The speed at which malicious actors have refined their attack tactics, and their continued success in penetrating security systems, has made "going bigger" the dominant trend in cybersecurity.
Facing an evolving threat landscape, organizations have responded by building bigger security stacks, adding more tools and platforms, and making their defenses more complex, according to a new eBook from XDR provider Cynet (read it here).
Organizations find themselves in a virtual arms race with malicious actors. Attackers find new, stealthier ways to penetrate an organization's defenses, and organizations build higher walls, buy more technologies to protect themselves, and expand their security stacks.
Money is a key component of security success, a tough reality for leaner organizations that do not have the seemingly endless budgets of larger corporations and enterprises.
The answer to what leaner security teams could do about it used to be "not a lot," but today that is hardly the case. Even though the cybersecurity industry offers hundreds of tools, platforms, and services, leaner companies are increasingly discovering that having all the bells and whistles is not a necessity.
However, finding the right tool to replace all those technologies requires some forethought. It also requires an understanding of what goes into a large company's security stack.
What's in a Large Company Security Stack?
Modern security stacks have many moving parts and require specialized tools to manage the disparate platforms and services an organization installs. This usually means a dedicated team, or at least a dedicated team member, to keep everything running smoothly.
More importantly, most organizations today follow the layered protection principle (defense in depth): no single tool is 100% effective, so redundancy is crucial for the moments when one fails.
Practically speaking, this means that most organizations will have many (if not all) of the following tools installed:
- Next-generation antivirus (NGAV)
- Endpoint protection (EPP)
- Endpoint detection and response (EDR)
- User and entity behavior analysis (UEBA)
- Network traffic analysis (NTA)
- Email protection
- Deception technology
- Cloud access security broker (CASB)
This also means that for most organizations, the volume of data, alerts, and signals produced daily is a major concern. The next question, then, is how organizations manage these mountains of alerts from disparate sources.
The usual answer is a security information and event management (SIEM) platform, which centralizes the different alerts and signals that security tools produce and normalizes them into a common format in a single location.
However, a SIEM is an organizational tool rather than a way to reduce the number of alerts. It also adds to the resource and financial cost of a security stack, and it still requires constant manual intervention.
Automation, but at what cost?
To get around this issue, organizations turn to security orchestration, automation, and response (SOAR) tools. SOAR platforms can automate substantial portions of the incident response process, including remediation and some of the investigation.
However, they are expensive, still require manual management of playbooks and integrations, and are not always a viable option for a small team.
How XDRs can help
For lean organizations, building a large, multi-layered, and complex security stack can produce more work than it removes. Management, training, regular maintenance, and updates can consume much of a security team's valuable time.
The real answer, then, is not to go bigger but to go more flexible, and that is where extended detection and response (XDR) comes in.
Instead of multiple layers and separate consoles, organizations get a single-pane-of-glass view and reduce their maintenance, management, and updating efforts.
XDRs usually achieve this with three main features:
- Prevention and detection: One of the biggest advantages an XDR offers is that it can actually reduce and manage the volume of alerts an organization must sift through. XDRs include many (and in some cases all) of the tools listed above natively. This is beneficial in two ways. First, all signals and data are standardized and already integrated, which makes them easier to process, enables a more reliable sorting and investigation method, and keeps the volume under control. Second, it can reduce the number of false positives and deliver a much faster response, since the tool doing the detection is the same one responding to a potential threat.
- Automated response: Another key differentiator for XDRs is that they can automate large portions of an organization's cybersecurity efforts out of the box. By combining detection, endpoint protection, and network analysis, XDRs can respond more quickly than a non-centralized stack and choose the right response more often. They also offer a much broader range of response and remediation actions.
- Managed detection and response (MDR): Finally, most XDR vendors offer an MDR service to handle the tasks that cannot be automated. While many vendors charge for this service, bundling it with an XDR offering means that teams can focus their limited resources on the areas of most impact. An MDR service can also help close both resource and knowledge gaps, producing a more well-rounded and robust defense.
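The two claims above, that a SIEM "normalizes" disparate alerts into one place and that standardized, integrated signals are easier to sort and correlate, are easiest to see in code. The following is an added example written for this page; it is not Cynet's code and it does not model any particular product. The three vendor alert formats (an EDR, an email gateway, and a network traffic analysis tool) and the sample alerts are constructed for illustration, and the correlation rule (group alerts on the same host that arrive within a 10-minute window of each other) is an assumption chosen for the example.

```python
"""Normalize alerts from disparate tools into one schema, then correlate them.

Constructed example: the raw formats below are invented to stand in for three
different vendors. Real tools emit far richer records, but the shape of the
problem (different field names, timestamp formats, and severity scales) is the same.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample alerts, one shape per (imaginary) tool.
RAW_ALERTS = [
    {"source": "edr", "ts": "2024-03-01T09:00:05Z", "hostname": "ws-042",
     "severity": "high", "rule": "Suspicious PowerShell launched by Office"},
    {"source": "email", "time": 1709283600, "recipient_host": "ws-042",
     "level": 3, "verdict": "Malicious attachment delivered"},
    {"source": "nta", "timestamp": "2024-03-01 09:02:10", "src_host": "ws-042",
     "risk": "medium", "signature": "Beacon to rarely seen domain"},
    {"source": "edr", "ts": "2024-03-01T14:30:00Z", "hostname": "ws-017",
     "severity": "low", "rule": "New scheduled task created"},
]

SEVERITY_WORDS = {"low": 1, "medium": 2, "high": 3}  # common 1..3 scale


@dataclass
class Alert:
    """The common schema every tool's alert is mapped onto."""
    ts: datetime        # timezone-aware UTC
    host: str
    severity: int       # 1 = low, 2 = medium, 3 = high
    title: str
    source: str


@dataclass
class Incident:
    """A group of alerts on one host that are close enough in time to be one event."""
    host: str
    alerts: list = field(default_factory=list)

    @property
    def severity(self) -> int:
        return max(a.severity for a in self.alerts)

    @property
    def sources(self) -> list:
        return sorted({a.source for a in self.alerts})


def parse_edr(raw: dict) -> Alert:
    ts = datetime.fromisoformat(raw["ts"].replace("Z", "+00:00"))
    return Alert(ts, raw["hostname"], SEVERITY_WORDS[raw["severity"]], raw["rule"], "edr")


def parse_email(raw: dict) -> Alert:
    ts = datetime.fromtimestamp(raw["time"], tz=timezone.utc)
    return Alert(ts, raw["recipient_host"], int(raw["level"]), raw["verdict"], "email")


def parse_nta(raw: dict) -> Alert:
    # Assumption for the example: this tool reports local time as UTC.
    ts = datetime.strptime(raw["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return Alert(ts, raw["src_host"], SEVERITY_WORDS[raw["risk"]], raw["signature"], "nta")


PARSERS = {"edr": parse_edr, "email": parse_email, "nta": parse_nta}


def normalize(raw_alerts: list) -> list:
    """Map each vendor record onto Alert; records from unknown tools are dropped, not guessed."""
    return [PARSERS[r["source"]](r) for r in raw_alerts if r.get("source") in PARSERS]


def correlate(alerts: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Group alerts per host; a gap longer than `window` since the last alert starts a new incident."""
    incidents, open_by_host = [], {}
    for a in sorted(alerts, key=lambda a: a.ts):
        inc = open_by_host.get(a.host)
        if inc is None or a.ts - inc.alerts[-1].ts > window:
            inc = Incident(host=a.host)
            incidents.append(inc)
            open_by_host[a.host] = inc
        inc.alerts.append(a)
    return incidents


def triage(incidents: list) -> list:
    """Order incidents so that the ones corroborated by several tools, and the most severe, come first."""
    return sorted(incidents, key=lambda i: (len(i.sources), i.severity), reverse=True)


if __name__ == "__main__":
    for inc in triage(correlate(normalize(RAW_ALERTS))):
        print(f"{inc.host}: severity {inc.severity}, {len(inc.alerts)} alerts from {inc.sources}")
```

Four raw alerts collapse into two incidents: three alerts on ws-042 from three different tools within a few minutes become one high-severity, multi-source incident, and the lone low-severity EDR alert on ws-017 stays on its own. This is the whole of what "standardized and integrated signals" buys an analyst: the sorting and prioritization only work once timestamps, hostnames, and severities mean the same thing regardless of which tool produced them. Whether that normalization happens in a SIEM over many vendors' feeds or natively inside an XDR that owns all the sensors, the correlation logic itself is the same.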
You can read more about how XDRs can help organizations get better security on a budget here.