In part one of this series we laid out the differences between network detection and response (NDR) and extended detection and response (XDR). As previously mentioned, XDR is generally built on top of a single vendor combination of EDR and NGFW technologies.
However both EDR and NGFW technologies suffer from inherent limitations such as throughput, visibility, and supported platforms. These limitations create gaps in both protection and visibility, resulting in blind spots that are difficult to address.
EDR & NGFW Limitations
Endpoint detection and response (EDR) requires an agent on each endpoint and is focused on endpoint file system, processes, and network traffic to and from the specific endpoint only. There are several best-in-class EDR technologies on the market, yet due to their inability to deploy agents on devices like printers, IP phones, thermostats, security cameras, and more, large organizations often encounter issues achieving full deployment coverage. Further, if a new endpoint is deployed, it is not always done properly and may go unmonitored for a long time.
NGFW technologies are critical to securing the enterprise gateway, blocking inbound and outbound traffic, applying IDPS signature rule sets and allowing for the enforcement of IP-block and allow lists. The feature sets for these appliances is extensive, but due to the high computational overhead of ML and full packet inspection, it's difficult if not impossible for NGFW appliances to fully evaluate network traffic on all potential metrics, let alone perform UEBA or high-fidelity ML against traffic.
NGFW platforms also suffer from traffic throughput issues when activating multiple advanced features, creating a traffic bottleneck that is expensive to overcome. The result is a high level logging view of traffic allow/block and log data for which IDPS rules were encountered for a given traffic stream. While this type of analysis certainly serves to improve security posture, it lacks in-depth analysis provided by purpose-built, out-of-band technologies such as NDR.
While some companies use NGFW technologies to segment important sections of their corporate networks, these appliances are too expensive for the type of zero-trust deployment model required to capture log data for the majority of east-west network traffic.
To Do XDR Right, You Need a Totally Open Architecture
While XDR platforms provide a variety of benefits, vendor lock-in can be a detriment to security practitioners. By leveraging second and third tier tools in order to take advantage of an XDR platform, security practitioners are actually compromising their network's security in exchange for the simplicity XDR claims to provide.
XDR's promises of analyst efficiency seem to make sense on the surface, but there are security risks created by not using best-in-class solutions. An extra burden is placed on analysts who will have to turn to other tools to gain the visibility they need to do their jobs.
Additionally, XDR vendor lock-in creates new hurdles for security teams looking to migrate to best-of-breed tools, forcing customers to consider the inherent costs of wide-spread toolkit replacement rather than replacing point products. While this might seem cheaper on the surface, security practitioners should be wary of buying into the promises of any XDR platform that prevents the ability to leverage and integrate best in class tools.
Looking to the Future
As we look toward the future of the security industry we must keep in mind the trends of the past. The last twenty years of industry evolution has resulted in a shift from tools simply collecting and storing data to high-fidelity, ML-based detection and response capabilities.
EDR is constantly working to build in response and recovery–based automation with in-depth investigative and forensic tools, allowing analysts to do their jobs more efficiently. SIEM and SOAR products allow for broad-based tool integration wrapped around machine learning and and playbooks for vendor-agnostic automated response capabilities.
With XDR we see the next generation of the SIEM and SOAR products. They combine vendor-specific log data with vendor-specific machine learning capabilities for higher-fidelity data and log aggregation. The goal of providing a unified analysis that helps security teams understand the broader picture of what's happening across different data sources is a good one, but trying to achieve that through a single vendor is too limiting.
XDR has the potential to deliver a solution that enables the analyst by providing that one touch analysis and forensics interface, but only when vendors work to provide open interfaces, enabling integrations with best-of-breed tools to enhance a vendor's native detection and response capabilities.
ExtraHop has taken the position for a while now that intelligent integrations are the best option for sophisticated security operations. All-in-one solutions too often function as a jack of all trades but a master of none. Reveal(x) is, in our (admittedly biased) opinion, the best-of-breed network detection and response solution.
NDR is a critical component of security because it provides coverage in ways that are just not possible using any other data source. Detection and response is the future of cybersecurity, and the network is the key data source for that future.