A distinctive feature of the modern cyber threat landscape is the growing complexity of attack techniques and the variety of tools used, from social engineering to entirely legitimate utilities. Identifying malicious activity is becoming extremely difficult, and the capabilities of traditional antiviruses are no longer sufficient to protect a company. Next-generation solutions that combine detection, response, and event processing come to the rescue. Today, I want to talk about Extended Detection and Response (XDR) systems.
For decades, antivirus programs have been the main barrier against malware. They scanned files looking for a virus-specific byte sequence, the signature. Signature databases were updated regularly and pushed to endpoints from the antivirus vendor’s server. Later, behavioral and heuristic analysis were introduced to detect unknown threats. But all these protection methods were confined to the local system.
For large networks, antivirus suites with a centralized console were introduced. Local antivirus clients began to receive their settings from the control center, and in turn the endpoints reported detected threats back to the server.
As cyber threats evolved, the capabilities of traditional endpoint antiviruses stopped being enough: entirely legitimate utilities such as PowerShell are now used in attacks, and the attacks themselves have become multi-stage, so that no single malicious action raises a red flag on its own.
In this situation, there is an urgent need for solutions that do more than react to known threats according to predefined rules. They must also act proactively: notify of an incident that has occurred, block potentially harmful activity, and collect the information needed to analyze a cyberattack. Such solutions belong to the EDR class, Endpoint Detection and Response.
Why do we need EDR solutions?
EDR systems extend the functionality of traditional antivirus software with a granular data collection module. This allows security analysts to answer the following questions in the event of an incident:
- Which device became the entry point for the malware?
- How did a hacker manage to penetrate the system and gain a foothold in it?
- Which file contained the malicious code?
- How many systems were affected?
- What data was stolen?
- How long did the attack take?
- What actions need to be taken?
The sheer volume of information collected by EDR means that even in a medium-sized company the security team is overwhelmed with alerts. As a result:
- It becomes difficult to identify correlations between different events.
- It takes a long time to detect attacks.
- The reaction is too late and insufficient.
- The investigation of the incident does not give a complete picture of what happened since some questions about the attack remain unanswered.
Even with numerous new security solutions, it still takes months to detect incidents. In modern conditions, this is an unacceptably long time: attackers have enough time not only to steal the data they are interested in but also to penetrate deep into the network, having studied in detail everything that happens in it.
It might seem that the combined use of Security Information and Event Management (SIEM) and EDR systems would allow us to detect attacks and incidents and respond to them faster. However, this is not the case. SIEM systems collect alerts from all devices connected to the network, but these alerts remain isolated from each other. Setting up correlation rules only partially solves this problem, since the alerts they generate can get lost among other messages. Detecting an attack using SIEM requires a lot of manual work, even with correlation rules configured, because even a single attack can be represented by several thousand events.
EDR solutions have another significant disadvantage in view of today’s threats. They work exclusively with endpoints: computers, servers, and mobile devices. But any organization’s network contains other components, such as printers, routers and other network equipment, IoT devices, and cloud infrastructure components (containers and virtual machines). From the EDR point of view these do not seem to exist, although a printer or router seized by attackers can pose a serious threat to a company.
How do XDR solutions work?
The next step in the development of corporate network protection was taken by XDR solutions, which cover not only endpoints but also the other elements of a typical network infrastructure.
XDR combines the endpoint threat detection and response functionality already familiar from EDR with the ability to detect modern cyberattacks carried out over the network, through mail, or in the cloud infrastructure.
New sources of threat intelligence are an important factor that distinguishes XDR solutions. XDR’s main advantage is its powerful information collection and processing capabilities.
Implementation and form factors of XDR systems may vary from vendor to vendor. Sometimes XDR is implemented as a control panel to which the detecting components are connected:
- In-depth analysis of network traffic and detection of anomalies.
- Monitoring mailboxes for malicious emails and links.
- Endpoint protection.
- Monitoring containers and cloud infrastructure components.
Signals received from other solutions can be added to the console via an API.
Typically, all incoming event information is collected in a single repository where it can be processed and analyzed using artificial intelligence and machine learning. XDR’s built-in analytics identifies attacks as multi-component processes, combining thousands of events into a small number of meaningful alerts.
XDR solutions allow us to visualize the attack and see:
- Where did the threat come from?
- How did it spread through the network?
- What was infected?
- How did attackers move between devices and networks?
- What commands were executed?
All this can be presented in the form of a timeline and divided into steps.
XDR does not typically use signature analysis and rules like SIEM systems. Instead, it uses behavioral models created based on thousands of detected attacks. XDR may automatically aggregate a series of minor actions into a single, high-profile event and send appropriate alerts.
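To make the correlation idea from the two passages above concrete (a single attack spread over thousands of events in SIEM, versus XDR chaining minor actions from several sensors into one alert with a timeline), here is a toy correlation engine. It is an added illustration, not code from the article or from any vendor's product; the events, field names, time window and severity formula are all constructed assumptions.

```python
"""Toy cross-source correlation: events from mail, endpoint and network sensors
that share an entity (user or host) within a time window are chained into one
alert carrying an ordered timeline. All telemetry below is constructed."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed gap after which a chain is closed

# Constructed telemetry from three sensor types. Correlation links records
# through the entities (user, host) they touch.
EVENTS = [
    {"ts": "2021-05-03T09:00:10", "src": "mail",     "user": "alice", "host": None,     "what": "attachment delivered: invoice.docm"},
    {"ts": "2021-05-03T09:02:41", "src": "endpoint", "user": "alice", "host": "ws-17",  "what": "winword.exe spawned powershell.exe"},
    {"ts": "2021-05-03T09:02:55", "src": "network",  "user": None,    "host": "ws-17",  "what": "first-seen outbound TLS to 203.0.113.9"},
    {"ts": "2021-05-03T09:15:03", "src": "endpoint", "user": "alice", "host": "srv-db", "what": "remote service created from ws-17"},
    {"ts": "2021-05-03T09:05:00", "src": "endpoint", "user": "bob",   "host": "ws-22",  "what": "software updater ran msiexec.exe"},
    {"ts": "2021-05-03T14:40:00", "src": "network",  "user": None,    "host": "ws-17",  "what": "first-seen outbound TLS to 198.51.100.4"},
]

def correlate(events, window=WINDOW):
    """Chain events that share a user or host and fall within `window` of the
    chain's previous event. Returns alerts ordered by descending severity."""
    chains = []                       # each: {"events": [...], "entities": set()}
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO strings sort chronologically
        t = datetime.fromisoformat(ev["ts"])
        ents = {k for k in (ev["user"], ev["host"]) if k}
        for chain in chains:
            last = datetime.fromisoformat(chain["events"][-1]["ts"])
            if ents & chain["entities"] and t - last <= window:
                chain["events"].append(ev)
                chain["entities"] |= ents   # a lateral move pulls the new host into the chain
                break
        else:
            chains.append({"events": [ev], "entities": ents})
    alerts = []
    for chain in chains:
        sources = {e["src"] for e in chain["events"]}
        alerts.append({
            "severity": len(sources) * len(chain["events"]),   # crude: sensor breadth x chain depth
            "sources": sorted(sources),
            "entities": sorted(chain["entities"]),
            "timeline": [f'{e["ts"]} [{e["src"]}] {e["what"]}' for e in chain["events"]],
        })
    return sorted(alerts, key=lambda a: a["severity"], reverse=True)

if __name__ == "__main__":
    for a in correlate(EVENTS):   # six raw events become three alerts, one of them a 4-step chain
        print(f'severity={a["severity"]} sources={a["sources"]} entities={a["entities"]}')
        for step in a["timeline"]:
            print("   ", step)
```

The unrelated updater run on ws-22 and the late-afternoon connection from ws-17 (outside the window) stay as separate low-severity alerts, while the phishing-to-lateral-movement chain surfaces once, at the top.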
What are the benefits of using XDR?
When using XDR solutions, security departments receive only meaningful, important alerts sorted by severity. This is achieved by correlating the various threats found across the organization, collecting comprehensive information about them, and applying artificial intelligence and big data analytics.
At the same time, analysis of minor alerts allows indicators of compromise to be identified, which makes it possible to investigate, build a picture of the threats, and quickly detect and block them.
By automatically analyzing large volumes of data, XDR eliminates the need for manual intervention and allows security professionals to quickly understand how attacks progress.
According to Gartner, XDR solutions are the number one trend in 2021. Large companies should seriously consider switching to such security systems since they can improve the efficiency of security operation centers and significantly increase the level of protection of the company against cyber threats.
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.