Key Building Blocks for a Complete XDR Solution

It can be overwhelming and confusing for an organization to choose the right XDR solution for its environment when a multitude of vendors all claim to offer one. XDR is currently the new cyber security buzzword that every vendor wants a share of, and that makes it harder for a SecOps team to select the solution that fits its specific environment. Organizations should consider at least the following questions when evaluating an XDR vendor:

  • What will the organization’s processes and playbooks/workflows look like once the XDR solution is implemented, so that the SecOps team can focus on actual incidents?
  • How will the XDR solution enable the SecOps team around detection, response and remediation across the various attack channels such as data, network, email, cloud and endpoint?
  • How will the XDR solution bring the security, incident response and operations teams together, so they can work collaboratively as ONE TEAM during a cyber incident?

Based on our experience with organizations across different verticals, an organization looking for an XDR solution needs to consider a few key security pillars when choosing the right one for its environment.

In this blog, I will start with two of these key security pillars: Visibility and Threat Intel.

Visibility is the key! It is like having a house with CCTV installed but with a few spots around the house where cameras are missing: how is full-scale detection of an intrusion going to take place? A true XDR solution should give the organization visibility across all of the potential detection points: network, email, endpoint, cloud, data and user behavior. This is very important because NO VISIBILITY = NO DETECTION.

Visibility also covers data visibility across the various parts of the organization. From a data protection point of view, an organization needs an XDR architecture that provides visibility into its critical data wherever it is: stored on endpoints (data at rest), flowing through the network (data in motion) and being used by endpoints/users (data in use). Organizations need complete visibility of this data in order to apply the relevant security controls and keep it from getting into the wrong hands. With this data visibility they can also determine what data may have leaked during a cyber incident or while investigating a breach.

Visibility is also related to the security coverage of assets. With today’s hybrid work environment, organizations have critical assets spread across different operating systems as well as form factors (hardware, virtual, cloud). A true XDR solution should have well-defined processes/playbooks/tools in place that give the SecOps team visibility across all asset types, and should make sure this visibility does not degrade over time as the environment changes (new hosts appear, old ones are decommissioned, agents stop reporting). Visibility across the various attack channels leads to accurate and early detection of advanced attacks, so the SecOps team can respond and remediate in time to prevent further damage.
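One practical way to check that asset visibility is not silently degrading is to reconcile the asset inventory against what the sensors actually report. The script below is an added example for this post, not code from the original or from Trellix. The inventory, the sensor check-in times, the network-sensor host list and the field names are all constructed for the example, and the seven-day staleness threshold is an assumption a team would tune to its own agent heartbeat interval.

```python
from datetime import datetime, timedelta, timezone

# Constructed asset inventory, as it might be exported from a CMDB or a
# cloud provider's API. Hostnames and IDs are made up for this example.
INVENTORY = [
    {"asset_id": "srv-001", "hostname": "web01", "os": "linux", "form_factor": "virtual"},
    {"asset_id": "srv-002", "hostname": "db01", "os": "windows", "form_factor": "hardware"},
    {"asset_id": "vm-003", "hostname": "build01", "os": "linux", "form_factor": "cloud"},
    {"asset_id": "lt-004", "hostname": "laptop-jsmith", "os": "macos", "form_factor": "hardware"},
    {"asset_id": "vm-005", "hostname": "legacy01", "os": "windows", "form_factor": "virtual"},
]

# Constructed last check-in times from the endpoint sensor console.
SENSOR_CHECKINS = {
    "srv-001": "2024-05-01T08:00:00Z",
    "srv-002": "2024-05-01T07:55:00Z",
    "vm-003": "2024-04-10T12:00:00Z",  # agent installed but stopped reporting weeks ago
    # "lt-004" is absent: no agent was ever deployed
    "vm-005": "2024-05-01T08:01:00Z",
}

# Constructed set of hostnames observed by the network sensor in the period.
NETWORK_SEEN = {"web01", "db01", "build01", "legacy01"}

NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for the constructed data


def parse_ts(ts):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def coverage_report(inventory, sensor_checkins, network_seen, now,
                    max_age=timedelta(days=7)):
    """Reconcile the inventory against two telemetry sources.

    An asset is a gap if it has no endpoint agent, if its agent has not
    checked in within max_age (assumed threshold), or if the network sensor
    never saw it. Only assets seen by both sources count as covered.
    """
    report = {"no_agent": [], "stale_agent": [], "no_network": [], "covered": []}
    for asset in inventory:
        aid = asset["asset_id"]
        last = sensor_checkins.get(aid)
        agent_ok = False
        if last is None:
            report["no_agent"].append(aid)
        elif now - parse_ts(last) > max_age:
            report["stale_agent"].append(aid)
        else:
            agent_ok = True
        net_ok = asset["hostname"] in network_seen
        if not net_ok:
            report["no_network"].append(aid)
        if agent_ok and net_ok:
            report["covered"].append(aid)
    return report


def coverage_by(inventory, covered, key):
    """Fraction of fully covered assets, grouped by an inventory attribute.

    Grouping by 'os' or 'form_factor' shows where coverage is weakest, which
    is the view needed to decide where to deploy or repair sensors next.
    """
    covered = set(covered)
    totals, ok = {}, {}
    for asset in inventory:
        group = asset[key]
        totals[group] = totals.get(group, 0) + 1
        if asset["asset_id"] in covered:
            ok[group] = ok.get(group, 0) + 1
    return {group: ok.get(group, 0) / totals[group] for group in totals}


def run_sample():
    """Reconcile the constructed inventory above and return the gap report."""
    return coverage_report(INVENTORY, SENSOR_CHECKINS, NETWORK_SEEN, NOW)


if __name__ == "__main__":
    report = run_sample()
    for gap in ("no_agent", "stale_agent", "no_network"):
        print(f"{gap}: {report[gap]}")
    print("coverage by form factor:", coverage_by(INVENTORY, report["covered"], "form_factor"))
```

Run on a schedule, a report like this turns "visibility does not degrade over time" from a hope into a measured number: the laptop with no agent and the cloud build host whose agent went quiet both surface as gaps, and the per-form-factor breakdown shows that cloud coverage is the weakest.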

That covers visibility, the first key security pillar an organization should use when considering an XDR solution.

The next security pillar that I would like to cover is Threat Intel. In the current threat environment, organizations rely on accurate threat intelligence to identify and understand threats targeting their industry. This enables the organization to tune and focus their detection and response processes and security controls to promptly detect and respond to targeted threats.

Organizations typically derive threat intel from the following activities and channels:

  • Security Analysts’ Investigations – New threat indicators may be discovered when a security analyst reviews data collected from a compromised endpoint. Indicators of Compromise (IOCs) discovered this way include malicious files, processes or URLs. While conducting static and dynamic analysis of the malicious files, the analyst may identify additional traits that can be turned into IOCs.
  • Commercial Threat Intel Feeds – Many organizations purchase verified threat intelligence feeds, some of which have a specific focus such as nation-state actors, deep and dark web threats, or industry-specific threats.
  • Open-Source Threat Intel Feeds – Organizations also often rely on open-source threat intel sources, including free information from vendor blogs and publicly available deny or allow lists from security researchers.
  • Threat Sharing Groups – There are also various threat sharing groups, such as ISACs (Information Sharing and Analysis Centers), that share industry-relevant threat data with vetted members.

SecOps teams often ask: “Now that I have threat intel from multiple sources, what should I do next?” The typical methods organizations use to share threat intel between different security controls are manual processes that are time and labor intensive. Security analysts spend a lot of time analyzing and manually maintaining IOCs in an Excel spreadsheet or in a threat intelligence platform such as MISP, and then share those IOCs with other teams in the organization through emails, chat messages or other manual and error-prone methods.

Sharing threat intelligence quickly with every security control is crucial so that the organization can detect and respond to threats as soon as they are discovered. It also ensures that the security controls are integrated and working together to provide an effective, layered defense for the organization.

Thus, when organizations consider an XDR solution, they should look for well-defined, built-in playbooks and procedures for ingesting, leveraging and sharing threat intelligence across the security solutions for endpoint, data, email, cloud and network. An XDR solution should also give the SecOps team the tools to generate threat intel as part of day-to-day operational activities and to share it across all attack channels. With that threat intel in place, during a cyber security incident the data protection solution (as one example) would know immediately that an active intrusion is underway and that a response action needs to be initiated. Using an XDR solution, SecOps teams can generate and operationalize threat intel automatically, without manual and time-consuming processes.
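The two paragraphs above describe the problem (IOCs scattered across spreadsheets, MISP exports and feeds, shared by hand) and the goal (one set of intel applied uniformly to endpoint, network, email and cloud telemetry). The script below is an added example for this post, not code from the original or from Trellix, showing the minimum such a pipeline has to do: ingest indicators from more than one feed format, normalize them (refang, case-fold hashes, reject malformed entries), keep track of which feed each came from, and match the merged set against events from several channels. The MISP export uses only the Event/Attribute subset of the MISP JSON format, and the CSV feed, the telemetry records, their field names and every indicator value are constructed for the example.

```python
import csv
import io
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed MISP-style export (Event -> Attribute[{type, value}] subset only); made-up indicators.
MISP_EVENT = json.dumps({"Event": {"info": "constructed example", "Attribute": [
    {"type": "ip-dst", "value": "203.0.113.45"},
    {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"type": "url", "value": "hxxp://bad.example[.]net/payload"},
]}})

# Constructed CSV feed, in the shape a vendor blog or researcher deny list might use.
CSV_FEED = """type,value
ip,203.0.113.45
domain,bad.example[.]net
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
ip,not-an-ip
"""

# Constructed telemetry from four channels; the field names are this example's own.
TELEMETRY = [
    {"channel": "endpoint", "host": "web01",
     "process_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"channel": "network", "src": "10.0.0.5", "dst": "203.0.113.45"},
    {"channel": "email", "recipient": "jsmith", "url": "http://bad.example.net/payload"},
    {"channel": "cloud", "principal": "ci-runner", "source_ip": "198.51.100.7"},
]

# MISP attribute types handled here, mapped onto this example's canonical types.
MISP_TYPE_MAP = {"ip-dst": "ip", "ip-src": "ip", "domain": "domain", "url": "url", "sha256": "sha256"}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Which fields of each channel's events look like indicators, and of which type.
EXTRACTORS = {
    "endpoint": lambda e: [("sha256", e["process_sha256"])],
    "network": lambda e: [("ip", e["dst"])],
    "email": lambda e: [("url", e["url"]), ("domain", urlsplit(e["url"]).hostname or "")],
    "cloud": lambda e: [("ip", e["source_ip"])],
}


def refang(value):
    """Undo common defanging (hxxp, [.]) so feed entries match live telemetry."""
    v = re.sub(r"^hxxp(s?://)", r"http\1", value.strip(), flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def normalize(ioc_type, value):
    """Return a canonical (type, value) key, or None if the indicator is malformed."""
    v = refang(value)
    if ioc_type == "ip":
        try:
            return ("ip", str(ipaddress.ip_address(v)))
        except ValueError:
            return None
    if ioc_type == "sha256":
        v = v.lower()
        return ("sha256", v) if SHA256_RE.match(v) else None
    if ioc_type == "domain":
        return ("domain", v.lower().rstrip("."))
    if ioc_type == "url":
        parts = urlsplit(v)
        if not parts.scheme or not parts.netloc:
            return None
        return ("url", parts._replace(netloc=parts.netloc.lower()).geturl())
    return None


def load_misp(text):
    """Yield (type, value) for the MISP attribute types this example understands."""
    return ((MISP_TYPE_MAP[a["type"]], a["value"])
            for a in json.loads(text)["Event"]["Attribute"] if a["type"] in MISP_TYPE_MAP)


def load_csv(text):
    return ((row["type"], row["value"]) for row in csv.DictReader(io.StringIO(text)))


def build_ioc_set(sources):
    """Merge indicators from all feeds, keyed by canonical form, keeping provenance."""
    iocs = {}
    for name, pairs in sources.items():
        for ioc_type, value in pairs:
            key = normalize(ioc_type, value)
            if key is None:
                continue  # malformed entries are dropped rather than pushed out to controls
            iocs.setdefault(key, set()).add(name)
    return iocs


def match(events, iocs):
    """Apply one IOC set uniformly across all channels; return the hits."""
    hits = []
    for event in events:
        for ioc_type, value in EXTRACTORS[event["channel"]](event):
            key = normalize(ioc_type, value)
            if key in iocs:
                hits.append({"channel": event["channel"], "indicator": key, "sources": sorted(iocs[key])})
    return hits


if __name__ == "__main__":
    iocs = build_ioc_set({"misp": load_misp(MISP_EVENT), "csv": load_csv(CSV_FEED)})
    print(match(TELEMETRY, iocs))
```

The same four normalized indicators fire on the endpoint (file hash), network (destination IP) and email (URL and its domain) events, while the cloud event produces no false hit; the provenance set on each hit shows which feeds agreed, which is what an analyst wants before a response action is triggered from a single source. In a real deployment the normalized set would be pushed to each control through its own API rather than matched in a script, but the normalization and provenance steps are the same.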

Thus, threat intel is the second key security pillar an organization should consider when looking for an XDR solution.

Stay tuned for the next blog, where I will cover the next key security pillar for evaluating an XDR solution: Detection and Response!

In the meantime, if you would like to learn more about the Trellix XDR platform, here is the link.
At Trellix, we’re no strangers to cybersecurity. But we are a new company. Trellix is a global company redefining the future of cybersecurity. Our open and native extended detection and response (XDR) platform helps organizations confronted by today’s most advanced threats gain confidence in the protection and resilience of their operations. We created an XDR architecture that can be tailored to your local government’s organization, delivering higher resilience and agility. Curious? Let’s connect today at: www.trellix.com