Behaviour-based detection of cyberattacks allows a rapid response to anomalies, improving IT security for companies. XDR is changing the work of security analysts in the SOC.
Text: Andreas Heer, Pictures: Adobe Stock
17 March 2023
Cyber criminals are resourceful. No sooner had Microsoft blocked the execution of macros in downloaded Office documents than attackers were looking for new entry points into company networks. ZIP archives, ISO images, and OneNote notebooks with embedded Visual Basic scripts are the new vehicles for delivering malicious code in phishing e-mails.
These forms of attack put companies on the back foot, especially if intrusion detection relies solely on traditional methods such as signature-based antivirus software and analysing the log files of network devices. Security analysts also face various unknowns: Did anything actually happen when a suspicious website was accessed? Was that PowerShell process started by malware or by an administrator? With up to 11,000 warnings per day, according to research by Palo Alto Networks, such questions are difficult to answer and lead to alert fatigue, with frequently recurring alerts routinely ignored because they have never amounted to anything.
This is what prompted IT security providers to develop Endpoint Detection and Response (EDR). EDR scans endpoints for suspicious behaviour and anomalies, taking action automatically, such as quarantining suspicious files. However, EDR focuses on specific endpoints. A 360-degree view is only possible in this case by correlating the data in a sophisticated SIEM (Security Information and Event Management) or SOAR (Security Orchestration, Automation and Response) system.
Only XDR provides a 360-degree view of suspicious processes in one package, extending the EDR approach to network devices and cloud services. Yannick Schuitemaker, Security Analyst at Swisscom, describes the advantage of XDR over EDR: “XDR allows us to track events throughout the entire process and identify relationships between the individual steps.”
Schuitemaker explains how this makes life easier for security analysts: “Without XDR, we had only a limited view; based on the log files of a proxy for example. Today, we are able to see all the communication from an attacker.” XDR uses a machine learning-based correlation of events to facilitate research following an alert, enabling security professionals to react faster and – vitally – earlier. XDR’s response capabilities can be used to halt a ransomware attack before the attackers have infiltrated the company network and encrypted important company data, for example.
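The following script is an added illustration of what “identifying relationships between the individual steps” means in practice; it is not code from the article or from Swisscom’s XDR platform. It joins constructed endpoint process-creation events with constructed web-proxy log lines by host and time window, reconstructs the ancestry of each script-host process, and scores the resulting chain, so that a PowerShell process spawned by a Word document that then talks to an unknown domain is separated from one an administrator started from a command prompt. The host names, pids, domains, time window and scoring weights are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed categories and window; a real platform would derive these from telemetry and tuning.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "onenote.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
CORRELATION_WINDOW = timedelta(seconds=30)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event as an EDR sensor would report it (constructed)."""
    host: str
    ts: datetime
    pid: int
    ppid: int
    image: str
    user: str


@dataclass(frozen=True)
class ProxyEvent:
    """One outbound web request as a proxy log would record it (constructed)."""
    host: str
    ts: datetime
    dest: str
    allowlisted: bool  # destination is on the organisation's known-good list


def build_process_index(events: List[ProcEvent]) -> Dict[Tuple[str, int], ProcEvent]:
    """Index process events by (host, pid) so a parent can be looked up by its ppid."""
    return {(e.host, e.pid): e for e in events}


def ancestry(index: Dict[Tuple[str, int], ProcEvent], host: str, pid: int) -> List[str]:
    """Walk parent links from pid up to the root; returns image names root-first."""
    chain, seen = [], set()
    key = (host, pid)
    while key in index and key not in seen:  # the 'seen' set guards against pid reuse loops
        seen.add(key)
        event = index[key]
        chain.append(event.image)
        key = (host, event.ppid)
    return list(reversed(chain))


def network_after(proxy: List[ProxyEvent], host: str, ts: datetime) -> List[ProxyEvent]:
    """Proxy requests from the same host within the correlation window after the process start."""
    return [p for p in proxy if p.host == host and ts <= p.ts <= ts + CORRELATION_WINDOW]


def correlate(events: List[ProcEvent], proxy: List[ProxyEvent]) -> List[dict]:
    """Score every script-host process by its ancestry and the network activity that followed."""
    index = build_process_index(events)
    findings = []
    for e in events:
        if e.image not in SCRIPT_HOSTS:
            continue
        chain = ancestry(index, e.host, e.pid)
        score, reasons = 0, []
        if any(img in OFFICE_APPS for img in chain[:-1]):
            score += 2
            reasons.append("script host spawned from an Office application")
        unlisted = [p.dest for p in network_after(proxy, e.host, e.ts) if not p.allowlisted]
        if unlisted:
            score += 1
            reasons.append("outbound request to non-allowlisted destination: " + ", ".join(unlisted))
        verdict = "suspicious" if score >= 2 else ("review" if score == 1 else "benign")
        findings.append({"host": e.host, "pid": e.pid, "user": e.user, "chain": chain,
                         "score": score, "reasons": reasons, "verdict": verdict})
    return findings


# Constructed sample telemetry: two hosts, each starting PowerShell for a different reason.
T0 = datetime(2023, 3, 17, 9, 0, 0)
SAMPLE_PROCS = [
    ProcEvent("WS-17", T0, 100, 1, "explorer.exe", "CORP\\asmith"),
    ProcEvent("WS-17", T0 + timedelta(seconds=1), 400, 100, "winword.exe", "CORP\\asmith"),
    ProcEvent("WS-17", T0 + timedelta(seconds=5), 512, 400, "powershell.exe", "CORP\\asmith"),
    ProcEvent("WS-22", T0, 200, 1, "explorer.exe", "CORP\\jdoe"),
    ProcEvent("WS-22", T0 + timedelta(seconds=2), 300, 200, "cmd.exe", "CORP\\jdoe"),
    ProcEvent("WS-22", T0 + timedelta(seconds=4), 333, 300, "powershell.exe", "CORP\\jdoe"),
]
SAMPLE_PROXY = [
    ProxyEvent("WS-17", T0 + timedelta(seconds=7), "cdn-update.example.test", allowlisted=False),
    ProxyEvent("WS-22", T0 + timedelta(seconds=6), "intranet.corp.example", allowlisted=True),
]


def run_sample() -> Dict[int, dict]:
    """Run the correlation over the constructed data, keyed by pid for easy lookup."""
    return {f["pid"]: f for f in correlate(SAMPLE_PROCS, SAMPLE_PROXY)}


if __name__ == "__main__":
    for pid, finding in sorted(run_sample().items()):
        print(pid, finding["verdict"], " -> ".join(finding["chain"]), "|", "; ".join(finding["reasons"]))
```

Run stand-alone, the script flags pid 512 on WS-17 as suspicious (Word launched PowerShell, which then reached a destination nobody had allowlisted) and leaves pid 333 on WS-22, an administrator’s PowerShell started from an interactive command prompt that only touched the intranet, as benign. The point is that neither data source alone resolves the question posed above: the proxy log shows only a request, and the process event alone shows only that PowerShell ran. The join on host and time, plus the parent chain, is what turns two routine entries into one story.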
XDR thus offers a central platform for analysis and initial defensive steps against cyberattacks. This can potentially replace multiple individual tools in the Security Operations Center or even a complex SIEM. In addition to making work easier for security analysts, it also benefits the CFO by saving (licence) costs.
The automated correlation of alerts across the infrastructure also reduces the number of reports analysts have to deal with. “Every warning can be investigated in depth and there is less risk of alert fatigue,” says Schuitemaker.
XDR relieves security professionals of routine detection work and leverages the benefits of a cloud platform: it is designed to detect known attacks and make new detection patterns available to all users. Schuitemaker sees clear benefits to this approach: “It improves the quality of attack detection and reduces our workload at the same time. We can then use our expertise for special cases instead of having to worry about routine work.”
Despite reducing the workload of in-demand cyber security professionals, XDR does not replace them. “Decisions on any necessary response are always taken by people,” says Schuitemaker. “Because every infrastructure is different.” Human judgement is crucial to ensure appropriate action in the grey area of anomalies and to distinguish cyberattacks from unusual but intentional behaviour.
However, because Extended Detection and Response can detect cyberattacks across the entire infrastructure and take defensive steps, it reduces the legwork for the professionals and frees up resources for actual defence, taking a company’s security posture to the next level.