Last updated at Thu, 24 Feb 2022 16:01:49 GMT
Extended detection and response (XDR) is, by nature, a forward-looking technology. By adding automation to human insight, XDR rethinks and redefines the work that has been traditionally ascribed to security information and event management (SIEM) and other well-defined, widely used tools within security teams. For now, XDR can work alongside SIEM — but eventually, it may replace SIEM, once some of XDR's still-nascent use cases are fully realized.
But what about the pain points that security operations center (SOC) analysts already know so well and feel so acutely? How can XDR help alleviate those headaches right now and make analysts' lives easier today?
Fighting false positives with XDR
One of the major pain points that Sam Adams, Rapid7's VP for Detection and Response, brought to light in his recent conversation with Forrester Analyst Allie Mellen, is one that any SOC analyst is sure to know all too well: false positives. Not only does this create noise in the system, Sam pointed out, but it also generates unnecessary work and other downstream effects from the effort needed to untangle the web of confusion. To add to the frustration, you might have missed real alerts and precious opportunities to fight legitimate threats while you were spending time, energy, and money chasing down a false positive.
If, as Sam insisted, every alert is a burden, the burdens your team is bearing better be the ones that matter.
Allie offered a potential model for efficiency in the face of a noisy system: managed detection and response (MDR) providers.
“MDR providers are one of these groups that I get a lot of inspiration from when thinking about what an internal SOC should look like," she said. While an in-house SOC might not lose money to the same extent an MDR vendor would when chasing down a false positive, they would certainly lose time — a precious resource among often-understaffed and thinly stretched security teams.
One of the things that MDR providers do well is threat intelligence — without the right intel feed, they'd be inundated with far too much noise. Sam noted that XDR and SIEM vendors like Rapid7 realize this, too — that's why we acquired IntSights to deepen the threat intel capabilities of our security platform.
For Allie, the key is to operationalize threat intelligence to ensure it's relevant to your unique detection and response needs.
"It is definitely not a good idea to just hook up a threat intel feed and hope for the best," she said. The key is to keep up with the changing threat landscape and to stay ahead of bad actors rather than playing catch-up.
With XDR, curation is the cure
Of course, staying on top of shifting threat dynamics takes time — and it's not as if analysts don't already have enough on their plate. This is where XDR comes in. By bringing in a wide range of sources of telemetry, it helps SOC analysts bring together the many balls they're juggling today so they can accomplish their tasks as effectively as possible.
Allie noted that curated detections have emerged as a key feature in XDR. If you can create detections that are as targeted as possible, this lowers the likelihood of false positives and reduces the amount of time security teams have to spend getting to the bottom of alerts that don't turn out to be meaningful. Sam pointed out that one of the key ways to achieve this goal is to build detections that focus not on static indicators but on specific behaviors, which are less likely to change dramatically over time.
“Every piece of ransomware is going to try to delete the shadow copy on Windows," he said, "so it doesn't matter what the latest version of ransomware is out there – if it's going to do these three things, we're going to see it every time."
Focusing on the patterns that matter in threats helps keep noise low and efficiency high. By putting targeted detections in security analysts' hands, XDR can alleviate some of their stresses of false positives today and pave the way for the SOC to get even more honed-in in the future.
Want more XDR insights from our conversation with Allie? Check out the full talk.