The value of eXpanded Detection and Response

(By Marco Rottigni)

In CyberSecurity, what does eXpanded Detection and Response (XDR) mean? What features does an XDR system have? How can it help someone who has been hit by an attack?

CyberSecurity requires holism

One of my beliefs on the subject of CyberSecurity is that attacks are carried out on the endpoint; or, at least, that the point of contact between the digital world and the user is instrumental and fundamental for an attack to take place.

It is in fact the endpoint where the user, who has always been the weakest link in the defense chain, interacts with the cyber-verse, is exposed online, and is compromised by an attempted attack.

In these modern times of remote digital work and massive use of the cloud, the propagation of the effects of an attack is characterized by impressive virality and pervasiveness.

All this severely tests the ability of companies to detect and respond in adequate time to mitigate the impact, as well as the very damaging consequences in terms of reputation, finances and business continuity.

Beyond the most immediate examples, the statement holds even in the most complex scenarios: a user responsible for configuring a system of cloud resources accesses a development environment with a strong form of authentication; during terraforming (the term typically used for the configuration phase) they forget an instruction that restricts the list of IP addresses allowed to access the configured storage instance. This creates, again through the interaction between the user and the cyber-verse via an endpoint, the ideal conditions for a data leak in the cloud.

Another case in point could be a badly configured Active Directory architecture, with non-standardized domain-joined systems, many of them out of support. In the event of an attack, it becomes important to support the resilience of the ecosystem, whose security posture is obviously not optimal, by correlating indicators of anomalies with information from asset management.

Two important questions therefore arise:

  1. How to detect these anomalous events in the most holistic way possible, connecting all the dots to increase understanding of the context and the urgency, in order to prioritize the intervention?
  2. How to do this detection as quickly as possible, to speed up response and remediation?

Dwell time

More generally, the age-old problem is minimizing dwell time: the name given to the time that elapses between the compromise of an ecosystem and the moment in which the compromise is detected.

According to a Mandiant report from 2021, the average dwell time in 2020 in EMEA rose to 66 days, from 54 in 2019. Not only is this figure a sign of an average worsening, but breaking down the average we find a very worrying situation[1], which I report in the following illustration, taken from the report.

The figure that should make us think concerns the dwell time of externally notified compromises, i.e. those in which the organization receives notification of the compromise from outside because it is unable to detect it in time with its own resources.

In 225 days, the planet Venus completes a full orbit around the Sun! Imagine the level of damage a motivated attacker could do to an organization they were able to compromise. To get a more precise picture of the damage and costs deriving from these attacks, in which such persistence gives the attacker all the time needed to perform any type of action in the compromised ecosystems, refer to the Data Breach Investigation Report by Verizon.

Solving the problem: from EDR to XDR, via MDR

To mitigate this problem by enhancing the required capabilities, Endpoint Detection and Response (EDR) solutions were introduced.

The tangible help of an EDR is on two levels:

  1. detection and preventive blocking of a compromise attempt, with active actions similar to those of a sophisticated antivirus;
  2. identification of the post-compromise context, to simplify the detection of anomalies that escaped prevention and to allow response actions that mitigate the damage: for example file quarantine, termination of running processes, or controlled isolation of the infected machine from the network.

These very powerful and effective tools are often underutilized by companies due to a scarcity of internal resources or skills. This situation has stimulated demand for, and the birth of, specific services that achieve economies of scale in the skills and resources needed to operate detection and response systems effectively on behalf of third parties.

These services go by the name of Managed Detection and Response or MDR.

However, it was said at the beginning that the growing complexity of the digital biodiversity characterizing every modern organization entails a visibility problem across the entire IT ecosystem. Poor visibility represents a huge limit on the detection and response activities that are so important for a correct cybersecurity posture.

This holistic need has driven the evolution of the EDR concept towards expanded detection and response covering the entire digital landscape of an organization: hence the acronym XDR, eXpanded Detection and Response.

An XDR system allows you to focus on the anomalous behavior typical of an attack strategy, considering the signals from the entire ecosystem, adequately normalized and correlated so that they can be consumed by humans.

Therefore, not only the telemetry visible on the endpoint, made up of files, processes and network communications received from and initiated towards the outside, but also information from the surrounding environment on the interactions that endpoint has had with it and with similar entities: other endpoints, IoT devices, routers, firewalls, proxies, identity management systems, cloud resources and much more.

This logic explains why many CISOs consider XDR a solution to long-standing problems that still affect the effectiveness and efficiency of defensive CyberSecurity.

An XDR is characterized by three important distinguishing features:

- the ability to integrate with surrounding elements bidirectionally: that is, by receiving information streams on the events tracked, but also by sending instructions on reactions that only those elements can perform. An example with a proxy system would be blocking navigation to a specific website identified as a source of malicious downloads.

- the ability to analyze received and detected telemetry: that is, to normalize and correlate huge amounts of data practically in real time, using forms of artificial intelligence (AI) that make it possible to find signals, the trails of breadcrumbs left by the attacker, among huge beaches of very similar grains of sand. This operation would certainly not be within reach of any security operations team and is typically delegated to cloud infrastructure because of the high computational and storage capacity it requires.

Note that the artificial intelligence must be of the supervised type, that is, it must benefit from prior training that allows it to distinguish the malicious from the anomalous and the normal. To learn more about the different types of AI, I refer to the interesting article that Orazio Danilo Russo published last July.

- the ability to respond actively, through the technologies with which it integrates, using communication interfaces called APIs (Application Programming Interfaces). Normally this action follows pre-coded procedures called playbooks, which describe the sequences of operations in order to speed up and automate the response as much as possible.
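As an added example (not code from the article or from any XDR product), the following Python sketch shows the three features together on constructed telemetry: records from a proxy, an endpoint agent and an identity provider are normalized to one schema, correlated per host within a time window, and mapped to playbook actions that only the integrated element can carry out. The record layout, field names and the two-source threshold are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry; the (source, timestamp, host, user, detail)
# layout is an assumption for this example, not any vendor's schema.
RAW_EVENTS = [
    ("proxy",    "2021-06-01T09:00:12", "ws-17", "alice", "downloads.example.invalid"),
    ("endpoint", "2021-06-01T09:00:40", "ws-17", "alice", "winword.exe -> powershell.exe"),
    ("identity", "2021-06-01T09:03:10", "ws-17", "alice", "new MFA device enrolled"),
    ("proxy",    "2021-06-01T11:45:00", "ws-22", "bob",   "news.example.invalid"),
]

# Playbook: the reaction each integrated element performs on the XDR's instruction.
PLAYBOOK = {
    "proxy":    lambda ev: f"proxy: block {ev['detail']}",
    "endpoint": lambda ev: f"edr: isolate host {ev['host']}",
    "identity": lambda ev: f"idp: revoke sessions for {ev['user']}",
}

def normalize(raw):
    """Map a heterogeneous record onto one common schema so it can be correlated."""
    source, ts, host, user, detail = raw
    return {"source": source, "ts": datetime.fromisoformat(ts),
            "host": host, "user": user, "detail": detail}

def correlate(raw_events, window=timedelta(minutes=10)):
    """Group events per host inside a time window; an incident needs >= 2 sources."""
    events = sorted((normalize(r) for r in raw_events), key=lambda e: e["ts"])
    groups = []  # each group holds the events of one host that fall within the window
    for ev in events:
        for group in groups:
            if group[0]["host"] == ev["host"] and ev["ts"] - group[0]["ts"] <= window:
                group.append(ev)
                break
        else:
            groups.append([ev])
    incidents = []
    for n, group in enumerate(groups, 1):
        sources = {e["source"] for e in group}
        if len(sources) < 2:  # a lone proxy hit stays background noise, not an incident
            continue
        incidents.append({
            "id": f"INC-{n:04d}",  # unique identifier so the incident can be revisited
            "host": group[0]["host"],
            "sources": sorted(sources),
            "actions": [PLAYBOOK[e["source"]](e) for e in group],
        })
    return incidents
```

Running `correlate(RAW_EVENTS)` yields one incident for ws-17 with actions for all three integrated elements, while the single proxy hit on ws-22 is left as noise.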

It goes without saying that the holistic capacity deployed by an XDR system well integrated with its IT ecosystem greatly enhances specialized resources, both those within the organization and those possibly activated through an MDR service.

The question at the end of this article could therefore be: how do I measure the effectiveness of an XDR system?

The answer I would like to propose is structured in two areas: qualitative evaluation and metrics.

From a qualitative point of view, the XDR should enhance three areas:

- Security Analytics, that is, the set of aggregated, correlated and processed data that supports monitoring of the security posture and timely detection of threats to that posture.

- Proactive Threat Hunting, that is, the activity of proactively identifying threats starting from anomalies or faint signals, effectively skimming the enormous background noise. How much easier does it become to connect the dots and understand retrospectively, perhaps using a unique identifier for each incident, what happened, in order to plan the continuation of operations?

- Automated Incident Response, i.e. increasing the speed of reaction in the response to the incident until it is mitigated or remedied.

From a quantitative point of view, the adoption of an XDR solution should make it possible to start developing metrics on the mean attack detection time (MTD, from Mean Time to Detect) and the mean response / remediation time (MTR, from Mean Time to Respond / Remediate).

Or to refine the measures already in place in the light of the new capabilities, to verify the soundness of the investment and better balance hybrid models that combine external services with internal resources.
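As an added example (not the article's own data or code), the following Python snippet computes, from constructed incident records with an assumed layout, the dwell time of each incident, the MTD and MTR just described, and the mean dwell time split between internally and externally detected compromises, the split on which the Mandiant figure discussed earlier turns.

```python
from datetime import date
from statistics import mean

# Constructed incident records (assumed layout, not the article's data). "external"
# marks compromises the organization learned of from outside instead of detecting itself.
INCIDENTS = [
    {"id": "INC-0001", "compromised": "2020-01-10", "detected": "2020-02-04",
     "remediated": "2020-02-06", "detected_by": "internal"},
    {"id": "INC-0002", "compromised": "2020-03-01", "detected": "2020-03-31",
     "remediated": "2020-04-05", "detected_by": "internal"},
    {"id": "INC-0003", "compromised": "2020-02-15", "detected": "2020-09-27",
     "remediated": "2020-10-07", "detected_by": "external"},
]

def _days(start, end):
    """Whole days between two ISO dates."""
    return (date.fromisoformat(end) - date.fromisoformat(start)).days

def dwell_time_days(inc):
    """Dwell time: from compromise to detection, whoever detected it."""
    return _days(inc["compromised"], inc["detected"])

def response_time_days(inc):
    """From detection to remediation."""
    return _days(inc["detected"], inc["remediated"])

def metrics(incidents):
    """MTD and MTR over all incidents, plus mean dwell time split by who detected."""
    by_source = {}
    for inc in incidents:
        by_source.setdefault(inc["detected_by"], []).append(dwell_time_days(inc))
    return {
        "mtd_days": mean(dwell_time_days(i) for i in incidents),
        "mtr_days": mean(response_time_days(i) for i in incidents),
        "dwell_by_source": {k: mean(v) for k, v in by_source.items()},
    }
```

With these records the externally notified incident alone sits at 225 days, while the two internally detected ones average 27.5, which is exactly the kind of gap the aggregate MTD hides.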

[1] Mandiant M-Trends 2021 Report:

Photo: web / Mandiant