Putting the Pieces Together for Extended Detection and Response
Pulling the Right Data From the Right Tools Allows You to Validate a Detection and Respond Effectively
The Data Breach Investigations Report (DBIR) from Verizon has evolved significantly since it was first published. But one thing that hasn’t changed over the last dozen years is the consistent finding that security professionals have the tools to detect many of the breaches they face. In fact, the very first report back in 2008 found that 87% of the breaches were considered avoidable through reasonable controls. The indicators exist in logs in various security technologies. The challenge is that they’re hard to see because logs are cluttered, and most security departments don’t have enough people to sift through them and make sense of the data.
Fast forward to the 2020 DBIR and approximately two-thirds of breaches are being detected in days or less. So, the good news is that we’re becoming more effective at using these tools to detect breaches. But what about the other third? And of the two-thirds detected, did we detect the entire scope of the attack, or were certain indicators missed and is the adversary still lurking, waiting to re-emerge later?
The definition of detection is very relevant as extended detection and response (XDR) solutions become the next hot topic in the security industry. Because how we define detection will drive the outcome of XDR and, ultimately, the other key component – response.
What is meant by extended detection? Is it detecting something new, or finding all the indicators and pulling them together so you can get a complete picture of what is happening and respond effectively? The answer becomes clear if you work backward from the goal. For response to be effective, it needs to flow throughout the entire ecosystem to create a truly integrated defense. This points to the second definition: finding all the indicators across the entire ecosystem so you can gain a comprehensive understanding of the threat you are facing and know what you must defend. Pulling the right data from the right tools allows you to validate the detection and respond effectively. So, how do you do this?
Let’s take a simple example (numbers made up for ease of explanation). Say one of the pieces of data a detection tool finds is an IP address you don’t recognize. More observables will help you build a broader picture to understand what is going on, but you need to be surgical and target your search. So, you look at external threat intelligence and see that the IP address is associated with a specific adversary. Now you can pivot to that adversary and learn that there are 50 additional IP addresses related to that adversary. Searching across your other tools, you find 20 of the 50 associated IP addresses. That’s a good indication that something may be going on and you need to expand your investigation for a deeper understanding – but that’s a topic for another article.
The point is that your tools are doing their job – they’ve detected indicators of a threat. You’re just not able to see all the relevant indicators, put the pieces together and make sense of them. What you need is a platform that can aggregate the right, targeted data in one manageable location and automatically translate it into a uniform format for analysis and prioritization. This includes events and associated indicators from inside your environment, for example from your SIEM system, log management repository, case management system and security infrastructure. You can augment and enrich this data automatically with threat data from the multiple sources you subscribe to – commercial, open source, government, industry, existing security vendors – as well as integrating quickly and fully with new frameworks that emerge, like MITRE ATT&CK. Once you have all the pieces of the puzzle together and correlate the data, you can see a complete picture of the attack with context.
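The pivot-and-correlate workflow described above (one unrecognized IP, a threat-intel lookup that ties it to an adversary, a search across your other tools for that adversary's related indicators, and a uniform format for the results) can be sketched in code. The following is an added example, not code from the article or from any vendor platform; the adversary name, the indicator set (RFC 5737 documentation addresses) and the records from the three tools are all constructed, and the per-tool record formats are assumptions chosen for illustration.

```python
"""
Added example: pivot from one unrecognized IP through a (constructed) threat-intel
feed to the adversary's related indicators, then search events from several tools,
normalized into one uniform form, for those indicators. All data is constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed threat-intel feed: adversary -> indicators attributed to it.
# The actor name is hypothetical; addresses come from the RFC 5737 documentation ranges.
THREAT_INTEL = {
    "HYPOTHETICAL-ACTOR-1": {
        "203.0.113.10", "203.0.113.11", "203.0.113.12",
        "198.51.100.5", "198.51.100.6",
    },
}


@dataclass(frozen=True)
class Event:
    """Uniform representation every tool's record is translated into."""
    source: str   # tool that produced the record (siem, proxy, edr)
    ip: str       # external address or host observed
    detail: str   # free-text context kept for the analyst


# Constructed raw records, each in its tool's own (assumed) native format.
SIEM_EVENTS = [
    {"src_ip": "203.0.113.10", "dst_ip": "10.0.0.5", "rule": "outbound_anomaly"},
    {"src_ip": "192.0.2.1", "dst_ip": "10.0.0.7", "rule": "port_scan"},
]
PROXY_LOG_LINES = [
    "2024-05-01T10:00:00Z 10.0.0.5 GET http://198.51.100.5/update.bin 200",
    "2024-05-01T10:02:00Z 10.0.0.9 GET http://example.invalid/ 404",
]
EDR_ALERTS = [
    {"host": "wks-17", "remote_addr": "203.0.113.11:443", "process": "svchost.exe"},
]


def normalize(siem, proxy_lines, edr):
    """Translate each tool's native record into the uniform Event form."""
    events = []
    for rec in siem:
        events.append(Event("siem", rec["src_ip"], rec["rule"]))
    for line in proxy_lines:
        # assumed proxy layout: timestamp client method url status
        url = line.split()[3]
        host = url.split("://", 1)[1].split("/", 1)[0]
        events.append(Event("proxy", host, url))
    for alert in edr:
        ip = alert["remote_addr"].rsplit(":", 1)[0]   # strip the port
        events.append(Event("edr", ip, f"{alert['host']} {alert['process']}"))
    return events


def pivot(seed_ip, intel):
    """Find the adversary the seed IP is attributed to and return its other indicators."""
    for actor, indicators in intel.items():
        if seed_ip in indicators:
            return actor, indicators - {seed_ip}
    return None, set()


def correlate(seed_ip, events, intel):
    """Search normalized events for the adversary's related indicators and summarize."""
    actor, related = pivot(seed_ip, intel)
    hits = [e for e in events if e.ip in related]
    return {
        "adversary": actor,
        "related_total": len(related),                   # the article's "50"
        "related_seen": sorted({e.ip for e in hits}),    # the article's "20"
        "tools": dict(Counter(e.source for e in hits)),  # which tools saw them
        "hits": hits,                                    # context for the analyst
    }


if __name__ == "__main__":
    evs = normalize(SIEM_EVENTS, PROXY_LOG_LINES, EDR_ALERTS)
    for key, value in correlate("203.0.113.10", evs, THREAT_INTEL).items():
        print(f"{key}: {value}")
```

The summary reports how many of the adversary's related indicators were seen and in which tools, which is the ratio the article uses to decide whether the investigation should expand; the raw hits are kept so the analyst can verify each match rather than trusting the count alone.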
Now we need to be able to use that intelligence for response, with the flexibility to do so manually, automatically or some combination. Just like detection isn’t siloed in single tools, response isn’t siloed in single tools either but must extend across your environment. Tools need to integrate with a centralized repository of relevant, prioritized threat intelligence, and with all your security controls. This allows them to send the right data back to the right tools across the ecosystem for effective extended response.
Clearly, we need to make better use of the data our detection tools are finding – and we can. Now we need to look forward, making sure we use a deeper understanding of threats to optimize both our extended detection and response capabilities.