While Extended Detection and Response (XDR) is seen as the next evolution of security incident detection, investigation and response, there still seems to be some confusion about what it is and what it’s not.
We sat down with Evin Hernandez, Senior Technical Marketing Manager at VMware Carbon Black, to learn more about XDR — how it’s defined, what its benefits are, how it impacts your IT and security teams, and how the role of the MITRE ATT&CK framework in XDR adds value to your organization.
How would you define XDR?
XDR is an enhanced approach to what we do with traditional endpoint detection and response (EDR). It provides a model that detects attacks across our endpoints, networks, software-as-a-service applications, cloud infrastructure, and any addressable resource.
XDR has to have visibility into all layers of the network and application stack, which provides event detection and automatic correlation. And then machine learning is layered on to reveal more actionable events.
What is the difference between XDR and SIEM?
In my opinion, they’re very similar. They’re kind of like “stepbrothers,” right? SIEM is the collection of all log data; you have a few advanced SOC analysts who sift through that data to find anomalies and attacks that have just been gathered. They would then set up some type of automation around what was discovered.
I think the biggest difference with XDR is we’re trying to take that process out of the hands of the SOC analyst and provide true efficacy when it comes to the alerts. And the data that we’re gathering is specifically centered on security events, what automation we can take natively on the platform, and then what needs to be sent to an analyst.
What do you gain with Extended Detection and Response?
Time!
With XDR, I think time is of critical importance when you’re breached, or if there is an incident. You need to understand how that incident occurred and anything that happens rapidly before a breach notice goes out. You need to then get all the players involved. You also need to understand what, where, and how it was touched, resulting in some action being taken and alerting the appropriate team.
So, I think when it comes to mitigating risk and dwell time, and lateral movement, it’s all about time. And that’s where XDR is shining.
Can you talk a bit about the use cases? What are they?
Threat hunting, triage, and investigation are some of the use cases.
From a threat hunting perspective, XDR gives our TAU team (VMware Threat Analysis Unit™) a better understanding of how everything is communicating and how these attacks move through an environment. And by the environment, I mean public and private clouds, our applications, and the endpoint where the user is actually sitting. So, when you have an expert that’s looking and threat hunting for all of this stuff, they don’t need to correlate that data because it is already correlated. They can focus more on how the attack campaign happened, instead of just looking at those point products and trying to put those puzzle pieces together.
Triage and investigation go hand-in-hand with threat hunting. I need to triage the alerts that are false, or not relevant to security, and be able to say that all of this network data is not really valid in the sense of XDR. If you think there is a breach, you’ll also need to be able to investigate it.
Then, once you take that investigation as far as all of the data that’s been collected, you peer into those individual points, triaging them.
How do you think XDR helps security professionals, and how does it impact enterprises?
I think it gives security professionals more experience. A lot of times, security professionals have domains that they like to live in. But with XDR, you really get to learn and understand the lifecycle of an attack more clearly, as it pertains to the infrastructure and all of its involved components.
Also, you may learn something new around network security or application security, because we are combining all of that imagery in context, in a way where it is understandable from a security perspective.
What is the role of MITRE ATT&CK framework in XDR, and how does it add value?
MITRE is a great framework. It brings understanding to the space. You know, it’s not the only framework out there for understanding how attacks work, but because it’s so broad and in-depth, I think it brings great understanding.
And when it comes to XDR, that understanding gets enhanced, because now we can see the kill chain in action with actionable alerts and the telemetry data. Not only one perspective either, but as a whole! This adds a lot of value because, again, when it comes to remediation and incident response, you can quickly move through that framework and resolve the issue, understand the attacker better, and then provide prevention to the organization where it needs that value.
Final thoughts?
I think when it comes to XDR, if customers are looking to move to a platform, they have to understand how that platform is gathering and putting data together, and where that data is coming from. This way, they can make the data actionable in any fashion that the organization wants to use it.
Not only is this about detection, response, and prevention, but also being able to look at your organization daily and feel safe. Every morning I wake up and get in my car, I put my seatbelt on. It’s kind of like the same thing.
So, when you’re considering the platform, the security should be built into it. And those alerts should be able to understand each other from the platform perspective and be able to take action without involving third-party tools.
—————————
Interested in learning more? Join our VMworld 2020 XDR session, where our security experts, Tom Corn, SVP of Product Marketing and Strategy, and Brad Doctor, Senior Director of Information Security, will discuss how VMware is extending EDR capabilities in the Carbon Black Cloud to take advantage of new sources of telemetry and enhance response capabilities to deliver Native XDR.
Sign up now and save your seat!