We in cybersecurity just love new, buzzy acronyms. The latest is “XDR,” otherwise known as extended detection and response. No doubt, you’ve already read an article, watched a webinar, or listened to a podcast on XDR. Jon Oltsik and Dave Gruber of the cybersecurity research firm ESG wrote several articles in the summer of 2020 in which they defined XDR as:
“. . . a method for bringing controls together to improve security telemetry collection, correlation, contextualization, and analytics. There’s also an operational side of XDR to help coordinate response and remediation across multiple controls simultaneously.” (1)
Funny thing about definitions and categories – if you talk to 10 different security analysts or vendors (and we have), you’ll get 10 different definitions. This is no less true for XDR. You’ll also get 10 different opinions on where XDR evolved from.
- Endpoint vendors will say XDR is an evolution of endpoint detection and response.
- Network security vendors will say it’s an evolution of security analytics, user behavior analytics, or SIEM.
- Others, like SOAR vendors, will say it’s an evolution of their technologies.
And so, the conversation continues . . . However, where XDR came from is not as important as why we are even talking about it in the first place.
To be blunt, we at AT&T do not see XDR as a new category. Rather, we see it as an evolution of current capabilities in threat detection and response. As organizations globally continue to expand and evolve their digital footprint, security staff are struggling to adapt operations quickly enough to ensure effective monitoring and response to incidents in their environment. This is made even more challenging with limited staff and expertise.
In addition, security operations teams are facing new complexities — constantly evolving hybrid architectures — that are contributing to the rise of XDR, including but certainly not limited to:
- Securing workers at home, with many now migrating in part back to the office, which once again changes the playing field
- Ensuring the security of new business initiatives around edge computing
- Launching new or temporary remote locations such as a pop-up store or remote health clinic
- Spinning up (or down) cloud environments as needed by the business
- Increasing adoption of SaaS across the business
These changes are driving requirements to adjust, expand, and evolve how organizations approach security and protect the business overall — more specifically, how they monitor and address threats.
Organizations moving into the next era of compute cannot use the “same old tools” for threat detection and response. They need more telemetry, better analytics, and improved automation to sift through the deluge of data coming into their dashboard — big data is here, folks — so they can quickly and accurately detect, investigate, and mitigate incidents before those incidents turn into a full-blown disaster.
Allison Cleland, director of cybersecurity for AT&T’s global security operations centers, says, “Architectures are changing faster than ever. To keep up with that, we need as much visibility as we can get across our customer’s environment. However, the more telemetry we have, the more data we must sift through. Solid analytics, accurate and constantly updated threat intelligence, and automation are all critical to helping us not only find that threat hidden in the data, but also understand what it is and how we should respond. We still need the expertise of our human analysts in the SOC, but those analysts are using the technology to help them be more efficient and respond in a manner that is timely and precise.”
From the perspective of a security analyst, XDR can help her be more successful at her job by improving on the following:
- Visibility and context. She needs information about the environment and assets she’s protecting, whatever that is made of across on-prem, cloud, edge, and even OT (where relevant). This requires ingesting the appropriate data about that environment, from the right places, including endpoints, mobile and IoT, network assets and flows, applications (including cloud and edge workloads), SCADA/ICS systems, etc. And it requires that data to be continuously updated and deposited in a central location where it is standardized so it can be used for correlation, investigation, and more.
- External information and context. She needs information about adversary behaviors and tactics. She needs to understand which exploits are active in the wild and who is targeting a particular industry — or specifically, the organization she is protecting. How are criminals changing their tactics or infrastructure, and what variations are being made to the malware they are using? Ideally, she’s getting that updated information continuously and automatically fed into whatever systems she is using.
- Correlation for detection and investigation. She needs to be able to combine the information about her organization with what she knows about adversaries and their behaviors in an accurate and efficient way. Today, it is impossible to be effective at scale with manual processes, especially as she is no doubt monitoring a diverse environment that is increasing in complexity by the day. Analytics and machine learning are essential, as is automation for upfront work on root cause analysis. In addition, machines can update the rules, signatures, and other logic that drive correlation and detection.
- Automation or orchestration for response. Once she’s been alerted to an incident, she needs to take quick action to respond – to mitigate or remediate and recover (ideally back to a normal state). To do this, she needs to collaborate and communicate with multiple stakeholders. For those actions she is allowed to take, it’s ideal if she has “push of the button” capabilities within her dashboard — to isolate infected endpoints, change security policy or firewall rules to block threats, block a user with suspicious activity, and more.
- Easily report on incidents and actions. She also needs to be able to report quickly on what happened, what actions were taken, and how the incident was resolved. This means sending reports to executives, the board, and regulators (for compliance) — and sending them with as little effort as possible, so she can focus on her core duties of monitoring and responding.
- Ability to hunt threats actively. Finally, she may not be actively threat hunting on a day-to-day basis, but someone on her team likely is. That individual will need a similar toolkit for the context needed in their analysis and the ability to easily detect deviations from known baseline activity.
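As an added illustration of the visibility, external-context and correlation points above (this is example code written for this page, not code from the original post or from AT&T’s USM Anywhere), a small Python sketch that maps endpoint, network and cloud events with different field names onto one schema, enriches them with a threat-intel feed, and correlates across controls per asset. All hostnames, addresses, hashes, field names and intel entries are constructed.

```python
from collections import defaultdict

# Constructed sample telemetry, each control with its own field names.
ENDPOINT_EVENTS = [{"hostname": "ws-042", "user": "jdoe", "process": "powershell.exe", "sha256": "aa11"},
                   {"hostname": "ws-077", "user": "asmith", "process": "outlook.exe", "sha256": "bb22"}]
NETWORK_FLOWS = [{"src_host": "ws-042", "dst_ip": "203.0.113.7", "dst_port": 443},
                 {"src_host": "ws-077", "dst_ip": "198.51.100.20", "dst_port": 443}]
CLOUD_LOGINS = [{"principal": "jdoe", "source_ip": "203.0.113.7", "result": "SUCCESS"}]
# Constructed threat-intel feed: indicator value -> description.
THREAT_INTEL = {"203.0.113.7": "constructed C2 address", "aa11": "constructed malicious hash"}

def normalize(endpoint, network, cloud):
    """Map every source onto one common schema: source, asset, user, indicators."""
    events = [{"source": "endpoint", "asset": e["hostname"], "user": e["user"],
               "indicators": [e["sha256"]]} for e in endpoint]
    events += [{"source": "network", "asset": f["src_host"], "user": None,
                "indicators": [f["dst_ip"]]} for f in network]
    events += [{"source": "cloud", "asset": None, "user": c["principal"],
                "indicators": [c["source_ip"]]} for c in cloud]
    return events

def enrich(events, intel):
    """Attach threat-intel matches (indicator, description) to each normalized event."""
    for ev in events:
        ev["hits"] = [(i, intel[i]) for i in ev["indicators"] if i in intel]
    return events

def correlate(events):
    """Pivot on asset; join asset-less cloud events via user; incident = 2+ controls and an intel hit."""
    by_asset = defaultdict(lambda: {"sources": set(), "users": set(), "hits": []})
    for ev in events:
        if ev["asset"]:
            rec = by_asset[ev["asset"]]
            rec["sources"].add(ev["source"])
            rec["hits"] += ev["hits"]
            if ev["user"]:
                rec["users"].add(ev["user"])
    for ev in events:  # second pass: cloud events carry no asset, so join on the user seen there
        if ev["asset"] is None:
            for rec in by_asset.values():
                if ev["user"] in rec["users"]:
                    rec["sources"].add(ev["source"])
                    rec["hits"] += ev["hits"]
    return {asset: rec for asset, rec in by_asset.items()
            if len(rec["sources"]) >= 2 and rec["hits"]}

def run():
    """Run the pipeline over the constructed telemetry; ws-077 is seen by two controls but has no intel hit."""
    return correlate(enrich(normalize(ENDPOINT_EVENTS, NETWORK_FLOWS, CLOUD_LOGINS), THREAT_INTEL))
```

Only ws-042 surfaces as an incident: endpoint, network and cloud telemetry all converge on it, and two of its indicators match the feed, while ws-077 is dropped because nothing it touched was known-bad.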
From our perspective, the outcomes XDR can deliver are powerful, which is why we expect XDR to become an even more established category in the industry. We see our own AT&T USM Anywhere™ platform for threat detection and response — which is used within our AT&T security operations centers — as more aligned to XDR than to SIEM for the capabilities it delivers. (It’s worth noting that we declined to participate in the Gartner 2021 SIEM Magic Quadrant for this very reason.) USM Anywhere has core SIEM functionality, yes; however, the platform was developed from its inception to be a broader, unified security management platform. Figure 1 shows how AT&T is extending USM capabilities in three core areas:
- Expanding telemetry from endpoint, mobile/IoT, network, cloud, and email for improved visibility and information gathering
- Advancing threat intelligence, security analytics, automation, and orchestration to improve detection accuracy and time to detection
- Automating select workflows and processes to increase efficiency in security operations and ultimately shorten and improve mean time to detection and response.
We’re interested in hearing your perspective on XDR. Reach out to us at tl0999@att.com. And watch for our next article on XDR, which will talk about the role MSSPs serve in this emerging category.