7 steps to implementing a successful XDR strategy
There's still confusion around what extended detection and response is, but it will play a key role in enterprise security. To successfully implement XDR, follow these steps.
Despite the continuing confusion in the industry around what extended defense and response actually is, I'm convinced XDR is both a needed reset in the vision for how security teams think about supporting their detection and response programs and a recognition of the need for an expanded scope of visibility and automated analysis.
But what does it take to effectively implement XDR?
From the beginning, I've been writing and speaking about XDR as a journey, focusing on the need to improve detection and response programs to embrace diversity in IT infrastructure and combat increasingly complex threats. Research from Enterprise Strategy Group, a division of TechTarget, has shown that most security organizations have an XDR project underway, despite the multiple definitions of what XDR is. Our research has also found that security teams are turning to all types of security providers for XDR products and services.
At its core, XDR embraces the need for new levels of security signal aggregation, correlation and analysis, reflecting an increasingly diversified attack surface and more sophisticated threat landscape. A progressively growing and more complex use of cloud-delivered applications and services has been a key driver of this agenda. Many security leaders struggle to gain visibility and understanding of the many interdependencies of modern cloud applications. As these applications are accessed by a more distributed workforce that uses a new array of devices, device types and access locations, more visibility gaps are occurring, further complicating detection of advanced threats.
XDR: Product or strategy?
If you are a security architect, you probably know it's time to improve your detection and response program. Have you considered the role XDR will play in this effort? If you think a single XDR product will be the silver bullet to level up your detection and response program, you are likely having a hard time finding a product that can deliver everything you need.
Despite the many different definitions of XDR and the variety of XDR offerings from almost every major security vendor, finding a single product that fulfills the specific needs of your security program is going to be challenging. To overcome this challenge, do the following:
- Reframe how you think about XDR. Think of XDR as a strategy, instead of as a single, specific product.
- Support your XDR strategy with a clear set of requirements that fit the specific needs of your security program. Use these requirements to determine what you already have that supports your XDR strategy and where you need to invest.
- Don't get caught up in product labels. Offerings such as threat intelligence can support your XDR strategy but won't be labeled as XDR products.
The 7 building blocks of XDR
The following are my recommendations for what you need to implement a successful XDR strategy:
- A scalable analytics platform should be at the heart of your XDR strategy. This platform should be capable of ingesting and analyzing security telemetry from existing and future security controls associated with your changing IT infrastructure. The best case is that integrations are available out of the box, with the ability to easily extend to new integrations where needed. Both speed and scale matter, so consider an analytics platform that can process the growing amount of telemetry your current and future tools generate.
- This analytics platform must be powered by an automation engine. It should be capable of automating detections, remediation actions, threat intel analysis and security operations processes. An automation engine plays a key role in scaling your detection and response program with your infrastructure, the growing threat landscape and your security workforce. This is an area that hasn't been talked about enough in the XDR conversation, but it is one that requires more focus because current processes simply won't scale to meet the growth rate of infrastructure and attacks.
- This analytics engine must be informed by and capable of ingesting and automating a wide array of threat intelligence. Not all threat intel needs to come in the box. The engine must be extensible to ingest threat intel from multiple sources. While most security product and service providers invest heavily in threat research, depending on a single intel source will be inadequate over time.
- Risk-based alert and incident prioritization and triage will help your security team focus on areas of most significant risk first. With so many alerts and potential areas of investigation, risk-informed mechanisms are needed to help security analysts focus on the highest value, highest risk assets across the entire attack surface -- inside and out. Existing risk assessment mechanisms must integrate with your XDR strategy.
- Automated, highly visual and interactive tools help security analysts understand, investigate, mitigate or remediate attacks in progress. More than just visualizing an attack, tools should provide insights into common adversary behavior, Mitre ATT&CK mapping, historical incident activity and other intel gained from prior investigations. Automation plays a key role in speeding the investigation process by enriching data with more insights and automating workflows based on well-understood patterns.
- Focus on integration. Integration with other workflow tools, including ticketing systems, messaging tools, security, orchestration, automation and response, and others enables you to use existing workflows more easily. Be sure the mechanisms you choose feed your team's knowledgebase so you can harvest and use valuable investigation learnings over time.
- Align your security tools. As your XDR journey continues, consider implementing technology that aligns with your current security architecture and stack. Use prebuilt integrations with as much of your current stack as possible. This likely means acquiring XDR technologies from security providers you are already using.
This is a lot to unpack. And I'm not suggesting you need to -- or can -- find a single product that offers 100% of these capabilities. The bigger goal is to architect a strategy that supports your broader XDR agenda, and complements and supports the rest of your security strategy, architecture and tools.
A number of security companies are investing in XDR offerings, including Palo Alto Networks, Trend Micro, Microsoft, Cisco, CrowdStrike, SentinelOne, Fortinet, Broadcom/Symantec/Carbon Black, Trellix, Secureworks, Cybereason, Sophos, Qualys, Bitdefender, Anomali, Stellar Cyber, ReliaQuest, Hunters, Confluera and Gurucul.
While vendor offerings vary in scope and maturity, this massive focus on XDR confirms that a new approach to automating security operations is underway.
When evaluating tools labeled as XDR offerings, don't expect them to bring it all. Instead consider how and where a product can be used to support your XDR journey. XDR is not a silver-bullet product but is instead a strategy that requires careful planning, consideration, architecture and management.
Enterprise Strategy Group is a division of TechTarget.