How XDR will solve our industry’s toughest challenges
The XDR of tomorrow will correlate data at the start of the pipeline. Instead of ingesting everything, as a SIEM does, and leaving the correlation logic to experts, XDR will ingest only the telemetry needed for visibility and correlate it in real time as it arrives. In this approach retention is shorter than with a SIEM, data costs are lower, and the staffing burden is lightened. Threat experts are freed to do what matters most in protecting their organizations.
At Cyber Sainik, we believe correlation without centralization is possible with XDR as an extended framework composed of a correlation engine, a storage schema, and the computing power to transform data from multiple intercept points at speed and scale. We believe that as the next critical layer of your security ecosystem, it will co-exist with your current security stack (EDR, SIEM, email, network, etc.). Your existing tools feed data into XDR at the intercept points, and XDR transforms that data so that correlation happens in real time and at scale. We believe no one is there yet, but this is where the industry's focus lies.
Lack of talent: XDR will use automation
One CISO we interviewed readily admits that their analysts know only 5-10 of the query languages for the 30-50 technologies in their security stack. Another defends a 2-billion-dollar enterprise with a SOC of four. You may have already recruited a threat hunter at a $250,000 annual salary who picked up and left after 10 months.
Current security tools such as EDR and SIEM rely heavily on talented, experienced cybersecurity professionals. It takes an expert to understand your corporation's network, tune tools to reduce false positives, and investigate and remediate quickly and accurately. To solve this challenge, XDR will automate the tasks of tier 1 and tier 2 analysts, building the context and correlation a human tier 3 analyst needs to decide go or no-go, or, in the best case, to automate remediation.
Lack of standardization: XDR will remove this pain point from analysts
The current SIEM approach of "ingest all data and dump it into a database" works for experts who can perform complicated queries with ease across a myriad of disparate technologies. Instead of orienting to expert users, we believe XDR will orient to everyone. The vast majority of companies don't have the advanced skill set required to normalize data across disparate systems. XDR will automate what every analyst must otherwise do for every incoming event, normalizing it into a common schema with coverage tailored to the attack surface, rather than continuing to burden analysts with unmanageable workloads.
We also know first-hand that in many organizations, for SOC analysts to validate, enrich, and track an alert, they must manually copy and paste the alert out of the SIEM and into their EDR, just another effect of non-standardization. XDR will solve this by normalizing data from all sources into the Open Cybersecurity Schema Framework (OCSF), an open, vendor-neutral schema developed jointly by industry leaders in cybersecurity. Proprietary data formats will not be a differentiator under XDR, and vendor lock-in on data formats will not be supported.
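The normalize-then-correlate pipeline described on this page, as an added illustration that is not Cyber Sainik code: three constructed feeds (an email gateway line, an EDR alert in JSON, and an Active Directory logon line) are mapped into an OCSF-style event shape and then chained by user within a time window, so that a phishing delivery, a suspicious process on the recipient's laptop and a network logon from that laptop surface as one enriched incident instead of three alerts in three consoles. Field names follow OCSF conventions (class_uid, category_uid, time, metadata.product, actor.user.name, severity_id); the class_uid numbers, the choice of actor.user.name as the common correlation key for every event, the 30-minute window and all log lines are my assumptions and should be checked against the published OCSF schema before reuse.

```python
"""Normalize three vendors' telemetry into an OCSF-style shape and correlate by user.

Added illustration, not Cyber Sainik code. class_uid values are my reading of the
OCSF schema (Process Activity 1007, Authentication 3002, Email Activity 4009) and
should be verified. Every log line below is constructed sample data.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# --- constructed sample telemetry (not real product output) -----------------
EMAIL_GATEWAY_LOG = [
    '2024-05-02T09:14:05Z product=mailgw action=delivered sender=billing@invoice-portal.test '
    'recipient=jdoe@corp.test subject="Overdue invoice" url=http://invoice-portal.test/login',
    '2024-05-02T09:15:40Z product=mailgw action=delivered sender=billing@invoice-portal.test '
    'recipient=asmith@corp.test subject="Overdue invoice" url=http://invoice-portal.test/login',
]
EDR_ALERTS = [json.dumps({
    "timestamp": "2024-05-02T09:21:40Z", "hostname": "LAPTOP-JD01", "user": "CORP\\jdoe",
    "process": "powershell.exe", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA",
    "severity": "high",
})]
AD_AUTH_LOG = [
    "2024-05-02T09:33:12Z product=ad EventID=4624 LogonType=3 TargetUserName=jdoe "
    "WorkstationName=LAPTOP-JD01 IpAddress=10.0.5.21 Host=FILESRV01",
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# OCSF severity_id values: 1 informational ... 5 critical
SEVERITY_ID = {"informational": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_kv_line(line):
    """Split 'TIMESTAMP k=v k="v v"' into (datetime, dict)."""
    stamp, _, rest = line.partition(" ")
    return parse_time(stamp), {k: v.strip('"') for k, v in KV_RE.findall(rest)}


def user_key(raw):
    """'CORP\\jdoe', 'jdoe@corp.test' and 'jdoe' all become 'jdoe' (the correlation key)."""
    return raw.split("\\")[-1].split("@")[0].lower()


def ocsf_event(class_uid, category_uid, time, product, user, severity_id, **extra):
    ev = {"class_uid": class_uid, "category_uid": category_uid, "time": time,
          "metadata": {"product": product}, "actor": {"user": {"name": user}},
          "severity_id": severity_id}
    ev.update(extra)
    return ev


def normalize_email(line):
    time, f = parse_kv_line(line)
    return ocsf_event(4009, 4, time, f["product"], user_key(f["recipient"]), 1,
                      email={"from": f["sender"], "to": [f["recipient"]], "subject": f["subject"]},
                      url={"url_string": f.get("url")})


def normalize_edr(raw_json):
    a = json.loads(raw_json)
    return ocsf_event(1007, 1, parse_time(a["timestamp"]), "edr", user_key(a["user"]),
                      SEVERITY_ID[a["severity"]], device={"hostname": a["hostname"]},
                      process={"name": a["process"], "cmd_line": a["cmdline"]})


def normalize_auth(line):
    time, f = parse_kv_line(line)
    return ocsf_event(3002, 3, time, f["product"], user_key(f["TargetUserName"]), 1,
                      src_endpoint={"hostname": f["WorkstationName"], "ip": f["IpAddress"]},
                      dst_endpoint={"hostname": f["Host"]}, logon_type_id=int(f["LogonType"]))


def correlate(events, window=timedelta(minutes=30), min_sources=2):
    """Chain each user's events while consecutive gaps fit in `window`;
    emit an incident for every chain that spans at least `min_sources` products."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(ev["actor"]["user"]["name"], []).append(ev)
    incidents = []
    for user, evs in by_user.items():
        chain = []
        for ev in evs + [None]:  # None is a sentinel that flushes the last chain
            if ev is not None and (not chain or ev["time"] - chain[-1]["time"] <= window):
                chain.append(ev)
                continue
            sources = sorted({e["metadata"]["product"] for e in chain})
            if len(sources) >= min_sources:
                incidents.append({
                    "user": user, "sources": sources,
                    "severity_id": max(e["severity_id"] for e in chain),
                    "first_seen": chain[0]["time"], "last_seen": chain[-1]["time"],
                    "timeline": [(e["time"].isoformat(), e["class_uid"], e["metadata"]["product"])
                                 for e in chain],
                })
            chain = [ev] if ev is not None else []
    return incidents


def run_pipeline():
    events = ([normalize_email(l) for l in EMAIL_GATEWAY_LOG]
              + [normalize_edr(a) for a in EDR_ALERTS]
              + [normalize_auth(l) for l in AD_AUTH_LOG])
    return correlate(events)


if __name__ == "__main__":
    for incident in run_pipeline():
        print(json.dumps(incident, default=str, indent=2))
```

Running it yields one incident for jdoe spanning the mail gateway, EDR and AD feeds (email delivered, encoded PowerShell on the recipient's laptop, then a network logon from that laptop to a file server), while asmith, who only received the email, produces nothing. The normalizers are per-source and small; the correlation logic is written once against the common shape, which is the division of labour the page argues for.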
Lack of budget: XDR will be cost-effective
We’ve seen CISOs hit with a 4x cost increase for SIEM in a year, and this is not the exception. The cost of data ingestion has been an issue for the last 10+ years.
Instead of paying for the same data multiple times (in the cloud, on-prem, in your SIEM, in every point solution), XDR will not require data to be centralized. With a combination of data transformation algorithms and strategically placed intercept points, XDR will correlate your data without re-ingesting it. This approach scales as your business grows, unlike today's ingestion-based model.
It looks and talks like XDR, but is it XDR?
We believe current technology has its purpose, but it’s not in XDR. To quote our CTO Dean Teffer, “We don’t want our clients to stand up legacy SIEM in a cloud. We don’t want our clients doing tier 1 and tier 2 resolution. We need to correlate network data, email, vulnerability information, EDR, and everything in the SIEM, and to do that, we need XDR as the next layer across the entire stack.”
Why SIEM can’t be XDR
Let's assume you eat the costs and re-ingest everything back into your SIEM. When you attempt to correlate, you'll soon realize it doesn't work. First, there is no federated search across vendors: you cannot run a single query in a SIEM and get results back from other vendors' platforms in a standardized output. Second, you can't do this at scale. You still must manually cross-correlate and normalize your data. With the volume of data coming in daily and our digital footprint expanding, labor alone cannot keep up. The only way to correlate at scale and speed is to automate effectively and transform data with modern approaches rather than with the technology of SIEM.
Why XDR is not next-gen EDR
If XDR sounds like just adding more data beyond the endpoint, you may think: why not plug a couple of other sources into EDR and call it XDR? That's exactly what some MDR providers are doing. In this approach, your current security stack of EDR plus other attack surface areas such as email, Active Directory, and network would be centralized into one product. You'd still run into problems with correlation at scale; unless MDR providers figure out a way to correlate data at scale, you would hit the same issues as with a SIEM, now with vendor lock-in on top.
A world where defenders have the edge
Our entire industry faces the same challenges: lack of talent, lack of standardization, and lack of budget. To solve them, we need technology that is vendor-agnostic, correlates your data at speed and at scale, and does so without re-ingesting data. We believe that's possible with our vision of the XDR of tomorrow. XDR will reveal your blind spots, reduce your attack surface, and free your analysts to focus on the most urgent and the most damaging attacks, the ones that can put you out of business.
Imagine that your tier 3 SOC analyst is watching their son or daughter's soccer game and receives a phishing alert on their phone. Right now, they need to determine (1) who received this email, (2) who else has opened it, (3) whether the threat actor has infiltrated Active Directory, (4) whether they have moved laterally, and (5) whether they are already exfiltrating data. They'll painstakingly pull together the footprints of an attack from data in multiple formats from multiple sources, record where things went wrong, and finally decide what to do next.
Imagine instead: your analyst looks at their phone, scans a pre-validated and enriched alert, and is prompted to take action: do they want to shut it down or not? Do they want to give a provider the authority to act? No tool can enrich an alert like that now, but we believe the XDR of tomorrow will be able to. With one click, a crisis is averted, and your analyst can go back to watching the game.