Trustwave Blog

CISO's Corner: 5 Questions to Ask Before Implementing an XDR Program

Written by Kory Daniels | May 3, 2022

Let's dive head-first into this new security acronym, XDR, or extended detection and response. There is no shortage of vendors providing you with their definition of what XDR is. We wanted to take a slightly different tact to explore what XDR actually means to you, as a CISO, and your security team.

First, it may be helpful to calibrate between XDR, EDR, SIEM, and SOAR - since they are all acronyms being thrown into the mix by the market but they have some core differentiators. 

To start, XDR is one form of evolution of EDR (endpoint detection and response), extending the ability to provide detection and response actions beyond the traditional corporate endpoint. Alternative pathways are the security information and event management (SIEM) and security orchestration, automation & response (SOAR) technologies of the world which championed a larger data set, visibility, and toolkits to empower teams to have greater centralized visibility that extended well beyond the corporate endpoint.

The consistent vision we hear from technology vendors is that XDR technology brings all these layers into a single pane of glass, allowing analysts to see, and touch, a console that provided centralized visibility, high-fidelity threat detection, workflow and threat response automation. This is pretty cool but very technology and architecture-oriented.

So what steps do you need to take when thinking about implementing an XDR program? What does that even mean and would success represent? Even if defined, how would you explore maximizing the speed, and cost efficiencies, in XDR implementation? 

1. What Are the Benefits of XDR Technologies and Architecture?

The first step is to quickly understand what are the security posture benefits of XDR, how it delivers those benefits to your organization, and how is the XDR approach different than what you are doing today. 

Centralized threat detection, the ability for analysts to take investigative response actions, and automate manual processes, tasks, workflows and incident response playbooks provides target outcomes that you can identify the benefits that bring to capacity, speed, and threat resilience coverage over the attack surface.

EDR solutions are powerful because they allow an analyst to take response actions from a console but directly on the endpoint. So, XDR is that next evolution where we see SIEMs trying to achieve the high fidelity response value of the EDRs and EDRs trying to get expand data ingestion without degradation of response value attributed behavior like a SIEM. XDR, in theory, is right in that middle ground of unifying the best attributes that a SIEM and EDR may provide the security team. Making good on the vision of a ‘single pane of glass’ to minimize analysts' hops from one console to the next to ensure we minimize friction and latency during our investigations. To be successful, you still cant plug and play these tools and architectures without having a point of view on data visibility, awareness of the attack surface, current state workflow process and playbook efficiencies, and contextual data enrichment sources.

2. What Are the First Steps To Take When Implementing XDR?

Strongly advised, an organization must have a proper implementation plan in place prior to taking any action. Essentially, a blueprint for XDR success for the builders to leverage as they modify, or build, your security house. It may prompt the question: are we even ready to take on XDR or can we live comfortably without it?

If an organization does not generate the project charter and the plan beforehand, it could lead to poor implementation of XDR technologies. Unfortunately, we see a lot of bad implementations out there in the market, which, of course, can negatively impact the program's eventual performance and create frustration, a loss of confidence, and unnecessary financial pitfalls along the way.

There are some factors that must be considered. As an organization, are you mature enough, and what are you trying to achieve? New telemetry visibility, better mean time to detect (MTTD) & mean time to respond (MTTR), and/or capacity uplift are all frequent examples of what we see. It is critically important to understand how XDR ties into the overall strategic roadmap, note your milestone criteria to measure success, and what the benefits are to other teams, like IT, in taking on this objective.

Having these questions answered beforehand will drive the concept of what you need to do to measure success and implement the XDR program. Next, look at the people, processes, and technology under your roof and understand what sets of data sources your team has access to today. How do we feel about our process flows, and operational behaviors following them? Do we have the right incident response playbooks and are they effective enough to automate? Do we have the right data telemetry visibility today and do we know how that change over the next 12-36 months?

