation of malicious activity through real-time log data analysis
• EDR (endpoint detection and response): Behavioral detection and prevention of malicious activity across endpoints; ability to mitigate and respond to threats remotely
• NDR (network detection and response): Behavioral detection based on malicious activity; SIEM/UBA and EDR provide critical insights to prioritize remediation

The typical workflow of security analysts is complex, requiring them to pivot between many different tools, user interfaces, query languages, etc. to detect and respond to threats across the enterprise. There’s a need to simplify a workflow to enable common query language and investigation framework across multiple tools (called XDR).

The improved outcomes of using an XDR platform are referenced by AT&T Business’s Director of Product Rakesh Shah in Open XDR: A Strategy for Evolving Security Needs:

• Expand telemetry to increase visibility and information gathering
• Boost threat intelligence; improve security analytics to increase detection accuracy and time to detection
• Automate and orchestrate select workflows and process to improve response and recovery

Shah also referenced five main use cases for XDR:

1. Prevent malware and ransomware on your endpoints
2. Detect and respond to attacks in your network
3. Get a unified view into your security posture
4. Augment your security team
5. Embrace the digital transformation

A few different approaches to XDR refer to the platform’s level of integration and interoperability with an organization’s existing environment:

• Hybrid XDR – This refers to a diverse environment consisting of many different tools provided by different vendors, but with one open XDR platform to bring them all together through third-party integrations (SIEM, EDR, NDR, cloud infrastructure, etc.), offering more flexibility and increased interoperability.
• Native XDR – One vendor provides different SIEM, EDR, NDR products that integrate with the vendor’s own XDR platform to provide telemetry about the environment. This could potentially result in vendor lock-in, less flexibility and less visibility across an organization’s environment, depending on the amount of third-party integrations available.

It can be challenging to choose a single security platform, so Shah recommended integrating with best-in-breed partners to leverage your existing investments and use API integrations for extended cyber defenses.

While a ‘basic’ integration may only translate raw log data into normalized events for analysis, a ‘deep’ integration will do that and more — collect and enrich log data; analyze data for threats; coordinate response actions; provide security orchestration and access to built-in dashboards.

Blumira: Achieving XDR Outcomes

The main takeaway from these two sessions is the need for a centralized, highly-integrated platform that intelligently processes and correlates different streams of telemetry data to help detect attacker activity and enable organizations to respond to threats faster.

Typical XDR platforms are built for large enterprise organizations with complex environments, often pricing out mid-sized and smaller organizations that remain unprotected. Blumira’s platform combines SIEM functionality (pulling in and analyzing data from hybrid environments, supported by third-party integrations) with built-in detections, developed and tuned by our team of incident detection engineers to reduce noisy alerts.

Every meaningful finding comes with response playbooks to guide small teams through faster remediation, while our SecOps team is available to provide further assistance. We do all of the heavy lifting for SMBs, keeping our platform up to date on the latest threats. Sign up for free to start protecting your Microsoft 365 environment in minutes.

Sign Up For Your Free Account Today

Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.