Cross-Layered Detection and Response (XDR): A Welcome New Entry in the Cybersecurity Alphabet Soup

So many different security solutions exist today. Security information and event management (SIEM) tools, intrusion detection system (IDS) applications and endpoint detection and response (EDR) services are three of the most important technical solutions available. So, when a new solution – or acronym – such as cross-layered detection and response (XDR), appears, I’m often a bit reluctant to add it to my cyber lexicon.

But, XDR is pretty intriguing, and so I’ve added it. Let me tell you why

Why Cybersecurity Pros Need Cross-Layered Detection and Response (XDR)

About a month ago, I was talking with a cybersecurity professional who told me that cybersecurity workers are increasingly tasked with doing two things: correlation and normalization. I kind of balked at what she said, because I wasn’t even sure what correlation and normalization even meant to cybersecurity.

• Correlation: This is when cybersecurity pros take data and then look for meaningful information, trends and relationships. In short, they correlate data to create useful information. They then need to develop useful, accurate, convincing narratives about network activity so that they can continue protecting an organization.
• Normalization: Second, cybersecurity professionals are tasked with removing unimportant, repetitive information. This is called normalization, in technical parlance.

The problem is, many of the security tools I listed earlier are really good at gathering and visualizing data. They can even identify sophisticated problems. But they don’t provide strong correlation or normalization functions.

The result? They often cause cybersecurity pros to lose perspective – they “lose the forest for the trees,” as the old saying goes. When security solutions don’t create truly useful information but instead add to the confusion, it’s called the fog of more. This, possibly, is why we need XDR.

What Is XDR?

Cross-layered detection and response (XDR) tools are generally software as a service (SaaS)-based applications with the common characteristics shown in the table below.

Characteristic	Description
Software as a Service (SaaS)	XDR solutions are usually found natively in the cloud, and can therefore readily access sophisticated AI, machine learning and data analytics services.
Holistic and Narrative-based Analytics	XDR does more than collect data, like a SIEM does. An XDR system can provide correlated, normalized information, based on massive amounts of data.
Integration	XDR has the ability to work with various tools, including SIEM, IDS (e.g., Snort, Zeek/bro), data analytics and EDR tools.
Consolidation and Correlation	XDR helps coordinate SIEM, IDS and endpoint protection service. It can coordinate EDR tools and SIEM applications to create a go-to-first incident response capability.
Automated Response	XDR services are poised to make automated changes.

How Does XDR Work?

You could argue that XDR moves beyond mere data conglomeration (what a SIEM does) to correlation, normalization and even coordination. As shown in Figure 1, XDR coordinates and correlates information. Correlation and normalization occur during the investigation process.

Figure 1: XDR essentials

In an XDR scenario, the SaaS-based XDR application captures data from an organization’s most vital elements. This can include endpoints, cloud solutions, network edge devices and traditional/installed systems (e.g., web servers). It can also receive input from SIEM tools.

The XDR application then stores this data in a data lake, which is a vast pool of raw, undefined data. This is different than a data warehouse, which generally holds structured, filtered and processed information.

Once information is held within the data lake, the XDR application can apply investigation techniques. These can include the use of artificial intelligence (AI) and machine learning, which helps create useful correlations and narratives.

How Is XDR Different from Existing Solutions?

Some folks might think that we’re describing a security information and event management (SIEM) tool in a different way. But XDR and SIEM are two different things.

1. An XDR application can actively respond to issues. Even though a SIEM captures data from dozens of sources and sensors, it is still a passive analytical tool that issues alerts. An XDR application can actually make sophisticated changes automatically, based on correlated information.
2. An XDR can decrease response time. With a SIEM, you can still have slow incident response times. Analysts can fall into an analysis paralysis state with a SIEM. But XDR’s automated response can help break down silos and speed up responses.

An XDR application also helps break down information silos, because it attempts to correlate input from multiple sources. XDR is not another name for EDR. Endpoints represent only one type of session, or data stream.

