There’s a lot of confusion about the exact definition of an XDR solution, which can obfuscate the important details around what it can specifically do for your security posture. For those looking for value in an XDR solution, there are six critical capabilities that should be considered a must.

1. Integration with everything

This is one of the capabilities that everyone agrees on. Whether you’re looking at it as a single vendor or open best-of-breed solution, the entire point of XDR is to consolidate your security stack into a single, tightly integrated solution. While this immediately disqualifies any solution that doesn’t have strong API-centric integration capabilities, there are other considerations that are also important to address early. XDR needs to do more than just receive a data feed from other solutions, which is effectively what a SIEM already does. The XDR also needs to be able to query any other tool in the stack for additional data and context, as well as initiate response actions without requiring the analyst to login to another tool.

If you’re looking for an XDR solution that will adapt to your requirements rather than being tailored to a single vendor’s portfolio, it’s important to understand how integrations are done. If you’re overly dependent on the vendor to roll out integrations on a release cycle that won’t prioritize your requirements, it can severely limit your ability to add new sources of telemetry to your XDR. Either the vendor needs to commit to rapid development of new integrations, or you need to make sure that the process for adding your own is easy.

2. Intelligent Automation

Based on many of the recent entries into the XDR market, maybe any automation capability is a good starting point. Without automation in some form, you’re really dropping back into the SIEM/Security Analytics concept where the platform is merely a data aggregator that has a minimal impact on operational efficiency. Analysts must manually investigate and respond to threats, which not only drains valuable time and resources, but increases MTTD and MTTR as well.

But simple automation that runs a handful of fixed playbooks or one-off actions isn’t enough. For an XDR to deliver simplified and consolidated processes that deliver better detection and response outcomes, automation needs to be smart. This intelligence needs to not only follow predefined playbook logic, but adapt based on the variables unique to each specific threat so that it can accurately determine risk and automatically respond in the right way. And it needs to be able to do so at scale to help eliminate alert fatigue through automated triage.

3. Artificial Intelligence

While a lot of the discussion around AI (and the source of much skepticism) is focused on its ability to analyze threats like a human, one of the most underappreciated applications of AI is to drive product usability and adoption. That means not just performing calculations to assess threat probability and risk on the fly, but also learning what you need in your specific environment and then telling you what you should do and how to do it.

Embedded AI/ML modules that help your playbooks deliver more effective threat detection and alert triage are incredibly valuable. Yet one of the biggest blockers to solution adoption is not having the time, resources or expertise to determine what to configure and how to do it effectively. When evaluating your XDR options, make sure that you assess not only how well the system can learn and adapt, but also its capacity for delivering unique configuration guidance based on what it learns from your business needs.

4. Deep Analytics and Consolidated, Advanced Threat Detection

This is the aim of any modern security solution, and there are many (SIEM, EDR, NDR, etc.) that provide critical aspects to the overall goal. A successful XDR deployment will consolidate all of that data and analyze it under one lens, identifying and correlating all of the relevant threat data to give a complete assessment of any potential threat. Just as important to the analysis is the ability to quickly distinguish between true threats and false positives, without missing real attacks.

The advantage that XDR delivers is the ability to tie threat data together and automatically apply multiple analytical methodologies to accurately detect, investigate, assess, and verify the validity of the threat, and then immediately respond to it. By looking at every potential threat vector in one place, the XDR platform can assess all of the different Tactics and Techniques being used by an attacker to correlate which are being used in conjunction with one another to deliver rapid, comprehensive, deep threat detection and deliver an appropriate response.

5. Extensible, Affordable Data Layer

No detection and response program works without access to security event data. That should be a given, but with high licensing and operating costs associated with long term retention, many organizations are forced to either limit their data retention or use secondary archives that can be difficult to search or analyze. SIEM solutions have long been the primary repository for data storage, both for near-term and historical analysis, and compliance mandated retention, but legacy architectures designed for rapid analysis come at a high cost.

One of the key reasons SIEM storage is so expensive is that it is largely built on outdated architectures that have trouble separating the near-term data required for rapid threat detection, and older data that is more useful for identifying historical trends and threat hunting. Data that doesn’t need to be analyzed immediately is still stored in an expensive tier, and the volume over time means that the cost continues to grow. An effective XDR can distinguish between the two, using more efficient and lower cost methods to retain historical data and deliverthe required access without the unreasonable expense.

6. Deployment Flexibility

When it comes to deployment requirements and solution form factor preferences, every organization is different. An XDR solution should support on-premise and cloud-based implementations, as well as managed deployments to accommodate organizations that lack the resources to manage them on their own. Cloud-based and managed deployments should have multi-tenancy and operating certifications like SOC 2 to ensure that the operating platform is secure. Over time those preferences/requirements can change. It’s important to be able to adapt, so the ability to quickly migrate between deployment options is important.

Blog

Related Posts

May 20, 2022 Willy Leichter

Automating Threat Detection: Three Case Studies

Demystifying the technology with case studies of AI security in action Many automation tools, such...

Learn More

May 17, 2022 Willy Leichter

It's Time to Put AI to Work in Security

While we’ve been talking about and imagining artificial intelligence for years, it only has...

Learn More

May 15, 2022 Tessa Mishoe

LogicHub Security RoundUp: May 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be...

Learn More

May 9, 2022 Tessa Mishoe

Bad Luck: BlackCat Ransomware Bulletin

Blackcat Ransomware On April 19th of 2022, the FBI Cyber Division released a flash bulletin...

Learn More

May 6, 2022 Kumar Saurabh

Let Humans Be Humans and AI Be AI

LogicHub’s unique decision automation technology can build clients the ultimate security playbook...

Learn More

May 3, 2022 Kumar Saurabh

How to Build a Threat Detection Playbook In 15 Minutes or Less

Automating a threat-hunting playbook with the help of AI Many threat-hunting playbooks we build for...

Learn More

April 29, 2022 Tessa Mishoe

Integrating Better: What Can Integrations Do For Me?

Introduction Within the realm of security, there are many different toolsets and opinions on what...

Learn More

April 27, 2022 Willy Leichter

Beyond No-Code: Using AI for Guided Security Automation

SOAR Playbooks Outside of football, the term “playbook” is well understood by a relatively small...

Learn More

April 21, 2022 Willy Leichter

Goodbye Lonely SIEM, Hello MDR

When updating your systems from a pure Security Information Event Management (SIEM), choosing the...

Learn More

April 15, 2022 Tessa Mishoe

LogicHub Security Roundup: April 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be...

Learn More