
Page 1: E-Book The Ultimate Guide to XDR

exabeam.com 01

The UltimateGuide to XDR

eBook


Table of contents

Introduction ............................................... 03
What is an XDR? ............................................ 04
Why the XDR market exists .................................. 05
Why XDR is needed .......................................... 06
How XDRs are different from other security tools ........... 07
Types of XDRs .............................................. 08
Key features of Native XDR ................................. 09
Key features of Open XDR ................................... 10
Benefits of using XDR solutions ............................ 11
Focus on threat-centric use cases .......................... 12
Additional considerations when evaluating an XDR ........... 13

The Ultimate Guide to XDR: All You Need to Know About XDRs


Introduction

XDR, or eXtended Detection and Response, describes cloud-based security solutions that unify a SOC's detection and response across its tools and processes. This guide was created to help clear up the confusion about the XDR market: why it exists, what defines an XDR solution, the types of XDRs, key features, and more. For organizations evaluating XDR solutions, this guide will help you better understand XDR and how it can be adopted to improve your overall security posture with faster, easier, and more accurate threat detection, investigation, and response (TDIR).


What is an XDR?

XDRs are cloud-based solutions that combine many data sources, including but not limited to endpoint, network, cloud services, email, and identity authentication, to simplify detection of and response to advanced threats. XDRs tie together an organization's security stack for a comprehensive view, and offer advanced threat detection and response through correlation and analytics. XDRs are not limited to detection; they also help simplify and automate response to detected threats. A key theme for XDRs is simplicity: they are supposed to be turnkey tools that work effectively "out of the box."

XDRs consist of four primary components that combine telemetry from many security products. Correlating that telemetry helps organizations achieve TDIR outcomes with as little work or customization as possible:

• Sensors (or integrations with sensors) to generate or obtain endpoint, network, and cloud telemetry along with other security data sources (e.g. IAM, email, etc.)

• Analytics and correlation to detect threats using the available security telemetry

• Prepackaged workflows and content that help security teams achieve TDIR efficiency

• Automated responses using threat-specific actions and playbooks


Why the XDR market exists

XDRs emerged as a reaction to unmet needs and rising problems in the cybersecurity landscape. As each new kind of entity (endpoint, server, cloud workload, credential, etc.) moved outside the perimeter, the need to combine views and correlate events across on-premises resources and the cloud has grown.

There are three main trends driving the rise of XDRs in the market:

1. Distributed enterprise assets + redefined perimeter + success of cloud/business transformation = explosive number of attack vectors and techniques. The modern enterprise has complex business processes, distributed data storage, and an increasing number of cloud applications. This multiplies the potential vulnerabilities and introduces new attack vectors and techniques for malicious actors. Since central controls have limited visibility into remote employees, resources, and assets, security leaders are looking for cloud-delivered ways to defend against advanced threats arriving over a variety of attack vectors.

2. Narrowly scoped security solutions operate in silos. Point security solutions provide a single layer of visibility and protection for their specific area and lack the context or ability to correlate attacks with other tools. Each security solution in an organization's technology stack looks at a single (or at most a few) attack channel or vector; few solutions can cover everything.

3. SIEMs often suffer from scope creep, resulting in complex solutions with deployment challenges. What was supposed to be a strength, the ability to combine various security tools and information to address threats, can become a weakness in execution. Security Information and Event Management (SIEM) tools often attempt to address too many use cases, resulting in complicated features that require scripting and deep networking knowledge to tune for daily use and to build the events of interest.

The security requirements and skill sets of most security organizations vary broadly, from the first-level analyst up to SIEM engineering and architecture. XDR can add context to events and alerts from security systems that both educates analysts and provides clarity on next steps, reducing the management overhead of the SIEM solution.

Market reaction: XDR. These factors define the XDR market demand: a cloud-based turnkey tool that a security or IT team can switch on, and it works. Simple. Automated.


Why XDR is needed

SOC analysts are often confronted with new, compound threats to their organizations. This is compounded by the myriad of security tools they must support with limited resources, tools that often don't correlate gracefully with one another. Each tool requires different expertise, a different user interface, and specific security knowledge that requires new education; the traditional SOC analyst's experience with perimeter defense and packet capture has expanded to cover the full MITRE ATT&CK matrix.

Just increasing the number of logs ingested by the SIEM isn't effective. While you can bring endpoint and identity detection into many commercial SIEMs, too often that just adds "one more event stream" to the noise analysts face, without providing cross-event correlation, without recognizing when an attacker moves from one credential to another, and without treating the spread of legitimate-seeming access as an indicator of attack. SIEMs are most effective with an XDR component or supplement.

XDR integrates across security tools and supports the entire TDIR workflow and security stack, spanning data ingestion, normalization, correlation, attack detection, investigation, and response. This reduces the number of tools and UIs security teams need to use, simplifies workflows with pre-built playbooks and automation, and creates a standard approach for resolving incidents.

Did you know? An average SecOps team has 19+ TDIR tools (e.g. IPS, EDR, NDR, CASBs, email security, etc.)
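The cross-event correlation this section calls for, an attacker landing on a machine as one user and moving on as another, is easier to see in code than in prose. The following Python is an added example, not content from the e-book or code from any Exabeam product: it stitches VPN, EDR, and identity events that share a user or host into one incident timeline and flags the credential switch. The event schema (ts, source, user, host, src_host, action, detail) and the sample events are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Events further than this from the last activity on a shared entity
# start a new incident rather than extending an existing one.
WINDOW = timedelta(minutes=60)

# Constructed sample telemetry from three sensors (VPN, EDR, identity),
# already normalized to one schema. The field names are an assumption for
# this example, not any product's schema.
EVENTS = [
    {"ts": "2024-03-01T09:02:10", "source": "vpn", "user": "alice",
     "host": "wks-17", "action": "vpn_login", "detail": "from 203.0.113.7"},
    {"ts": "2024-03-01T09:05:42", "source": "edr", "user": "alice",
     "host": "wks-17", "action": "process_start", "detail": "mimikatz.exe"},
    {"ts": "2024-03-01T09:07:03", "source": "identity", "user": "svc-backup",
     "src_host": "wks-17", "host": "fs-01", "action": "logon", "detail": "NTLM, type 3"},
    {"ts": "2024-03-01T09:09:30", "source": "identity", "user": "svc-backup",
     "src_host": "fs-01", "host": "dc-01", "action": "logon", "detail": "NTLM, type 3"},
    {"ts": "2024-03-01T11:40:00", "source": "identity", "user": "bob",
     "src_host": "wks-22", "host": "fs-01", "action": "logon", "detail": "Kerberos, type 3"},
]


@dataclass
class Incident:
    timeline: list                      # contributing events, oldest first
    users: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    credential_switch: bool = False     # a later hop ran as a different account


def entities(ev):
    """Entities an event touches: the user plus every host it lands on or came from."""
    ents = {("user", ev["user"]), ("host", ev["host"])}
    if ev.get("src_host"):
        ents.add(("host", ev["src_host"]))
    return ents


def correlate(events, window=WINDOW):
    """Union events that share an entity within `window`; each component is one incident."""
    evs = sorted(events, key=lambda e: e["ts"])
    parent = list(range(len(evs)))      # union-find over event indices

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    last_seen = {}  # entity -> index of the most recent event that touched it
    for i, ev in enumerate(evs):
        ts = datetime.fromisoformat(ev["ts"])
        for ent in entities(ev):
            j = last_seen.get(ent)
            if j is not None and ts - datetime.fromisoformat(evs[j]["ts"]) <= window:
                parent[find(i)] = find(j)
            last_seen[ent] = i

    groups = {}
    for i, ev in enumerate(evs):
        groups.setdefault(find(i), []).append(ev)
    return [build_incident(g) for g in groups.values()]


def build_incident(timeline):
    inc = Incident(timeline=timeline)
    seen_on_host = {}  # host -> accounts already active on it earlier in the timeline
    for ev in timeline:
        inc.users.add(ev["user"])
        inc.hosts.update(h for h in (ev["host"], ev.get("src_host")) if h)
        src = ev.get("src_host")
        # Credential switch: this hop originates from a host where an earlier
        # event in the same incident ran under a different account.
        if src and seen_on_host.get(src, set()) - {ev["user"]}:
            inc.credential_switch = True
        seen_on_host.setdefault(ev["host"], set()).add(ev["user"])
    return inc


def summarize(inc):
    """One-line analyst view of an incident."""
    tags = ["credential switch"] if inc.credential_switch else []
    return (f"{len(inc.timeline)} events from {sorted({e['source'] for e in inc.timeline})}"
            f" users={sorted(inc.users)} hosts={sorted(inc.hosts)} {tags}")


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(summarize(inc))
        for ev in inc.timeline:
            print(f"  {ev['ts']} [{ev['source']}] {ev['user']}@{ev['host']} "
                  f"{ev['action']}: {ev['detail']}")
```

Run as-is, the four morning events collapse into a single incident spanning all three sensors, with the jump from alice on wks-17 to svc-backup on fs-01 flagged; bob's unrelated afternoon logon to fs-01 stays a separate incident because it falls outside the window. The same three events viewed as three separate streams in a SIEM would be three low-severity alerts at best.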


How XDRs are different from other security tools

The two tools most often compared to XDRs are EDRs and SIEMs. Here's how XDRs are different:

XDR versus EDR

Endpoint Detection and Response (EDR) focuses on defending against threats to an organization's endpoints, from antivirus alerts to potential compromise. While an XDR may absorb EDR, XDRs take in threat data from EDRs (and all other security solutions) to find and defend against threats beyond the endpoint. This may include advanced persistent threats (APTs) that attack an organization from multiple vectors, and lateral movement from the endpoint into the data center and cloud. XDRs can correlate and analyze security data from multiple network and cloud security tools beyond just EDRs to find threats and track them as they move through the kill chain.

XDR versus SIEM

SIEMs have capabilities similar to XDRs: collecting and analyzing security telemetry from across tools to generate alerts. XDRs are an evolution of SIEMs, offering more simplicity and out-of-the-box threat-centric workflows. Many SIEMs on the market are hard to operationalize and tune because of the number of variables and features available, and they often add no context to events ingested from a new tool's syslog or API feed. For security operations teams unfamiliar with threat modeling and custom rule creation for each vendor, it can take months to stand up a new SIEM solution, and even longer to keep it tuned and add new rules; this often requires specialist resources that can be in short supply.

XDRs instead offer pre-built templates and workflows that simplify the threat use cases security teams want to focus on. XDRs are:

• Laser-focused on TDIR and driven by outcomes

• Simple, often working with little to no customization

• As automated as possible

• Cloud-based, and therefore easy to maintain and operate


Types of XDRs

There are two types of XDRs: native and open. The difference between them comes down to the components they offer.

The three pillars of XDR

Front-end: security point products that:

• Generate telemetry

• Perform response actions or enforce security controls

Back-end: a set of technologies that enable TDIR by:

• Collecting and correlating data from sensors

• Performing threat detection

• Automating alert and incident triage

• Accelerating incident investigation

• Automating response to detected threats

Content: prescriptive, threat-centric workflows delivered as pre-packaged security content:

• API connectors

• Parsers

• Detection rules and models

• Investigation and response guidance

• MITRE ATT&CK mapping

• Response actions and playbooks

• Reports

Native XDR solutions offer both the front-end products that generate security telemetry and the back-end capabilities of analysis and workflow. To be a Native XDR solution, a vendor should ideally offer all the sensors needed for common XDR use cases (typically endpoint, network, cloud, identity, email, etc.) as well as a back end capable of performing threat detection, investigation, and response with that data.

A Native XDR may be simpler for organizations that rely on a single vendor across much of their security stack. However, there may be gaps in both coverage and depth, as a single Native XDR vendor can depend on similar detection engines across the stack and have limits in the depth of capabilities it can cover. Moreover, Native XDR solutions may not provide mature or robust content (see "The three pillars of XDR" above).

Open XDR solutions are predominantly focused on delivering strong back-end capabilities such as attack correlation, analytics, and automation. Leading Open XDR vendors also add the prescriptive content required across all phases of the threat detection, investigation, and response lifecycle to solve common security operations use cases out of the box. Open XDRs need to integrate with all of an organization's existing security and IT infrastructure, then correlate and analyze all relevant data, and finally automate and optimize TDIR workflows, making it easier for SOC teams to respond to incidents more quickly.

Open XDRs can act as a single control plane across multiple products and vendors. This provides visibility and allows orchestration and automation of actions (similar to SIEM and SOAR functionality), so that SOC teams don't have to run manual workflows across multiple tools. Open XDRs may be better for organizations with existing diversity in their security tools, as they are more flexible, can absorb more vendor alert feeds, and can combine weak signals from multiple products to find complex threats missed by other tools. Additionally, as new security solutions come to market to address new types of threats, Open XDRs can integrate them faster to enhance threat detection.


Key features of Native XDR

Native XDR is centered around providing the required sensors for threat detection and response from a single vendor. As such, a major feature of any Native XDR vendor is the security point products themselves. All forms of XDR close the gap between security and architecture teams by correlating advanced attacks across multiple security tools and attack vectors. They can detect complex threats using behavioral analytics and can follow these attacks as they move laterally through your network, giving security teams the context and information they need to resolve incidents effectively.

XDRs should contain these key features:

• Generate security telemetry from key data sources (native only)

• Correlate attack telemetry into one incident timeline/thread

• Automate root-cause analysis

• Speed threat hunting with comprehensive incident context

• Recommend response actions

Figure (Native XDR). Outputs: behavioral detections, incident alerts, incident prioritization, recommended response actions, single UX, single-click response. Analyst capabilities: incidents, incident investigation, incident response, threat hunting.


Key features of Open XDR

Open XDRs break down security silos by correlating advanced attacks across multiple disparate security tools and attack vectors. They can detect complex threats using behavioral analytics and follow these attacks as they move laterally through the network and cloud, giving security teams the context and information they need to resolve incidents effectively. XDRs should contain the key features below, enabling security teams to:

• Quickly ingest new security alerts and log information from multiple sources

• Correlate attack telemetry into one incident and timeline

• Indicate risk by endpoint, identity, server, or source

• Automate root-cause analysis

• Automate responses with playbooks and integrations

• Speed threat hunting with comprehensive incident context


Benefits of using XDR solutions

First, XDRs allow analysts to quickly detect advanced threats like compromised credentials and malicious insiders that were previously difficult or impossible to find using only endpoint or network security sensors. By collecting and analyzing data from multiple security tools, XDRs can quickly find threats based on analysis of the correlated data.

Second, automation throughout TDIR workflows, including actionable intelligence, alert enrichment, and automated timeline creation, reduces analysts' "time to answer." With full investigation capabilities, the Level 1 analyst can quickly work at the level of a Level 2-3 analyst, with fully visualized attack lists and suggestions for remediation.

Finally, XDRs extend the value of existing investments with out-of-the-box coverage for use cases (mapped to MITRE ATT&CK) to improve their efficacy and deliver repeatable, successful outcomes. This simplifies security operations and allows security teams to focus on more strategic initiatives instead of constantly tuning security tools or training staff to support various solutions.

XDR customer outcomes:

• Uniting disparate tools

• Fewer false positives

• Visibility into the full attack

• Detection, investigation, and response in one place

• Faster and more complete incident response and threat hunting


Focus on threat-centric use cases

Why do XDRs need to focus on threat-centric use cases? In order to fulfill the promise of simple, automated, and turnkey threat detection, investigation, and response (TDIR), XDRs must include prescriptive, threat-centric workflows. An effective XDR will provide all of the capabilities listed in the workflow below for quick, comprehensive use case coverage. Security automation is key to modern security operations, and vendors need to offer prescriptive guidance and workflows for handling specific threats and tailor their products to deliver successful outcomes for specific threat types.

XDRs should offer a closed-loop solution that encompasses the security operations team's entire workflow for a threat. XDRs should offer immediate time-to-value with minimal or no configuration, regardless of the expertise level of the SOC, so that instead of tuning, analysts can use the XDR to address immediate concerns and incidents. By this we mean focusing on one use case at a time and expanding to the next once each is addressed. Without a threat-centric use case approach, an XDR would be yet another security tool to be managed and tuned.

A threat-centric, turnkey threat detection, investigation, and response (TDIR) workflow:

Collection

• Predefined data sources

• 500+ integrations

Detection

• Behavior-based threat detection

• Watchlists

• MITRE mapping

Triage

• Alert prioritization

• Context gathering and enrichment

• Auto case creation

Investigation

• Prebuilt incident timelines for all entities

• Automated Q&A

Response

• Turnkey playbooks

• Custom incident types

• Incident checklists

The use case content includes everything you need to solve a particular type of threat for repeatable, successful outcomes every time and at scale. For example, the following represents prepackaged content for the lateral movement use case.

Prepackaged content for Exabeam lateral movement use case:

Data Sources

• Asset logon and access

• Authentication and access management

• VPN and zero trust network access

• Network access, analysis, and monitoring

• Endpoint security (EPP/EDR)

• Operating system logs (e.g. UNIX/Linux/macOS/Windows)

Detection Rule Types

• Pass the ticket

• Pass the hash

• Abnormal remote access and RDP activity

• Abnormal network connections and traffic

MITRE Techniques

• T1090: Proxy

• T1205: Traffic signaling

• T1219: Remote access software

• T1071: Application layer protocol

• T1021: Remote services

• T1078: Valid accounts

• T1550: Use alternate authentication material

Investigation Tools

• Threat hunter saved searches

• Smart Timelines

• Guided investigation checklists

Response Actions

• Contact user/manager/HR department via email

• Add user or asset to a watchlist

• Block, suspend, or impose restrictions on users involved in the incident

• Rotate credentials/reset password

• Prompt for re-authentication via two-factor/multi-factor authentication

• Isolate systems
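The detection rule types listed above (pass the hash, abnormal remote access and RDP activity) rest on the behavioral baselining that the "Comprehensive threat coverage" section below describes for UEBA: learn what is normal per account, then score deviations and tag them with ATT&CK techniques. The following Python is an added example, not the e-book's content and not Exabeam's detection logic. The key=value logon records, the point weights, and the 50-point alert threshold are all assumptions made for the example; a real deployment would learn them from far more history.

```python
from collections import defaultdict

# Constructed Windows 4624 logon records in a simplified key=value form
# (assumption: a parser has already pulled these fields out of the raw events).
# logon_type 2 = interactive, 3 = network, 10 = RemoteInteractive (RDP).
HISTORY = """
ts=2024-02-05T08:55 user=alice logon_type=2 auth=Kerberos src=wks-17 dst=wks-17
ts=2024-02-05T09:10 user=alice logon_type=3 auth=Kerberos src=wks-17 dst=fs-01
ts=2024-02-06T09:12 user=alice logon_type=3 auth=Kerberos src=wks-17 dst=fs-01
ts=2024-02-07T14:30 user=alice logon_type=3 auth=Kerberos src=wks-17 dst=mail-01
ts=2024-02-05T08:40 user=svc-backup logon_type=3 auth=Kerberos src=bkp-01 dst=fs-01
ts=2024-02-06T08:40 user=svc-backup logon_type=3 auth=Kerberos src=bkp-01 dst=fs-01
""".strip().splitlines()

# New day's logons to score against the baseline (also constructed).
NEW = """
ts=2024-03-01T09:11 user=alice logon_type=3 auth=Kerberos src=wks-17 dst=fs-01
ts=2024-03-01T09:07 user=svc-backup logon_type=3 auth=NTLM src=wks-17 dst=fs-01
ts=2024-03-01T02:15 user=alice logon_type=10 auth=Kerberos src=wks-17 dst=dc-01
ts=2024-03-01T09:20 user=mallory logon_type=3 auth=Kerberos src=wks-17 dst=fs-01
""".strip().splitlines()

THRESHOLD = 50  # alert at or above this score; weights below are example assumptions


def parse(line):
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["logon_type"] = int(rec["logon_type"])
    rec["hour"] = int(rec["ts"][11:13])
    return rec


def new_profile():
    return {"src": set(), "dst": set(), "auth": set(), "hours": set()}


def build_baseline(lines):
    """Per-account profile of where it logs on from, where to, how, and when."""
    base = defaultdict(new_profile)
    for r in map(parse, lines):
        p = base[r["user"]]
        p["src"].add(r["src"])
        p["dst"].add(r["dst"])
        p["auth"].add(r["auth"])
        p["hours"].add(r["hour"])
    return base


def score(rec, base):
    """Score one logon against its account's baseline; returns (points, reasons)."""
    reasons = []  # (points, explanation, ATT&CK technique)
    p = base.get(rec["user"])
    if p is None:
        p = new_profile()
        reasons.append((30, "account has no baseline activity", "T1078"))
    if rec["src"] not in p["src"]:
        reasons.append((20, "logon from a host this account has never used", "T1021"))
    if rec["dst"] not in p["dst"]:
        reasons.append((25, "first logon to this destination host", "T1021"))
    # NTLM from a Kerberos-only account is the classic pass-the-hash indicator.
    if rec["auth"] == "NTLM" and "NTLM" not in p["auth"]:
        reasons.append((30, "NTLM logon by an account that only used Kerberos", "T1550"))
    if rec["logon_type"] == 10 and rec["hour"] not in p["hours"]:
        reasons.append((25, "RDP logon outside the account's usual hours", "T1021"))
    return sum(r[0] for r in reasons), reasons


def detect(lines, base, threshold=THRESHOLD):
    """Return alerts for logons whose score reaches the threshold, oldest first."""
    alerts = []
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        points, reasons = score(rec, base)
        if points >= threshold:
            alerts.append({
                "ts": rec["ts"], "user": rec["user"], "src": rec["src"], "dst": rec["dst"],
                "score": points,
                "reasons": [r[1] for r in reasons],
                "techniques": sorted({r[2] for r in reasons}),
            })
    return alerts


if __name__ == "__main__":
    for a in detect(NEW, build_baseline(HISTORY)):
        print(f"{a['ts']} {a['user']} {a['src']}->{a['dst']} score={a['score']} {a['techniques']}")
        for why in a["reasons"]:
            print("   -", why)
```

Three of the four new logons alert: alice's 02:15 RDP session to a domain controller she has never touched, svc-backup authenticating over NTLM from alice's workstation rather than its usual backup host (the pass-the-hash pattern, tagged T1550), and an account with no history at all (T1078). alice's routine 09:11 logon to the file server scores zero, which is the point of baselining: the same event type is benign for one account and suspicious for another. Treat the NTLM heuristic as an indicator, not proof; legitimate NTLM fallback happens, which is why the score combines several weak signals before alerting.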


Additional considerations when evaluating an XDR

This guide has gone over many different considerations when it comes to XDRs, whether the type (open versus native), the focus (threat-centric use cases), or key features. As security teams evaluate an XDR solution, here are other functional requirements to consider:

Vendor lock-in and gaps

A Native XDR may offer the major inputs for a security program and the simplicity of a single vendor, but it may lead to vendor lock-in and a lack of depth and breadth of coverage. Security teams and management will find it difficult to get best-in-class capabilities across email, DLP, identity, cloud, etc. from a single vendor. And if the Native XDR vendor lacks coverage in a certain area, it is hard to fill that capability gap.

Comprehensive threat coverage

Most XDRs are highly focused on compromised insiders and external threats. However, because their correlation and analysis are focused on anomalies from compromised accounts and malware, they may fall short in detecting threats that are more specific to an organization's environment. Threats from lateral movement and malicious insiders are often missed by these XDRs.

To ensure an XDR can find threats like lateral movement and account compromise or malicious insiders, security teams will need to perform POCs and side-by-side tests with various XDR platforms. XDRs with strong user and entity behavior analytics (UEBA) can correlate signals between security data sources, build baseline behavior for all users and machines in an environment, and then identify complex attacks (like lateral movement and malicious insiders) by finding the abnormal behavior associated with them.

About Exabeam

Exabeam is a global cybersecurity leader that adds intelligence to every IT and security stack. The leader in next-gen SIEM and XDR, Exabeam is reinventing the way security teams use analytics and automation to solve threat detection, investigation, and response (TDIR), from common security threats to the most critical that are difficult to identify. Exabeam offers a comprehensive cloud-delivered solution that leverages machine learning and automation using a prescriptive, outcomes-based approach to TDIR. We design and build products to help security teams detect external threats, compromised users, and malicious adversaries, minimize false positives, and best protect their organizations.

For more information, visit exabeam.com