By Ed Martin, Director of Product Management, Secureworks
Security Operations (SecOps) teams have been under pressure since their inception to perform the role of enterprise defender for firms in every industry. From detecting inbound attacks to managing prevention technologies to becoming experts in all forms of threat intelligence, these teams have had to upskill continuously just to keep up with attackers’ tactics, techniques, and procedures.
These challenges, combined with the prevailing tendency for businesses to treat security investments as a budget issue, have led to an oversimplification of the problem. What’s missing is that risk is not being adequately taken into consideration.
Today, many organizations look only for the biggest threat right now, instead of taking a strategic, holistic approach to a systemic problem. This approach often leads to significant investment in new tools designed only to address the newest threats. When this happens repeatedly, it leads to higher spend for less protection. It also means there is no risk assessment, and no evaluation of the value of assets against the cost of losing them.
Developing a risk-based approach
Without a risk-based approach, CISOs and other board members fail to see value in investing in a full-scale security platform.
The constant thrashing, from detection to prevention and back to detection again, has left SecOps teams and their IT counterparts contending with multiple toolsets, some of which play nicely together and some that do not.
For leadership teams taking a strategic approach to security investments, there are four key considerations to keep in mind:
- Integrated solutions offer the greatest return on investment and give security teams the best weapons to outpace their adversaries.
- They also enable businesses to grow while reducing risk. Endpoint Detection and Response (EDR), SIEM, and SOAR each offer their own value, but each is limited on its own.
- Their lack of interoperability and constrained cost models punish users who want to add additional data.
- Using bespoke SIEM and SOAR products requires additional effort and investment in threat intelligence, rule creation, content curation, and so on.
XDR – Solving business-wide problems
The staggering quantity of data involved in each solution has put new pressure on the budgets that drive decisions. To combat this pressure, Extended Detection and Response (XDR) uses a cloud-native approach to solve leadership’s problem of budget, the security team’s problem of visibility, and the IT team’s problem of tool sprawl. XDR provides data connectivity for all security-rich data sources, such as endpoint, network, and cloud. It pulls together the capabilities SecOps teams need to execute investigation and response actions across the entire enterprise tech stack.
Since the XDR market is emerging from the need of SecOps teams to add data beyond their core EDR telemetry, it’s important to understand the ‘why’ of this transformation. SecOps teams spend a great deal of time switching between multiple security solutions as they search for data that helps them understand the context of a security threat. For example, a threat that takes advantage of a vulnerability in commonly used software may be impactful to the business if that software is installed on the laptop of a sales engineer, but it might shut the entire business down if the same vulnerability is exploited on a server that drives important financial decisions.
Context is everything
To understand the level of a threat, a SecOps analyst needs to pull together not just the alert that indicates something happened, but also the contextual information around the incident that helps them understand its severity. A good SecOps team will have multiple step-by-step operational guides, or playbooks, that drive how the team reacts. If the severity is high enough and an immediate response is required, the SecOps team will execute all steps in real time to avoid further damage.
This is what XDR is designed to do. It provides access to large amounts of data and highly curated threat intelligence that evaluates actions and creates meaningful alerts. It supports investigation of any detected threat (in a collaborative fashion), providing access to all available information at the right time and in the right view, so that no effort is wasted.
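The triage logic the two paragraphs above describe, as an added example that is not code from the article or from Secureworks: the same detection fires on a sales engineer’s laptop and on a finance server, and asset context (a constructed inventory), not the raw alert, decides the severity and which playbook runs. The asset names, weights, thresholds, and playbook names are illustrative assumptions.

```python
# Added example: enrich an alert with asset context, score it, pick a playbook.
# Inventory, weights, thresholds and playbook names are constructed assumptions.
from dataclasses import dataclass

# Constructed asset inventory: business criticality drives the weight.
ASSETS = {
    "laptop-se-042": {"owner": "sales engineer", "criticality": "low"},
    "fin-db-01": {"owner": "finance", "criticality": "critical"},
}
CRITICALITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
PLAYBOOKS = {
    "low": "ticket-and-patch",
    "medium": "isolate-host-and-patch",
    "high": "incident-response-immediate",
}


@dataclass
class Alert:
    host: str
    detection: str
    base_severity: int  # 1-5 as assigned by the detection rule


def enrich(alert, assets=ASSETS):
    """Attach asset context to the raw alert; unknown hosts are treated as 'medium'."""
    asset = assets.get(alert.host, {"owner": "unknown", "criticality": "medium"})
    return {"host": alert.host, "detection": alert.detection,
            "base_severity": alert.base_severity, **asset}


def score(enriched):
    """Contextual severity = rule severity * asset weight, capped at 20."""
    weight = CRITICALITY_WEIGHT[enriched["criticality"]]
    return min(enriched["base_severity"] * weight, 20)


def triage(alert, assets=ASSETS):
    """Return the severity level, the playbook to run, and who owns the asset."""
    enriched = enrich(alert, assets)
    total = score(enriched)
    level = "high" if total >= 12 else "medium" if total >= 6 else "low"
    return {"score": total, "level": level,
            "playbook": PLAYBOOKS[level], "owner": enriched["owner"]}


if __name__ == "__main__":
    same_detection = "exploit attempt against shared-tool"  # constructed
    for host in ("laptop-se-042", "fin-db-01", "unknown-host"):
        print(host, triage(Alert(host, same_detection, 3)))
```

The laptop lands on the ticket-and-patch playbook while the identical alert on the finance server triggers immediate incident response, which is the context the analyst would otherwise have to gather by hand.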
The XDR checklist
When a team is looking to invest in XDR, there are some key attributes to consider. First, look for companies that can show investment in the XDR platform as part of their product and corporate strategy. Extensive data lakes and highly curated threat intelligence require a great deal of technical and security expertise, so find an established security provider with a track record of delivering scalable systems. Service availability is also key.
Your team’s needs will change over time, and the ability to upskill may be tied to volatile investments. During the pandemic we saw security teams in many companies decimated by budget cuts. The XDR platform provider should offer a collection of services that can plug and play into security programs, either directly or through highly trained and suitable partners.
Be sure these service wrappers include a full range of capabilities (tier one reactive workflows, tier two proactive threat hunting, incident response, and so on) and have strong availability for your needs around the clock. High-quality service options should include multiple methods of communication, such as in-context chat, serviced by actual security practitioners.
Extended threat protection
Finally, look for pricing ease and confidence. Many SIEM-based XDR solutions, as well as those based on data center technology, use volume-consumption pricing. These pricing models often discourage SecOps teams from sending more data, as exceeding pricing caps can quickly blow through budgets. Limiting the data sent could mean the data is missing when you need it. Recent breaches, for example, in many cases required a year or more of data to understand the attack vector. Work with a vendor that keeps pricing transparent, simple, and straightforward. Also, ensure your data retention is aligned with your risk profile. At least a year of threat data retention is recommended to deal with the issues above. This will give leaders the details they need for productive conversations during budget cycles.
In the end, XDR platforms focus on upskilling teams, keeping them focused on only the most important threats, automating repetitive tasks, and providing highly curated threat intelligence across endpoint, network, cloud, and business system data, all while keeping the cost predictable.
About the Author
Ed Martin, Director of Product Management at Secureworks, is responsible for the development of Secureworks’ cloud-native security analytics application, Threat Detection & Response (TDR). In this role, Ed leads the product organization to deliver a world-class XDR solution that empowers security analysts with the capabilities they need to compete with threat actors. With a decade of cybersecurity experience, Ed has held numerous positions at Secureworks and BlueVoyant as a security practitioner and in product management and engineering leadership. He holds several GIAC certifications, including Security Essentials (GSEC), Intrusion Analyst (GCIA), and Web Application Penetration Tester (GWAPT), among other certifications from Hewlett-Packard, Pragmatic Institute, and AWS. Ed can be reached online at email@example.com and at our company website https://www.secureworks.com/.