Damage caused by advanced exploits, such as Log4Shell and Spring4Shell, has been widely documented. These came out of nowhere and seemingly crippled many organizations. This happened despite record cybersecurity industry budgets that will clear $146B in 2022. This post from Palo Alto Networks highlights that, based on telemetry, the company observed more than 125 million hits that had the associated packet capture that triggered the signature. It certainly begs the question of why breaches are becoming more common and more damaging despite security spending at an all-time high.
The answer to this lies in the approach many businesses have taken to threat protection. Traditional security is based on perceived best-of-breed products being used for specific functions. For example, firewalls protect the network, EDR protects endpoints, CASB protects the cloud, and so on. Most of these tools do a great job within their domains, but the reality is that exploits are not limited to one specific domain, so the silo-like nature of security creates many blind spots.
For example, EDR tools are meant to find threats on endpoints, and they are effective at that specific task but have no visibility outside the endpoint. So if the breach occurred elsewhere, there is no way of knowing where and when. This is why so many EDR tools are excellent at detection but poor in response. The same can be said with firewalls that generally know everything that's happening on a network but have no insight into an endpoint or many cloud services.
Solving this problem lies in embracing the concept of XDR. Definitionally, I want to be clear that the X in XDR means "all" versus "eXtended," the latter of which has been pushed by many of the point product vendors. Security pros need to understand that an upgraded EDR or SIEM tool is not XDR; it is merely a legacy tool with a little more visibility.
True XDR is about taking data across the end-to-end infrastructure and correlating the information to find exploits and threats. This would allow for an exploit to be quickly identified and tracked across the infrastructure so all infected devices can be identified. While it's impractical to assume that an organization would purchase all its infrastructure from a single vendor, I do believe that organizations should look to consolidate a minimum of network, endpoint and cloud security from a single vendor and treat that as the foundational platform for XDR. This would ensure that the vendor interoperates with other security providers to ingest the necessary data.
Another benefit of XDR is that it provides a single source of truth across all security functions, which is vastly different from traditional security – where the security team has multiple tools, each with its own set of data and insights. The only way one could correlate the information is to do it manually, which is impossible today, given the massive amount of security data being collected. People can't work fast enough, but an XDR solution, powered by artificial intelligence, can provide insights to a range of security analysts.
A good visualization of the value of XDR is depicted on Palo Alto Networks' Log4j Incident Response Simulation page. It features three different SOC roles and how XDR can aid their jobs. Specifically, the site does a deep dive on the following functions:
Guy, the Threat Hunter: His job is to hunt for sophisticated attacks and those difficult to find low, slow threats that fly under the radar of traditional security tools. His job is to find unusual activities and other anomalies that are indicators of compromise. Cortex XDR makes threat hunting easier as it correlates data across endpoints, network, cloud and identity. Guy can then use an advanced XQL query language to aggregate, visualize and filter results that can quickly identify affected assets.
Peter, the Tier 2 SOC Analyst: His function is to monitor, prioritize and investigate alerts. His work is used to resolve incidents and remediate threats. The problem is that most SOC tools provide far too many false positives making the information useless. This is why it's my belief that the traditional SIEM needs a major overhaul. XDR uses machine learning and behavioral analytics to uncover advanced zero-day threats. Many SIEMS claim to do this, but most are just basic rules-based engines that need continual updating. With XDR, the investigation of the threats is accelerated by grouping-related alerts into incidents, and then the root cause is revealed through cross-data insights.
Kasey, Director of Vulnerability Management: Her job is to discover, analyze the application, system, network and other IT vulnerabilities, and then assess and prioritize risk. Once that analysis is done, patching and resolving vulnerabilities can be performed. This is difficult, if not impossible, to do with point products because there is no way to understand the impact of a threat across systems. XDR can be combined with other tools, such as attack-surface management (ASM), to find and mitigate software vulnerable to Log4J and other exploits across the organization.
In summary, I'll go back to a conversation I had with a CISO a few months ago who told me that he finally understood that best of breed everywhere does not lead to best-in-class threat protection. In fact, the average of 30+ security vendors that businesses use today creates a management mess and leads to suboptimal protection. The path forward must be XDR, because it's the only way to correlate historically siloed data to find threats and quickly remediate them before they cripple the business.
A good resource for security professionals, particularly Palo Alto Networks customers, is the upcoming Palo Alto Networks Symphony 2022, on May 18 and 19. While this is a vendor event, it's filled with information on how to revamp security operations to keep them in line with current trends.