How an Extended Detection and Response (XDR) Works

Celestin Ntemngwa
5 min read · Dec 28, 2022

It’s a busy shopping day, and a critical system, such as the billing system, is down. Everything you’ve worked for is going up in smoke because the business has shut down due to an attack, and it’s happening when you can least afford it. You’ve been hacked. That’s a simple fact. How do you know who did it? Do you know what was taken? Do you know if they’re still in your system? Do you know where they came from? Ultimately, can you stop the bleeding? A solution called extended detection and response, or XDR, could help with this. What is XDR, and how does it work? That’s what I’m going to cover in this article.

First of all, let’s talk about the definition. The definition depends on whom you ask. For instance, if you were to ask IDC, they would tell you that it involves gathering security telemetry and security information, running it through an analytics engine, which then produces a detection of malicious activities and, ultimately, a response to those activities. Forrester adds to that definition and says it’s an evolution of EDR, endpoint detection and response. That’s a capability on laptops, desktops, and other systems to block security events. They also add threat hunting and investigation to the definition: proactively looking for problems and then reactively responding to them. Gartner adds to the definition further still and says it’s a cloud-based platform that reduces security tool sprawl, reduces alert fatigue, and ultimately reduces operational cost.
So that’s great. How do we make a system to do all of those things?
What does an XDR system look like? Well, it could look like this.
So we have lots of different types of systems. For example, we have endpoints and an EDR that can talk to them. Remember I mentioned that earlier: the EDR talks to all your desktops, laptops, and similar systems, gathers information from them, and reports on it. What else could I have in this system? I’ve got a network! Therefore, I could have a network detection and response system, NDR. NDR looks at security from the network perspective. Then we could have something that we call a security information and event management system, SIEM, and a SIEM could gather information from sources such as a database, an application, other security appliances, and security components. A SIEM could also collect information from an EDR and an NDR, but in this example, we’ll leave them all as separate peer systems just for this exercise. And then we might also take in threat intelligence, a feed that comes to us from several different sources and tells us what’s happening in the security world right now.

What exploits are being used more actively these days than on other days? Then I’d like to take all that information and put it into a higher-level system. This higher-level system is the XDR. So I will take the information from my EDR, my NDR, my SIEM, and the threat intelligence feed and put all of those things up here into the XDR, which has many different components. XDR is going to correlate. It will take the information across all of these systems, correlate them, and give you a single view of this rather than many different views. It’s going to also add to this the ability to analyze information.
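The correlation step described above is easiest to see in code. The following is an added illustration, not code from the article: it normalizes telemetry from three peer systems (EDR, NDR, SIEM) into one common schema, enriches it with a threat intelligence feed, and groups events that share a host within a time window into a single incident. Every event, host, IP address, indicator and field name here is constructed sample data, and the schema, asset inventory and scoring rule are assumptions made for the example.

```python
"""Toy XDR correlation step: normalize telemetry from several peer systems
(EDR, NDR, SIEM, threat intel) into one schema, then group events that share
an entity inside a time window into a single incident.

Added illustration, not code from the article. All events, hosts, IPs and
indicators below are constructed sample data; the schema is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, one list per source system. Field names
# differ per source on purpose: that is the normalization problem XDR solves.
EDR_EVENTS = [
    {"ts": "2022-12-28T09:01:10", "hostname": "pos-billing-01",
     "process": "powershell.exe", "action": "encoded_command", "user": "jdoe"},
]
NDR_EVENTS = [
    {"time": "2022-12-28T09:01:42", "src": "10.0.5.21", "dst": "203.0.113.77",
     "dst_port": 443, "bytes_out": 48_000_000},
]
SIEM_EVENTS = [
    {"@timestamp": "2022-12-28T09:00:55", "host": "pos-billing-01",
     "rule": "brute_force_success", "account": "jdoe"},
    {"@timestamp": "2022-12-28T10:30:00", "host": "hr-laptop-07",
     "rule": "usb_inserted", "account": "asmith"},
]
# Constructed threat-intel feed: indicator -> context.
THREAT_INTEL = {"203.0.113.77": {"tag": "known_c2", "confidence": 90}}
# Constructed asset inventory mapping IPs to hostnames (NDR only sees IPs).
ASSET_INVENTORY = {"10.0.5.21": "pos-billing-01"}


def normalize(source, event):
    """Map a source-specific event onto a common schema keyed by host."""
    if source == "edr":
        return {"source": source, "time": datetime.fromisoformat(event["ts"]),
                "host": event["hostname"], "user": event["user"],
                "summary": f'{event["process"]} {event["action"]}', "ioc": None}
    if source == "ndr":
        return {"source": source, "time": datetime.fromisoformat(event["time"]),
                "host": ASSET_INVENTORY.get(event["src"], event["src"]),
                "user": None,
                "summary": f'{event["bytes_out"]} bytes to {event["dst"]}:{event["dst_port"]}',
                "ioc": event["dst"]}
    if source == "siem":
        return {"source": source,
                "time": datetime.fromisoformat(event["@timestamp"]),
                "host": event["host"], "user": event["account"],
                "summary": event["rule"], "ioc": None}
    raise ValueError(f"unknown source {source}")


def enrich(event, intel):
    """Attach threat-intel context when the event carries a known indicator."""
    hit = intel.get(event["ioc"]) if event["ioc"] else None
    return {**event, "intel": hit}


def _build_incident(host, evs):
    sources = sorted({e["source"] for e in evs})
    intel_hits = [e["intel"] for e in evs if e["intel"]]
    # Crude scoring (assumption): two or more independent sources plus a
    # confirmed indicator raise severity; anything else stays low.
    severity = "high" if len(sources) >= 2 and intel_hits else "low"
    return {"host": host, "sources": sources, "event_count": len(evs),
            "users": sorted({e["user"] for e in evs if e["user"]}),
            "intel": intel_hits, "severity": severity,
            "timeline": [f'{e["time"].isoformat()} [{e["source"]}] {e["summary"]}'
                         for e in evs]}


def correlate(events, window=timedelta(minutes=15)):
    """Group events by host; events within `window` of each other form one incident."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        current = [evs[0]]
        for e in evs[1:]:
            if e["time"] - current[-1]["time"] <= window:
                current.append(e)
            else:
                incidents.append(_build_incident(host, current))
                current = [e]
        incidents.append(_build_incident(host, current))
    return incidents


def run_xdr():
    """Full pipeline over the constructed sample telemetry."""
    raw = ([("edr", e) for e in EDR_EVENTS] + [("ndr", e) for e in NDR_EVENTS]
           + [("siem", e) for e in SIEM_EVENTS])
    normalized = [enrich(normalize(s, e), THREAT_INTEL) for s, e in raw]
    return correlate(normalized)


if __name__ == "__main__":
    for inc in run_xdr():
        print(inc["severity"].upper(), inc["host"], inc["sources"])
        for line in inc["timeline"]:
            print("   ", line)
```

Run on the constructed data, the three separate alerts about `pos-billing-01` (a successful brute force from the SIEM, an encoded PowerShell command from the EDR, and a large outbound transfer to a feed-listed address from the NDR) collapse into one high-severity incident with a single timeline, while the unrelated USB event on another host stays a separate low-severity incident. The asset inventory is what lets the network view (IP addresses) be joined to the endpoint view (hostnames); without that join, the NDR event would never land in the same incident.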

We might use artificial intelligence to increase our ability to understand the underlying cause of the threat. We might also add a system called UBA, a user behavior analytics capability that looks for abnormal activities by a particular user that don’t match their peer group. We could also add the ability to investigate.
So that’s a reactive activity. We’ve just been hacked. We’ll go out and see who’s doing this and the extent of the damage. That’s the investigative part. How about threat hunting?

I mentioned that earlier. This is the more proactive version of investigation. It’s going out and seeing what might be happening in my environment when I don’t have any indicators. No alarm bells have gone off, but I’m curious whether somebody is doing this or that. So I formulate a hypothesis and investigate it proactively, and that capability could also live in this platform. And then, ultimately, respond. This is where we bring in the notion of a SOAR, a security orchestration, automation, and response capability. It allows us to manage cases, figure out who’s doing what to whom, and decide what actions I need to take to stop the bleeding and get us back up and operational. We use a dynamic playbook to guide the security analyst’s activities through this process. Depending on your definition, these systems might add a few other things. We might add something called attack surface management and have that feed into the system.
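Two of the components above, the UBA peer-group comparison and the SOAR playbook, can be sketched together. The following is an added illustration, not code from the article: a user's daily activity is compared against the baseline of their peer group (excluding the user themselves, so an outlier cannot hide by inflating the group statistics), and any finding is handed to a playbook that picks response actions based on how extreme the deviation is. The users, peer groups, counts, action names, z-score threshold and "sensitive group" list are all constructed assumptions for the example.

```python
"""Toy UBA + SOAR playbook step.

UBA: flag a user whose daily activity is far outside their peer group's
baseline. SOAR: a playbook maps the finding to ordered response actions and
opens a case. Added illustration, not code from the article. Users, groups,
counts, action names and the z-score threshold are constructed assumptions.
"""
from statistics import mean, pstdev

# Constructed daily telemetry: per-user count of files downloaded from the
# billing share, grouped by job role (the peer group).
PEER_GROUPS = {
    "finance": {"jdoe": 412, "mlee": 38, "rkhan": 45, "tsmith": 41, "bwu": 50},
    "support": {"asmith": 12, "cray": 9, "dpatel": 15, "evans": 11, "fgomez": 13},
}


def peer_anomalies(groups, z_threshold=3.0):
    """Return findings for users far above their peer baseline.

    The user's own value is excluded from the baseline so a single outlier
    cannot mask itself by inflating the group's mean and spread.
    """
    findings = []
    for group, counts in groups.items():
        for user, value in counts.items():
            peers = [v for u, v in counts.items() if u != user]
            if len(peers) < 2:
                continue  # too few peers for a meaningful baseline
            mu, sigma = mean(peers), pstdev(peers)
            if sigma == 0:
                continue  # identical peers: no spread to measure against
            z = (value - mu) / sigma
            if z >= z_threshold:
                findings.append({"user": user, "group": group,
                                 "z": round(z, 1), "value": value})
    return findings


def playbook(finding, sensitive_groups=("finance",)):
    """Dynamic playbook (constructed): branch on how extreme the finding is.

    A real SOAR would execute these steps through integrations with the
    directory, EDR and ticketing systems; here they are only recorded.
    """
    actions = ["open_case", "notify_analyst"]
    if finding["z"] >= 10:
        # Extreme deviation: contain first, then investigate.
        actions += ["disable_account", "isolate_host"]
    elif finding["group"] in sensitive_groups:
        # Moderate deviation in a sensitive group: step up authentication.
        actions += ["require_mfa_reauth"]
    actions.append("collect_forensics")
    return {"case_id": f'CASE-{finding["user"]}', "finding": finding,
            "actions": actions}


def run_uba_soar(groups=PEER_GROUPS):
    """Detect peer-group anomalies and route each one through the playbook."""
    return [playbook(f) for f in peer_anomalies(groups)]


if __name__ == "__main__":
    for case in run_uba_soar():
        f = case["finding"]
        print(f'{case["case_id"]}: {f["user"]} ({f["group"]}) z={f["z"]} '
              f'value={f["value"]} -> {", ".join(case["actions"])}')
```

On the constructed data only `jdoe` is flagged: 412 downloads against finance peers averaging 43.5 with a spread of 4.5 gives a z-score near 82, so the playbook takes the containment branch. The support group's spread is small, but no member crosses the threshold, which is the point of excluding the user's own value and requiring a minimum number of peers: small groups are where naive peer baselines generate the most noise for the analyst.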

We could also use vulnerability management, tools that scan our network and tell us, okay, it looks like you’re vulnerable here; this area has a soft underbelly that you need to look at. All of this is ultimately designed to create, for a security analyst, a single pane of glass, a single place where I can go and manage all of this. If we do it well, it becomes a single pane of glass. If we do it poorly, it becomes a single glass of pain. Do an XDR the right way, and you’ll be able to stay out in front of the attack. Hopefully, you will avoid the hacking scenario that I talked about at the beginning of the article and be able to investigate whenever an attack does occur.

In conclusion, extended detection and response (XDR) is a security strategy that combines multiple security technologies and processes to detect, investigate, and respond to cyber threats. It aims to provide a comprehensive view of an organization’s security posture and enable a rapid response to potential threats.
XDR integrates data from various security systems, such as firewalls, endpoint protection, intrusion detection and prevention systems (IDPS), and security information and event management (SIEM) tools. Machine learning algorithms and security analysts then analyze this data to identify potential threats and suspicious activity.

Once a potential threat is detected, XDR initiates an automatic response or alerts security analysts to take action. This can include quarantining a malicious file, blocking a malicious IP address, or triggering an investigation to determine the scope and impact of the threat.
In addition to providing real-time protection, XDR includes forensic capabilities to identify the source and motivations behind an attack and assess the damage caused. This information can strengthen the organization’s security posture and prevent future attacks.
Overall, the goal of XDR is to provide a comprehensive approach to security that enables organizations to detect and respond to threats quickly and effectively, reducing the risk of a successful attack and minimizing the impact on the organization.
