3 Key Takeaways: What Is XDR and Do You Need It?
- An increase in the number and sophistication level of ransomware attacks is giving rise to more complex solutions.
- Managed EDR can get your network 90% of the way there and may be the right choice for organizations with constrained resources.
- A good analyst can provide network insights that AI or machine learning cannot.
NetDiligence® President Mark Greisiger and Jason Straight, the Senior Managing Director at Ankura, discuss EDR vs. XDR along with the recent uptick in ransomware attacks.
Read a synopsis of their conversation below, and watch the full interview in the video above, which is part of our continuing series of educational discussions with cyber risk experts.
MG: It seems like we’ve been seeing a resurgence of ransomware as well as attacks aimed at exfiltrating sensitive customer data. So what is your team seeing in the front trenches?
JS: We had experienced a slowdown of certain types of attacks, specifically ransomware, but now, the ransomware seems to be coming back. We know that a lot of skilled hackers were pulled into the Russia-Ukraine conflict to support their native militaries. This resulted in infighting and subsequent leaks from inside some of the biggest hacking crews operating in the ransomware area.
One of the things we learned was these operations are more organized and vertically integrated than we realized. One crew might specialize in getting initial access to a network and acquiring credentials. That group will sell access to another hacker group focused perhaps on recon data exfiltration. Finally, all that information is sold to actual ransomware crews and operators.
What we didn’t know is how each specialized group might be part of one larger organization. It suggests a level of sophistication that’s terribly concerning for those of us on the defense side.
The bright spot is more sophistication and more opportunities to detect attacker behavior before something bad happens. These attacks provide us with more indicators and detection time than we would have with an endpoint attack. And recently, we’re seeing more examples of successfully detecting this hacking behavior. That’s a huge win for us!
MG: In the cyber insurance world, we keep hearing about XDR, or extended detection and response, and that it’s the next evolution of defensive technology. What is XDR and how is it different from EDR? And also, is XDR really the right choice for a midsize organization?
JS: So, EDR, which most people are familiar with, is endpoint detection and response. XDR is extended detection and response. It can be defined as aggregating, collecting, and analyzing telemetry from different sources and different types of security tools and then getting them to work together for a more sophisticated response.
XDR provides more coverage and chances to detect attacker activity. By that definition, XDR may be better than EDR. However, organizations have limited resources. XDR can get very complicated quickly and some organizations are not ready to implement it.
XDR takes longer to deploy and it’s more difficult to maintain. Using a managed service partner may help, but the extra time and expense of XDR may not be worth it when you can get 90% or more of what you need through a managed EDR solution.
That being said, we have had increasing situations where it’s not EDR tools that give us the first detection of an attack. It’s network traffic analytics that often provides the first clue. Maybe we see a beacon or communication back to a command and control server that wouldn’t be visible through EDR.
For organizations that have a solid network infrastructure in place, including antivirus software and a firewall, the next step to up your game and really harden your defenses against ransomware is managed EDR, without a doubt. And after your EDR implementation is solid, you can start thinking about adding in some XDR elements.
MG: I’ve heard you say there’s really no such thing as a fully automated defensive system that can protect you against all threats and attacks. Do you still feel that way, given everything we’re hearing about advancements in AI, ML, and the security orchestration platforms out there?
JS: Yeah, technology has really advanced in areas of automation, AI, and machine learning. We use all of those. But we have yet to see a tool replace an analyst. So it’s really about using technology to make an analyst more effective, to allow them to focus on the high-value activities while reducing distraction and alert fatigue from low-value activities.
It’s hard to perceive a day where you can eliminate humans from the process. People sometimes forget we’re being attacked by other humans. And those humans are using their brains to figure out how to exploit us. When an analyst gets to know what normal looks like in a specific network environment, they can see things AI and ML can’t. Maybe an algorithm might help, but not with the level of sophistication that humans have without even being conscious of it.
An analyst will know something looks off and they can come up with a creative way to investigate the issue. Some of our best, highest value detections are made through an analyst following their nose, going out and doing some threat hunting, reading an article, or seeing a piece of threat intelligence and saying, ‘Hmm, that reminds me of something I saw three weeks ago in this department, let me go check that out.’ Analysts knowing what to look for and what tool to bring in for the job is a huge part of our success.