How do you Detect and Respond to Security Incidents?


Or “Why you still cannot respond quickly to new threats, despite your massive investments in Security”.

./TL;DR

If you lack integration between your security products, you need an “XDR” (Extended Detection and Response) solution. Many vendors now offer XDR on their portfolio. Make sure you choose one that supports 3rd party solutions.

./evolution

Blue team tools have come a long way since traditional firewalls and antivirus. In the past decade alone we have seen edge services for branch offices consolidated onto single appliances and the arrival of software-defined WAN policies on firewalls — now we’re seeing security delivered for services at the edge.

On endpoint security we now have tools that offer full visibility into the processes and network traffic running on endpoints, retrospectively, and that can correlate and search for threats across your entire deployment in a matter of seconds.

At the core of your network you have had new authentication protocols implemented; if not, then you’re surely using token-based authentication — maybe with some of your credentials residing somewhere other than on-premises.

Your email filter has gained new capabilities, and it’s very likely you’re authenticating sender domains before you accept or trust emails. You’re also inspecting emails with the same threat intelligence that runs across the rest of your network.

Network analytics tells you when packets deviate from the norm, and can even identify malicious traffic without needing to decrypt it.

Your users access cloud applications for most of their daily tasks, and that is driving you crazy as a System Engineer/Security Analyst/CISO.

And that is progress, ladies and gentlemen! Thank your divine entity now.

Of course, all of that happened because of increasing threats, which need less and less time to act and cause damage.

The next evolution of your infosec tool stack looks to integrate all these tools and their data — simplifying management and reporting across all of them so that your Incident Response team can act faster.

Let’s then briefly look at Detection and Remediation tools in the past few years.

Endpoint Detection and Response (EDR) tools allow your team to perform incident response by yourselves, on endpoints only. EDR capabilities include offline antivirus, network traffic visibility, file inspection via sandbox, data correlation, ransomware activity blocking and even device IOC/vulnerability inspection.

Network Detection and Response (NDR) tools look at network devices and provide a response once threats are found — think of a central authentication and posture manager that can push authorization changes when a device’s posture changes because its antimalware (or EDR) flagged the endpoint as infected.

Managed Detection and Response (MDR) is a managed service based on a dedicated, external team that performs detection and response in your environment using multiple tools.

We’re now reaching a point in time where your Blue team will be capable of quickly performing incident response by themselves, relying on tools that vendors are offering. These are:

Extended Detection and Response (XDR) tools. According to Gartner, XDR is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”

These are cross-layered tools that include API integrations with multiple vendors’ applications and even open source tools. You should expect whatever XDR platform you choose to be “agnostic” in that respect, so that it can aggregate data from multiple sources and products both inside and outside your network.

./xdr

A good XDR platform will provide you with:

  • A single pane of glass to gather reports and (hopefully) manage your products.
  • Integrated visibility across your entire environment.
  • Unified threat hunting capabilities — giving your team the ability to perform incident response from within the tool.
  • Orchestration capabilities — allowing your team to save time by creating workflows that are triggered by events or at certain times of day.
  • Agnostic support for multiple vendors’ products.

A true convergence of all your Security tools.


./production

There are multiple ways to join the XDR club.

Cisco will have its SecureX platform, which dips its toes into this kind of solution. It is included with most of their security products, so you don’t have to worry about buying it, just enable it (take a look at this video if you want to learn more about it).

Palo Alto is investing heavily in Cortex.

Trend Micro offers “Vision One”.

Check Point supports it, but does not have a product at the moment.

Fortinet does not have a product at the moment.

Mandiant offers an XDR-like service.
