Does your organization need XDR?

Answers to basic questions about extended detection and response.

Does your organization need extended detection and response (XDR) class protection?

Lately, it has become more commonplace to advise large organizations to choose XDR solutions to protect their infrastructure. However, a lot of people don’t completely understand what XDR is and what it really does. In this post, I will answer some basic questions about XDR to help you to figure out if your organization would benefit from implementing it.

What’s wrong with the traditional protection?

Traditionally, it was the endpoints — servers and workstations — that were protected first from cyberthreats, and ultimately this became a fundamental step when it came to combating complex cyberattacks. Organizations also used basic network protection or installed advanced protection tools to close just one potential attack vector — for example, on just the endpoints (EDR solution) or the network (NTA solution), etc. But today’s cybercriminals are increasingly taking a multivector approach to staging their attacks, while using multiple entry points to the infrastructure, lateral movement through the network, a variety of attack tactics and techniques, and social engineering. All these factors broaden the attack surface and make it harder to investigate and respond. And to combat these kinds of cyberattacks, organizations needed a new tool with a comprehensive approach to building defense.

What is XDR?

XDR stands for “Extended Detection and Response.” “Extended” means that threats are detected and remediated not just at the endpoint level (PCs, laptops and servers), but also beyond. In other words, an Endpoint Detection and Response (EDR) solution that is responsible for detecting and countering threats at the endpoints level — the core element of XDR technology — is supplemented with different information security tools from the same vendor. In addition, these tools are closely integrated with one another and add additional scenarios that strengthen the process of combating complex cyberthreats.

What does XDR include?

The type and quantity of tools that are connected to an XDR solution depend directly on how many tools a given vendor’s portfolio contains and how integrated they are with one another. These could be, for example, products designed to protect mail, web, the network, cloud infrastructure, identity and so on. XDR also may be integrated with threat Intelligence tools — for example, threat data feeds and the platform to manage this data (Threat Intelligence Platform). XDR may also include the portal with  search capabilities for cyberthreats’s details and dependencies lookup. It gives the IT-security expert additional context, which is important to have when investigating cyberincidents. In general, today the XDR concept is the embodiment of the modern economic trend in information security — ecosystems.

Does implementing XDR mean all our previous security efforts were in vain?

Not necessarily. There are two types of XDR solutions on the market: native and hybrid. Native solutions are a good choice if you are creating your protection from scratch or continuing to scale up products that come from a single vendor. Hybrid solutions allow for integration with information security solutions from third-party providers, so whatever money you spent before won’t go out the window.

Isn’t XDR just yet another marketing trick invented by analysts?

No — it’s just the opposite: leading analyst research companies recognized the concept and name “XDR” after this category of solutions had been created on the market. The concept appeared as information security products and market needs evolved. These days, customers need more than a unified set of infosec tools by the same vendor. They also expect other benefits from this unification — for example, in the form of cross-product scenarios, process automation, resource saving and liabilities reduction. An XDR solution encompasses all these features.

What is the value of XDR for businesses?

First, amid a global shortage of information security experts, XDR provides holistic protection for an expanding, changing IT infrastructure against a rapidly evolving cyberthreat landscape.

Second, XDR simplifies the jobs of valuable, scarce resources such as IT-security specialists and engages them in the process of working with incidents.

Third, XDR helps minimize the mean time to detect and mean time to response (MTTD and MTTR). This is crucial for combating complex threats and targeted attacks, where quick actions taken by the IT-security experts reduce the attackers’ chances of achieving their goal and inflicting financial or reputational damage to an organization. So even if you have limited expert resources, you can protect your organization from complex cyberattacks because XDR offers:

  • Increased automation;
  • The use of a single console;
  • A single data lake environment;
  • Close interaction between the iIT-security tools as a part of XDR and joint scenarios;
  • A coherent picture of what is happening in the infrastructure;
  • Built-in enrichment with trustworthy, relevant threat intelligence data;
  • Superior prioritization of incidents;
  • Fewer false positive alerts.

Do you have an XDR solution?

Our enterprise-level security solutions working in conjunction provide XDR capabilities to your company’s cybersecurity experts. Thanks to seamless interoperability our products allow your organization to control all key entry points to your infrastructure, increase visibility and provide centralized defense. If you want to learn more please visit Kaspersky Expert Security web page.

Tips