How threat intelligence platforms can extend detection and response
As the new year continues to unfold, cybersecurity budget holders will be deep into the process of identifying where to allocate funds to best enhance protection against cyberthreats. The good news is that budgets are rising, with industry commentators frequently reporting that companies are committing more money to strengthening their posture against persistent and sophisticated threats.
Firmly on the list of favoured approaches is extended detection and response (XDR), which has been rapidly gathering momentum in the past two years. Analysts are predicting triple-digit growth in the market as businesses aim to implement a complete, end-to-end security approach. However, before businesses dive headlong into XDR investments, it is worth exploring what we mean by XDR, how it fits with existing tools, and where threat intelligence platforms can be leveraged to help companies bridge the gap between what they have now and an ideal future state of effective XDR.
XDR – what is it?
Right now, there are several definitions aiming to capture what constitutes XDR, but we think analyst Jon Oltsik of ESG offers a strong summary, describing XDR as: "an integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection and response. In other words, XDR unifies control points, security telemetry, analytics, and operations into one enterprise system."
In effect, XDR is not just a combination of one or two security tools, such as EDR and SIEM. It must be capable of normalising and correlating data from all security tools - across multiple vendors and form factors - and automatically acting on the insights delivered.
The challenge for organisations as they explore how to implement XDR for their business is that they are all unique. Over time they have organically built a heterogeneous suite of protection technologies and tactics in response to the threats that have emerged and the risk those threats pose to the business. Tools have been procured to deal with specific aspects of cybersecurity threats and management: firewalls, anti-virus, and endpoint detection and response, to name just a few. As a result, the security estate is often sprawling, and big companies can have up to 80 vendors on the books. Some are household names, and some have been chosen as best-of-breed for their particular use case in the organisation. Many, originating before the shift in philosophy towards open APIs and integration, have locked in their customers in a bid to retain their position in intensely competitive markets.
Unsurprisingly, the result is that there is very little appetite to rip and replace this legacy investment with an entirely new solution. In such a fast-moving environment, new tools and vendors will continue to emerge to deal with new use cases, and businesses want to retain the flexibility to onboard new solutions as they need to. Tearing out existing systems and putting all their security eggs into one basket is therefore not appealing.
Where threat intelligence platforms can power XDR
Instead of writing off all previous security investments, the better approach is to find a way to unlock the silos and better integrate and operationalise the wealth of data that organisations already collect. A threat intelligence platform functions as a repository for data and intelligence from internal and external sources and should be a conduit between existing security technology and cloud-based security offerings. The power of the platform lies in providing integrations with existing tools, allowing security teams to benefit from all the information that already exists within their security setup without suffering data overload.
Once collected, a key function of the platform is to contextualise data. By acting as a single source of truth for teams and bringing in third-party feeds, the internal data is enriched with context. When this is overlaid with policy decisions and risk analysis, alerts can be automatically prioritised. This helps security teams recognise which threats are highly relevant for them and the priority in which they need to be managed.
A well-implemented threat intelligence platform also lowers the number of false positives. For example, intelligence feeds that are known to be particularly chatty or more likely to deliver false positives can be assigned lower confidence weights than alerts from an internal SIEM such as Splunk, so that a match from a noisy feed alone ranks below a corroborated or internally observed one. Those weights need periodic review against triage outcomes, because down-weighting a feed too aggressively trades false positives for missed detections. This helps teams reduce the noise and gain confidence in the validity of the alerts they receive, which results in accelerated security operations and a better work environment for security teams.
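The contextualisation and prioritisation described above, written out as an added example (this is illustrative code, not a product's or the author's implementation). It assumes hypothetical per-source confidence weights, a hypothetical asset-criticality table standing in for the policy and risk overlay, and a constructed set of indicators and alerts; indicators seen by several feeds are corroborated rather than counted twice, internal detections with no intelligence match keep a neutral baseline instead of being suppressed, and alerts under a review threshold are dropped as noise:

```python
from dataclasses import dataclass

# Hypothetical per-source confidence weights (0..1). A chatty OSINT feed is
# trusted less than the organisation's own SIEM detections.
SOURCE_CONFIDENCE = {
    "splunk-internal": 0.95,
    "vendor-feed-a": 0.70,
    "osint-feed-chatty": 0.30,
}
UNKNOWN_SOURCE_CONFIDENCE = 0.10
# Hypothetical policy overlay: how much an alert on a given asset matters.
ASSET_CRITICALITY = {"db-prod-01": 1.0, "web-prod-02": 0.8, "laptop-1337": 0.4}
DEFAULT_CRITICALITY = 0.5
# An internal detection with no matching intelligence is not thrown away; it
# keeps a neutral baseline instead of the confidence of a matched indicator.
UNENRICHED_BASELINE = 0.5


@dataclass(frozen=True)
class Indicator:
    value: str    # IP, domain, hash ...
    source: str   # feed that reported it
    tags: tuple   # e.g. ("c2", "phishing")


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    indicator: str
    source: str   # tool that raised the alert


def build_indicator_index(indicators):
    """Merge sightings of the same indicator from several feeds into one record.

    Confidence is combined as 1 - prod(1 - c_i), so two medium-confidence
    feeds agreeing outranks either feed on its own.
    """
    index = {}
    for ioc in indicators:
        conf = SOURCE_CONFIDENCE.get(ioc.source, UNKNOWN_SOURCE_CONFIDENCE)
        rec = index.setdefault(ioc.value, {"confidence": 0.0, "sources": set(), "tags": set()})
        rec["confidence"] = 1 - (1 - rec["confidence"]) * (1 - conf)
        rec["sources"].add(ioc.source)
        rec["tags"].update(ioc.tags)
    return index


def score_alert(alert, index):
    """Priority = indicator confidence x alerting-tool confidence x asset criticality."""
    rec = index.get(alert.indicator)
    ioc_conf = rec["confidence"] if rec else UNENRICHED_BASELINE
    tool_conf = SOURCE_CONFIDENCE.get(alert.source, UNKNOWN_SOURCE_CONFIDENCE)
    crit = ASSET_CRITICALITY.get(alert.host, DEFAULT_CRITICALITY)
    return ioc_conf * tool_conf * crit


def prioritise(alerts, index, floor=0.1):
    """Enrich each alert with feed context and return them ranked high to low.

    Alerts scoring below `floor` are suppressed as probable noise; in practice
    they should be logged rather than discarded so the threshold can be reviewed.
    """
    ranked = []
    for alert in alerts:
        score = score_alert(alert, index)
        if score < floor:
            continue
        rec = index.get(alert.indicator)
        ranked.append({
            "alert_id": alert.alert_id,
            "host": alert.host,
            "score": score,
            "intel_sources": sorted(rec["sources"]) if rec else [],
            "tags": sorted(rec["tags"]) if rec else [],
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


# Constructed sample data: RFC 5737 documentation addresses, a .example domain
# and one private address with no intelligence match.
SAMPLE_INDICATORS = [
    Indicator("198.51.100.7", "osint-feed-chatty", ("c2",)),
    Indicator("198.51.100.7", "vendor-feed-a", ("c2", "malware-c2")),
    Indicator("203.0.113.9", "osint-feed-chatty", ("scanner",)),
    Indicator("evil.example", "vendor-feed-a", ("phishing",)),
]
SAMPLE_ALERTS = [
    Alert("A1", "db-prod-01", "198.51.100.7", "splunk-internal"),
    Alert("A2", "laptop-1337", "203.0.113.9", "osint-feed-chatty"),
    Alert("A3", "web-prod-02", "evil.example", "vendor-feed-a"),
    Alert("A4", "unknown-host", "203.0.113.9", "splunk-internal"),
    Alert("A5", "db-prod-01", "10.0.0.5", "splunk-internal"),
]

if __name__ == "__main__":
    idx = build_indicator_index(SAMPLE_INDICATORS)
    for row in prioritise(SAMPLE_ALERTS, idx):
        print(f"{row['alert_id']} {row['host']:<12} {row['score']:.3f} "
              f"{row['intel_sources']} {row['tags']}")
```

Run stand-alone, the script ranks A1 first (an internal detection on a critical host, corroborated by two feeds), keeps the unenriched internal alert A5 ahead of the single-feed phishing match A3, and suppresses A2, a chatty-feed-only hit on a low-value laptop. The point of the baseline for unmatched indicators is that the platform must not silence the SIEM simply because no external feed has seen the indicator yet.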
Building corporate cybersecurity memory
Something many organisations struggle with – especially right now – is employee turnover. The human capital lost when analysts move on is significant; it can leave businesses exposed until new employees get up to speed. A threat intelligence platform builds a record of threats identified and how they were triaged and managed. This creates a corporate memory of the threats and responses the business has experienced, allowing new team members to benefit from the work of their predecessors.
Ultimately, as organisations pursue the transition to comprehensive XDR, they should consider how a threat intelligence platform can power effective XDR and support their security teams in accelerating operations without writing off historical investment.