The next gen future of EDR: XDR (Extended detection and response)

What is XDR (Extended detection and response)?

We all know the prominence of EDR solutions. However, the latest technology to enter the space is extended detection and response (XDR), which is the result of evolution from endpoint detection and response (EDR). XDR can be considered an upgraded EDR, but with unified capabilities across other security tools as well, providing combined security analysis visibility, highly efficient detection, and vastly improved correlation, investigation, and response.


Background and reason for developing XDR:

EDR was the first step on the journey towards XDR.

EDR solutions did help provide effective endpoint detection and response, integrating a number of threat detection capabilities on the endpoint.

However, on the bigger picture, the question remained of how security teams could best leverage the combined capabilities of analytics platforms, security information and event management (SIEM) solutions and backend data lakes to integrate data from other parts of the environment. The loose ends were extremely high resource consumption and a high rate of false positives caused by bulk data consumption.


Enter XDR:

XDR was built to unify EDR with other security toolkits, giving enhanced visibility and control over other parts of the business via integrations, and providing collection- and correlation-based detection over deep activity data across email, endpoint, server, cloud workloads, and the underlying infrastructure.

Automated analysis of this combined data set ultimately helps detect threats faster.


XDR vs. EDR

While endpoint detection and response (EDR) has been enormously valuable, at the end of the day it is restricted to managed endpoints, which, like any other single point tool, limits the scope of threats it can detect.

XDR represents the evolution of detection and response beyond the current point-solution, single-vector approach.

XDR evolves detection and response into a consolidated, centralized activity that delivers results greater than the sum of the parts. It collects deep activity data and feeds it into a data lake for cross-layer sweeping, hunting, and investigation.

This is further fine-tuned by applying AI and expert analytics to the rich data set, which yields fewer, context-rich alerts. These can be sent to the company's SIEM solution, augmenting it and reducing the time security analysts need to assess relevant alerts and logs and decide what needs attention and warrants deeper investigation.

An interesting comparison between different security analytics platforms, SOAR and EDR is illustrated in the figure below:

(Image source: Forrester report, Adapt Or Die: XDR Is On A Collision Course With SIEM And SOAR)

XDR Capabilities:


·        XDR broadens the scope of detection and response beyond endpoints. It extends EDR to important additional activity areas such as email security.

·        XDR feeds activity data from multiple layers to a data lake. All applicable information is made available for effective correlation and analysis in the most relevant structure.

·        Pulling from a single vendor’s native security stack prevents vendor/solution proliferation. It also provides for an unmatched depth of integration and interaction between detection, investigation, and response capabilities.

·        Integration with SIEM and security orchestration, automation and response (SOAR) enables analysts to orchestrate XDR insight with the broader security ecosystem.

·        Purpose-built AI and expert security analytics with enhanced data collection and faster detection is XDR’s end goal.

·        Single, integrated and automated platform for complete visibility

·        Provide insightful investigations with a consolidated view of:

o   How the user got infected

o   What the first point of entry was

o   What or who else is part of the same attack

o   Where the threat originated

o   How the threat spread

o   How many other users have access to the same threat
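To make the consolidated view above concrete, here is an added illustration (my own sketch, not code from any XDR product or from the referenced sources) of how cross-layer correlation turns separate email, endpoint and cloud events into one context-rich incident showing the first point of entry, who else is affected and where it spread. The event fields, users, hosts and indicators are constructed sample values.

```python
from collections import defaultdict

# Constructed sample telemetry from three layers (not real logs); field names are my own.
EVENTS = [
    {"ts": 100, "layer": "email", "user": "alice", "host": None, "ioc": "invoice.docm", "msg": "macro attachment delivered"},
    {"ts": 160, "layer": "endpoint", "user": "alice", "host": "ws-01", "ioc": "invoice.docm", "msg": "winword.exe spawned powershell.exe"},
    {"ts": 200, "layer": "endpoint", "user": "alice", "host": "ws-01", "ioc": "203.0.113.5", "msg": "outbound connection to 203.0.113.5"},
    {"ts": 260, "layer": "cloud", "user": "alice", "host": None, "ioc": None, "msg": "mailbox forwarding rule created"},
    {"ts": 120, "layer": "email", "user": "bob", "host": None, "ioc": "invoice.docm", "msg": "macro attachment delivered"},
    {"ts": 150, "layer": "endpoint", "user": "carol", "host": "ws-07", "ioc": None, "msg": "signed installer executed"},
]
WINDOW = 600  # seconds: same-user/host events within this span are treated as linked

def correlate(events, window=WINDOW):
    """Link events sharing a user, host or indicator, then summarise each linked
    group as one incident. Groups confined to a single layer are returned
    separately as low-context alerts, so analysts see fewer, richer items."""
    parent = list(range(len(events)))  # union-find over event indices
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    by_key = defaultdict(list)  # pivot entity -> event indices
    for i, e in enumerate(events):
        for k in ("user", "host", "ioc"):
            if e.get(k):
                by_key[(k, e[k])].append(i)
    for (k, _), idxs in by_key.items():
        idxs.sort(key=lambda i: events[i]["ts"])
        for i, j in zip(idxs, idxs[1:]):
            # A shared indicator links regardless of time; a shared user/host needs the window
            if k == "ioc" or events[j]["ts"] - events[i]["ts"] <= window:
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, e in enumerate(events):
        groups[find(i)].append(e)
    incidents, alerts = [], []
    for evs in groups.values():
        evs.sort(key=lambda e: e["ts"])
        layers = sorted({e["layer"] for e in evs})
        summary = {
            "entry_point": f'{evs[0]["layer"]}: {evs[0]["msg"]}',  # first point of entry
            "layers": layers,
            "users": sorted({e["user"] for e in evs}),               # who else is affected
            "hosts": sorted({e["host"] for e in evs if e["host"]}),  # where it spread
            "indicators": sorted({e["ioc"] for e in evs if e["ioc"]}),
        }
        (incidents if len(layers) > 1 else alerts).append(summary)
    return incidents, alerts
```

Running `correlate(EVENTS)` yields one cross-layer incident (alice's email, endpoint and cloud activity plus bob, who received the same attachment) and one single-layer alert for carol's unrelated endpoint event.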


Automation towards incident response:


XDR allows a vastly automated approach throughout each stage of the incident response lifecycle, with enhanced root-cause analysis and attack correlation.



The underlying benefit is not only managed endpoint protection but also a host of other security capabilities built in, such as email security, cloud security, behavioral detection, threat hunting, and many more.

Hope this was an informative read for all of you!


References:

·        Trend Micro, What is XDR? https://www.trendmicro.com/en_ae/what-is/xdr.html

·        Forrester report: Adapt Or Die: XDR Is On A Collision Course With SIEM And SOAR
