Large security vendors with Extended Detection and Response (XDR) offerings position their solution as integrating their own set of products. It may include a couple of third-party products that are already part of their suite, and it provides a central screen, or single pane of glass, from which all the data can be seen. But that raises some important points.
Data can arrive from any of the solutions in the XDR offering at any time and, given the alert volumes most teams already face, we are talking about massive amounts of it. Without context from external intelligence sources there is no way to determine relevance or priority. Because the data has not been curated for the specific customer environment, much of it may be noise, which lowers users' confidence in the data and in their ability to make the right decisions from it.
Few organisations start with a clean slate; most already run a variety of best-of-breed solutions across departments and teams. To deal with this, many of the larger vendors are now creating marketplaces, hoping that smaller vendors will use their APIs to build integrations with them. This is starting to happen.
But if you have been in the software industry for a while, you understand that building these integrations takes a lot of time and that they are not easy to maintain. And if a smaller vendor has products that compete with the main vendor, the integration may never happen.
Even if the XDR solution vendor has great APIs that are easy to write to, getting data from on-premises, legacy applications to a cloud platform is a considerable undertaking. An XDR implementation can quickly turn into a very large consulting project requiring significant time and budget.
Alternatively, some organisations may choose to outsource the entire function to a managed detection and response (MDR) service provider that offers XDR as a service. MDR is a growing category in cybersecurity services and an offshoot of the traditional Managed Security Service Providers (MSSPs).
Unlike MSSPs, MDR companies do not manage traditional security tools and technologies such as firewalls; their role is to detect, respond to and resolve attacks.
To help XDR solutions deliver on their promise, what is needed is a platform focused on integration, serving as a central repository for data and intelligence from internal and external sources, and as a conduit between existing security technologies and cloud-based XDR offerings.
More than a central screen or single pane, such a platform delivers a single source of truth for teams and tools. It brings in third-party intelligence to enrich the data from internal tools with context and to prioritise it for action. That single source of truth can filter out noise, share knowledge, serve as organisational memory (for example, indicators already investigated and found benign) and become a custom enrichment source that every team and tool can draw on to accelerate security operations.
With pre-processed, curated data, teams have high confidence that the data is relevant. Confidence in data leads to confidence in decision making which, in turn, leads to confidence in automating those decisions and actions. Because the platform also integrates with third-party security controls, relevant, prioritised threat intelligence can flow through all systems, playbooks and processes. Actions, automated or manual, are then based on the right data and can be executed quickly.
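To make the pipeline just described concrete, here is an added example (not ThreatQuotient's code, nor any product's API) of the normalise, enrich, prioritise and route steps in miniature. The alerts, the intelligence feed, the allowlist and the critical-asset set are all constructed for the example, and the scoring weights and thresholds are illustrative assumptions rather than anything the article prescribes. The point it shows beyond the prose: the same indicator is worthless from one tool and decisive from another once external intelligence and organisational memory are applied, and only the records that clear a confidence threshold are handed to automation.

```python
"""Minimal enrichment and prioritisation step of the kind the article
describes.  All inputs below are constructed sample data; names, weights
and thresholds are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed alerts from three tools, each in its own native field names.
RAW_ALERTS = [
    {"src": "edr", "host": "ws-042", "ioc": "198.51.100.23", "sev": 3, "desc": "outbound beacon"},
    {"src": "proxy", "client": "ws-017", "dst_ip": "203.0.113.7", "category": "newly-seen"},
    {"src": "email", "recipient": "ws-101", "sender_domain": "mail.example", "verdict": "suspicious"},
    {"src": "edr", "host": "ws-042", "ioc": "192.0.2.55", "sev": 1, "desc": "unsigned binary"},
]

# Constructed third-party intelligence, keyed by indicator.  The
# "allowlist" tag stands in for organisational memory: an indicator a
# team already investigated and recorded as benign.
INTEL = {
    "198.51.100.23": {"score": 90, "tags": ["c2", "actor-xyz"]},
    "203.0.113.7": {"score": 20, "tags": ["scanner"]},
    "192.0.2.55": {"score": 0, "tags": ["allowlist"]},
}

# Constructed internal context: assets whose alerts deserve a boost.
CRITICAL_ASSETS = {"ws-042", "ws-101"}


@dataclass
class Alert:
    source: str
    asset: str
    indicator: Optional[str]
    base_severity: int           # tool's own 1..3 severity, or a default
    intel_score: int = 0         # filled in by enrich()
    tags: list = field(default_factory=list)
    priority: int = 0            # filled in by prioritise()


def normalise(raw: dict) -> Alert:
    """Map each tool's native record onto the shared Alert shape."""
    if raw["src"] == "edr":
        return Alert("edr", raw["host"], raw["ioc"], raw["sev"])
    if raw["src"] == "proxy":
        return Alert("proxy", raw["client"], raw["dst_ip"], 2)
    if raw["src"] == "email":
        sev = 2 if raw["verdict"] == "suspicious" else 1
        return Alert("email", raw["recipient"], raw["sender_domain"], sev)
    raise ValueError(f"unknown source {raw['src']!r}")


def enrich(alert: Alert, intel: dict = INTEL) -> Alert:
    """Attach external context; an indicator absent from the feed stays at 0."""
    ctx = intel.get(alert.indicator)
    if ctx:
        alert.intel_score = ctx["score"]
        alert.tags = list(ctx["tags"])
    return alert


def prioritise(alert: Alert, critical: set = CRITICAL_ASSETS) -> Alert:
    """Illustrative scoring: 10 x tool severity + intel score + 25 if the
    asset is critical; anything the organisation has allowlisted drops to 0."""
    if "allowlist" in alert.tags:
        alert.priority = 0
        return alert
    score = alert.base_severity * 10 + alert.intel_score
    if alert.asset in critical:
        score += 25
    alert.priority = score
    return alert


def triage(raws: list, auto_threshold: int = 100, review_threshold: int = 40) -> dict:
    """Route each alert: 'auto' (confident enough to hand to a playbook),
    'review' (analyst attention) or 'noise' (filtered out)."""
    buckets = {"auto": [], "review": [], "noise": []}
    for raw in raws:
        alert = prioritise(enrich(normalise(raw)))
        if alert.priority >= auto_threshold:
            buckets["auto"].append(alert)
        elif alert.priority >= review_threshold:
            buckets["review"].append(alert)
        else:
            buckets["noise"].append(alert)
    return buckets


if __name__ == "__main__":
    for bucket, alerts in triage(RAW_ALERTS).items():
        for a in alerts:
            print(f"{bucket:6} {a.source:5} {a.asset} {a.indicator} priority={a.priority}")
```

Run as a script, the beaconing EDR alert on a critical host with a known C2 indicator is the only record that clears the automation threshold; the proxy hit on a mere scanner and the email with no external intelligence at all land in the review queue (the latter only because the recipient is a critical asset); and the unsigned-binary alert is dropped because the organisation's own memory says that indicator is benign. In a real deployment the weights, the allowlist and the asset inventory are exactly the curated, customer-specific context the article argues a generic XDR feed lacks.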
Clearly, integration is imperative for XDR, enabling effective detection and efficient response.
To help XDR solutions deliver on their promise, what is needed is a platform focused on integration, explains Marc Solomon of ThreatQuotient.