Sep 24, 2020
All links and images for this episode can be found on CISO
Series (https://cisoseries.com/defense-in-depth-xdr-extended-detection-and-response/)
Is XDR changing the investigative landscape for security
professionals? The "X" in XDR extends traditional endpoint
detection and response or EDR to also include network and cloud
sensors. Having this full breadth, XDR can contextualize alerts to
tell a more cogent story as to what's going on in your
environment.
Check out this
post for the basis for our conversation on this week’s
episode which features me, David
Spark (@dspark),
producer of CISO Series, co-host Allan
Alford (@allanalfordintx), and our
guest is Dave
Bittner (@bittner),
host, The CyberWire.
Thanks to our sponsor, Hunters.
Attackers always find new ways to bypass organizational
defenses. While their traces hide in the data, they’re also
extremely difficult to detect. Hunters.AI is a
context-fueled XDR solution that harnesses top-tier threat hunting
expertise and ML to autonomously detect, investigate and correlate
attack findings across cloud, network, and endpoint.
On this episode of Defense in Depth, you’ll
learn:
- XDR extends traditional endpoint detection and response or EDR
to also include network and cloud sensors.
- XDR is viewed as a comprehensive solution that rolls up all
your critical feeds, sensors, and analytics.
- Having this full breadth, XDR can contextualize alerts to tell
a more cogent story as to what's going on in your environment.
- If you've got a greenfield security program (essentially it's
non existent), XDR is a no-brainer. But for everyone else, which is
most of us, rolling out XDR is not as clear cut a decision. How
does it integrate with your existing tech stack?
- Lots of question as to why do you need a SIEM if you have XDR?
But, most responded that the two technologies are complimentary.
Where XDR becomes redundant is if you have SIEM + SOAR + XDR +
NDR.
- XDR's real power is the ability to give you some of the
investigative details rather than just telling you that somebody
breached a certain endpoint. But it can connect the dots and
explain that a certain breach also resulted in a certain action.
This greatly reduces the time your SOC needs to spend investigating
cases.
- Don't though be fooled with solutions that sell purely on
reducing time and effort. You're only going to have that if you
have useful integrations.