In our first post on demystifying the concepts and practices behind extended detection and response (XDR) technology, Forrester analyst Allie Mellen joined Sam Adams, Rapid7's VP for Detection and Response, to outline the basic framework for XDR and highlight the key outcomes it can help security teams achieve. One of the core components of XDR is that it expands the sources of telemetry available to security operations center (SOC) teams so they have richer, more complete data to help them detect and respond to threats.

That raises the question: How do SOC analysts keep productivity high while sifting through huge volumes of data?

Automation is one of the key ways SOC teams make their processes more efficient as they identify the most relevant threats and initiate the right responses. But automation can't do everything an analyst can, and finding the right balance between machine learning and human know-how is an essential part of a successful XDR implementation.

Become the bridge

As Sam pointed out in his discussion with Allie, the security analyst acts as a bridge between what the data is saying and what the right course of action is in response to it.

“I got the alert, and you know, that's not the hard part anymore," he said. "The hard part is responding to the alert and figuring out what to do with that alert – and really, what the impact is on my company."

For Allie, XDR helps analysts find a balance between security and productivity, but not by leaning too heavily on automation. In fact, she suggested we've had a "misplaced hope" for what machine learning can help us accomplish. Instead, it's about setting up automation that augments the analysts' work by helping them ask the right questions up front — and get to the answers faster.

The expert and the end user

In addition, automation can't always tell us who the expert actually is about a particular security event. Sam gave the example of a suspicious login from Bermuda: After receiving that alert, it's actually no longer the analyst who's the expert on that incident, but the end user who was involved. The logical next step is to pick up the phone or send an email and ask that user, "Are you in Bermuda?" — and that takes a human touch rather than an automated action.

"We assume we can get everything we need from the tools," Allie pointed out, "and they abstract us away from the rest of the enterprise in that way. But it can be just as easy as turning to the person next to you and saying, 'Hey, did you log into this?'"

Allie went on to note that this is one of the main reasons why it's so important to foster a security culture throughout the whole business. When you build connections between the security team and individuals from other parts of the organization, and keep that rapport strong over time, SOC analysts can get many of the answers they need from their peers in other departments — and get to the answers much more quickly and accurately than a machine ever could.

Culture is a uniquely human thing, one that machines can never replicate or replace — and security culture is no exception. XDR broadens the data and tools that SOC teams can use to help them protect the organization, but even the best technology is no replacement for an educated team of end users who know how to implement security best practices, not to mention the sharp insights of seasoned SOC analysts. The real magic happens when all these elements, human and automated, work together — and in an XDR model, automation fills the gaps instead of taking center stage.

Want more XDR insights from our conversation with Allie? Check out the full talk.