The future of threat detection and response: An operation-centric approach

We are fast-approaching a full year since the outbreak of Covid-19. Over that time, we’ve undergone a number of notable changes, both in our everyday lives as well as in the working environment. Among them is the rapid transition towards remote working to accommodate for social distancing guidelines, a development that may soon become the norm. Indeed, one study has revealed that nearly half of employers intend to allow employees to work remotely full-time.

In the face of this new reality, companies must ensure that all employees are connected to their company network at any time and from anywhere, whilst doing so securely. This is a particularly arduous task as cybercriminals are also taking advantage of today’s unpredictable environment to execute their malicious schemes. From a spike in ransomware attacks to data exfiltration and crypto mining, cyber-attacks have escalated in volume as well as in their potential scope of damage.

Many existing endpoint protection (EPP) tools are simply not equipped to manage today’s threat landscape. If threats emerged as single, isolated attacks on a single company device, then organisations would be set. Unfortunately, attacks are not being carried out in this manner. They are coordinated across user identities, devices and endpoints. As such, organisations need solutions that can roll with the punches – enable real-time response -, and better yet anticipate – in order to prevent – the adversary’s next move.

In the world of cyber defence, the key question is if we can respond to an attack with accuracy. Can we fully remove the adversary without creating undue friction on the business? Put simply, we need to be able to respond, with the right response, and nothing but the right response. Unfortunately, technologies that send alerts when a suspicious activity is detected put the onerous task of determining the full, and correct response on the operator. A partial and incomplete handling of these activities may slow down the cybercriminal’s efforts but may not halt the attack as a whole. In bad cases, it could be akin to putting a Band-Aid on a bullet wound.

Organisations need a new approach to threat detection and response. The approach needs to understand and adapt to the modern enterprise: this includes devices, identities, network and SaaS. They need Extended Detection and Response, coined as XDR. But what should they be looking for in an XDR solution?

There are three key elements to consider before committing to one. Firstly, check that the technology can help you find the threats that are relevant to your business. A foundational step in security is knowing your attack surface: what does your network look like to an attacker, and what needs to be protected. An adept XDR solution should connect across your remote workforce, SaaS, IaaS, and even critical on-premises infrastructure to protect your enterprise network. Ensure the XDR solution aligns well with your overall IT strategy and can support critical systems with important protections (e.g. Anti-ransomware for Windows Servers).

Next, you will want to test if the solution can speed up your threat detection and response capabilities. The best solutions are operation-centric, which means instead of an alert on a single event, you’re presented with a highly correlated, intuitive view of the malicious operation. The technology should support machine readable threat intelligence, such as Indicators of Compromise (IOCs), or metadata associated with known-bad activity. In other words, evidence of the tools and artifacts of a breach.

More importantly, however, is the identification of Indicators of Behaviour (IOBs), or the actual actions and behaviours that take place. This might include a change of privilege or an application that instigates a process, perhaps an injection from one process to another. Hackers increasingly execute attacks with new and unique code tailored to an individual target environment. Therefore, there may not be any old indicators to suggest a compromise, offering an inaccurate assessment of your company’s security posture. Indeed, cybercriminals are using existing software already deployed across your environment for their schemes; that is, they are ‘living off the land’. With an XDR solution that can identify IOCs and IOBs across endpoint, email, identities, and cloud activity, you get a clearer picture of any malicious activity and are closer to a complete remediation.

Finally, an evaluation of the technology’s response to threats should be made. As soon as an attack is identified and understood from a macro-level, the ideal XDR solution should automatically deploy remediation actions; or at least, it should have the ability to guide you through the best response. For example, kill a process, block a user, quarantine an asset or remote shell, which can all be accomplished remotely with one, simple click. In short, seek solutions that offer flexible options and automation that aligns with your security workflows.

With a strong XDR solution, we, the defenders, can regain the upper hand with the ability to detect, correlate and stop attacks in real-time, even across complex, ever-evolving enterprise environments. Unlike SIEM or log management tools, XDR promises an experience focused on security value — better detection, easier investigation, faster response. In order to defeat an adversary that can weave between data silos and understands detection alerts, it requires an operation-centric approach. Look to XDR to help you understand your attack surface, expose the malicious operation, and take action to stop the threat.


Related posts

Scroll to Top