Extended detection and response (XDR) is swiftly becoming one of the most desirable additions to established security infrastructures. However, well-versed CTOs and CIOs may wonder whether XDR security will add enough value to their time-honoured structure and justify the cost.
To appreciate its value, we must first examine how modern cyber-attacks happen. Seeing the enemy's battle plan gives you a better understanding of how to win the war.
The Cyber Kill Chain is a good place to start
Lockheed Martin created the 'Cyber Kill Chain' to explain the process of a cyber-attack. Although its critics believe it over-simplifies a complex subject, its six stages are easy to remember. Compare that to the 18 stages proposed by the Unified Kill Chain or the granular detail of MITRE ATT&CK and its list of 226 cyber-attack techniques plus list of industry advisory bodies.
Mitre Corporation created 'Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK) as a guide for classifying and describing attacks and intrusions. Far from being an alternative to Kill Chain, many cyber experts believe they complement each other.
Both models follow the typical form of an attack, i.e. break in, be stealthy, and steal data. However, while the Cyber Kill Chain is a linear sequence of phases, the ATT&CK Framework is a matrix not confined to a specific order of events.
Nathan Charles, Head of Sales & Account Management at OyrxAlign, explains: "The ATT&CK Framework expands elements of the Cyber Kill Chain into 12 categories called tactics. These are then further expanded into known cyber techniques. Both models support each other."
We've produced an updated infographic that seeks to overcome some of the criticism of the kill chain by adding more detail and recognising the persistence of modern cyber threats. The infographic is available as a .jpg or .pdf image; JPG Updated Cyber Kill Chain + MITRE ATT&CK, or PDF Updated Cyber Kill Chain + MITRE ATT&CK.
Prevention is no longer enough
Most security experts will tell you it's not a question of IF but WHEN you will be attacked. The bad guys will eventually get into your system. That's why organisations have been moving beyond prevention to 'detection and response'.
Extended detection & response (XDR) focuses on preventing and detecting an intrusion long before any damage can be done. And it does it automatically with speed. Nathan Charles explains: "A good XDR platform constantly scans your entire estate looking for indications of compromise. It quickly recognises suspicious activity and automatically remedies the threat."
Good XDR also knows the common tactics, techniques, and procedures (TTP) used by advanced persistent threats (APT) and other cyber criminals. It has an existing library of solutions that can expand as it encounters known, new and unknown threats. It learns as it detects.
"Your XDR should have an automated response that detects, triages, investigates and hunts when alerted. It should also be smart enough to recognise false positives and escalate only the most serious threats. This was the foundation of our securyXDR platform," adds Nathan.
Holistic XDR security
Another reason for the popularity of XDR is its 360-degree view of your entire IT ecosystem in a single platform. No cyber entry points are missed.
Many organisations have separate protection for their network, endpoints or email. This disjointed method can lead to conflict or gaps in security which exacerbates vulnerabilities. XDR will secure and protect your network, cloud, endpoints, email and 3rd party apps – and give you a single view of it all.
The holistic approach also solves the problem of missing dormant viruses. By seeing threats at every entry point and across your estate, XDR halts the adversary's ability to lay slow-working malware in your systems. This prevents larger-scale disasters down the line.
If you want to learn more about modern cyber threats and the role of XDR security, please book an online consultation with one of our team.
Photo by Flex Point Security Inc.