XDR: How to Prepare for the Implementation of Such a Solution

XDR (Extended Detection and Response) is an abbreviation we hear more and more often lately, and this class of security solutions is genuinely gaining popularity. Much is said about its advantages, but far less attention is paid to the details of implementation and to the preparation needed before solutions of this class can be operated. This article looks at those details.

How to Assess if There is a Need for XDR

The need for XDR comes with the understanding that a potential cyberattack can lead to serious business risks: loss of funds, business process interruption (for example, during mass data encryption), data leakage. At the same time, the organization cannot ensure complete security of all elements of its IT infrastructure with its existing means and so cannot prevent such an attack. The worst way to arrive at this understanding is after the incident.

Whether such risks can actually be realized can be checked in advance, for example by commissioning an external audit that includes penetration testing (pentest). This clearly shows the problem areas and the places where detection and response capabilities need to be expanded.

XDR is also considered when it is necessary to increase the efficiency of the existing information security system, since this class of solutions involves automation and centralization of detection and response processes.

What is required to implement XDR

1. Technologies

After realizing the need for XDR, the next logical step is to select a solution that will implement comprehensive protection. To identify cyber incidents effectively at all levels of the infrastructure, an appropriate technology stack must be in place first. At a minimum, this includes collection, aggregation, normalization and correlation of events; analysis of network and mail traffic; and solutions for protecting network nodes and analyzing the telemetry they produce. Tools for detecting potentially malicious activity are needed as well: antivirus engines, a sandbox, reputation lists, IDS, and matching of the analyzed data against known attacker techniques and tactics. In addition, the technical capability to respond across all of these data flows must be organized.

Beyond detection, it is also important to pay attention to the response options the chosen solutions offer. For example, can the account of a potentially compromised user be blocked? Can attacked nodes be isolated? Can network interaction with the Internet be prohibited for attacking addresses or for the attacker's email senders? Can dangerous processes be prohibited? Can dangerous files be deleted en masse? Can users even be sent for training? The more response options we have, the better.

Thus, a set of tools must be selected that covers each specific XDR function as well as possible within the technology stack. And of course, they must be compatible with each other. The more of the interaction between them is automated, the easier it is to implement the XDR concept itself.

2. Processes

In addition to technologies, a company planning to implement XDR must have a certain level of information security maturity (or the intention to achieve it). First of all, this concerns the Security Operations Center (SOC) processes and information security incident management. That is, the company must draw up a detailed list of processes and a list of the people involved in them with their responsibilities, and it must have staff whose competencies match these processes. Only after this preparatory work can the processes be launched and supported on top of the technology stack.

In this context, the entire company must be ready to implement XDR. The business, starting with senior management, must confirm that continuous detection and response at all levels of the infrastructure is necessary, and every department that will be involved must accept and agree to it. First of all, this means the full involvement of all IT structures of the organization. But the security process becomes even more effective if all functional departments (HR, logistics, production, finance, etc.) understand the importance of cybersecurity and the business processes related to it.

3. Infrastructure

It is equally important to assess the readiness of the IT infrastructure and resources for all of the technologies before implementing XDR. After all, each solution is, as a rule, a separate subsystem consisting of several components, and each component may require a separate server. The IT infrastructure itself must meet the requirements of each specific solution (CPU/RAM/HDD resources, supported operating systems, access level, etc.). Obviously, the fewer resources a solution requires, the better. The maturity of the IT department also plays an important role: outdated equipment, incorrect settings and outdated software will complicate the implementation of XDR.

4. Compliance with regulatory requirements

It is necessary to remember the realities of state and industry regulation: in addition to prepared processes, resources and technologies, the question of satisfying the regulatory requirements relevant to the company's activities must be worked out. This often requires, among other things, the creation or revision of internal regulations, which in turn will influence the choice of solution.

A number of key requirements (for example, orders of the FSTEC of Russia No. 21, No. 17, No. 31 and No. 239) explicitly list most of the information protection tools that XDR requires. The difference is that in the XDR concept, these individual tools become a complete ecosystem.

To make it easier for information security specialists to track regulatory issues, Kaspersky Lab has launched the Regulatory Knowledge Hub in Information Security. It contains all the latest information on regulatory requirements for all major industries and has a convenient filter system for selecting the necessary set of information and measures to ensure compliance with regulation.

Ecosystem approach

There are several classifications of XDR types and approaches to its implementation: open/closed, native/hybrid, multivendor/monovendor. Their pros and cons can be studied in dedicated articles. XDR can take any of these forms, including flexible combinations, but one of the main principles of effective protection is the ecosystem approach. That is, all the tools that make up the XDR must be integrated and form a single environment for countering cyber threats.

Let's look at an example. Imagine that an organization is attacked from several vectors at once. Files with a backdoor are sent to official email addresses, flash drives with malware are placed in the lobby of the office building under the guise of handouts, and some users receive phishing messages disguised as a login page for the corporate network. At the same time, the attacker tries to penetrate the infrastructure through vulnerabilities discovered on the perimeter.

First, every attack vector must be discovered in time, and second, each vector must be responded to in the correct manner. For example, the list of operational actions in such a situation may be as follows:
  • block senders of malware and phishing;
  • check whether the security system worked on all the attacked subjects;
  • block flash drives or USB ports;
  • prevent specific files from running;
  • block the accounts of those who were under attack;
  • isolate those nodes that were potentially attacked;
  • block all IP addresses of those who try to exploit vulnerabilities;
  • send everyone who received malicious emails to additional training.

Without an ecosystem approach, there is a risk that different attack elements will be detected by different solutions with different administrators, and it may take much more time and resources from different teams to bring them together into a single picture. In addition, the response to different attack vectors will also have to be disjointed, which may impact efficiency.
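To make the "single picture" concrete, here is a small correlator written for this article (not code from the original post or from any vendor). It takes already-normalized events from four constructed sensor types (mail gateway, EDR, USB control, IDS), links events that share any indicator (sender, file hash, host, user, source IP) into one incident with union-find, and derives a single de-duplicated response plan per incident from the action list above. Event fields, sensor names and the playbook are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample telemetry from four sensor types (not real data).
RAW_EVENTS = [
    {"src": "mail_gw", "type": "malware_attachment", "sender": "evil@example.test",
     "user": "alice", "host": "ws-01", "sha256": "aa11"},
    {"src": "edr", "type": "process_blocked", "host": "ws-01", "user": "alice", "sha256": "aa11"},
    {"src": "usb_control", "type": "removable_media", "host": "ws-07", "user": "bob", "sha256": "bb22"},
    {"src": "mail_gw", "type": "phishing", "sender": "evil@example.test", "user": "carol", "host": "ws-03"},
    {"src": "ids", "type": "exploit_attempt", "src_ip": "203.0.113.9", "host": "web-01"},
    {"src": "edr", "type": "process_blocked", "host": "ws-07", "user": "bob", "sha256": "bb22"},
]
ENTITY_KEYS = ("sender", "sha256", "host", "user", "src_ip")

# Response actions per detection type, mirroring the action list in the post (assumed playbook).
PLAYBOOK = {
    "malware_attachment": ["block sender {sender}", "quarantine hash {sha256}", "train user {user}"],
    "phishing": ["block sender {sender}", "disable account {user}", "train user {user}"],
    "removable_media": ["block USB on {host}", "quarantine hash {sha256}"],
    "process_blocked": ["isolate host {host}", "verify protection on {host}"],
    "exploit_attempt": ["block ip {src_ip}", "check perimeter patching on {host}"],
}

def correlate(events):
    """Union-find over indicator values: events sharing any indicator form one incident."""
    parent = list(range(len(events)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i
    seen = {}  # (indicator key, value) -> index of the first event carrying it
    for i, ev in enumerate(events):
        for key in ENTITY_KEYS:
            if key in ev:
                ent = (key, ev[key])
                if ent in seen:
                    parent[find(i)] = find(seen[ent])  # merge with the earlier event's incident
                else:
                    seen[ent] = i
    groups = defaultdict(list)
    for i, ev in enumerate(events):
        groups[find(i)].append(ev)
    return sorted(groups.values(), key=len, reverse=True)

def response_plan(incident):
    """Consolidated, de-duplicated actions for one incident, in first-seen order."""
    actions = []
    for ev in incident:
        for tmpl in PLAYBOOK.get(ev["type"], []):
            act = tmpl.format(**ev)
            if act not in actions:
                actions.append(act)
    return actions
```

With the sample data the mail-borne backdoor and the phishing wave collapse into one incident because they share a sender, the USB malware forms a second incident across two sensors, and the perimeter probe stays separate.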

Ideally, XDR should show all attacks and vectors in a single window, allow a centralized response to each of them, and create a single graph for further investigation. This becomes possible if all technological solutions are produced by a single vendor and tightly integrated with each other.

Thus, a single-vendor approach is a big plus for this concept. It is even better if the vendor itself declares the XDR concept, because that means the manufacturer has built the corresponding cross-product scenarios into its solutions. For the final choice, factors such as the functionality of the individual products within the XDR, licensing, cost, the vendor's own experience and expertise, geographic presence, staff, and independent assessments of the solutions must be weighed. A good practice for assessing the actual functionality is to run pilot projects.

Russian users have the opportunity to build XDR using solutions from domestic vendors. For example, at the end of 2021, Kaspersky Lab, as part of a new line for business protection, introduced the Kaspersky Symphony XDR solution based on its own products to the market - the same ecosystem approach for flexible construction of comprehensive information security.

Conclusion

XDR as a class of solutions is not easy to implement, but it is the most advanced way to ensure comprehensive cybersecurity today. Attackers are using increasingly sophisticated techniques and tactics, automating their tools. To counter them, an appropriate level of detection and response to any cybersecurity incidents is required.

Therefore, if you build XDR, build it as correctly as possible so that it operates effectively without interruption. To do this, each of the aspects above must be worked out: detection technologies, response capabilities, processes, infrastructure, business readiness, level of automation, the ecosystem, and external regulatory requirements.
