The Case for Open XDR – X Means Everything

The current model for  is broken. It consists of acquiring and deploying a lot of stand-alone tools, each with its own console, to analyze logs or traffic and detect anomalies that could be threats. In this model, it’s up to each security analyst to communicate with other analysts to determine whether each tool’s individual detections (each of which, by itself, may look benign) can be correlated with detections from other tools to reveal a complex attack.

This model forces enterprises to create complex security stacks consisting of , SOAR, EDR, NDR and more, for the purpose of instrumenting the enterprise, identifying threats, responding to threats, and managing risk. Acquiring all of these tools and managing their licenses is complex and expensive, and the manual correlation required to compare each tool’s detections leaves a lot of gaps in the overall security infrastructure.


Analysts are often bombarded with false positives by these systems as well, causing “alert fatigue” and job dissatisfaction. Even enterprises that declare themselves satisfied with their existing  and other tools will admit that the amount of time and energy they have poured into standing up a multi-tool security infrastructure isn’t delivering the requisite results.


The Case for XDR


XDR, or extended detection and response, has become a catch-all definition for any technology performing detection and response, because in the acronym, X is really a variable. While X can represent “Endpoint+” or “Network+”, that disregards the enterprise’s present pain: siloed tools, uncorrelated data, and alert fatigue. The whole goal of XDR is to address this pain, and therefore X has to mean “Everything.” Everything, then, implies a platform approach to covering the entire attack surface through detection and response.


This platform approach can fix today’s broken model by converting siloed tools int ..