Have you ever wondered why, at the outbreak of war, it’s not just one of the armed forces that’s deployed (Army, Navy, Air Force, or Intelligence) but all of them? It’s the classic case of “the whole is greater than the sum of its parts.” The same analogy applies to cybersecurity, making it pertinent for enterprises to fortify their cybersecurity posture across all possible vectors to avoid an impending breach. That’s why governments, enterprises, and other organizations would do well to re-evaluate their cybersecurity strategy.
By Vijendra Katiyar, Director – Enterprise Business, India & SAARC, Trend Micro
Notwithstanding the increase in investments in cybersecurity in the last five years, the threat landscape is burgeoning. According to a report by Verizon, the mean time to identify a breach has increased to 197 days, and the mean time to contain it has increased to 69 days, across industry verticals.
Traditionally, the endpoint protection platform (EPP) was considered “THE” solution to protect your organization. However, this philosophy has changed drastically with the assumption that a breach is a genuine possibility: “I will be breached.” That leads to the next question: what is an effective detection and response strategy for dealing with a threat once the network is compromised? An endpoint detection and response (EDR) strategy has helped organizations identify and respond to attacks that they believe would otherwise have gone unnoticed. With the volume and sophistication of modern attacks, does it still hold good?
EDR an Eye-opener: Starting Point in Detection and Response Strategy
EDR was an eye-opener to the industry and a must-have starting point to redefine enterprise-wide Threat Detection and Response (TDR). EDR gives a lot of visibility into what is happening on endpoints by capturing activity data, which can then be used to detect and respond to threats. However, in an enterprise, the endpoint is just one piece of the IT infrastructure, and there can be EDR blind spots such as IoT devices, printers, and contractor/guest endpoints.
With 94% of attacks starting with phishing, email becomes a vital vector to consider. With increasing adoption of cloud and serverless platforms, it has become pertinent to have an effective detection and response strategy for cloud infrastructure. Additionally, there is an entire IT/OT convergence underway, where OT is increasingly becoming part of the IT infrastructure connected to the network. In this scenario, an effective detection and response strategy has to extend beyond the endpoint to email, network, cloud, and IIoT.
Going back to the analogy, to be victorious in war, enemy threats and attacks need to be confronted vehemently on all fronts (i.e., air, land, water) to avoid penetration and siege. You don’t go to war with the Army alone; you usually need the assistance of the Air Force, Navy, and Intelligence side by side to complement your overall combat strategy. If we were to apply this analogy to cybersecurity: the endpoint in XDR is the Army; cloud security is air support; network visibility is the Navy at sea; threat research is Military Intelligence; and the centralized console is your Unified Command.
Emergence of XDR
If you can record what happened on the endpoint, why couldn’t you record everything on the intrusion kill chain for later review? XDR expanded the EDR idea. The XDR platform would give you complete visibility at every phase of the kill chain, including the endpoints, giving enterprises the ability to monitor and account for compromise, no matter where it originates.
The dwell time (MTTD/MTTR) is adequately addressed by XDR through:
- Full visibility – the complete picture
- Speed and confidence to respond
- High fidelity alerts
- Vendor consolidation
- Correlation and collaboration
Choosing the Right XDR Solution
An attack that resulted in alerts on email, endpoint, and network can be combined into a single incident. An XDR solution’s primary goals are to increase detection accuracy and improve security operations efficiency and productivity. An effective XDR solution should have:
- Multiple prevention techniques, rather than relying on AI/ML alone.
- The ability to complement an existing SIEM/SOAR by sending consolidated, high-fidelity alerts, which minimizes the level of noise and raw information.
- Managed services to address the skill shortage.
- A solution/platform that breaks silos and tells the story of the attack life cycle.
The XDR approach delivers faster detection and response across the multiple security layers because it breaks down the silos, and it tells a STORY instead of making noise.
When you have incomplete threat data, you see an incomplete security picture. Or worse, you may see the wrong picture. And in cybersecurity, the price to pay for seeing the wrong picture is hefty.
This story first appeared in the December issue of CISO MAG.
About the Author
Vijendra Katiyar is the Director – Enterprise Business, India & SAARC, Trend Micro. He has more than 14 years of experience in technical, sales and cybersecurity consulting. He has driven strategic business decisions with practical tools and processes, translating to Trend Micro’s enterprise revenue growth to 100% in the last four years. He holds a Master of Business IT from RMIT and has successfully pursued the ISB team leadership program along with various other certifications.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.