
There’s an exciting and important new cybersecurity approach every business leader and board member should become familiar with. It’s called XDR; DR refers to detection and response, and “X” means any data source. And in our era of the Internet of Things and new types of data sources, it will give network defenders another tool in their prevention arsenal.

But first, a quick history lesson, courtesy of a landmark technical paper.

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains doesn’t exactly roll off your tongue like War and Peace or For Whom the Bell Tolls. But, in the cybersecurity world, there may have been no more important publication than that famous Lockheed Martin paper.

When it was published in 2011, the paper introduced information security professionals to the concept of the intrusion kill chain. The concept was simple—and brilliant. Instead of randomly placing security controls at various points on a network and hoping adversaries would trip over them like landmines and barbed wire on a battlefield, enterprises could put prevention controls at every place in the attack chain that they knew the adversaries had to travel to succeed in their mission: Deliver to some endpoint, compromise the endpoint, establish command and control, download more tools to help their mission, move laterally in the victim’s network looking for the data they have come to steal or destroy, and finally, once they have found it, exfiltrate it out the command and control channel.

Endpoints were one of many links in the attack chain. A few years ago, EDR—endpoint detection and response—emerged as another network defender tool in the attack chain. Think of EDR like an old-style VCR: a way to record what happened to the endpoint in case a hacker compromised it, in the same way you would record old movies for later review. Network defenders could use EDR in their incident response procedures to determine what the hacker did to take control.

XDR expanded the EDR idea. If you can record what happened on the endpoint, why couldn’t you record everything on the intrusion kill chain for later review? If you did it correctly, XDR would give you complete visibility at every phase of the intrusion kill chain, including the endpoint. It is EDR ++.

When a security platform integrates XDR, it gives enterprises the ability to monitor and account for every change in the intrusion kill chain, no matter where it originates. And this is happening not a moment too soon, as traditional network perimeters have splintered into multiple data islands: employee computing devices like smartphones, tablets, and laptops; data centers run by the company; a raft of SaaS services like Salesforce and Gmail; a hybrid collection of IaaS services from the likes of Amazon, Microsoft, and Google; and yes, we still have a perimeter, or traditional office space.
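To make the "record every phase, from every source" idea concrete, here is a small correlator written for this post as an added example; it is not code from the original article or from any vendor's XDR product. It normalizes constructed telemetry from several data islands (an e-mail gateway, an endpoint agent, a web proxy and a cloud audit log), tags each event with the kill chain phase it evidences, links events by host, and raises an alert only when one host shows several distinct phases from at least two different sources inside a time window. The source names, event types, phase taxonomy and sample events are all assumptions made up for the example; it also goes slightly beyond the text by scoring how deep into the chain each host has progressed, which is what lets a defender pick the earliest phase at which a single mitigation would have broken the chain.

```python
"""Toy XDR-style correlator (added example, not from the original post).

Constructed events from several telemetry sources are normalized, tagged
with the intrusion kill chain phase they evidence, linked by host, and
scored by how far down the chain each host has progressed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kill chain phases in the order the post lists them (delivery through exfiltration).
PHASES = [
    "delivery",
    "exploitation",
    "command_and_control",
    "tool_download",
    "lateral_movement",
    "exfiltration",
]

# Assumed taxonomy: which (source, event type) pairs evidence which phase.
PHASE_MAP = {
    ("email_gateway", "attachment_delivered"): "delivery",
    ("endpoint", "office_spawned_shell"): "exploitation",
    ("proxy", "beacon_to_rare_domain"): "command_and_control",
    ("endpoint", "tool_written_to_disk"): "tool_download",
    ("endpoint", "remote_service_created"): "lateral_movement",
    ("cloud_audit", "bulk_object_download"): "exfiltration",
}

# Constructed sample telemetry: ws-17 walks the whole chain; ws-22 only
# received an attachment and then shows ordinary activity.
EVENTS = [
    {"ts": "2023-05-01T09:00:00", "source": "email_gateway", "type": "attachment_delivered", "host": "ws-17"},
    {"ts": "2023-05-01T09:04:00", "source": "endpoint", "type": "office_spawned_shell", "host": "ws-17"},
    {"ts": "2023-05-01T09:05:00", "source": "proxy", "type": "beacon_to_rare_domain", "host": "ws-17"},
    {"ts": "2023-05-01T09:20:00", "source": "endpoint", "type": "tool_written_to_disk", "host": "ws-17"},
    {"ts": "2023-05-01T10:30:00", "source": "endpoint", "type": "remote_service_created", "host": "ws-17"},
    {"ts": "2023-05-01T11:00:00", "source": "cloud_audit", "type": "bulk_object_download", "host": "ws-17"},
    {"ts": "2023-05-01T09:10:00", "source": "email_gateway", "type": "attachment_delivered", "host": "ws-22"},
    {"ts": "2023-05-01T09:15:00", "source": "endpoint", "type": "user_login", "host": "ws-22"},
]


def normalize(event):
    """Return (host, timestamp, phase) for a raw event, or None when the
    event type maps to no kill chain phase (ordinary activity)."""
    phase = PHASE_MAP.get((event["source"], event["type"]))
    if phase is None:
        return None
    return event["host"], datetime.fromisoformat(event["ts"]), phase


def build_chains(events):
    """Group phase-tagged events by host as (timestamp, phase, source), in time order."""
    chains = defaultdict(list)
    for ev in events:
        n = normalize(ev)
        if n:
            host, ts, phase = n
            chains[host].append((ts, phase, ev["source"]))
    for host in chains:
        chains[host].sort()
    return chains


def chain_depth(chain):
    """Index of the deepest kill chain phase a host's chain has reached."""
    return max(PHASES.index(p) for _, p, _ in chain)


def detect(events, min_phases=3, window=timedelta(hours=4)):
    """Flag hosts whose telemetry shows at least `min_phases` distinct kill
    chain phases, drawn from at least two sources, within `window`."""
    alerts = {}
    for host, chain in build_chains(events).items():
        # Slide a window over the chronologically sorted chain for this host.
        for i, (start, _, _) in enumerate(chain):
            in_window = [(p, s) for ts, p, s in chain[i:] if ts - start <= window]
            phases = {p for p, _ in in_window}
            sources = {s for _, s in in_window}
            if len(phases) >= min_phases and len(sources) >= 2:
                alerts[host] = {
                    "phases": sorted(phases, key=PHASES.index),
                    "sources": sorted(sources),
                    "deepest": PHASES[chain_depth(chain)],
                }
                break
    return alerts


if __name__ == "__main__":
    for host, info in detect(EVENTS).items():
        print(host, "reached", info["deepest"], "via", ", ".join(info["sources"]))
```

Run on the constructed events, only ws-17 is flagged: six phases seen across four sources, deepest phase exfiltration. ws-22 never fires because a delivered attachment on its own is one phase from one source, which is exactly the point of correlating across data islands rather than alerting on each tool in isolation. The `sources >= 2` requirement is a deliberate design choice: it prevents a single noisy agent from manufacturing a "chain" by itself.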

When Lockheed Martin published their paper back in 2010, we didn’t have that. We just had the perimeter. But even back then in those simpler times, network defenders needed prevention tools for every phase of the intrusion kill chain. Even small companies might have deployed 15-20 prevention tools, and large enterprises were likely to deploy well over 100 of them. That’s expensive, inefficient, and ridiculously complex to manage. It also leaves a lot of gaps in security defenses where one tool starts and another one leaves off. Fast forward to today, with all of the data islands, each one needing its own proprietary set of prevention controls down the intrusion kill chain, and the number of tools that network defenders are expected to manage has exploded. We have reached the tipping point. We can’t consume one more tool.

But deploying XDR on a single platform keeps your IT team from deploying hundreds of products that don’t talk to each other, and lets it focus instead on a handful of services on one integrated platform.

If you’re a business executive or a board member without a graduate degree in cybersecurity, you may be wondering how XDR might impact business operations. Let’s break it down:

  • XDR reduces the probability of a material impact on an organization due to cyberthreats.
  • It does so by taking the intrusion kill chain to its logical extension by including all data sources in the cybersecurity ecosystem, not just traditional endpoints.
  • It is implemented as a platform, rather than as an individual product you buy from a vendor and install on your network, making it easier to deploy, upgrade, extend, and manage.
  • It reduces the need for widespread training and additional certifications for your already-overworked InfoSec team and SOC analysts.
  • By creating a wider lens with real-time views of adversaries’ movements, it dramatically improves cybersecurity agility in a time when cyberthieves are getting smarter and more collaborative.

Back in 2011, the authors of Lockheed Martin’s paper could see the accelerating trajectory of both cyber-attacks and connected things, and they knew that the intrusion kill chain could help prepare organizations for a time when it would become increasingly difficult for the good guys to stanch the bad guys’ efforts. And at the heart of their thinking was a pragmatic, business-oriented idea: Enterprises need to raise the stakes for adversaries to continue their attempts to exploit network and endpoint vulnerabilities.

“In a kill-chain model, just one mitigation breaks the chain and thwarts the adversaries,” they wrote. “If defenders implement countermeasures faster than adversaries evolve, it raises the costs an adversary must expend to achieve their objectives. This model shows, contrary to conventional wisdom, such aggressors have no inherent advantage over defenders.” (Emphasis added.)

XDR, like the Lockheed Martin intrusion kill chain framework, is a game-changer. When implemented throughout a sophisticated cybersecurity platform and utilizing the growing ecosystem of threat intelligence services, organizations gain visibility, insight, and critical tips to help them identify where the cyber-attackers will hit, and how to slam the door on them.