Will XDR improve security?

By: Jon Clay, Director of Global Threat Communications, Trend Micro (First published on Trend Micro)

Will XDR improve security?

Cybercriminals and malicious hackers have been shifting their tactics, techniques, and procedures (TTPs) to improve their ability to infiltrate an organisation and stay under the radar of security professionals and solutions. Moving to more targeted attack methods appears to be a mainstay among threat actors, which requires organisations to improve their visibility into the entire attack lifecycle. Gone are the days in which these attacks only target the endpoint, and as such, an expanded connected threat defence is paramount.

Many organisations have been adopting EDR (Endpoint Detection & Response) as a way to obtain more data about attacks on the endpoint. But as we’ve seen with even ransomware actors, the endpoint is being targeted less. Rather, attacks are laterally moving within an organisation to find critical systems that will allow them to increase their chance of the organisation paying the ransom. (See my recent webinar on trends in ransomware.)

This means the actors behind many financially motivated and targeted attacks will move across the network, and their tracks will be left in other areas of their network, not just on the endpoint. Expanding EDR to include other areas is the definition of XDR. The X could be network data, email or web data, data from cloud instances, and others. This would allow an organisation to get visibility into the entire attack lifecycle, including infiltration, lateral movement, and exfiltration. This will improve the organisation’s ability to prevent critical data exfiltration or the compromise of critical systems within their network.

The ability to do this requires a number of key components:

  1. A security vendor who has solutions across the entire network, including cloud, gateway (email & web), network, server, endpoint (includes mobile), and IoT/IIoT
  2. Support for threat intelligence and data analytics. This should be as automated as possible and should include 3rd party threat intelligence (i.e. CERT, ISAC, ISAO feeds)
  3. History of expertise in correlating multiple threat vectors and the use of AI and Machine Learning

This will require a major shift from traditional security practices, as many organisations have supported a best-of-breed approach, utilising multiple vendors (some say 50-100 security applications on average within a large enterprise). Instead, the future is moving to a more consolidated approach with fewer vendors. Having multiple vendors for different areas of security results in silos and segmentation due to a lack of integration across the security industry, but XDR could bring a shift in this practice as they include more support for 3rd party intelligence feeds.

Trend Micro has been innovating for 30 years and our breadth of security products allows us to successfully build an XDR solution. Also, our almost 15 years of investing in and building AI/Machine Learning technologies into our backend and frontend products will allow us to have the data analytics piece covered. Lastly, we have an extensive array of global threat intelligence that will allow us to ensure we can proactively detect and protect our customers.