Securing Endpoints in 2020: Proactive Security with XDR
by Gilad David Maayan
What is XDR?
In the past, endpoints were the preferred entry point for attackers. As attacks increase in number and complexity, organizations must go beyond antivirus software to protect their endpoints. Endpoint Detection and Response (EDR) is a viable solution to this problem. EDR products deploy endpoint agents that monitor, collect, and send data to the cloud to enable threat detection and mitigation.
The EDR method is simple and effective. However, if you need to log and analyze data collected from thousands of endpoints to isolate malicious behavior, the effort can be overwhelming.
EDR solutions are an essential part of corporate security and have helped improve corporate security systems. Organizations need a better way to push security beyond the endpoint, and connect the dots between endpoint security and other aspects of cybersecurity.
Extended detection and response (XDR) is a comprehensive solution that extends EDR through better context and data from many more enterprise systems. The X in XDR represents more data sources, enabling better detection and response. XDR provides a holistic view of the network and provides insight into endpoints together with network security data. Analyzing this data together provides a bigger picture of security incidents, enabling security analysts to conduct investigations more effectively.
XDR Security Benefits
Here are some of the key benefits organizations can derive from moving from traditional EDR to a holistic XDR approach.
With XDR, you can better understand endpoint users, their permissions, the applications they are using, and the files they are downloading. Combining this information with network visibility and application traffic (both in the local data center and in the cloud) enables faster detection and prevention of attacks.
XDR solutions provide microsegmentation at the infrastructure, application, and user levels, and security and access control policies can be implemented across multiple data centers, including cloud providers. This significantly reduces the attack surface and prevents lateral movement of threats between applications and environments.
Because of the large amount of data and extensive automated analysis that XDR provides, security teams can quickly trace the origin of attacks, understand the kill chain, and immediately respond by blocking infected sources and endpoints.
XDR solutions allow security teams to define cross-organization white and black lists, ensuring only known good software and configuration is used. You can effectively lock down servers, network devices, and environments without affecting user endpoints.
Today's security teams receive alerts that lack information and context. Rather than providing multiple tools, XDR provides a unified platform with one central point of reference for security teams. This dramatically improves operational efficiency.
Proactive Endpoint Security: Threat Hunting with XDR
Threat hunting is the practice of reviewing data from your organization’s network, resources and infrastructure, and looking for threats that have penetrated your systems and were not picked up by existing security defenses.
XDR solutions make the same assumption as a threat hunter: that threats and malicious actors are already active in the environment, having slipped past security defenses like firewalls and intrusion prevention/detection systems. It is difficult to conduct threat hunting with a traditional event correlation/aggregation solution, and this is exactly where XDR can help.
With XDR, a threat hunter can perform much deeper inspection of data that may be relevant to a specific threat. XDR provides deeper access and analysis of logs, access requests, application traffic, and network events. The next stage is to automate a response - once a threat is detected, XDR can act at any layer of the environment to identify and mitigate it.
XDR can provide the following types of intelligence to assist in a threat hunting search:
- Machine learning analytics - can automatically review events or entities and assign a risk score to identify probable risk patterns
- Anomalies - monitor high-risk entities or valuable targets, such as data, systems or specific users, for anomalous or unusual activity.
- Threat intelligence - add information on threat models, threat actors, malware, related sessions, and existing vulnerabilities.
Here is a process security analysts can use to carry out threat hunting using the advanced capabilities of XDR solutions:
- Use the XDR system to collect all relevant data sources for pattern recognition. The more data the better. XDR makes it easy to delete, suppress or filter out irrelevant data.
- Ensure that the first line of defence is working properly - risk assessment tools, firewalls, intrusion prevention, etc. Otherwise it will not be possible to rely on data from these tools for threat hunting.
- Use host names and user account names to reliably correlate data sources. IP addresses can change as DHCP leases are reassigned, so the same address may refer to different machines at different times. The data must be highly reliable to facilitate analysis, because the XDR system correlates between many different systems and data sources.
- Identify sensitive assets and accounts and focus your analysis on them. Monitor who uses them, when, and what actions they are performing. Leverage automated XDR analysis to identify anomalies or outliers.
- Use catastrophic breach scenarios as the starting point of the analysis and move back - consider, if an attacker achieved this type of breach, what would they attack first, and follow the potential kill chain to identify threats.
- Use documentation of the corporate environment including network maps, business processes, asset inventories, data loss prevention (DLP) system configuration, and more. Identifying risk with XDR relies on the human analyst, linking alerts to real infrastructure and business activity. In order to identify how a threat entered the system, you must understand how security events are related to real workflows.
- When identifying a threat, use XDR capabilities to trigger an automated response. The XDR system should be equipped with playbooks for common threat scenarios. For example, it can isolate an endpoint, lock down a data asset, add firewall rules, change configuration, etc.
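The hunting process above, together with the three kinds of intelligence listed earlier (risk scoring, anomalies, threat intelligence), as an added example in Python; it is not code from the article or from any XDR product. It walks the steps on constructed telemetry: merge endpoint, DHCP and proxy records keyed by hostname rather than IP, enrich with a threat-intelligence list, score each host with extra weight for sensitive assets, and pick a playbook action. Every hostname, user, domain, IP, threshold and score weight is an assumption invented for the example.

```python
# Added example (not the article's or any vendor's code): a toy XDR-style hunting
# pipeline over constructed telemetry. All names, addresses and weights are made up.
from collections import defaultdict

# --- Constructed sample telemetry from three sources (placeholders only) ---
EDR_EVENTS = [  # endpoint agent: already keyed by host and user
    {"ts": 100, "host": "ws-042", "user": "alice", "type": "login"},
    {"ts": 110, "host": "ws-042", "user": "alice", "type": "download", "bytes": 200_000},
    {"ts": 120, "host": "ws-042", "user": "alice", "type": "download", "bytes": 300_000},
    {"ts": 300, "host": "fin-db-01", "user": "svc_backup", "type": "login"},
    {"ts": 310, "host": "fin-db-01", "user": "svc_backup", "type": "download", "bytes": 900_000_000},
]
# DHCP leases: the same IP moves from ws-042 to fin-db-01 at ts=200, which is
# why joining on IP alone (step 3 above) would attribute later traffic to the wrong host.
DHCP_LEASES = [
    {"ip": "10.0.0.5", "host": "ws-042", "start": 0, "end": 200},
    {"ip": "10.0.0.5", "host": "fin-db-01", "start": 200, "end": 1000},
]
PROXY_EVENTS = [  # network layer: only knows the source IP
    {"ts": 115, "src_ip": "10.0.0.5", "dst": "updates.example-vendor.test"},
    {"ts": 320, "src_ip": "10.0.0.5", "dst": "bad.example-c2.test"},
]
THREAT_INTEL_DOMAINS = {"bad.example-c2.test"}  # constructed blocklist (.test is reserved)
SENSITIVE_HOSTS = {"fin-db-01"}                 # step 4: assets the hunt focuses on
BASELINE_DOWNLOAD_BYTES = 5_000_000             # assumed per-host normal download volume
ISOLATE_THRESHOLD = 50                          # assumed score at which the playbook isolates


def host_for_ip(ip, ts):
    """Resolve an IP to the hostname holding its DHCP lease at time ts (None if unknown)."""
    for lease in DHCP_LEASES:
        if lease["ip"] == ip and lease["start"] <= ts < lease["end"]:
            return lease["host"]
    return None


def correlate():
    """Build a per-host timeline; network events are re-keyed from IP to hostname."""
    timeline = defaultdict(list)
    for ev in EDR_EVENTS:
        timeline[ev["host"]].append(ev)
    for ev in PROXY_EVENTS:
        host = host_for_ip(ev["src_ip"], ev["ts"])
        if host is None:
            continue  # an unresolvable IP is dropped rather than guessed at
        timeline[host].append({"ts": ev["ts"], "host": host, "type": "dns", "dst": ev["dst"]})
    for events in timeline.values():
        events.sort(key=lambda e: e["ts"])
    return timeline


def score_host(host, events):
    """Risk score from a threat-intel hit, a download-volume anomaly and asset sensitivity."""
    score, reasons = 0, []
    if any(e["type"] == "dns" and e["dst"] in THREAT_INTEL_DOMAINS for e in events):
        score += 40
        reasons.append("threat-intel domain")
    downloaded = sum(e.get("bytes", 0) for e in events if e["type"] == "download")
    if downloaded > BASELINE_DOWNLOAD_BYTES:
        score += 30
        reasons.append("download volume anomaly")
    if host in SENSITIVE_HOSTS:
        score *= 2  # the same signals matter more on a crown-jewel asset
        reasons.append("sensitive asset")
    return score, reasons


def hunt():
    """Run the pipeline and return score, reasons and playbook action per host."""
    results = {}
    for host, events in correlate().items():
        score, reasons = score_host(host, events)
        action = "isolate_host" if score >= ISOLATE_THRESHOLD else "monitor"
        results[host] = {"score": score, "reasons": reasons, "action": action}
    return results


if __name__ == "__main__":
    for host, result in hunt().items():
        print(host, result)
```

Running the script attributes the lookup of the blocklisted domain to fin-db-01 rather than ws-042, because the lease table is consulted at the event's timestamp; fin-db-01 then scores 140 (threat-intel hit plus download anomaly, doubled for sensitivity) and gets the isolate action, while ws-042 scores 0 and stays under monitoring. A real deployment would replace the hard-coded weights with the platform's own analytics and feed the chosen action into its playbook engine.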
This article discussed how XDR is replacing EDR as a holistic method for securing endpoints, by correlating endpoint data with other security data taken from different layers of the IT environment. Specifically, the article focused on using XDR to make endpoint security proactive: leveraging capabilities like data collection and automated analysis to perform highly effective, real-time threat hunting, and triggering automated responses to identified threats.
About the Author
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.