iTnews Asia
Partner Content

XDR natural evolution from EDR

Provides a 360-degree view of the security environment.

By Simon Perry, Security Strategist - APJ, VMware Carbon Black on Nov 16, 2023 1:04PM

Extended detection and response (XDR), which has been getting a lot of focus in the cybersecurity industry, is a consolidation of tools and data that provides extended visibility, analysis, and response across endpoints, workloads, users, and networks.

XDR is an extension and natural evolution of the well-known threat detection control, endpoint detection and response (EDR), which Carbon Black invented around 13 years ago.

EDR gave SOC analysts and incident responders the ability to see deeply into what is happening underneath the covers of an operating system, at the process level, with built-in analytics that help customers understand and identify potentially anomalous or suspicious activity.

EDR has become a real bedrock of what is used within the security operations centre or SOC.

The advantage that XDR provides to the EDR capabilities is that it extends those detection surfaces by adding additional telemetry streams, particularly network and identity telemetry streams.

XDR provides a full, 360-degree view of the security environment. This allows security analysts to identify threats more easily and rapidly, even those that leverage legitimate software, ports and protocols to gain entry. By combining endpoint, network and identity telemetry, SOC analysts have at their fingertips a richer, higher-fidelity set of attack indicators without needing to pivot between disparate tools.

To understand why this extended capability is important, one needs to understand that traditional network detection and response (NDR) has been around for a long time.

Despite that, NDR has never been adopted by more than a handful of companies at the top of the pyramid, in terms of both the security industry and its customer base.

The reason is straightforward. Traditional NDR has typically required cumbersome and expensive physical network taps, which customers must deploy at multiple points across the network, or across multiple networks.

That has made NDR difficult and prohibitively expensive for most organisations to adopt. That said, we know that network telemetry is incredibly valuable.

Why? When we look at adversary behaviour, we see that once adversaries gain a foothold on an initial endpoint, they begin to hop, or move laterally, across the network from machine to machine, looking for the information they want to steal or exfiltrate and for other places in the network that are of value to them.

In this situation, an understanding of what is happening at the network layer is incredibly valuable from a threat-hunting perspective.

Identity

Added to this is the importance of identity. Identity telemetry (or identity intelligence) refers to the event log data generated by authentication: which account logged on, from where, to what, and whether the attempt succeeded.

This information is really valuable for understanding adversary behaviour, because we know that adversaries typically perform account takeover, use brute force to break passwords, and look to elevate the privileges of the identity they control.

All of these things can be observed in the authentication event telemetry stream. So, when we add network and identity data to endpoint data, threat hunters, incident responders and SOC analysts gain an additional set of tools that help them rapidly detect and respond to a threat and reduce the adversary's dwell time.

In effect, XDR extends the detection surfaces and gives incident responders the context to understand what is going on across them.
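The two preceding sections describe the same hunt from the network side (one foothold hopping to many machines) and the identity side (password guessing followed by a successful logon). The script below is an added example of joining those streams with endpoint telemetry on the source host; it is not VMware Carbon Black code or any product's detection logic. The event schemas, the admin-port list, the thresholds and the window are assumptions chosen for illustration, and every sample event is constructed.

```python
"""Joining endpoint, network and identity telemetry for a lateral-movement hunt.
Added example, not VMware Carbon Black code. Schemas, ports, thresholds and the
window are assumptions; every event below is constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_PORTS = {445, 3389, 5985, 5986}  # SMB, RDP, WinRM: typical hop channels (assumed list)
BRUTE_FORCE_FAILURES = 5               # failed logons before a success counts as takeover (assumed)
FANOUT_HOSTS = 3                       # distinct admin-port targets from one source (assumed)
WINDOW = timedelta(minutes=10)         # correlation window (assumed)

# Constructed telemetry: ws-042 is the compromised workstation, ws-007 a noisy admin box.
ENDPOINT_EVENTS = [
    {"ts": "2023-11-01T10:00:05", "host": "ws-042", "parent": "winword.exe", "process": "powershell.exe"},
    {"ts": "2023-11-01T10:02:30", "host": "ws-007", "parent": "explorer.exe", "process": "cmd.exe"},
]
AUTH_EVENTS = [
    {"ts": f"2023-11-01T10:03:{10 + i:02d}", "host": "fs-01", "user": "svc-backup",
     "src": "ws-042", "result": "failure"} for i in range(6)
] + [
    {"ts": "2023-11-01T10:03:40", "host": "fs-01", "user": "svc-backup", "src": "ws-042", "result": "success"},
    {"ts": "2023-11-01T10:05:00", "host": "fs-02", "user": "bob", "src": "ws-007", "result": "failure"},
    {"ts": "2023-11-01T10:05:03", "host": "fs-02", "user": "bob", "src": "ws-007", "result": "success"},
]
NETWORK_EVENTS = [
    {"ts": "2023-11-01T10:04:00", "src": "ws-042", "dst": "fs-01", "dport": 445},
    {"ts": "2023-11-01T10:04:20", "src": "ws-042", "dst": "fs-02", "dport": 445},
    {"ts": "2023-11-01T10:06:00", "src": "ws-042", "dst": "dc-01", "dport": 3389},
    {"ts": "2023-11-01T10:06:10", "src": "ws-042", "dst": "mail-01", "dport": 443},  # not an admin port
    {"ts": "2023-11-01T10:10:00", "src": "ws-007", "dst": "fs-01", "dport": 445},
    {"ts": "2023-11-01T10:11:00", "src": "ws-007", "dst": "fs-02", "dport": 445},
    {"ts": "2023-11-01T10:12:00", "src": "ws-007", "dst": "fs-03", "dport": 5985},
]


def detect_brute_force_takeover(auth_events):
    """Identity surface: >= BRUTE_FORCE_FAILURES failed logons for one (source, user)
    pair inside WINDOW, then a success from the same source: guessed credentials."""
    findings, by_pair = [], defaultdict(list)
    for e in sorted(auth_events, key=lambda e: e["ts"]):
        by_pair[(e["src"], e["user"])].append(e)
    for (src, user), events in by_pair.items():
        failures = []
        for e in events:
            ts = datetime.fromisoformat(e["ts"])
            failures = [f for f in failures if ts - datetime.fromisoformat(f["ts"]) <= WINDOW]
            if e["result"] == "failure":
                failures.append(e)
            elif e["result"] == "success" and len(failures) >= BRUTE_FORCE_FAILURES:
                findings.append({"type": "brute_force_takeover", "src": src, "user": user,
                                 "target": e["host"], "failures": len(failures), "ts": e["ts"]})
                failures = []
    return findings


def detect_admin_fanout(network_events):
    """Network surface: one source reaching >= FANOUT_HOSTS distinct hosts on admin
    ports inside WINDOW, the machine-to-machine hopping described above."""
    findings, by_src = [], defaultdict(list)
    for f in sorted(network_events, key=lambda f: f["ts"]):
        if f["dport"] in ADMIN_PORTS:
            by_src[f["src"]].append(f)
    for src, flows in by_src.items():
        for i, first in enumerate(flows):
            start = datetime.fromisoformat(first["ts"])
            in_window = [g for g in flows[i:] if datetime.fromisoformat(g["ts"]) - start <= WINDOW]
            targets = sorted({g["dst"] for g in in_window})
            if len(targets) >= FANOUT_HOSTS:
                findings.append({"type": "admin_fanout", "src": src, "targets": targets, "ts": first["ts"]})
                break  # one finding per source is enough to pivot on
    return findings


def suspicious_children(endpoint_events):
    """Endpoint surface: a scripting host spawned by a document reader (assumed rule)."""
    readers = {"winword.exe", "excel.exe", "outlook.exe"}
    scripting = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
    return [e for e in endpoint_events
            if e["parent"].lower() in readers and e["process"].lower() in scripting]


def correlate(endpoint_events, network_events, auth_events):
    """Join the three surfaces on the source host, so one machine that shows a
    suspicious process, guessed credentials and admin-port fan-out is reported once
    with all evidence attached rather than as three alerts in three consoles."""
    evidence = defaultdict(lambda: {"endpoint": [], "identity": [], "network": []})
    for e in suspicious_children(endpoint_events):
        evidence[e["host"]]["endpoint"].append(e)
    for f in detect_brute_force_takeover(auth_events):
        evidence[f["src"]]["identity"].append(f)
    for f in detect_admin_fanout(network_events):
        evidence[f["src"]]["network"].append(f)
    results = []
    for host, ev in evidence.items():
        surfaces = [s for s in ("endpoint", "identity", "network") if ev[s]]
        results.append({"host": host, "surfaces": surfaces, "evidence": ev,
                        "severity": {3: "high", 2: "medium"}.get(len(surfaces), "low")})
    return sorted(results, key=lambda r: -len(r["surfaces"]))


if __name__ == "__main__":
    for r in correlate(ENDPOINT_EVENTS, NETWORK_EVENTS, AUTH_EVENTS):
        print(r["host"], r["severity"], r["surfaces"])
```

On the constructed data, ws-042 hits all three surfaces and is reported as high, while ws-007, which only shows admin-port fan-out (a jump host doing its job), is reported as low; a single-surface NDR or EDR tool would have raised the same fan-out alert for both machines with no way to tell them apart.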

Critical parts of XDR

At VMware Carbon Black, we believe that endpoint, network, and identity are critical parts of the XDR story. We also recognise that many organisations are in the process of modernising their application stack, taking advantage of cloud-native capabilities, including containerisation, taking advantage of container orchestration capabilities, like Kubernetes.

Recognising that, we believe it is important to provide customers with deep visibility into this environment as well.

As a result, our XDR capability includes EDR, NDR, identity intelligence, and cloud-native detection and response. We provide this information to customers without requiring them to tap into the network, change the network, or hop from one console to another.

VMware Carbon Black endpoint agents can natively collect network telemetry and identity telemetry. We also provide the ability to place Carbon Black into a Kubernetes environment and bring all of that telemetry into the same console.

This provides customers the ability to hunt for threats across the entire enterprise. This reduces the time it takes to detect and respond to a threat thus minimising the adversary’s dwell time (the overall time the attacker is present from initial compromise through to complete removal). XDR makes cyber defenders more effective, and improves the SOC analyst experience.

AI cannot replace people

One point that has become clear over the past few months is that some security vendors have been overhyping the importance of artificial intelligence (AI).

At VMware Carbon Black, we have used machine learning and AI for over six years to help us identify anomalous behaviour at the process level with EDR. And we're applying that today with XDR.

However, some vendors have been trying to convince customers that people's expertise and skills are no longer required in SOCs, and that AI is a sort of magic black box that solves all problems.

At VMware Carbon Black we don't believe that's true. Security is about people, processes and technology - in that order.

We believe that people matter. You, as a community of cyber defenders, matter. Our promise to you at VMware Carbon Black is to provide deep telemetry across all detection surfaces to help you be more effective.

© iTnews Asia