EDR, MDR, NDR, XDR – how do you take your detection and response?

With Microsoft the latest big name to label their suite of security products and services with the “XDR” moniker, it might seem like those of us offering MDR services have got some catching up to do. Concerned as always that we are lined up with how our customers want to consume security services, especially our security services, I did some digging to make sure we’re not “so last year”, and I was pleased to discover that, in my view, MSSPs providing good old fashioned MDR are still right where we need to be.

The devil is in the detail. XDR, as you will know, stands for “eXtended Detection and Response” (“EDR” was taken, of course), whereas MDR refers to “Managed Detection and Response”.

XDR has been a widely used term for some time. It is obviously not as entrenched as MDR, but several vendors have collected their technology under the XDR banner over the last couple of years, including Palo Alto Networks and now Microsoft, and we’re seeing this as an accelerating trend.

The idea driving XDR is that many and disparate sources of logs, signals and events are used to provide a broad picture of your threat level and risk exposure and increase visibility of the security infrastructure and control points throughout your network, applications, data stores, end user and IoT devices. The more you ingest, the theory goes, the more powerful your correlation and the more targeted your threat hunting and remediation. In Microsoft’s words, “(XDR is) designed to deliver intelligent, automated, and integrated security across domains to help defenders connect seemingly disparate alerts and get ahead of attackers”.

For example, I can see how powerful it would be to correlate identity and authentication events with a door entry system, staff rota application and threat intelligence feeds. This would be underpinned by behavioural analysis output, creating a normalised pool of data against which you could manually or automatically run intelligent queries to establish whether the person who just logged into a sensitive system is actually in the building, and even whether they should be on that particular day. That’s without even tapping Wi-Fi controller logs to check which devices they have on them. It all sounds a little bit “1984”, but from a security services provider point of view there are no such things as “bad” sources of activity and event data: each time we add a new source, our use cases, and therefore the methods of detection and response available to our customers, increase accordingly.
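To make the correlation concrete, here is an added example (not code from the original post, and not any vendor's product logic) that joins three normalised sources the paragraph mentions: logons to a sensitive system, door-entry badge events and a staff rota. All of the data, user names, system names and the two-hour badge window are constructed for illustration. A logon is flagged if there is no badge-in for that user in the window before it, or if the user is not rostered on that day.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original post). Timestamps are
# ISO-8601 in one timezone; 2024-03-04 is a Monday.
LOGONS = [
    {"user": "alice", "system": "hr-db", "time": "2024-03-04T09:05:00"},
    {"user": "bob",   "system": "hr-db", "time": "2024-03-04T09:10:00"},
    {"user": "carol", "system": "hr-db", "time": "2024-03-04T09:20:00"},
    {"user": "bob",   "system": "wiki",  "time": "2024-03-04T09:12:00"},
]
BADGE_EVENTS = [
    {"user": "alice", "door": "main-entrance", "time": "2024-03-04T08:55:00"},
    {"user": "carol", "door": "main-entrance", "time": "2024-03-04T09:15:00"},
]
# Rota: ISO weekdays (1 = Monday .. 7 = Sunday) each person is scheduled to work.
ROTA = {"alice": {1, 2, 3, 4, 5}, "bob": {1, 2, 3, 4, 5}, "carol": {2, 4}}
SENSITIVE_SYSTEMS = {"hr-db"}


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate_logons(logons, badge_events, rota, sensitive,
                     window=timedelta(hours=2)):
    """Return a list of findings for logons to sensitive systems that the
    physical-access and rota sources do not corroborate."""
    findings = []
    for lg in logons:
        if lg["system"] not in sensitive:
            continue  # only sensitive systems are worth the analyst's time here
        t = parse(lg["time"])
        reasons = []
        # Physical-presence check: a badge-in for this user at most `window`
        # before the logon (badge events after the logon do not count).
        badged = any(
            b["user"] == lg["user"]
            and timedelta(0) <= t - parse(b["time"]) <= window
            for b in badge_events
        )
        if not badged:
            reasons.append("no badge entry within %s before logon" % window)
        # Rota check: is the user expected to be working on this weekday?
        if t.isoweekday() not in rota.get(lg["user"], set()):
            reasons.append("user not rostered on this day")
        if reasons:
            findings.append({"user": lg["user"], "system": lg["system"],
                             "time": lg["time"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate_logons(LOGONS, BADGE_EVENTS, ROTA, SENSITIVE_SYSTEMS):
        print(f["time"], f["user"], f["system"], "->", "; ".join(f["reasons"]))
```

With the constructed data, alice is corroborated by both sources, bob logged in with no badge entry, and carol badged in but is not on the rota for a Monday; the wiki logon is ignored because that system is not in the sensitive set. In a real pipeline each source would need its own normalisation (user identifiers rarely match across HR, physical access and directory systems), which is exactly the unglamorous work that makes this kind of correlation possible.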

One of the key tenets of XDR is automation, and for good reason: the volume of data, even with only a few sources, can quickly become vast, and the addition of a single new source can easily increase it exponentially, since no two log sources are the same. Sizing these services is rapidly becoming a dark art, with the storage required to process them getting more and more difficult to predict accurately.

Logs and events are inherently unpredictable – how many there are depends on what’s happening. And anything could be happening.

The thing about automation, ironically, is that it needs a lot of person-hours to get right. It also needs continual monitoring to make sure it’s still working. Microsoft have a very powerful AI engine and a huge amount of resources to power it. Their machine learning algorithms, which are perfectly suited to normalising masses of data, looking for patterns and making correlations, result in a top-notch set of tools for security analysts. But crucially, it’s the analysts who do the really clever stuff: digging into the events the systems bring to their attention to establish what the threat is, how it works, what it means to the customer’s business and, of course, what to do.

I’ll make a concession that sometimes deciding what to do is just obvious – proven piece of malware running on a host? There’s not much debate to be had there; kill it if you have control of the endpoint and/or isolate it and go off to check the rest of your hosts and check if the method of entry is closed.

Automation could easily do much of the work in this instance, and indeed we employ it in just such circumstances. However, the precise steps the automation takes, and the order in which it takes them, needs to be carefully reviewed by a skilled human before the machine is let loose on the machines. The law of unintended consequences is such that if you don’t have people in the loop you’ll end up denying access to your production application in the middle of the day, or identifying your whole finance department as a risk and locking them out on the last day of the quarter.

For anyone of an age to remember the classic movie “Wargames”, that’s how global thermonuclear wars start.
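The guardrails described above can be expressed in code. The following is an added example (not ITC's playbook nor any vendor's product) of a response planner that auto-isolates a host on a confirmed-malware verdict, but refuses to act on its own when a production asset is involved or when too many hosts in one department are flagged together, and instead queues those for an analyst. The alerts, host names, department names and the threshold of two hosts per department are constructed for illustration.

```python
from collections import Counter

# Constructed alerts (not from the original post): each is a confirmed-malware
# verdict on a host, with the department that owns it and a production flag.
ALERTS = [
    {"host": "ws-01",   "dept": "sales",   "production": False},
    {"host": "srv-erp", "dept": "finance", "production": True},
    {"host": "fin-01",  "dept": "finance", "production": False},
    {"host": "fin-02",  "dept": "finance", "production": False},
    {"host": "fin-03",  "dept": "finance", "production": False},
]


def plan_response(alerts, max_auto_per_dept=2, protect_production=True):
    """Split alerts into actions the automation may take unattended and
    cases that must go to a human. Returns (auto_actions, escalations)."""
    per_dept = Counter(a["dept"] for a in alerts)
    auto, escalate = [], []
    for a in alerts:
        if protect_production and a["production"]:
            # Isolating production in the middle of the day is the classic
            # unintended consequence; a person decides this one.
            escalate.append((a["host"],
                             "production asset: analyst approval required"))
        elif per_dept[a["dept"]] > max_auto_per_dept:
            # Many hosts in one department at once looks like either a real
            # outbreak or a bad detection rule; either way, do not lock out a
            # whole department automatically.
            escalate.append((a["host"],
                             "%d hosts in %s flagged together: review before mass isolation"
                             % (per_dept[a["dept"]], a["dept"])))
        else:
            auto.append((a["host"], "isolate"))
    return auto, escalate


if __name__ == "__main__":
    auto, escalate = plan_response(ALERTS)
    for host, action in auto:
        print("AUTO    ", host, action)
    for host, reason in escalate:
        print("ESCALATE", host, reason)
```

With the constructed alerts only the single sales workstation is isolated automatically; the ERP server is held for approval because it is production, and the three finance workstations are held because four finance hosts tripped at once. The thresholds are the part a skilled human reviews before the playbook goes live, and they deserve the same ongoing review as the detections themselves.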

At ITC, then, we are proud to continue to develop and offer our MDR service. Of course we develop in line with our vendor partners and the market requirements as technology changes, but we believe the value to our customers is still very firmly with the “Managed” element and that means our people are the key to providing customers with the best and most relevant services, in the context of their business appetite for risk.