Decoding XDR, the latest cybersecurity trend

Jonathan Tan, Managing Director, Asia, McAfee

The state of COVID recovery across APAC differs substantially from market to market. While governments in countries like Singapore and Taiwan are able to let workers return to the office, subject to prevailing employer guidance, a return to the office may be slightly further away in other countries.

However, whether workers are in the office or working from home, the changes wrought by COVID are apparent no matter where organisations may be, and will continue for the foreseeable future. In 2020, McAfee saw usage of cloud services like Zoom, Microsoft Teams, and Slack more than double (+350%, +300%, and +200%, respectively).

With workplaces looking to be more flexible post-COVID, these cloud services offer the promise of a distributed workforce that is productive from anywhere. The explosion of cloud services and endpoints will continue accordingly—along with myriad other changes in technology deployments.

At the same time, bad actors are swarming. To take cloud services as just one example: coinciding with the rise of COVID, the number of threats from external actors targeting cloud services increased 630%, with the greatest concentration in collaboration services like Microsoft 365. And cloud services are just one aspect of SMEs’ rushed digital transformations; with bad actors more active than ever around every cybersecurity pain point, SMEs should continually re-evaluate and rethink their cybersecurity accordingly.

The balancing act in security operations

Many organisations, especially growing SMEs, fall in between: beyond simply outsourcing their security needs to a Managed Security Service Provider (MSSP), but not yet large enough to have a team dedicated solely to security operations. Security operations teams are also affected by an immense cybersecurity skills shortage, meaning that even if you can find and build a team, investing in it and retaining it may prove difficult. Lacking a proper specialised team keeps these organisations in reactive mode, constantly forced to respond to individual alerts and using standalone point products to patch together their cybersecurity needs.

Being reactive in a constantly evolving threat landscape multiplies the difficulty of every cyberthreat management task. For many organisations, adding the transition to the cloud on top of this may be a backbreaking proposition, given that cloud security involves more risk than many other activities an organisation may be engaged in.

In addition, many organisations that do have security operations continue to use their longstanding approach to cybersecurity, known within the industry as Security Information and Event Management (SIEM), which aggregates and correlates log data (such as syslog) from a range of sources to monitor for potential threats.

Those with security operations analysts are likely using detection and response tools focused on one attack vector, such as an endpoint detection & response (EDR) tool. This means their detections and investigations are siloed by attack vector, which is problematic because most advanced adversaries move erratically across the environment precisely to avoid discovery.

XDR, the new buzzword

SMEs may have been hearing about extended detection & response (XDR) over the past year, as it gains popularity within the cybersecurity industry. Across the cybersecurity industry, XDRs were hailed as one of the hottest new trends; almost every major cybersecurity company introduced an XDR solution. Many end-of-year recaps and 2021 forecasts identified XDR as a key trend to know.

As the threat surface continues to expand—to web, cloud, data, network, and more—it’s too much to expect that all organisations will have the cybersecurity manpower to properly deploy and configure cybersecurity solutions, especially a patchwork of fragmented products, to adequately cover all of these vectors. But regardless of whether threats to your organisation come from your network, your systems, or your cloud services, they are all part of your organisation’s complete security picture.

XDR has been gaining momentum for its ability to automatically collect and correlate data from multiple security products, relieving overburdened security operations teams of tedious, manual and error-prone tasks. The net effect is higher detection accuracy and better security operations efficiency and productivity. However, SMEs may understandably have been slow to learn about XDR amidst everything that happened in 2020, or slow to deploy it, given how early we are in XDR’s lifecycle.
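The correlation step described above, as an added illustration in Python (not McAfee’s code or any product’s engine): alerts from three siloed products (cloud, EDR, network) are first shown as separate queues, then joined into incidents by the entities they share (a user, a host) within a time window. The alerts, product names and entity labels are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three siloed products (not real telemetry).
# Each alert names the entities it involves; the engine pivots on them.
ALERTS = [
    {"id": "cloud-1", "source": "cloud", "time": "2021-03-01T09:02:00",
     "detail": "impossible-travel login", "entities": {"user:alice"}},
    {"id": "edr-1", "source": "edr", "time": "2021-03-01T09:20:00",
     "detail": "office macro spawned powershell", "entities": {"user:alice", "host:lt-17"}},
    {"id": "net-1", "source": "network", "time": "2021-03-01T09:41:00",
     "detail": "beacon to rare domain", "entities": {"host:lt-17"}},
    {"id": "edr-2", "source": "edr", "time": "2021-03-03T14:00:00",
     "detail": "unsigned driver load", "entities": {"host:srv-02"}},
]


def siloed_view(alerts):
    """What three separate consoles show: one disconnected queue per product."""
    per_source = defaultdict(list)
    for a in alerts:
        per_source[a["source"]].append(a["id"])
    return dict(per_source)


def correlate(alerts, window=timedelta(hours=2)):
    """Group alerts that share an entity within a time window into one incident,
    whichever product raised them; the entity set grows as alerts are joined."""
    incidents = []  # each: alerts, entities, sources, time of last alert
    for a in sorted(alerts, key=lambda x: x["time"]):
        t = datetime.fromisoformat(a["time"])
        match = next((i for i in incidents
                      if i["entities"] & a["entities"] and t - i["last"] <= window), None)
        if match is None:
            match = {"alerts": [], "entities": set(), "sources": set(), "last": t}
            incidents.append(match)
        match["alerts"].append(a["id"])
        match["entities"] |= a["entities"]   # pivot: user -> host -> next alert
        match["sources"].add(a["source"])
        match["last"] = t
    return incidents


def cross_vector_incidents(incidents):
    """Incidents only visible once data from two or more products is joined."""
    return [i for i in incidents if len(i["sources"]) >= 2]
```

On the sample data the siloed view shows four unrelated alerts across three consoles, while `correlate` links the cloud login, the endpoint macro and the network beacon into one incident through the shared user and host.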

XDR: what you need to know

The first thing to know when discussing XDR is that it isn’t a single product, but rather an assembly of multiple security products and services that together form a unified platform. In practice, this unified platform makes cybersecurity defence easier by delivering a full complement of security capabilities, everything from the first steps, discovery and detection, through to investigation and response.

XDR provides a “single pane” view, meaning one unified view, into what’s happening across the organisation’s attack surfaces, both on-premises and in the cloud. Additionally, XDR provides easy-to-follow, real-time, comprehensive visibility into environments, helping organisations keep closer pace with attackers and the threat landscape.

However, it’s important to note that it’s not as simple as flipping a switch: how effective XDR will be for an organisation will differ based on the organisation’s cybersecurity maturity and its ability to embrace the processes that comprise XDR. For example, if your organisation is already investigating and resolving endpoint threats, then it is most likely ready for an XDR deployment.

But if your organisation is not yet at the point of monitoring endpoints, or finds itself stymied by other foundational cybersecurity processes or the extreme resource limitations of a small SME, then XDR may be too advanced at this stage, and your organisation may need more robust processes, as well as more experts, in place before introducing XDR.

How to shift to a proactive mindset

Thinking like an XDR can benefit your organisation, whether it is in the process of deploying an XDR or is still earlier in its progress towards better cybersecurity maturity.

As XDR shows, state-of-the-art cybersecurity has progressed towards real time and the single pane, evolutions that together make it easier to monitor company environments across a considerable number of data sources and inputs. It gives the big picture, with the opportunity to drill down where needed to connect the dots along the adversary’s journey. What organisations can apply now, even without purchasing an XDR, is this holistic mindset.

In today’s threat environment, it’s important to track everything, including the myriad ways that employees are accessing your data and your network. Even if you decide that an XDR is not for you at this point in time, awareness and progress towards these organisational virtues will help to increase your overall cybersecurity maturity.

As complexity continues to increase, from the number and types of threats to the ways your employees are working, good cybersecurity posture will mean tracking all threat vectors, and doing so in real time. By bridging these gaps, organisations will be much better prepared, no matter what platforms they ultimately choose.