XDR can include input from various streams and sessions, including the following:

1. Endpoint traffic (e.g., workstations, laptops, phones)
2. Network edge traffic (e.g., routers, firewalls, switches, 5G nodes)
3. Cloud application, platform and service behaviors
4. Servers (e.g., web, database)

An XDR implementation can then correlate traffic across multiple streams and identify steps of the hacker lifecycle throughout these streams.

The Benefits of XDR

XDR promises users the ability to delve deeper into endpoint and network traffic and to identify trends. The promise is that XDR is capable of revealing complex patterns and techniques that adversaries use instead of relying on signature-based detection (e.g., Snort), or even heuristic network analysis (Zeke/bro).

Threat hunters and other cybersecurity professionals have long lamented that they easily get lost in the fog of more when it comes to discovering unique threats. XDR software, it is hoped, can help cut through all of the useless data and identify actual threats.

XDR applications also strive to visualize the entire attack lifecycle. So, in addition to normalizing, centralizing and correlating data, XDR applications have the ability to visualize pivot points and identify actual tactics, techniques and procedures (TTPs) used in an attack. The tactics are the tools – like Metasploit. The techniques are how the tool is used – reconnaissance, lateral movement, exploitation, etc. And the procedures relate to what the tool does – pivoting, bot creation or ransomware deployment, for example.

Figure 2: Tactics, Techniques and Procedures (TTPS)

Cybersecurity professionals have long been interested in finding the unique TTPs used in sophisticated attacks. Perhaps XDR will make that possible.

XDR vs. SIEM: A Focus on Response

There’s another major factor involved in the promise of XDR: Response. The investigation portion is important to understand because it helps explain the difference between SIEM and XDR.

The inspection can include any of the following:

AI-derived analysis: Because XDR is cloud native, it can have access to AI-driven solutions from major cloud providers.

Human-led analysis: It allows humans the opportunity to record findings. This helps XDR applications avoid the either/or choice of using AI or human-generated input.

Response calculation: Where humans and/or AI determines the appropriate steps to take next. This can include orchestrated and automated responses or decisions to work with members of the organization concerning. Collaboration with humans is vital in the response stage.Types of responses can include the following:

• Alerting: The recent CompTIA State of Cybersecurity 2020 report uses the phrase “cybersecurity chain” to explain how cybersecurity needs to involve more than IT and security workers – upper management, CEOs and board members are now being included in decisions and responses. An XDR application can help organizations determine who in the cybersecurity chain needs to be involved in a particular response.
• Configuration changes: XDR applications can work with EDR applications, IDS applications and networking devices to enable network segmentation and access control services.
• Remediation: Given enough data, an XDR service can help identify and resolve serious security lapses automatically.

The idea is that all of these things can occur automatically, once the XDR application has been properly configured and primed.

Will XDR Replace Cybersecurity Pros?

Each time a cutting-edge idea shows up in the IT space, one of the questions inevitably asked is “Does this mean we don’t need cybersecurity workers?”

Suffice it to say, we still need people. But, with XDR, maybe those workers won’t be burdened with reading random log files. Instead, it’s hoped that XDR-like services can help free up IT pros so that they can focus on more unique threat actors and the problems that they cause.

This is why we need threat hunters, security analysts and pen testers. They can help fine-tune XDR applications and prime them to better provide IT pros with useful, contextualized information. I suppose if an organization doesn’t have its cybersecurity ducks in a row, no new acronym or service will solve that problem. But, all things being equal, XDR is a pretty intriguing idea.

Yes, the cybersecurity world is full of acronyms, and I’ve just proposed a new one to you. Over time, we might see how XDR becomes integrated with SIEM and EDR tools (or vice versa). But, it seems that this new acronym is a welcome addition to the cybersecurity pro’s vocabulary.

For more articles about how to use cybersecurity tools to protect your organization visit the CompTIA Cybersecurity Resource Center!