What are the benefits of XDR (Extended Detection & Response)?

Extended Detection & Response (XDR) is transforming the ways cyber security teams protect organisations from modern cyber threats.

New and emerging XDR solutions provide security analysts with an incredible arsenal of tools and capabilities that offer a variety of business benefits.

What is XDR?

To understand XDR clearly, it is important to consider the endpoint security products from which it originates.

Traditional Antivirus

In the early days of the Internet and computing, traditional antivirus products (AV) were produced to protect endpoints. These were simplistic by modern standards.

For example, the most common approach used by traditional AV to detect malware was “signature-based detection”. A signature is a fingerprint of a known malicious file, typically a cryptographic hash of its contents or a distinctive byte pattern within it. AV vendors kept a “library” of signatures for all known malware; their products scanned the files on an endpoint and blocked any file whose hash or byte pattern matched a library entry.

AV products evolved to look for malicious scripts, suspicious strings and process names as well, but at their core they still matched specific, predetermined patterns against a library of known-bad signatures.

Despite its value, this approach was easy for attackers to bypass. Changing a single byte of a file produces a completely different hash, and repacking or obfuscating the file defeats byte-pattern signatures, so a trivially modified sample evaded detection until a new signature was written for it. Traditional AV became less effective over time, and something better was needed.

Endpoint Detection & Response (EDR)

EDR was the next development of AV. EDR tools still use signature-based detection to identify known malicious files, but their capabilities have improved to cope with the small tweaks attackers make. One technique is fuzzy (similarity) hashing: instead of a single cryptographic hash of the whole file, which changes completely if one byte changes, the file is hashed in content-defined pieces, so two files that differ in only a few places produce digests that are measurably similar. A subtly modified sample can then be matched against the digest of the known original, something that is impossible with ordinary hashes, for humans and machines alike. EDR products also apply machine learning to file and behavioural features rather than relying on exact matches.
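The two detection styles described above (exact signature matching, which a one-byte edit defeats, and fuzzy hashing, which survives it) side by side, as an added example written for this article rather than code from any AV or EDR product. The “malware” sample, the blocklist, the 4096-byte size and the chunking parameters (7-byte window, trigger modulus 32) are all constructed here; real tools such as ssdeep or TLSH use more elaborate schemes, but the principle is the same.

```python
"""Exact hash matching vs fuzzy (content-defined piecewise) hashing.

Added example, not code from the original article. All sample data is constructed.
"""
import hashlib

WINDOW = 7     # bytes hashed to decide whether a chunk boundary falls here (assumption)
MODULUS = 32   # boundary when windowed hash % MODULUS == 0 -> chunks of ~32 bytes on average


def make_sample(blocks: int = 128) -> bytes:
    """Constructed stand-in for a malware binary: 128 * 32 = 4096 pseudo-random bytes."""
    return b"".join(hashlib.sha256(b"sample-%d" % i).digest() for i in range(blocks))


def exact_hash(data: bytes) -> str:
    """Traditional AV signature: one cryptographic hash of the whole file."""
    return hashlib.sha256(data).hexdigest()


def chunk_boundaries(data: bytes) -> list:
    """Content-defined chunking: a boundary lands wherever the hash of the preceding
    WINDOW bytes hits the trigger, so boundaries depend only on nearby content and an
    edit in one place cannot shift the chunks elsewhere in the file."""
    bounds = []
    for i in range(WINDOW, len(data) + 1):
        h = 0
        for b in data[i - WINDOW:i]:
            h = (h * 31 + b) & 0xFFFFFFFF
        if h % MODULUS == 0:
            bounds.append(i)
    return bounds


def fuzzy_hash(data: bytes) -> set:
    """Piecewise digest: a short hash per chunk. Two files that differ in one place
    share every chunk except the one or two touching the edit."""
    pieces = set()
    start = 0
    for end in chunk_boundaries(data) + [len(data)]:
        if end > start:
            pieces.add(hashlib.sha256(data[start:end]).hexdigest()[:8])
            start = end
    return pieces


def similarity(a: set, b: set) -> float:
    """Jaccard similarity of two piecewise digests: 0.0 (unrelated) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if (a | b) else 1.0


def scan(data: bytes, exact_blocklist: set, fuzzy_blocklist: list, threshold: float = 0.7) -> str:
    """Verdict for one file: exact signature hit, fuzzy near-match hit, or clean."""
    if exact_hash(data) in exact_blocklist:
        return "blocked:exact"
    digest = fuzzy_hash(data)
    if any(similarity(digest, known) >= threshold for known in fuzzy_blocklist):
        return "blocked:fuzzy"
    return "clean"


def demo() -> dict:
    original = make_sample()
    # The attacker's "single edit": flip one byte in the middle of the file.
    tweaked = bytearray(original)
    tweaked[2048] ^= 0xFF
    tweaked = bytes(tweaked)
    # A completely different (constructed) file, to show fuzzy matching does not over-match.
    unrelated = b"".join(hashlib.sha256(b"benign-%d" % i).digest() for i in range(128))

    exact_blocklist = {exact_hash(original)}
    fuzzy_blocklist = [fuzzy_hash(original)]
    return {
        "original": scan(original, exact_blocklist, fuzzy_blocklist),
        "tweaked_exact_only": scan(tweaked, exact_blocklist, []),   # traditional AV view
        "tweaked": scan(tweaked, exact_blocklist, fuzzy_blocklist),  # EDR view
        "unrelated": scan(unrelated, exact_blocklist, fuzzy_blocklist),
        "tweaked_similarity": similarity(fuzzy_hash(original), fuzzy_hash(tweaked)),
        "unrelated_similarity": similarity(fuzzy_hash(original), fuzzy_hash(unrelated)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The one-byte flip changes the SHA-256 entirely, so with only the exact blocklist the tweaked sample comes back clean; with the piecewise digest almost every chunk still matches, so it is caught, while the unrelated file shares no chunks and stays clean. The threshold is a tuning knob: too low and benign files that share libraries or resources with malware start to match.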

More importantly, EDR products also detect suspicious behaviours on endpoints rather than relying on signatures alone, for example a document reader spawning a command shell, or a process reading credentials from memory. This provides strong protection against threats and makes it much harder for attacks to succeed, because the attacker must change what the malware does, not merely what it looks like.

Crucially, EDR also gives defenders the ability to respond. Security professionals can manage their endpoints with a centralised EDR platform, which enables them to detect threats and vulnerabilities, stop attacks and remediate issues across their endpoints.

Extended Detection & Response (XDR)

XDR is an extension of EDR (hence the “extended” in its name). EDR provides incident detection and response on endpoints, but its visibility stops there; XDR extends the same capabilities across an organisation’s broader IT landscape.

It provides threat detection and response capabilities across end-user environments, cloud services, on-premises infrastructure and mobile devices. It unifies signals from multiple technology environments and attack vectors to give security analysts a “single pane of glass” for threat detection and response.

For example, with EDR a security analyst might see an alert telling them that malware has run on a machine. With XDR they could see the phishing email that was clicked on, the malware download and the network traffic from that machine, all automatically correlated and presented as one incident. This correlation is what makes XDR so powerful.

What are the benefits of XDR?

XDR platforms empower security analysts to do more with better threat insights and response capabilities across their organisation’s full IT estate. Some key benefits include:

Visibility

The ability of XDR to correlate detections from different environments, and to provide the context behind threats and attacks, gives security analysts powerful forensic and visualisation capabilities. Security teams gain an in-depth understanding of how attacks against their organisation are unfolding and how far along the kill chain each one has progressed.

Advanced detection

Leading XDR tools collect and process a vast number of signals from across your organisation’s entire technology estate, using advanced analytics, AI, and machine learning to identify complex modern cyber-attacks.

Automation

Automated response allows many threats, vulnerabilities and active attacks to be remediated in near real time, reducing the need for manual intervention by analysts. Vendors also feed telemetry from customers worldwide into their detection models, so the platform’s ability to separate anomalous signals from real threats improves continuously. Security teams can also build their own automation playbooks that run in scenarios specific to their industry or threat model.

Rapid response

Automation not only allows security teams to reduce KPIs such as “mean time to detect” (MTTD) and “mean time to respond” (MTTR), but XDR tools also allow security analysts to perform manual response actions incredibly quickly. Despite the benefits of automation, human intervention will be required on many occasions, and XDR facilitates this; XDR tools enable security professionals to investigate and manually take action against a threat through a “single pane of glass”.

Integration

The “single pane of glass” is a crucial element and benefit of many XDR platforms. An ecosystem of connected security products means analysts do not have to move between disparate third-party consoles to investigate and remediate threats. Good security depends on an excellent understanding of the context behind a threat, and a well-integrated XDR platform provides it: native integration lets the product combine multiple data sources and aggregate related signals into a single security incident. Cross-domain integration, the ability to contextualise threats and the grouping of related alerts into one incident together mean fewer, higher-fidelity incidents to triage, which reduces alert fatigue for analysts.

While connectors exist to link products from multiple vendors, a market-leading XDR platform that integrates natively under one provider can provide a seamless experience and offer significant benefits.

Cost

By opting for an XDR suite that is holistically integrated “out of the box”, many organisations can save money by consolidating their multiple security tools with a single provider. It can often prove more expensive to combine different third-party products to deliver XDR, while delivering less capability and making it more difficult to manage.

Prioritisation

XDR tools also help security teams prioritise the incidents that analysts investigate and respond to. Detected vulnerabilities and threats are typically ranked by severity, so analysts can work on the most pressing ones first and make better use of their time. Many SIEM (Security Information & Event Management) platforms can also be connected to XDR tools.
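The phishing-to-malware kill chain correlated across email, endpoint and network described under “What is XDR?”, the grouping of related alerts into single incidents described under “Integration”, and the severity ranking just described, as one added example. This is illustration code written for this article, not the logic of any XDR product: the three log sources, their field names (`ts`, `source`, `severity`, `user`, `host`, `detail`), the sample events and the 30-minute correlation window are all constructed assumptions; a real platform first normalises each vendor’s schema into a common one.

```python
"""Correlate alerts from several sensors into incidents, then rank by severity.

Added example, not code from the original article or any XDR product.
Sample alerts, field names and the 30-minute window are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed alerts from three sensors. Each carries the entities (user, host) an
# analyst would otherwise have to pivot on by hand across separate consoles.
ALERTS = [
    {"ts": "2024-03-04T09:01:10Z", "source": "email", "severity": "medium",
     "user": "jsmith", "host": None, "detail": "user clicked URL in phishing mail"},
    {"ts": "2024-03-04T09:01:42Z", "source": "endpoint", "severity": "high",
     "user": "jsmith", "host": "LAPTOP-17", "detail": "outlook.exe spawned powershell.exe -enc ..."},
    {"ts": "2024-03-04T09:02:05Z", "source": "proxy", "severity": "low",
     "user": None, "host": "LAPTOP-17", "detail": "first-seen domain contacted, 1.2 MB downloaded"},
    {"ts": "2024-03-04T13:30:00Z", "source": "endpoint", "severity": "medium",
     "user": "asmith", "host": "SRV-DB-02", "detail": "unsigned driver load"},
    {"ts": "2024-03-05T09:01:50Z", "source": "proxy", "severity": "low",
     "user": None, "host": "LAPTOP-17", "detail": "first-seen domain contacted"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(alerts: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Link alerts that share a user or host within `window`; each connected group
    becomes one incident. Returned incidents are sorted highest severity first."""
    alerts = sorted(alerts, key=lambda a: a["ts"])
    parent = list(range(len(alerts)))  # union-find over alert indices

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(i: int, j: int) -> None:
        ri, rj = find(i), find(j)
        if ri != rj:
            parent[rj] = ri

    # Most recent alert index seen per entity, e.g. ("host", "LAPTOP-17").
    last_seen = {}
    for i, alert in enumerate(alerts):
        for field in ("user", "host"):
            if not alert[field]:
                continue
            key = (field, alert[field])
            if key in last_seen:
                j = last_seen[key]
                if parse_ts(alert["ts"]) - parse_ts(alerts[j]["ts"]) <= window:
                    union(i, j)  # same entity, close in time: same incident
            last_seen[key] = i

    groups = defaultdict(list)
    for i, alert in enumerate(alerts):
        groups[find(i)].append(alert)

    incidents = []
    for members in groups.values():
        incidents.append({
            # Incident severity is the worst severity among its alerts.
            "severity": max((m["severity"] for m in members), key=SEVERITY_RANK.__getitem__),
            "entities": sorted({m[f] for m in members for f in ("user", "host") if m[f]}),
            "sources": sorted({m["source"] for m in members}),
            "timeline": [f'{m["ts"]} [{m["source"]}] {m["detail"]}' for m in members],
        })
    # Prioritisation: the most severe incident goes to the top of the analyst's queue.
    incidents.sort(key=lambda inc: SEVERITY_RANK[inc["severity"]], reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(f'[{inc["severity"].upper()}] {", ".join(inc["entities"])} via {", ".join(inc["sources"])}')
        for line in inc["timeline"]:
            print("   ", line)
```

Five raw alerts collapse into three incidents. The email alert has no host and the proxy alert has no user, yet both join the endpoint alert through the entity each one shares with it, which is the cross-domain pivot a single-console EDR cannot make. The proxy alert from the next day on the same laptop stays separate because it falls outside the window, so the time bound is what keeps unrelated activity on a busy host from being swept into one ever-growing incident.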

Microsoft’s XDR platform – Microsoft Defender

Microsoft Defender is Microsoft’s XDR solution and one of the most comprehensive available today. Since most organisations worldwide use Microsoft’s productivity software for end users, a seamlessly integrated XDR capability is a natural fit for them.

Microsoft’s XDR solution combines Microsoft 365 Defender (email, endpoints, identity, cloud services, apps, data) and Microsoft Defender for Cloud (servers, containers, on-premises / hybrid / cloud, networks, SQL).

Even greater capabilities come when the Microsoft Defender XDR platform is combined with Microsoft’s cloud-native SIEM and SOAR, Microsoft Sentinel. This integration is a major focus for Microsoft.

Next steps

Maintaining an internal cyber security team is expensive and difficult to manage, with a significant skills shortage worldwide. For this reason, many organisations are looking to outsource elements of their cyber security to managed detection and response (MDR) service providers that provide managed EDR and XDR services.

Due to Microsoft’s inspiring security vision, technical maturity, and integrated remediation capabilities, we have built our advanced MDR services on Microsoft 365 Defender and Microsoft Sentinel. To learn more about the benefits of XDR and our advanced MDR services, contact us today.

At Chorus, we provide three levels of MDR Services from our 24/7/365 UK Cyber Security Operations Centre:

  • MDR for Endpoint
  • Managed XDR for Cloud
  • Managed XDR for Hybrid