Did you know that the average organization receives 10,000 security alerts every day? A large organization, such as a bank, receives 100,000 – 200,000 alerts. This volume of alerts is causing alert fatigue, as it is tedious to look at SIEM logs, correlate events, and try to identify actual threats. It is also causing stress among personnel at Security Operations Centers (SOCs) who scan these logs for several hours every day. A Gartner report titled “Innovation Insight for Extended Detection and Response,” released earlier this year, says SIEM tools are good at collecting logs, but rarely improve “detection fidelity.” What is therefore needed is a tool that reports threats with high fidelity, enabling quicker detection and response. It would greatly reduce alert fatigue and improve detection rates and response times. Trend Micro’s new XDR (Extended Detection and Response) tool comes with this feature.
By Brian Pereira, Principal Editor, CISO MAG
“It has become a huge challenge for organizations to detect the actual alerts and 76% of organizations agree that threat detection is more difficult today than it was two years ago. This is because 80% of those alerts are false positives,” said David Ng, Head of Enterprise Business, Singapore, Trend Micro. He was speaking at the virtual launch of Trend Micro XDR (Extended Detection and Response) on August 24, 2020.
David also quoted a study from the Ponemon Institute that revealed 65% of SOC professionals felt like quitting their jobs due to burnout and lack of visibility. The security skills gap is compounding the problem.
“EDR technology was supposed to reduce the mean time to detect threats. But we don’t see that happening. In fact, there was a marginal increase over the last three years, and that will lead to a longer mean time to respond,” David added. “Today an incident takes 3.5 days to respond.”
The other problem is uninvestigated alerts: 70% of alerts go uninvestigated.
“There are too many alerts in the SIEM, and security professionals are unable to detect these,” said David. “This will lead to cost fatigue.”
A key finding of the Gartner report shows that “Security and risk management leaders are struggling with too many security tools from different vendors with little integration of data or incident response.”
What is Extended Detection and Response (XDR)?
Gartner defines XDR as a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components.
According to Gartner, XDR products:
- …are beginning to have real value in improving security operations productivity with alert and incident correlation, as well as built-in automation.
- …may be able to reduce the complexity of security configuration and incident response to provide a better security outcome than isolated best-of-breed components.
- …have significant promise, but also carry risks such as vendor lock-in. The XDR market is immature, and capabilities vary widely across products from different vendors.
Gartner also says that while XDR overcomes some of the limitations of SIEM, it is not a replacement for decades-old SIEM technology, nor for all SIEM use cases, such as generic log storage or compliance.
However, XDRs are differentiated by the level of integration of their products at deployment, and they focus on threat detection and incident response use cases.
Moreover, while SIEM solutions are now also delivered as SaaS, most XDR products are built on new cloud-native architectures and services, making them an emerging alternative or complement to existing SIEM tools. And since businesses are moving more infrastructure to the cloud, XDR is better suited to protecting their cloud-native environments.