Your customers probably don’t ask how different technologies deploy heuristics to detect polymorphic threats. They just want to know how quickly you can respond in the event of a cyberattack.
Managed service providers are constantly striving to provide customers with low-cost solutions that deliver effective protection against cyberattacks. However, the task of monitoring for potential breaches is only getting more daunting due to the shortage of security expertise, coupled with an expanding attack surface caused by the rapid adoption of remote work, cloud services, and IoT devices.
XDR promises to address the challenge of protecting heterogeneous environments more effectively while requiring less expertise. However, because the solution category has emerged only recently, few understand the actual capabilities and benefits they can expect, and some vendors misuse the acronym to capitalize on the interest.
What is XDR and how does it improve cybersecurity?
Extended Detection and Response (XDR) is a natural evolution of Endpoint Detection and Response. Its capabilities go beyond securing the endpoint and cover other parts of the infrastructure such as the network, cloud services, and email. It draws in data from sensors across the organization, correlates and analyzes that data, and presents unified, triaged incidents.
To understand the value of XDR, let’s consider the following scenario: you have an initial attack targeting a personal PC with the attacker then using Office 365 to compromise office PCs, and moving laterally to other endpoints and file servers, before deploying ransomware and exfiltrating sensitive data.
Without XDR, even the best security analyst would have to spend multiple hours investigating separate incidents on each endpoint. The same or different analysts would look at email, cloud, and network security. After many hours investigating siloed information, they would need to spend hours more correlating that information across environments, perhaps using manual queries in their Security Information and Event Management (SIEM) tool, to identify root cause and impact. After that, they would need to respond across the different tools to contain and remediate the attack.
With XDR, information from all parts of the organization is automatically correlated and a consolidated view of the potential attack is presented, showing where the attack originated and how it is spreading. At the same time, further investigation and quick response options are available to rapidly contain the attack. This saves precious time otherwise spent manually investigating and correlating information across different tools, and provides faster and more effective detection and response.
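The correlation step described in the two paragraphs above is the core of what distinguishes XDR from a set of siloed tools. The following example, added here for illustration and not Bitdefender's or GravityZone's code, shows the idea in miniature: events from endpoint, email, cloud, and network sensors are clustered into incidents by the entities they share (user, host, file hash), each incident is ordered into a timeline, and a summary reports where it originated, which hosts it spread to, and a triage severity. The event schema, stage labels, severity weights, and sample telemetry are all constructed assumptions that mirror the scenario in the text, not any vendor's format.

```python
"""Toy cross-source correlation in the style of XDR (hypothetical example).

Events that share at least one entity, directly or transitively, are merged
into one incident using union-find, so an email alert, a cloud sign-in and
an endpoint detection tied to the same user and file hash become one case.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str          # endpoint | email | cloud | network (assumed sensor names)
    stage: str           # free-text label supplied by the sensor (assumed vocabulary)
    entities: frozenset  # pairs such as ("user", "alice"), ("host", "office-pc-1")


# Assumed triage weights: the highest stage seen decides incident severity.
SEVERITY = {"initial-access": 1, "credential-use": 1, "malicious-attachment": 2,
            "malware-execution": 2, "lateral-movement": 2,
            "ransomware": 3, "exfiltration": 3}


class UnionFind:
    """Minimal disjoint-set structure keyed by hashable labels."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(events):
    """Cluster events into incidents; each incident is a time-ordered list."""
    uf = UnionFind()
    for i, ev in enumerate(events):
        uf.find(("event", i))              # register the event node
        for ent in ev.entities:
            uf.union(("event", i), ent)    # link the event to every pivot entity
    groups = defaultdict(list)
    for i, ev in enumerate(events):
        groups[uf.find(("event", i))].append(ev)
    return [sorted(g, key=lambda e: e.ts) for g in groups.values()]


def summarize(incident):
    """Answer the analyst's questions: where it started, where it went, how bad."""
    origin = incident[0]
    return {
        "origin_stage": origin.stage,
        "origin_source": origin.source,
        "hosts": sorted({v for e in incident for k, v in e.entities if k == "host"}),
        "sources": sorted({e.source for e in incident}),
        "severity": max(SEVERITY.get(e.stage, 0) for e in incident),
        "timeline": [(e.ts.isoformat(), e.source, e.stage) for e in incident],
    }


def ev(ts, source, stage, *ents):
    return Event(datetime.fromisoformat(ts), source, stage, frozenset(ents))


# Constructed sample telemetry following the scenario in the text: personal PC,
# then Office 365, then an office PC, lateral movement to a file server,
# ransomware and exfiltration. The last event is unrelated noise.
SAMPLE_EVENTS = [
    ev("2024-01-10T08:02:00", "endpoint", "initial-access", ("host", "home-pc"), ("user", "alice")),
    ev("2024-01-10T08:20:00", "cloud", "credential-use", ("user", "alice"), ("app", "o365")),
    ev("2024-01-10T09:05:00", "email", "malicious-attachment", ("user", "alice"), ("hash", "h1")),
    ev("2024-01-10T09:07:00", "endpoint", "malware-execution", ("host", "office-pc-1"), ("hash", "h1")),
    ev("2024-01-10T10:30:00", "network", "lateral-movement", ("host", "office-pc-1"), ("host", "file-srv-1")),
    ev("2024-01-10T11:00:00", "endpoint", "ransomware", ("host", "file-srv-1")),
    ev("2024-01-10T11:15:00", "network", "exfiltration", ("host", "file-srv-1"), ("dst", "198.51.100.7")),
    ev("2024-01-10T09:40:00", "endpoint", "pua-detected", ("host", "hr-pc-3"), ("user", "bob")),
]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        s = summarize(inc)
        print(f"severity={s['severity']} origin={s['origin_source']}/{s['origin_stage']} hosts={s['hosts']}")
        for row in s["timeline"]:
            print("   ", *row)
```

Run as-is and the seven scenario events collapse into a single severity-3 incident spanning cloud, email, endpoint and network sources, with the home PC identified as the origin, while the unrelated PUA detection stays a separate low-severity case. The choice of pivot entities is the design decision that matters: a shared service account or a common hash such as an installer would link unrelated activity into one incident, so production correlation weights or excludes such high-frequency keys rather than treating every shared value as evidence of the same attack.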
Will XDR replace tools such as SIEM or SOAR, and is it the only option for MSPs to increase protection for customers and profitability at the same time?
The answer to all these questions is likely no. SIEM tools will probably continue to be used by more advanced teams, and perhaps increasingly to support regulatory compliance, while MSPs that don’t focus on security will find more value in consuming XDR through a Managed Detection and Response service from an MDR vendor.
For more on this, read the MSP blueprint for efficient detection and response.
Key security pain points addressed by XDR
- The difficulty of accurately detecting and rapidly responding to advanced attacks that often span several parts of the infrastructure, including endpoints, IoT, email, remote devices, or cloud servers and containers.
- The inability to gain unified visibility of potential attacks across the IT environment, rather than separate views in siloed tools.
- When relying on tools such as SIEM, expert analysts and intensive manual effort are required to query data or build detection rules, driving up the cost of security.
- EDR incidents lack correlation of information across all endpoints and across other parts of the infrastructure, which slows down threat detection and response and increases manual effort and security operations cost.
- Significant effort and security expertise are required either to develop automatic response rules using tools such as Security Orchestration, Automation and Response (SOAR) or to respond manually across different environments.
Addressing these problems efficiently can give your MSP an advantage, but you should carefully select the solutions you consider, since some products labelled XDR merely borrow the buzzword for slightly modified EDR or SIEM solutions.
Capabilities of GravityZone XDR for MSPs
Here are some of the capabilities you should expect from a true XDR solution:
- Demonstrated best-in-class detection accuracy; highly effective prevention should filter out most attacks.
- Out-of-the-box attack detection, with no additional integrations, detection rules, or third-party solutions required.
- The ability to automatically correlate information across sources, rather than merely integrating with other tools that must then be queried manually.
- Unlike with open XDR tools, you should not need to integrate separate workflows or SOAR tools.
- Comprehensive context around attacks: analytics must answer every question an analyst might ask, including what happened, how it started, why it happened, how it spread, and how to respond.
- MSP-specific integrations, a multi-tenant console, and usage-based licensing that simplify routine tasks for service providers.
Learn more about how Bitdefender delivers a leading Extended Detection and Response solution for Managed Service Providers.