XDR is Coming, CISOs Need to Prepare Accordingly

Beyond threat detection and response, CISOs should think of XDR as a catalyst for modernizing the SOC, automating processes, and improving staff productivity.

According to Enterprise Strategy Group research, enterprise organizations claim that improving detection of advanced cyber-threats is their highest priority for security operations. As a result, 83% of organizations will increase threat detection and response spending over the next 12 to 18 months.

This is no surprise—threat detection and response is always a high priority. Unfortunately, the data reveals something else. Despite spending millions of dollars on cybersecurity technology over the past few years, most organizations still can’t detect or respond to cyber-attacks in a reasonable timeframe. It’s also fair to say that things are getting worse—just ask any organization using SolarWinds for network monitoring.

Recognizing the need for better mousetraps, the security technology industry is proposing eXtended Detection and Response (XDR) as a possible solution. I posted a blog about XDR last June where I defined the term and speculated on how the market would develop. As I suspected at the time, XDR innovation has steadily progressed, and I expect big things from the supply side for the remainder of the year.

To be clear, XDR is still an emerging technology, not a panacea. Nevertheless, there’s a lot of industry innovation and investment going into XDR, and it may help organizations bolster security analytics efficacy, streamline security operations, and anchor their SOCs with a tightly integrated security operations and analytics platform architecture (SOAPA).

Given its potential, organizations should have a game plan for XDR in 2021. I suggest that CISOs do the following:

1. Cast a wide net with lots of upfront research. Only 24% of security professionals claim they are “very familiar” with XDR, which is understandable due to new technology and lots of confusing marketing. Given this knowledge gap, the first thing organizations should do is learn about all types of XDR: Platform-based (i.e., multiple controls with analytics and a control plane), software only (i.e., a software layer on top of existing controls), open XDR, etc. This will help the SOC team decide on a strategy where XDR can supplement or replace existing tools and processes. As a consolidation architecture, it’s likely that many existing and trusted vendors will be pitching XDR as an outgrowth of their EDR, NDR, or security analytics technology. At this early stage, CISOs should invite strategic security technology partners in to educate the security team on XDR and outline their product roadmaps. This should get the team up to speed and help them start to craft an XDR strategy.
2. Identify organizational weaknesses and blind spots. Before moving forward with yet another threat detection and response technology, it’s worth digging into existing tools and processes to see what’s working and what’s not. Is the SOC team fully utilizing EDR, NDR, and SIEM or is there a skills or resource gap? Are there process bottlenecks that slow mean time to detect/mean time to respond to threats that have nothing to do with technology? If either of these things are true, SOAR and professional services may make more sense than another analytics tool. Since modern cyber-threats move laterally across networks, it’s also worth investigating if the organization has any weaknesses or blind spots when it comes to security monitoring. For example, ESG research pointed to security monitoring weaknesses related to public cloud infrastructure. In cases like this, XDR should start by improving cloud security visibility and integrating cloud security analytics with existing EDR, NDR, threat intelligence, etc.
3. Pick a starting point for project planning. XDR is an architecture, not a product, so it may take a few years to fully deploy and configure XDR. That said, you must start somewhere. Based on the previous point, it’s not surprising that 43% of survey respondents speculated that their organization would start a project by implementing an XDR solution with threat detection and response capabilities for cloud-based workloads and SaaS. This is a reasonable starting point, but XDR technology can evolve from tactical to strategic coverage. Regardless of where an organization starts an XDR deployment, the security team must look forward, identify points of integration, map out engineering projects, and define a set of metrics it will use to measure XDR and project effectiveness.
4. Use XDR to establish security operations best practices. Security operations are haphazard at many organizations, featuring many manual process and constant firefighting. Some SOC teams use SOAR to help them out of this mess, but SOAR platforms require staff resources and skills to create playbooks and code orchestration routines. XDR will likely act as a poor man’s SOAR by “canning” a lot of common security processes, which should be fine for most organizations. Some XDR platforms can also help organizations operationalize the MITRE ATT&CK framework—a big step forward. In selecting an XDR solution, CISOs should evaluate how each vendor supports and promotes security operations best practices and how well their organization can adapt to these changes.
5. Get the IT operations team involved. Incident response requires strong collaboration and cooperation between security and IT teams. To support and improve the team effort, XDR platforms should adapt to existing process handoffs and integrate with existing security operations tools like ServiceNow, Jira, Microsoft OMS, etc. In other words, XDR projects should improve rather than disrupt existing data analysis, case management, incident prioritization, and mitigation efforts.

Cybersecurity tends to suffer from what I call “shiny object syndrome.” A new technology comes along, and the industry goes gaga. When organizations flock to these new tools, however, they don’t take the time to fully learn the technologies or modify security operations to achieve the maximum benefit. XDR is an architecture that will take months or years to fully deploy, giving organizations time to do things right. Therefore, CISOs should amalgamate XDR into formal projects and future strategies. In this way, XDR can act as a cybersecurity force multiplier, not just the next buzzworthy topic at RSA and Black Hat.

BTW: I’m excited about our new XDR research, so look for more blogs on this topic soon.