This knowledge will enable you to determine which data sets you need access to if action is necessary. Look at your cloud, endpoints, servers and environment, and then figure out which other datasets are critical.

An organization must incorporate SOAR-based automation in its XDR program, along with threat intelligence, asset discovery and vulnerability remediation. These are all attributes of XDR actions and are critical to consider when considering implementation to minimize future rework.

3. What Skills Must be in Place Prior to Implementation?

People are incredibly important, XDR is not a reason to replace staff it is a reason to help empower them. XDR technologies also don't run effectively on their own. Skills, and certified, team members are key to help ensure the technologies perform the way your drafted expectations and requirements expected them to.

These skills include 24/7 capability for triage, threat hunting, threat intel, and threat analytics. One of the critical skills often missed in the implementation plan is the responsibility of applying data science. The security folks need the ability to look at and understand the disparate data sets inside your environment. Experts must be able to look at the "data puzzle" created when using an XDR solution and determine if they have telemetry, correlation, and/or an automation content gap or opportunity for enhancement.

Well-defined roles and responsibilities and knowing who on your staff will perform what process, and tasks, are vital to ensure predictability, scale and success. This frames the basis for how to effectively adopt automation quickly and effectively.

Whether or not an organization has the skills in-house to manage the technology and the architecture is a question that you should answer upfront. Staffing must be evaluated to ensure the organization either has the required individuals already in-house or can find a partner that can supply that workforce and be a force amplifier to the internal cyber security staff.

4. How Do You Find the Right XDR Partner?

The continuous evolving attack surface is influenced by business innovation while we see 5G push the boundaries in operational technology (OT) and the edge of security stope is creating a big data problem. Having the right partner on board from the start can help lower the risk of a project stumbling, or failing, during its implementation phase. A partner should bring subject matter expertise, experience, intellectual property, and ready-made project plans that only need to be tailored to a particular organization before being implemented. Essentially, a strong partner has completed the heavy lifting before the project has started from their experiences.

Organizations do have to be careful during the partner selection process. The wrong partner can be disastrous because of not only the financial impacts from the technology acquisitions but added frustrations, costs, and time waste if were to implement without a partner. Challenge vendors to show what a day-in-the-life experience is like in how the vendor plans to deploy, optimize, and enhance an XDR program during the implementation. This will give you a proper sense of the value and the expected return.  

5. What Are the Challenges in Implementing XDR?

The challenges in implementing XDR include deciding which datasets are prioritized. In addition, how do you, as an organization, effectively integrate disparate technologies? Right now, there are very few homogeneous organizations that have harmonized on a single security technology platform. So, as we look at XDR as a program, we start to assess how we look at XDR attributes across people, processes and varying technologies.

Do we have the right team in place to deploy the program? Is the team certified, and do they know how to implement, or enhance, the program quickly and effectively at minimal cost and friction? Do we have the right sourcing and operating model, from a planning and strategy perspective? Does our team know what "great" looks like for XDR, given the fact that the concept is still pretty new in our space? Does the security team have practical experience or only theoretical?

Success is often too focused on the implementation which can hurt longer-term if the ongoing sustainability was not planned for. A trusted partner must be able to answer questions such as how do you sustain the XDR program? How can you ensure that your organization has a continuous improvement program that enhances the security team’s ability to adapt and use the additional functionality and features of the XDR program?

Here again, is where a partner can play an important role — having a partner who understands the data science, and automation, part of this equation of being able to prioritize and integrate additional datasets into your XDR program. Whether you use a partner or not is entirely dependent on your strategy and sourcing decisions, but please ensure to consider how you continuously plan, build, test, and sustain the XDR program holistically before making the leap into XDR!

 

WEBINAR

Evolving to XDR from EDR: How to do it and why it matters

Extended Detection & Response (XDR) has been one of the most impactful technologies in the past year. The rapid acceleration of digital transformation initiatives requires the continued evolution and growth of security postures in organizations of all sizes and industries, regardless of resources.