How to tackle cyber threats with XDR

Vibin Shaju, VP Solutions Engineering EMEA at Trellix, explains how XDR is crucial for cybersecurity in GCC as organizations seek comprehensive protection against rising threats.

Extended detection and response (XDR) has become something of a household (well, boardroom) name — according to Trellix’s recent ‘Mind of the CISO’ research, 56% of organizations across the UAE and KSA already have XDR as part of their security strategy. Its fame comes from its ability to solve the point solution problem and bring together disparate elements of cybersecurity at a time when the GCC is inundated with cyberattacks. But not all XDR is created equal, so when deciding which XDR solution is right for you, it is worth considering four key security pillars.

  1. Visibility

You cannot detect what you cannot see. An obvious point, maybe, but one that has escaped the notice of many an organization. If this was true before pandemic lockdowns pushed us into the cloud en masse, it is doubly so now. Many enterprises do not, or cannot, gather data from third-party environments or the personal devices of remote-working employees. Lack of data equates to blind spots. Whether at rest, in transit, or in use, data, and the metadata it generates, must be captured. And this must happen wherever the data is — on premises or in the cloud, on hardware or on a virtual machine.

SecOps teams must be supported by processes, policies, and tools that give them unfettered access to all asset types; and this visibility must be maintained over time. If not, then analysts cannot be expected to effectively monitor all possible attack channels.

  2. Threat intelligence

In addition to visibility, SecOps teams must also have access to threat intelligence. This can take many forms, from the diligent investigations of the analysts themselves reviewing data from compromised endpoints to the external intel made available commercially or as part of an open-source or threat-sharing initiative. The indicators of compromise (IOCs) that result from intel exercises can be shared with different security controls for the purposes of detection and response.

If a SecOps team can efficiently ingest, share, and leverage threat intelligence across its security solutions — endpoint, data, email, cloud, and network — it will have taken the first step towards robust XDR. The team should also be able to generate threat intelligence through day-to-day operations. It is the only way to guarantee the ability to identify an active intrusion. Which brings us, neatly, to detection.

  3. Detection

You cannot guard against what you cannot detect. Another obvious point that only stands because so many regional organizations find themselves with a detection shortfall. Organizations must review their tools and techniques across attack channels to ensure the SecOps team is covered for real-time action. We all know the GCC faces a skills gap in cybersecurity and that (apparently) cybergangs do not. This is a challenge. Since prevention is now all but impossible, well-defined detection and remediation tools are critical, as are the procedures that govern their use. Field-tested, automated playbooks should turn the SecOps team into threat hunters, capable of examining all data — whether stored, moving, or accessed — and determining whether a leak is happening.

The playbook should require alerts from endpoint, email, network, or cloud solutions to be instantaneously shared with the centralized data protection dashboard for real-time visibility. This allows the XDR solution to also detect lateral movement. Taken together, these detection capabilities allow the reduction of dwell time, which according to some reports can average as long as three weeks.

A strong XDR solution will be able to link events together to detect low and slow intrusions. This is where XDR proves to be more than the sum of its parts. Individual vendor solutions may not be capable of the same level of discovery. XDR, which brings these solutions together, garners more context and can tell analysts the full story of what happened during a contained breach. This allows them to search for additional context among other affected systems or credentials.

Working like this means policy wins over technology. A point solution may identify a weak signal, but this may be a ploy by an attacker to slip under the radar. If several point solutions identify weak signals and pass them along to a central decision-making apparatus, XDR will put several “weaks” together to deduce a “strong”. And so, what would otherwise have been a stealthy attack with weeks of dwell time is thrown into the light where SecOps can decide what to do with it. And so, we come to response.
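The "several weaks make a strong" idea above, as an added sketch that is not from the article or from any vendor's product: alerts from different controls are grouped by affected entity inside a time window and their scores combined. The sample alerts, the 24-hour window, the 0.7 threshold, the three-source requirement and the noisy-OR scoring (which treats the controls as independent) are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window
STRONG = 0.7                  # assumed score at which an analyst is alerted
MIN_SOURCES = 3               # assumed number of distinct controls that must agree

# Constructed sample alerts: (time, source control, entity, score 0..1, summary)
ALERTS = [
    ("2024-01-10T08:02:00", "email",    "host-17", 0.30, "attachment with macro"),
    ("2024-01-10T08:40:00", "endpoint", "host-17", 0.35, "office app spawned script host"),
    ("2024-01-10T19:15:00", "network",  "host-17", 0.40, "rare outbound destination"),
    ("2024-01-10T09:00:00", "network",  "host-22", 0.40, "rare outbound destination"),
    ("2024-01-12T09:00:00", "endpoint", "host-22", 0.35, "unsigned binary executed"),
    ("2024-01-10T10:00:00", "cloud",    "host-31", 0.30, "login from new location"),
    ("2024-01-10T10:05:00", "cloud",    "host-31", 0.30, "login from new location"),
    ("2024-01-10T10:10:00", "cloud",    "host-31", 0.30, "login from new location"),
]

def combine(scores):
    """Noisy-OR: chance that at least one of the independent signals is real."""
    miss = 1.0
    for s in scores:
        miss *= 1.0 - s
    return 1.0 - miss

def correlate(alerts, window=WINDOW, strong=STRONG, min_sources=MIN_SOURCES):
    """Return one incident per entity whose weak alerts add up to a strong one."""
    by_entity = defaultdict(list)
    for ts, source, entity, score, summary in alerts:
        by_entity[entity].append((datetime.fromisoformat(ts), source, score, summary))
    incidents = []
    for entity, events in by_entity.items():
        events.sort()
        for i, (start, *_rest) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            # Keep the best score per control so one noisy sensor cannot inflate the total.
            best = {}
            for _, source, score, _ in in_window:
                best[source] = max(score, best.get(source, 0.0))
            total = combine(best.values())
            if len(best) >= min_sources and total >= strong:
                incidents.append({"entity": entity, "score": round(total, 3),
                                  "sources": sorted(best), "first_seen": start.isoformat()})
                break
    return incidents
```

No single alert in the sample reaches the threshold on its own; only host-17, seen by three different controls within the window, is escalated.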

  4. Response

Today, given the level of stress faced by security professionals in the region, cybersecurity response has as much to do with triage as anything else. Given limited resources, how do you decide what to go after? With the rise of supply-chain attacks and the persistent headache of software vulnerabilities, XDR platforms present a much-needed respite from the triage issue. First, XDR automates the critical, manual investigative tasks and endures all the associated tedium and false starts on behalf of analysts. Secondly, it automates the playbook in the event of finding an anomaly. When alerts reach the analyst, they are significantly less likely to be a waste of their time. In other words, XDR alerts are more actionable.

It starts with an investigation. Having detected something truly worth pursuing, the XDR solution identifies IOCs such as hashes, links, IP addresses, domains, and URLs. It goes on to validate these IOCs against trusted sources. Once a malware strain is confirmed, XDR tries to identify other IOCs by allowing the sample to run its course inside a sandbox. By allowing it to exhibit its designed behavior, XDR can automatically sift out a range of other important information, such as which network connections the strain tries to make, and what registry modifications and file drops it performs. All this information allows SecOps teams to scope the incident and detect lateral movement.

At this stage, the XDR platform will have singled out endpoints that may have been impacted by lateral movement, thus supplying analysts with actionable alerts. The platform would also be capable of automatically scanning the environment and performing updates such as endpoint security engines’ rulesets and policies and network solutions’ IOC catalogs. XDR would search for more IOCs in endpoints, SIEM solutions, firewalls, proxy servers, and DNS logs. At the end of the investigation, the level of data leakage will have been determined.

After the investigation, XDR moves on to containment and, if possible, eradication. It is capable of automatically containing infections at the endpoint level and removing or shutting down virtual interfaces. The platform will quarantine compromised endpoints in dirty VLANs or shut down switch ports. It can create prevention rules and policies in firewalls, proxy servers, and other solutions to render the malware useless for future campaigns. XDR can also enforce endpoint solution (or agent) installation on affected devices.

When the dust has settled, lessons must be learned. Reporting is also automated in XDR. Actions taken; hosts affected; URLs investigated; domains, IPs, files, and hashes probed. All are included, along with details of any data leakage and any changes made to policies.

Safe at last?

XDR is not an install-and-forget technology. It is a way of life — a way of operating, a way of thinking. Just as XDR empowers constant vigilance, it also requires it. Roles, processes, information sharing, and organic updating of all of these must come together to ensure that the digital environment and all those who use it are safe today, tomorrow, and for the foreseeable future.
