Every year, more and more abbreviations come to the cybersecurity information space: EDR, MDR, NDR, XDR, MXDR... As a result, it is becoming increasingly difficult to understand what stands behind these letters and what the differences between these technologies are. The hottest topic today is XDR. Every vendor that has at least a few security solutions tends to call them an XDR platform, parasitizing on user ignorance and hoping to promote outdated solutions in shiny packaging. In this article, we will finally clear away the mist on the XDR issue, considering its key features and areas of application.
eXtended Detection and Response
Shall we start from the very beginning — What is XDR? According to Forrester, XDR is "An evolution of EDR that optimizes real-time threat detection, investigation, response and hunting. XDR brings together endpoint discovery with telemetry from security and business tools such as NAV, email security, identity and access management (IAM), cloud security and others. It is a cloud-based platform built on big data infrastructure that provides security teams with flexibility, scalability and automation capabilities." In simple words, XDR is a cloud platform that, "out of the box", can integrate with many security solutions to collect security events and automate information security processes. XDR correlates collected information to detect threats automatically and also enables manual searches. Additionally, XDR goes beyond endpoint data to process information from the network, email, cloud, and beyond to account for every detail, which can lead to the detection of previously undetected threats.
It's worth considering what types of XDR solutions exist. Conventionally, they can be divided into two types – Native and Open. Native XDR relies entirely on one vendor's solutions while sacrificing integrations with other vendors. All integrations and data collectors are focused only on the solutions of their manufacturer and cannot interact in any way with third-party vendors.
Pros:
● Due to a small number of integrations and working only with their own products, such integrations are deeper and more thoughtful
● It often takes less time to deploy and configure such a system
Cons:
● One vendor cannot provide all types of solutions at once; for missing solutions, there will be problems with threat visibility
● If an organization already has solutions from other vendors, they will not be able to connect to Native XDR, which reduces the overall functionality of the information security platform
In turn, Open XDR focuses on third-party integration, data collection, and threat response while leveraging a wide range of security solutions from multiple vendors.
Pros:
● Since there is no lock-in to one vendor, all existing security solutions in an organization can be connected to Open XDR
● This provides the ability to connect all types of solutions, allowing XDR to process data from every corner of the organization
Cons:
● With new products appearing on the security market daily and existing ones constantly changing, maintaining integrations with them becomes incredibly difficult, so integrations can be superficial
● Greater freedom in integrations can lead to difficulties with the configuration process
The choice of XDR type depends directly on the existing infrastructure, security solution providers and the organization's needs. Each type has advantages and disadvantages and can potentially take your organization's security to a new level.
Optimizing human labor with XDR
The development of technology inevitably entails the replacement of human labor. What previously took days and weeks, artificial intelligence processes in minutes and seconds. XDR is a prime example of such technologies.
Automatic event correlation allows you to reduce the time to detect threats and do it much more efficiently. Brew yourself a cup of coffee instead of manually comparing hundreds of thousands of events. After threats have been detected, XDR prioritizes them, showing which incidents require immediate attention and which can be delayed. It allows you to improve MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond) indicators – the time required to detect and eliminate threats. These indicators directly reflect the maturity of the information security infrastructure: the shorter the detection and response time, the more prepared organizations are for possible cyber attacks.
Over time, the entry threshold for working with information security products is decreasing. This has recently been seen with EDR, which can perform automated AI-based incident investigations from endpoints. XDR has gone even further, allowing full-fledged investigations across the entire infrastructure and high-quality elimination of threats, even for junior analysts.
All the points described above show that XDR can significantly reduce the need for human resources, saving on wages and training while maintaining or even increasing the organization's cybersecurity potential. But today, it is too early to talk about a total human replacement in information security, because all critical decisions are still made by natural intelligence, not an artificial one.
Warned means Protected
As mentioned, XDR integrates natively with other security solutions to form an XDR platform. Within the platform, it is mandatory to exchange information about threats between all components. For example, if a network security solution detects a malicious file, it will immediately report the file to the antivirus solution, mail gateway, and other components. From now on, without wasting extra computational and time resources, they will instantly block this file.
It is often impossible to get such results with multiple vendors. However, XDR can collect indicators of compromise from individual devices and distribute them to all connected devices in an organization.
This leads to all security components being consolidated and working as a single "living" organism. They share the latest threat information, and each sensor has the most up-to-date data to protect against threats.
Threat response capabilities
Hackers are increasingly using automated tools to carry out attacks. In turn, XDR offers automated tools to respond to them while considering the context of all security components. With native integrations, it offers response options that span endpoints, network, mail, DLP, SWG, and more. Often, to eliminate threats, you need to perform a set of identical, routine actions. These actions can be organized into so-called playbooks to optimize security processes. A playbook is a sequence of steps designed to respond to specific types of threats, making it easier to coordinate and respond to cyber incidents. For example, an XDR playbook might describe the following actions:
● Create a case in the ticket management system with all available information about the threat. If the case already exists, add the new information to it
● Create an investigation in the EDR system
● Add the detected malicious IP address to the blocklist in the IPS system
XDR can run playbooks automatically, for example, when a specific threat or event has been detected. They can also be run manually, either to enter input data into the playbook (IP, hash, etc.) or because the playbook could disrupt business processes. Both automatic and manual launch of playbooks help speed up the response process and reduce the influence of the human factor. Clearly defined steps will prevent the analyst from getting confused when ransomware is detected on the network, and automation will let them devote the freed-up time to other threats.
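As an added illustration (not code from the article or from any XDR vendor), the three-step playbook described above as a small runner: the ticket step is an upsert, so re-running on an updated incident appends new facts to the existing case instead of opening a duplicate, and a playbook flagged as disruptive refuses automatic launch and has to be started manually. The ticket system, EDR and IPS are in-memory stand-ins constructed for this example.

```python
"""Minimal playbook runner modelling the XDR playbook described in the text.
The ticket system, EDR and IPS backends are in-memory stand-ins constructed
for this example; a real platform would call vendor APIs from these steps."""
from dataclasses import dataclass, field


@dataclass
class Backends:
    cases: dict = field(default_factory=dict)           # ticket system: case id -> facts
    investigations: list = field(default_factory=list)  # EDR investigations opened
    blocklist: set = field(default_factory=set)         # IPS blocklist entries


def upsert_case(b, incident):
    """Step 1: create a case, or add only the new facts if the case already exists."""
    facts = b.cases.setdefault(incident["id"], [])
    for fact in incident["facts"]:
        if fact not in facts:
            facts.append(fact)
    return incident["id"]


def open_edr_investigation(b, incident):
    """Step 2: open an EDR investigation for the affected host."""
    b.investigations.append((incident["id"], incident["host"]))
    return incident["host"]


def block_ip(b, incident):
    """Step 3: push the malicious IP to the IPS blocklist (skipped if no IP is known)."""
    ip = incident.get("ip")
    if ip:
        b.blocklist.add(ip)
    return ip


@dataclass
class Playbook:
    name: str
    steps: list
    disruptive: bool = False  # may affect business processes: manual launch only


def run_playbook(pb, b, incident, manual=False):
    """Run the steps in order. Disruptive playbooks refuse an automatic launch."""
    if pb.disruptive and not manual:
        return {"status": "needs_manual_approval", "results": []}
    return {"status": "done", "results": [step(b, incident) for step in pb.steps]}


MALICIOUS_IP_PLAYBOOK = Playbook("malicious-ip", [upsert_case, open_edr_investigation, block_ip])
```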
All of the above are general requirements for XDR, promoted by leading analyst agencies such as Gartner and Forrester. Most manufacturers who decide to start developing their own XDR platform are trying to bring the capabilities of their XDR into line with these requirements. At the same time, there is a battle-hardened vendor on the market that had these key capabilities even before the term XDR appeared, and that does not adapt to market requirements but shapes them. That vendor is Trellix.
Here are a few facts about Trellix:
● Trellix is listed in the most significant number of XDR and security reports published by Gartner, Forrester and IDC.
● Trellix is the XDR vendor with the most security reviews on Gartner Peer Insights.
● Trellix ranks 6th among security software vendors by total revenue in Market Share Analysis: Security Software, Worldwide, 2021.
● Trellix is ranked #3 among modern endpoint security vendors in the IDC Worldwide Modern Endpoint Security Market Shares, July 2021-June 2022 report.
Trellix XDR is a cloud-based platform that helps security teams rapidly detect, investigate and respond to threats. Its uniqueness is in a combination of both types of XDR – Native and Open. Trellix XDR has the best of both worlds, namely integrations with over 1000 data sources (like Open XDR) and deep integrations within the Trellix platform (like Native XDR). Trellix XDR is easy to deploy, integrates into your existing security platform, and is backed by Trellix's extensive solutions portfolio.
Trellix security platform
Talking about an extensive portfolio, Trellix products cover circa 70% of organizations' information security needs. Together, they detect and block threats, share information about threats among themselves, and transfer all collected telemetry to Trellix XDR for further processing and analysis.
The full power of the Trellix XDR platform is enriched with data from the Trellix Advanced Research Center, which consists of leading information security professionals. They carefully examine incoming telemetry, study the latest threats, and continually improve the quality of Trellix products.
Third-party solutions connect to the XDR platform through multiple integrations, further enriching Trellix XDR with security events and telemetry.
The binding component from an interface perspective is XConsole, which unites key Trellix solutions into a single console. You no longer need to keep countless browser tabs open and drown in an ocean of information noise; all the most important controls are in the XConsole.
As a result, the Trellix XDR security platform looks like this:
Now, let's move on to the review of Trellix XDR. You start to work with it by connecting data sources. For example, you can connect the following to Trellix XDR:
● products for protecting endpoints, networks, mail, clouds, mobile devices
● vulnerability and asset management products
● cloud providers such as AWS and Azure
● events from Windows and Active Directory
● and many, many others
Trellix XDR uses Cloud Connect to join cloud products from various vendors. It is designed to allow integration to happen quickly and without reading 100 volumes of documentation. This is true for both Trellix products and third-party vendors. Here are some available integrations:
Then, in the XDR console, you can see all connected sources and how many events they generate and also start searching for data from a specific source in one click.
Threat hunting in Trellix XDR
Information collected from devices can be processed in several ways – automatically and manually.
Threats can be automatically detected using correlation rules, artificial intelligence, and behavioral analysis of users and assets:
For manual analysis and threat hunting, Trellix XDR also has several technologies – Trellix Query Language and Investigation Tips. Trellix develops Trellix Query Language (TQL), which:
● Has a simple syntax that allows you to quickly create complex, targeted queries
● Has a TQL engine that processes the query and searches through millions of events in seconds
● Allows you both to find individual events and to track entire attack chains
Having the ability to quickly find the information you need is fine, but sometimes it's unclear what exactly you need to look for. This problem is familiar to both newcomers and experienced analysts in information security. Investigation Tips let you understand which direction to move next at each investigation stage. Imagine that you are investigating an incident together with a leading Trellix expert who helps you find the true cause of the incident by asking leading questions.
For example, we have an incident at the network level. Trellix XDR takes the IP address of the attacked workstation and provides information about detected threats from other security solutions for that system. After this, it becomes clear, for example, which file could have generated malicious network activity and whether there were similar incidents that are worth paying attention to. As a result, Investigation Tips improve the skill level of analysts and the speed and quality of incident processing.
Automation in Trellix XDR
A substantial part of Trellix XDR is its playbooks. All of them are aimed at high-quality threat elimination for various platforms and needs. Creating playbooks is not easy, so Trellix takes on this work itself, constantly developing and adding new features to the system. Often, playbooks are universal and will suit most organizations. If, suddenly, the out-of-the-box capabilities are not enough, you can create your playbooks that consider your specific security solutions and tasks.
For example, Trellix XDR comes pre-installed with the following playbooks:
● Determine the name of the attacked user from the incident and block them via Azure AD
● Determine the IP address from the incident and create an automated investigation in Trellix EDR
● Identify the attacked workstation and assign it a tag that applies the strictest policies and isolates it from the network
As a result, Trellix XDR automation capabilities play an essential role in building security processes. They help speed up the threat response process and improve its quality.
XDR is a promising technology integrating multiple security solutions and automating threat detection and response processes. XDR's main benefit is reducing the time and improving the quality of threat detection and response.
Trellix XDR is an example of a mature XDR that is at the center of Trellix's powerful security platform. Within this platform, solutions are tightly integrated, allowing them to share the latest threat information and block threats more effectively. Moreover, with Trellix XDR integrations, third-party solutions connect to the platform, giving you more visibility and context to identify the stealthiest attackers.
Trellix XDR provides a variety of threat detection tools. Automatic correlation will do most of the work for the analyst. If this is not enough, Trellix XDR will allow you to search through all the collected information using Trellix Query Language and also suggest investigative tips.
To eliminate detected threats, Trellix XDR offers a variety of pre-installed playbooks that will help you act faster and smarter at this stage.
Altogether, Trellix XDR is a solution that will take an organization's security to a whole new level while educating staff on information security best practices.