In recent years workforces have become increasingly mobile, with employees using laptops at home, in airports, in cafes and elsewhere. Then, with the onset of COVID-19, the number of people accessing corporate resources from devices outside the corporate network increased enormously. All the expectations are that these work patterns are here to stay.
This trend has enormously increased both the risks and the security challenges for IT. Where once a good firewall could protect everything within the corporate network, there are now a huge number of endpoints outside the core environment that can be compromised by cybercriminals to gain access to valuable and sensitive company data and business-critical applications.
And, thanks to the now widespread use of cloud computing services, some company data and applications — and the traffic to and from them — are completely outside corporate networks.
To counter threats that seek to compromise endpoints, many vendors have developed endpoint detection and response (EDR) tools. These are able to detect and block attacks on endpoints, and are an essential element of any cybersecurity strategy. However, if the attacker succeeds in moving beyond that point of entry, EDR tools provide little help to security teams, who need to understand exactly what an attack seeks to achieve and how it is propagating so they can take steps to neutralise it expeditiously. Achieving these outcomes requires extended detection and response (XDR) tools.
The challenge of securing distributed environments
While EDR can provide a valuable first line of defence against cyber attacks, there are limitations to the amount of context it can provide for complex attacks. Once that first line is breached and the threat has propagated beyond its point of entry, it is essential to have network-wide visibility to understand the extent and impact of the attack. It is also necessary to be able to look back in time, to identify the point and time of entry and track the subsequent progress of the attack.
These goals can only be achieved by analysing the large volumes of data generated across the network over time. And this is a race against time: the nature of the attack must be understood and countermeasures implemented before it can do damage.
It is quite likely different countermeasures will be needed to neutralise the threat in different parts of the system, and protect data in multiple locations. It is equally likely that management responsibility for these will reside in different business silos.
All these factors make it difficult to understand and counter an attack rapidly enough to prevent it doing damage. Effective XDR tools can help organisations overcome all these challenges.
XDR is a suite of tools that act in concert to gather data about an attack, analyse that data and provide actionable insights. These enable IT teams to understand the nature of the attack and what it is trying to achieve, to forestall that intent, and to neutralise the attack by automating countermeasures as much as possible.
XDR tools enhance EDR with telemetry from the network and from identity and access management systems. They bring all this information together, use AI tools and human intelligence to analyse and correlate the data to detect network events that could indicate an attack, such as lateral movement, anomalous connections, data exfiltration and malicious software, and present all of this information on a single console.
By gathering and analysing large volumes of data from endpoints, servers and the cloud, XDR can filter out the noise and present security teams with only those alerts that require a priority response.
XDR’s comprehensive data gathering and analysis enables it to establish a baseline of normal behaviour in an environment and to block any abnormal behaviour, so that the abnormal behaviour can be investigated as a potential threat.
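As an added illustration, not taken from the article or from any vendor's product, the following Python sketch shows the kind of cross-source correlation described above on constructed identity and network telemetry: a learning period establishes a baseline of normal logins and connections, and a login from a host where that user has never been seen, followed within a window by connections to never-seen destinations, is raised as a single lateral-movement alert that records the candidate point of entry. Host names, users and timestamps are all made up.

```python
from collections import defaultdict

# Constructed sample telemetry (not real logs). Timestamps are seconds.
# BASELINE_EVENTS is the learning period; LIVE_EVENTS is the window being analysed.
BASELINE_EVENTS = [
    {"src": "identity", "ts": 100, "user": "alice", "host": "lt-alice"},
    {"src": "network",  "ts": 105, "host": "lt-alice", "dst": "fileserver", "port": 445},
    {"src": "identity", "ts": 200, "user": "bob",   "host": "lt-bob"},
    {"src": "network",  "ts": 210, "host": "lt-bob", "dst": "mailserver", "port": 443},
]
LIVE_EVENTS = [
    {"src": "identity", "ts": 900,  "user": "alice", "host": "lt-alice"},
    {"src": "network",  "ts": 905,  "host": "lt-alice", "dst": "fileserver", "port": 445},
    # alice's credential appears on a host it has never been seen on, and that host
    # then connects to internal systems it has never talked to before
    {"src": "identity", "ts": 1000, "user": "alice", "host": "ws-finance"},
    {"src": "network",  "ts": 1010, "host": "ws-finance", "dst": "hr-db",   "port": 445},
    {"src": "network",  "ts": 1020, "host": "ws-finance", "dst": "dev-srv", "port": 445},
]

def build_baseline(events):
    """Learn which (user, host) logins and (host, dst) connections are normal."""
    logins = {(e["user"], e["host"]) for e in events if e["src"] == "identity"}
    conns = {(e["host"], e["dst"]) for e in events if e["src"] == "network"}
    return {"logins": logins, "conns": conns}

def correlate(events, baseline, window=600):
    """Raise one alert per host where an unbaselined login is followed, within
    `window` seconds, by unbaselined outbound connections. The login timestamp
    is kept as the candidate point of entry for later investigation."""
    first_bad_login = {}           # host -> (ts, user) of first unseen login
    new_dsts = defaultdict(list)   # host -> unseen destinations after that login
    for e in sorted(events, key=lambda e: e["ts"]):
        host = e["host"]
        if e["src"] == "identity" and (e["user"], host) not in baseline["logins"]:
            first_bad_login.setdefault(host, (e["ts"], e["user"]))
        elif e["src"] == "network" and (host, e["dst"]) not in baseline["conns"]:
            if host in first_bad_login and e["ts"] - first_bad_login[host][0] <= window:
                new_dsts[host].append(e["dst"])
    alerts = []
    for host, (ts, user) in first_bad_login.items():
        if new_dsts[host]:  # a lone odd login is noise; login plus new connections is not
            alerts.append({"host": host, "user": user, "entry_ts": ts,
                           "targets": new_dsts[host], "verdict": "possible lateral movement"})
    return alerts

if __name__ == "__main__":
    for alert in correlate(LIVE_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```

The single alert that results combines identity and network telemetry into one record, which is the "single console" view the article refers to.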
XDR gathers momentum
The concept of XDR is relatively new. The term was coined in 2018 and it has gained momentum rapidly. A November 2020 survey by Enterprise Strategy Group, The Impact of XDR in the Modern SOC, found that more than two-thirds of the organisations surveyed expected to make XDR investments in the next six to 12 months. It said they saw XDR as having the potential to help them detect, identify and understand complex attacks across the kill chain.
The report’s authors concluded that XDR could become a ‘SOC modernisation catalyst’ by improving threat detection and response and helping to integrate and automate security operations processes.
The growing realisation of the power of XDR is reflected in market forecasts. A March 2023 report from Research and Data forecast a 20 percent CAGR in the XDR market, from $US755m in 2022 to almost $US4 billion by 2030. The report identified the rising sophistication and frequency of cyberattacks as key factors driving revenue growth.
Enhanced protection for today’s workplaces
While the rising sophistication and frequency of cyberattacks might be the main driver of the XDR market, there is no doubt the growing attack surface will be a factor as hybrid working becomes established as a permanent feature of the IT landscape.
In 2021, in the midst of the COVID-19 pandemic, a survey conducted by PwC found that 55 percent of employees would prefer a hybrid model of working post-pandemic, and a report by McKinsey found that 25 percent of workforces were likely to be working remotely three to five days per week post-pandemic.
With the increasing scale and complexity of corporate networks and the growing frequency and sophistication of cyber attacks, security teams will need XDR to gather and analyse vast amounts of data rapidly and to deliver the insights and intelligence needed to understand and counter those attacks quickly.