In our previous blogs, we discussed the emergence of XDR and how it differs from other security solutions, as well as its use cases and the role of the MITRE ATT&CK framework. In this third and final blog of the XDR mini-series, we’ll discuss some challenges organizations may face while trying to implement XDR solutions.
As with any other security solution, introducing new products requires internal buy-in from stakeholders who may be resistant to change. After all, with medium-sized businesses using 50-60 security products and enterprises using up to 130, it may prove difficult for the CISO or the major decision-maker to convince the rest of the team that purchasing yet another security solution will be a worthwhile endeavor. Additionally, the biggest hurdle that XDR must overcome is collecting and correlating detections and other activity across multiple security layers, which include server, email, endpoint, network, and cloud workloads. According to Peter Firstbrook, VP Analyst at Gartner, “centralization and normalization of data also help improve detection by combining softer signals from more components to detect events that might otherwise be ignored.” The strongest capability of XDR is being able to provide a complete story from the initial breach, through lateral movement, to exfiltration of sensitive information. This hinges on accurate information funneling into a common data lake from the security layers.
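To make the "centralization and normalization" point concrete, here is an added example (not VMware's or Carbon Black's code, and not from the original post) that takes detections from three layers, each in its own vendor-specific shape, maps them onto one common event schema, and then correlates them by host into a single incident story spanning initial access, execution, lateral movement and exfiltration. The alert formats, field names, stage vocabulary and sample detections are all constructed for the example; the one endpoint alert that no other layer corroborates is left as an isolated alert rather than promoted to an incident.

```python
"""Normalize multi-layer detections into one schema and correlate them per host.

Added example; all alert shapes, field names and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Coarse kill-chain stages in the order the incident story should read.
STAGE_ORDER = ["initial_access", "execution", "lateral_movement", "exfiltration"]


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # security layer that produced the detection
    host: str     # pivot key every layer shares once normalized
    user: str     # empty where the layer does not carry identity (network)
    stage: str    # one of STAGE_ORDER
    detail: str


# Constructed sample detections, each in its own layer-specific shape.
EMAIL_ALERTS = [
    {"received": "2020-09-01T09:00:00", "recipient": "alice", "workstation": "ws-01",
     "verdict": "phish_link", "subject": "Invoice overdue"},
]
ENDPOINT_ALERTS = [
    {"timestamp": "2020-09-01T09:04:00", "device": "ws-01", "username": "alice",
     "type": "suspicious_process", "cmd": "powershell.exe -w hidden"},
    {"timestamp": "2020-09-01T11:30:00", "device": "ws-07", "username": "bob",
     "type": "suspicious_process", "cmd": "installer.exe"},  # no corroboration
]
NETWORK_ALERTS = [
    {"time": "2020-09-01T09:20:00", "src_host": "ws-01", "dst_host": "fs-02",
     "signature": "smb_lateral", "bytes": 2048},
    {"time": "2020-09-01T10:05:00", "src_host": "ws-01", "dst_host": "203.0.113.9",
     "signature": "large_upload", "bytes": 850_000_000},
]

# Each layer's own alert vocabulary mapped onto the shared stage names.
STAGE_MAP = {
    ("email", "phish_link"): "initial_access",
    ("endpoint", "suspicious_process"): "execution",
    ("network", "smb_lateral"): "lateral_movement",
    ("network", "large_upload"): "exfiltration",
}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def normalize(email: list, endpoint: list, network: list) -> List[Event]:
    """Convert every layer's alerts into the common Event schema, time-ordered."""
    events: List[Event] = []
    for a in email:
        events.append(Event(_ts(a["received"]), "email", a["workstation"], a["recipient"],
                            STAGE_MAP[("email", a["verdict"])], a["subject"]))
    for a in endpoint:
        events.append(Event(_ts(a["timestamp"]), "endpoint", a["device"], a["username"],
                            STAGE_MAP[("endpoint", a["type"])], a["cmd"]))
    for a in network:
        events.append(Event(_ts(a["time"]), "network", a["src_host"], "",
                            STAGE_MAP[("network", a["signature"])],
                            f'{a["signature"]} -> {a["dst_host"]}'))
    return sorted(events, key=lambda e: e.ts)


def correlate(events: List[Event], window: timedelta = timedelta(hours=24),
              min_sources: int = 2) -> List[Dict]:
    """Group events by host; an incident needs >= min_sources layers inside `window`."""
    by_host: Dict[str, List[Event]] = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    incidents = []
    for host, evs in by_host.items():
        chain = [e for e in evs if e.ts - evs[0].ts <= window]
        sources = {e.source for e in chain}
        if len(sources) < min_sources:
            continue  # single-layer signal stays an isolated alert, not a story
        stages = [s for s in STAGE_ORDER if any(e.stage == s for e in chain)]
        incidents.append({
            "host": host, "start": chain[0].ts, "end": chain[-1].ts,
            "sources": sorted(sources), "stages": stages,
            "timeline": [(e.ts.isoformat(), e.source, e.stage, e.detail) for e in chain],
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalize(EMAIL_ALERTS, ENDPOINT_ALERTS, NETWORK_ALERTS)):
        print(f'{inc["host"]}: {" -> ".join(inc["stages"])} (sources: {inc["sources"]})')
        for row in inc["timeline"]:
            print("   ", *row)
```

The pivot key here is the host, because that is the one attribute every layer in the sample carries; network telemetry has no user, which is exactly the kind of gap normalization has to tolerate. The `min_sources` threshold is what turns "softer signals" into a story: the lone `ws-07` process alert would still be visible to an analyst, but only the cross-layer chain on `ws-01` is promoted to an incident.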
Limited Automation (at first)
In the cybersecurity space, the biggest constraint is time. Resources (talent, capital) have remained stagnant while the number of breaches has increased exponentially each year, catalyzing a widespread adoption of automation for security processes. Doing the most in the least amount of time (with limited resources) has become the benchmark of success for most security organizations. With embedded artificial intelligence and machine learning, XDR aims to further reduce manual efforts and allow scarce security analysts to be as efficient as possible. However, reaping benefits from XDR will take time. Following the initial implementation of an XDR solution (this alone could take substantial time), the machine learning model will need to gain knowledge and make refinements over time to strengthen its detection capabilities. Realizing immediate ROI from adopting an XDR solution might not be pragmatic.
Integration with existing investments
One of the most prominent value propositions of XDR is minimizing the heavy lifting required from SOC analysts. According to a Ponemon report published earlier this year, 70% of respondents agreed that SOC analysts burn out quickly due to the high-pressure environment and workload. While a SOC within an organization can receive up to 10,000 alerts per day, an analyst can only validate 100 per day, indicating that they spend the majority of their time sifting through an overwhelming amount of information trying to identify legitimate incidents. In an ideal scenario, an XDR solution would be the panacea that completely revolutionizes SOC processes. However, given that the field is still in its infancy and there are currently limited XDR vendors that offer ready-to-launch products, XDR solutions will still need to depend on existing SOC technology. Integration with the existing technologies that comprise the modern SOC will therefore have to be a necessary trait of XDR solutions. Although it may be difficult, finding that elusive balance of interoperability and innovation will be the key to successful implementation.
Interested in learning more? Join our VMworld 2020 XDR session, where our security experts, Tom Corn, SVP of Product Marketing and Strategy, and Brad Doctor, Senior Director of Information Security, will discuss how VMware is extending EDR capabilities in the Carbon Black Cloud to take advantage of new sources of telemetry and enhance response capabilities to deliver Native XDR.
Sign up now and save your seat!