The speed at which malicious actors have improved their attack
tactics and continue to penetrate security systems has made going
bigger the major trend in cybersecurity.

Facing an evolving threat landscape, organizations have
responded by building bigger security stacks, adding more tools and
platforms, and making their defenses more complex, according to a new
eBook from XDR provider Cynet (read it here[1]).

Organizations find themselves in a virtual arms race with
malicious actors. Attackers find new, stealthier ways to penetrate
an organization’s defenses, and organizations build higher walls,
buy more technologies to protect themselves, and expand their
security stacks.

Money is a key component of security success – a tough reality
for leaner organizations that might not have the seemingly endless
budgets of larger corporations and enterprises.

The question of what leaner security teams could do about it
used to be “not a lot,” but today, that’s hardly the case. Even
though the cybersecurity industry includes hundreds of tools,
platforms, and services organizations can use to defend themselves,
leaner companies are more and more discovering that having all the
bells and whistles isn’t always a necessity.

However, finding the right tool to replace all those
technologies requires some forethought. Moreover, it requires some
understanding of what goes into a large company’s security
stack.

What’s in a Large Company Security Stack?

Modern security stacks have multiple moving parts and require
specialized tools to manage the disparate platforms and service
organizations install. This usually requires a dedicated team or
team member to manage and ensure that things are running
smoothly.

More importantly, most organizations today follow the layered
protection principle – no tool is 100% effective, so redundancies
are crucial for when one fails.

Practically speaking, this means that most organizations will
have many (if not all) of the following tools installed:

  • Next-generation antivirus (NGAV)
  • Endpoint protection (EPP)
  • Endpoint detection and response (EDR)
  • User and entity behavior analysis (UEBA)
  • Network traffic analysis (NTA)
  • Email protection
  • Deception technology
  • Cloud access security broker (CASB)

This also means that for most organizations, the volume of data,
alerts, and signals produced daily is a major concern. The next
question, then, is how do organizations manage these mountains of
alerts from disparate sources?

The answer is usually using a security information and event
management (SIEM) platform, which can centralize and harmonize the
different alerts and signals most cybersecurity tools produce into
a unique location.

However, a SIEM is more of an organizational tool than a way to
reduce the number of alerts. It also adds to the resource and
financial costs of a security stack, and it still requires constant
manual intervention.

Automation, but at what cost?

To get around this issue, organizations turn to security
orchestration, automation, and response (SOAR) tools. SOAR
platforms can automate substantial portions of the incident
response process, including remediation and some of the
investigation.

However, they are expensive, still require manual management,
and are not always a viable option.

How XDRs can help

For lean organizations, building a large, multi-layered, and
complex security stack can produce more work than it removes.
Management, education, regular maintenance, and updates can take up
much of a security team’s valuable time.

The real answer, then, is not to go bigger, but to go more flexible,
and that's where extended detection and response (XDR) comes in.

Instead of multiple layers and displays, organizations can focus
on a single pane of glass view and reduce their maintenance,
management, and updating efforts.

XDRs usually achieve this with three main features:

  • Prevention and detection: One of the biggest
    advantages an XDR offers is that it can actually reduce and manage
    the volume of alerts an organization must sift through. XDRs
    include many (and in some cases all) of these tools natively. This
    is beneficial in two ways. First, it means that all signals and
    data are standardized and already integrated. This makes it easier
    to process them, create a more reliable sorting and investigation
    method, and keep them under control. Second, it can reduce the
    number of false positives and provide a much faster response since
    the tool doing the detection is the same one responding to a
    potential threat.
  • Automated response: Another key differentiator
    for XDRs is that they can automate large portions of an
    organization’s cybersecurity efforts out of the box. By including
    detection, endpoint protection, and network analysis, XDRs can
    respond more quickly than non-centralized stacks and can get the
    right response more often. They also offer a much broader range of
    responses and remediation tools.
  • Managed detection and response (MDR): Finally,
    most XDRs will offer an MDR service to assist organizations in
    handling many of the tasks that can’t be automated. While many
    vendors will charge for this service, simply including it in an XDR
    offering means that teams can prioritize their limited resources
    into the area of most impact. MDRs can also help close both
    resource and knowledge gaps, helping offer a more well-rounded and
    robust defense.

You can read more about how XDRs can help organizations get better security on a budget here[2].

References

  1. "read it here" (info.cynet.com)
  2. "get better security on a budget here" (info.cynet.com)
