Got XDR? What It Is and Why This Game-Changing Technology Is Needed Right Now
It’s been more than four years since we started Respond Software, and we continue to hold true to our mission—to help security teams right the balance between attackers and defenders by harnessing the power of software so that people can do more to defend their enterprise. We’re proud of the many successes we’ve had and the progress we’ve made. Our product does something both simple and powerful for our customers – it gives time back to security analysts and security engineers: time to perform investigations that need human involvement, time that was previously spent monitoring a console and chasing false positives, and time previously spent writing, editing and maintaining rules and playbooks for a platform, just to name a few.
How do we give this time back? I think it’s best illustrated by a metric we’ve collected across our customer base these past six months: our software performed the initial incident investigation on over 850 billion security events and through its powerful, consistent, and fast triage, only sent 5,534 well-vetted investigation escalations to our customers. That works out to less than 10 potential incidents per week for each security team. Those teams rely on our product to monitor and investigate the billions…while they dig into the dozens. This human-machine combo gives them more coverage, better analysis, and ultimately better security.
The Respond team previously built over 50 Security Operations Centers (SOCs) for customers, delivered untold new and upgraded software to help them manage those SOCs, and worked as former security analysts and incident responders, so we knew what kind of automation to bring to the table. Now we have an even better way to explain our product’s capabilities – it’s an Extended Detection and Response (XDR) engine.
What’s an XDR Engine and how is it different?
XDR is a relatively new term in the security tools landscape. XDR stands for Extended Detection and Response. The term has its roots in a category of products that is adding a great deal of value to cybersecurity recently, the Endpoint Detection and Response (EDR) solutions. These tools promise to create a comprehensive record of activities taking place on endpoint devices, enhancing security analysts' visibility to discover malicious activities.
EDR brings several key benefits, but security teams understand that just knowing about the endpoint is not enough. You need to extend the detection and response to be inclusive of other valuable tools in the security environment. That’s the core of what XDR is meant to do – extend visibility and analysis to include threat intelligence, telemetries, vulnerabilities, and other relevant IT information. To paraphrase Jon Oltsik from the research group ESG, “XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.”
Ok, so what does an XDR Engine do? An XDR Engine performs the unification of data that Jon described above and then (1) determines the likelihood that events are malicious and actionable; (2) groups those events that are related; and (3) establishes a priority given the severity and impact of the potential incident.
I’ve started to use a simple analogy to explain this category of automation – a criminal investigation’s evidence board as popularized by TV and movie dramas. You all know the scene – a wall filled with seemingly unrelated bits of evidence all over the place. A detective’s job is to figure out the connections – those strings linking people to places to events – to make a case stronger or clear someone of suspicion. What detectives do with physical evidence on an evidence board, an XDR Engine does with cybersecurity data – but at machine speed and scale. It handles voluminous and rapid-fire data while automating the three steps described above with consistency, depth, and speed. It connects the dots and only presents investigation results that truly matter. All other evidence falls away…no sense in investigating false positives or benign events. Like a detective’s evidence board, it lets you see the proverbial forest rather than just the trees.
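To make the three steps concrete, here is a small added example of my own (toy code, not the Respond Analyst engine or any of its models) that scores, groups and prioritizes a constructed batch of events from three hypothetical sources. The event fields, scoring weights, asset-impact table and escalation threshold are all assumptions chosen for illustration; a real engine would replace the additive score with a learned model and link on many more entities than the host name.

```python
"""Toy XDR-style triage engine (added example, not Respond Software's code).

Runs the three steps from the post over a constructed batch of events:
(1) score how likely each event is malicious and actionable,
(2) group events that are related (here: events that share a host),
(3) rank each group by likelihood and asset impact, dropping weak groups.
All fields, weights and thresholds are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample telemetry from three hypothetical sources (EDR, firewall, IDS).
SAMPLE_EVENTS = [
    {"id": 1, "source": "edr", "host": "ws-042", "type": "suspicious_process", "severity": 6, "known_bad": False},
    {"id": 2, "source": "firewall", "host": "ws-042", "type": "outbound_to_threat_ip", "severity": 7, "known_bad": True},
    {"id": 3, "source": "ids", "host": "ws-042", "type": "c2_beacon_signature", "severity": 8, "known_bad": True},
    {"id": 4, "source": "edr", "host": "ws-101", "type": "suspicious_process", "severity": 3, "known_bad": False},
    {"id": 5, "source": "firewall", "host": "srv-db-01", "type": "port_scan", "severity": 4, "known_bad": False},
    {"id": 6, "source": "firewall", "host": "srv-db-01", "type": "outbound_to_threat_ip", "severity": 7, "known_bad": True},
]

# Assumed asset criticality: the "impact" side of the priority calculation.
ASSET_IMPACT = {"srv-db-01": 1.0, "ws-042": 0.5, "ws-101": 0.5}


def score_event(ev):
    """Step 1: estimate the likelihood (0..1) that one event is malicious and actionable.

    Simple additive model (an assumption): vendor severity contributes up to 0.8,
    a threat-intelligence match adds 0.2. Result is capped at 1.0.
    """
    likelihood = min(ev["severity"], 10) / 10 * 0.8
    if ev["known_bad"]:
        likelihood += 0.2
    return round(min(likelihood, 1.0), 2)


def group_related(events):
    """Step 2: link events that share an entity. This toy links on host only."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["host"]].append(ev)
    return dict(groups)


def prioritize(events, escalation_threshold=0.6):
    """Step 3: rank groups by likelihood x asset impact and discard weak groups.

    A group's likelihood is the strongest single event, nudged upward for each
    additional independent source that reports on the same entity (corroboration).
    Groups below the threshold fall away instead of being escalated.
    """
    ranked = []
    for host, evs in group_related(events).items():
        likelihood = max(score_event(e) for e in evs)
        distinct_sources = {e["source"] for e in evs}
        likelihood = round(min(likelihood + 0.05 * (len(distinct_sources) - 1), 1.0), 2)
        if likelihood < escalation_threshold:
            continue  # benign or unconfirmed evidence: not worth an analyst's time
        priority = round(likelihood * ASSET_IMPACT.get(host, 0.5), 3)
        ranked.append({
            "host": host,
            "likelihood": likelihood,
            "priority": priority,
            "event_ids": sorted(e["id"] for e in evs),
        })
    ranked.sort(key=lambda g: g["priority"], reverse=True)
    return ranked


if __name__ == "__main__":
    for group in prioritize(SAMPLE_EVENTS):
        print(group)
```

Running it escalates two of the three hosts: the lone low-severity EDR alert on ws-101 never reaches an analyst, while the database server outranks the workstation even though the workstation has more corroborating evidence, because impact is weighed alongside likelihood. That trade-off between severity and impact is exactly the prioritization judgement the post describes.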
What makes the Respond Analyst XDR Engine different?
The Respond Analyst XDR Engine is unique in three ways:
- Open – our software was designed to work across vendor products, in a vendor-agnostic way. We did this so you could leverage the intelligence, telemetries, and controls you have today. We currently support over 65 vendor products across a wide range of categories. And we add more every month.
- Intelligent – “connecting the dots” from evidence and determining the scope, impact and priority is the core of what the Respond Analyst does. We’ve embedded expert knowledge into our data science models that perform initial investigations at machine speed, consistency and scale. And those models improve automatically with user feedback.
- Simple – the expert knowledge is already built-in. You don’t have to program it, and you don’t have to maintain it. We do that for you. That’s what a modern platform should do for security operations.
We are tremendously excited about our latest release. It enables cybersecurity teams to make a kind of quantum leap – both in terms of capabilities and cost. I invite you to engage us and see what an XDR Engine can do for you.