Ahead of a potential invasion, Russia has reportedly sought to destabilize Ukraine on the cyber front in recent weeks, as hackers attacked tens of Ukrainian government agencies and planted destructive malware inside them. This prompted the US Cybersecurity and Infrastructure Security Agency to warn critical infrastructure operators of possible cyber threats to US assets, noting that two major cyberattacks from 2017, NotPetya and WannaCry, spiraled out of control from their initial targets (NotPetya was a Russian cyberattack against Ukraine…) and spread globally, ultimately causing more than $10 billion in damages.
This, combined with the recent Log4Shell vulnerability, strengthens our view that all companies and organizations across the world will continue to face massive intrusion threats, suggesting that they’ll have to maintain high investments in intrusion detection tools and automated response solutions.
For attackers, endpoints (PCs, smartphones, printers…) can serve as an entry point into a network. Over the last two decades, businesses have put a lot of effort into securing their network perimeter, and attackers have learned that, rather than targeting the network itself, attacking endpoints directly is a much easier way to penetrate IT environments.
In response, the endpoint detection and response (EDR) framework was developed. It is an endpoint security practice that combines real-time, continuous monitoring and collection of endpoint data with rules-based automated analysis and reaction capabilities. In other words, it is a security system that detects and analyzes suspicious activity on connected devices, relying heavily on automation to allow swift identification of and response to attacks.
EDR software constantly monitors activity on the hardware and compares it with a set of known threat patterns, enabling rapid detection of a potential danger. When a threat is discovered, the end user is promptly advised with a list of preventative steps. Unlike firewalls or next-generation antivirus products, EDR does not try to keep a potential threat out of the network; it is more of a reactive tool that is triggered only after an attack has been detected.
Reactive steps belong to the response component of the software, which is designed empirically to mitigate the impact of an attack as well as possible. If an attack of a new kind is conducted, its pattern and exploits are then fed into the ML/AI algorithms to better detect similar threats in the future. This makes the EDR ecosystem dynamic by nature, which is a must in cybersecurity, as malicious actors are always finding new ways to carry out their attacks.
The principles of EDR operations are slowly extending beyond the endpoint. XDR, or Extended Detection and Response, applies EDR ideas to a wider range of systems. In addition to being present on endpoints, agents are deployed on email servers, cloud workloads and networks, which enables faster detection of threats as well as shorter investigation and reaction times. XDR could be effective in mitigating an attack like WannaCry, which spread widely across the internet.
XDR is making its way into organizations and governments as the use of SaaS-based or cloud-delivered security solutions rapidly increases. The benefits for institutions that implement these solutions are numerous. Computing scalability, reduced costs, enhanced base-level security and increased ease of use are among the most prevalent: XDR increases functionality for security analysts and simplifies workflows; it optimizes team efforts by speeding up or eliminating manual steps, and it provides access to views and analyses that could not otherwise be produced immediately.
XDR also offers more insightful investigations, as analysts can make logical connections from the data presented in a single view. A graphical, attack-centric timeline can provide answers on a single dashboard, including to these questions: How did the user get infected? What was the first point of entry? What other element or user is part of the same attack? Where did the threat originate? How did the threat spread? How many other users are exposed to the same threat?
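The two steps described above, rule-based detection over endpoint telemetry and cross-source correlation into one attack timeline, as an added toy example that is not code from the article or from any XDR vendor. The event fields, rule names, response actions and sample telemetry are all constructed assumptions; the correlation simply follows host-to-host links from the earliest alert to answer the entry-point and spread questions.

```python
from collections import namedtuple

Alert = namedtuple("Alert", "ts host user rule action link")  # link: host a network alert points to

# Constructed sample telemetry from email, endpoint and network sensors (not real logs).
EVENTS = [
    {"ts": "2022-01-20T09:00:00", "source": "email", "user": "alice", "host": "PC-01", "attachment": "invoice.docm"},
    {"ts": "2022-01-20T09:03:10", "source": "endpoint", "user": "alice", "host": "PC-01", "parent": "WINWORD.EXE", "process": "powershell.exe"},
    {"ts": "2022-01-20T09:04:00", "source": "network", "user": "alice", "host": "PC-01", "dst_host": "PC-07", "port": 445},
    {"ts": "2022-01-20T09:05:30", "source": "endpoint", "user": "bob", "host": "PC-07", "parent": "services.exe", "process": "powershell.exe"},
    {"ts": "2022-01-20T09:06:00", "source": "endpoint", "user": "carol", "host": "PC-09", "parent": "explorer.exe", "process": "notepad.exe"},
    {"ts": "2022-01-20T09:07:00", "source": "endpoint", "user": "dave", "host": "PC-12", "parent": "services.exe", "process": "powershell.exe"},
]

# Detection rules (name, predicate, automated response): the "known threat patterns" of the text.
RULES = [
    ("macro attachment delivered", lambda e: e["source"] == "email" and e["attachment"].endswith(".docm"), "quarantine attachment"),
    ("office app spawned shell", lambda e: e["source"] == "endpoint" and e["parent"].upper() == "WINWORD.EXE" and e["process"] == "powershell.exe", "kill process, isolate host"),
    ("SMB to peer workstation", lambda e: e["source"] == "network" and e["port"] == 445 and e["dst_host"].startswith("PC-"), "block lateral connection"),
    ("service spawned shell", lambda e: e["source"] == "endpoint" and e["parent"] == "services.exe" and e["process"] == "powershell.exe", "isolate host"),
]

def detect(events):
    """EDR step: compare every event with every rule and raise one Alert per match, in time order."""
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        for name, pred, action in RULES:
            if pred(e):
                alerts.append(Alert(e["ts"], e["host"], e["user"], name, action, e.get("dst_host")))
    return alerts

def correlate(alerts):
    """XDR step: chain alerts into one incident by following host links; unlinked alerts are reported separately."""
    if not alerts:
        return None
    reached, incident, unrelated = {alerts[0].host}, [], []
    for a in alerts:  # already in time order
        if a.host not in reached:
            unrelated.append(a)
            continue
        incident.append(a)
        if a.link:
            reached.add(a.link)  # a lateral connection pulls the destination host into the incident
    return {
        "entry_point": (incident[0].host, incident[0].user, incident[0].rule),
        "affected_hosts": sorted(reached),
        "timeline": [(a.ts, a.host, a.rule) for a in incident],
        "responses": sorted({a.action for a in incident}),
        "unrelated": [(a.ts, a.host, a.rule) for a in unrelated],
    }
```

Running `correlate(detect(EVENTS))` yields an entry point on PC-01 via the macro attachment, PC-07 as the only host reached by lateral movement, and the PC-12 alert flagged as unrelated because nothing links it to the chain.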
It is important to note that XDR vendors (CrowdStrike, SentinelOne, Palo Alto Networks…) combine multi-faceted skills and fields of expertise such as data analytics, network architecture, pattern detection and ML/AI implementation.
All in all, the need for sophisticated threat detection at scale and for automation is outpacing the ability of human-led teams to secure IT networks and devices in an environment where the number of threats is rising exponentially. Google’s recent acquisition of cybersecurity firm Siemplify (details not disclosed) could pave the way for other M&A deals in the field of security automation.