5 Questions to Ask Before Implementing an XDR Program
2022-05-03 08:00:00 Author: www.trustwave.com (view original)

Ladies and gentlemen of all ages and security roles, let us dive head-first into this newish thing called XDR. There is no shortage of vendors and researchers offering their own definition of what XDR actually represents, so the question becomes whether there is one you agree with or not. This post takes a slightly different tack and explores what XDR means to you and your security team. First, it may be helpful to calibrate our minds together, since XDR, EDR, SIEM, and SOAR are all acronyms being thrown into the soup by vendors and analysts.

To start, extended detection and response (XDR) is one form of evolution from EDR (endpoint detection and response), extending the ability to provide detection and response actions beyond the traditional corporate endpoint. An alternative pathway is the SIEM and SOAR technologies of the world, which championed a larger data set, broader visibility, and toolkits that empower teams with centralized visibility extending well beyond the corporate endpoint.

The consistent vision we hear from technology vendors is that XDR technology brings all these layers into a single pane of glass, allowing analysts to see, and touch, a console that provides centralized visibility, high-fidelity threat detection, and workflow and threat response automation. Pretty cool, but very technology- and architecture-oriented.

So what about the concept of an XDR program? What does that even mean, and what would success represent? Even if defined, how would you go about maximizing the speed, and cost efficiency, of implementing it? To break this complicated question down into its base components, we sat down and had an in-depth conversation with Trustwave CISO Kory Daniels.

1. What are the benefits of XDR technologies and architecture?

The first step is to quickly understand what benefits XDR can deliver to your organization, and how that differs from what you are doing today.

Centralized threat detection, the ability for analysts to take investigative response actions, and the automation of manual processes, tasks, workflows, and incident response playbooks are the target outcomes. From those you can identify what benefits XDR brings to capacity, speed, and threat resilience coverage across the attack surface.

EDR solutions are powerful because they allow an analyst to take response actions from a console directly on the endpoint. XDR is the next evolution: we see SIEMs trying to achieve the high-fidelity response value of EDRs, and EDRs trying to expand data ingestion, as a SIEM does, without degrading that response value. XDR, in theory, sits right in that middle ground, unifying the best attributes a SIEM and an EDR can each provide the security team, and making good on the vision of a 'single pane of glass' that minimizes analyst hops from one console to the next, reducing friction and latency during investigations. To be successful, you still can't plug and play these tools and architectures without a point of view on data visibility, awareness of the attack surface, the efficiency of your current workflow processes and playbooks, and your contextual data enrichment sources.

2. What are the First Steps to Take When Implementing XDR

We strongly advise that an organization have a proper implementation plan in place prior to taking any action. Essentially, this is a blueprint for XDR success that the builders can leverage as they modify, or build, your security house. It may also prompt the question: are we even ready to take on XDR, or can we live comfortably without it?

If an organization does not generate the project charter and the plan beforehand, it could lead to poor implementation of XDR technologies. Unfortunately, we see a lot of bad implementations out there in the market, which, of course, can negatively impact the program's eventual performance and create frustration, a loss of confidence, and unnecessary financial pitfalls along the way.

There are some factors that must be considered. As an organization, are you mature enough, and what are you trying to achieve? New telemetry visibility, better MTTD and MTTR, and capacity uplift are all frequent examples of what we see. It is critically important to understand how XDR ties into the overall strategic roadmap, to note the milestone criteria by which you will measure success, and to identify the benefits to other teams, like IT, in taking on this objective.

Having these questions answered beforehand will drive the concept of what you need to do to measure success and implement the XDR program. Next, look at the people, processes, and technology under your roof and understand which data sources your team has access to today. How do we feel about our process flows, and about the operational behaviors that follow them? Do we have the right incident response playbooks, and are they effective enough to automate? Do we have the right data telemetry visibility today, and do we know how that will change over the next 12-36 months?

This knowledge will enable you to determine which data sets you need access to when action is necessary. Look at your cloud, endpoints, servers, and environment, and then figure out which other datasets are critical.

An organization must incorporate Security Orchestration, Automation and Response (SOAR) based automations in its XDR program, along with threat intelligence, asset discovery, and vulnerability remediation. These are all attributes of extended detection and response actions, and they are critical to consider during implementation planning to minimize future rework.

3. What Skills Must be in Place Prior to Implementation?

People are incredibly important. XDR is not a reason to replace staff; it is a reason to empower them. XDR technologies also don't run effectively on their own. Skilled and certified team members are key to ensuring the technologies perform the way your drafted expectations and requirements said they would.

These skills include 24/7 capability for triage, threat hunting, threat intel, and threat analytics. One of the critical skills often missed in the implementation plan is the responsibility for applying data science. The security folks need the ability to look at and understand the disparate data sets inside your environment. Experts must be able to look at the "data puzzle" created when using an XDR solution and determine whether there is a telemetry, correlation, or automation content gap, or an opportunity for enhancement.

Well-defined roles and responsibilities, and knowing who on your staff will perform which processes and tasks, are vital to ensure predictability, scale, and success. This frames the basis for adopting automation quickly and effectively.

Whether or not an organization has the skills in-house to manage the technology and the architecture is a question that you should answer upfront. Staffing must be evaluated to ensure the organization either has the required individuals already in-house or can find a partner that can supply that workforce and be a force amplifier to the internal cyber security staff.

4. How Do You Find the Right XDR Partner?

The continuously evolving attack surface, influenced by business innovation while 5G pushes the boundaries of OT and the edge of the security scope, is creating a big data problem. Having the right partner on board from the start can help lower the risk of a project stumbling, or failing, during its implementation phase. A partner should bring subject matter expertise, experience, intellectual property, and ready-made project plans that only need to be tailored to a particular organization before being implemented. Essentially, a strong partner has already done the heavy lifting, drawing on their experience, before the project starts.

Organizations do have to be careful during the partner selection process. The wrong partner can be disastrous, not only because of the financial impact of the technology acquisitions, but also because of the added frustration, cost, and wasted time compared with implementing without a partner at all. Challenge vendors to show what a day-in-the-life experience looks like: how the vendor plans to deploy, optimize, and enhance an XDR program during the implementation. This will give you a proper sense of the value and the expected return.

5. What are the challenges in implementing XDR?

The challenges in implementing XDR include deciding which datasets are prioritized. In addition, how do you, as an organization, effectively integrate disparate technologies? Right now, there are very few homogeneous organizations that have harmonized on a single security technology platform. So, as we look at XDR as a program, we start to assess extended detection and response attributes across people, process, and varying technologies.

Do we have the right team in place to deploy the program? Is the team certified, and do they know how to implement, or enhance, the program quickly and effectively at minimal cost and friction? Do we have the right sourcing and operating model, from a planning and strategy perspective? Does our team know what "great" looks like for XDR, given the fact that the concept is still pretty new in our space? Does the security team have practical experience or only theoretical?

Success is too often focused on the implementation alone, which can hurt in the longer term if ongoing sustainability was not planned for. A trusted partner must be able to answer questions such as: how do you sustain the XDR program? How can you ensure that your organization has a continuous improvement program that enhances the security team's ability to adapt and use the additional functionality and features of the XDR program?

Here again is where a partner can play an important role: a partner who understands the data science and automation parts of this equation, and is able to prioritize and integrate additional datasets into your XDR program. Whether you use a partner or not is entirely dependent on your strategy and sourcing decisions, but please ensure you consider how you will continuously plan, build, test, and sustain the XDR program holistically before making the leap into XDR.


Source: https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/5-questions-to-ask-before-implementing-an-xdr-program/