What is XDR and which benefits can it bring to OT Security?

What is XDR?

XDR stands for Extended Detection and Response, and it represents an increasingly popular technology, or, more precisely, the integration of multiple technologies aiming to improve threat detection and response capabilities.

It is not always trivial to define exactly what an XDR solution provides, as this depends heavily on vendors’ marketing and on each organization’s objectives. What can surely be asserted is that calling XDR a technology is reductive, as it might reinforce the wrong idea that it is an out-of-the-box “magical” solution that would revolutionize an organization’s cybersecurity posture. It is more accurate to define XDR as an ensemble of technologies that are simplified, minimized, and focused, and then integrated.

Differences between XDR and EDR

Naturally, endpoint threat detection is no novel concept, as it has been carried out by a plethora of EDR solutions that are available on the market. The main difference between EDR and XDR lies in the fact that XDR solutions expand the detection capabilities of EDR, which are limited to endpoints only, to multiple sources, such as firewalls, cloud services, emails, and other security tools.

Differences between XDR and SIEM

It is also worth mentioning what the differences are between Security Information and Event Management (SIEM) solutions and XDR solutions.

SIEM solutions collect and analyze security data from various sources, such as network devices, servers, and applications, and provide a centralized, human-readable view of security events and incidents.

Compared to SIEM, XDR is a more advanced and comprehensive solution that combines multiple security technologies into a single platform, while SIEM primarily focuses on log data and network traffic analysis.

How does XDR work?

XDR solutions collect and analyze security data from multiple sources, such as endpoints, firewalls, cloud services, emails, and other security tools. The collected data is then processed and correlated using advanced analytics and machine learning algorithms to identify potential threats that might go unnoticed by individual security products. XDR can also automate response actions, such as blocking malicious IP addresses or quarantining a compromised device, and provide detailed forensic information that can help security teams understand the root cause of an incident.

Benefits of XDR for security

The comprehensive and contextual view of the security landscape offered by XDR solutions presents various advantages:

• Reduce time to detect threats thanks to the correlation from different data sources

• Reduce time to investigate incidents

• Reduce time to respond to incidents and attacks thanks to adaptable responses

• Enhance visibility of the monitored security area

The analytical and monitoring capabilities of an XDR solution also make it possible to identify long-term cyberattacks. Threat actors design multi-phase cyberattacks to first explore the target network to find weak links, investigate the attack surface, and maximize the attack’s damage.

A multi-phase cyberattack usually follows 7 steps:

• Reconnaissance: Research, identification, and selection of targets

• Weaponization: Pairing remote access malware with an exploit into a deliverable payload (e.g. Adobe PDF and Microsoft Office files)

• Delivery: Transmission of the weapon to the target (e.g. via email attachments, websites, or USB drives)

• Exploitation: Triggering the exploit to execute the attacker’s code on the target’s system

• Installation: The weapon installs a backdoor on the target’s system, allowing persistent access

• Command & Control: An outside server communicates with the weapon, providing “hands-on-keyboard access” inside the target’s network

• Actions on Objective: The attacker works to achieve the objective of the intrusion, which can include exfiltration or destruction of data, or intrusion into another target

Numerous examples of multi-step attacks have been perpetrated against manufacturing companies with harmful results. XDR solutions are designed to help defend against multi-phase cyberattacks by providing a more comprehensive and integrated view of an organization’s security landscape, advanced analytics capabilities, and automated response. SIEM solutions, conversely, would require a lot of manual effort from security operators to deal with a multi-phase cyberattack. In the event of a multi-phase cyberattack, security teams would be required to manually correlate data from different sources and investigate events that appear unrelated.
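As an added illustration (not BxC’s code or any vendor’s product), the following Python sketches the cross-source correlation described above as applied to a multi-phase attack: constructed email, endpoint and firewall events are grouped per host, mapped to kill-chain phases, and an incident with an automated response is raised only when several phases line up on one host within a time window, so that a lone single-source alert is not escalated. The event fields, phase mapping, window and response actions are all assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry from three sources (illustrative, not real data)
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "source": "email", "host": "ws-042",
     "type": "attachment_delivered", "detail": "invoice.pdf"},
    {"ts": "2024-01-10T09:03:00", "source": "endpoint", "host": "ws-042",
     "type": "persistence_run_key_added", "detail": "Run\\updater"},
    {"ts": "2024-01-10T09:05:00", "source": "firewall", "host": "ws-042",
     "type": "outbound_to_blocklisted_ip", "detail": "203.0.113.7:443"},
    {"ts": "2024-01-10T11:00:00", "source": "firewall", "host": "ws-017",
     "type": "outbound_to_blocklisted_ip", "detail": "203.0.113.7:443"},
]
# Kill-chain phase each detection type evidences (assumed mapping), and phase order
PHASE = {"attachment_delivered": "Delivery",
         "persistence_run_key_added": "Installation",
         "outbound_to_blocklisted_ip": "Command & Control"}
ORDER = ["Reconnaissance", "Weaponization", "Delivery", "Installation",
         "Command & Control", "Actions on Objective"]
WINDOW = timedelta(minutes=30)

def plan_response(chain):
    """Automated actions: isolate the host and block any C2 destination seen."""
    actions = ["quarantine_host:" + chain[0]["host"]]
    for e in chain:
        if PHASE[e["type"]] == "Command & Control":
            actions.append("block_ip:" + e["detail"].split(":")[0])
    return actions

def correlate(events, window=WINDOW):
    """One incident per host whose events span >= 2 kill-chain phases in `window`."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    incidents = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["ts"])
            chain = [e for e in evs[i:]
                     if datetime.fromisoformat(e["ts"]) - t0 <= window]
            phases = {PHASE[e["type"]] for e in chain}
            if len(phases) >= 2:  # a lone single-source alert is not an incident
                incidents.append({"host": host, "phases": sorted(phases, key=ORDER.index),
                                  "sources": sorted({e["source"] for e in chain}),
                                  "response": plan_response(chain)})
                break  # report the first qualifying chain for this host
    return incidents
```

Running `correlate(EVENTS)` raises one incident for ws-042 spanning Delivery, Installation and Command & Control across all three sources, while the isolated firewall hit on ws-017 stays an unescalated alert.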

Potential challenges

Until now everything about XDR solutions sounds positive but, as the proverb says, “All that glitters is not gold”. Although this might be a bit severe, it is important to recognize the potential downsides of an XDR solution as well.

The first and most relevant is the complexity and cost of integrating multiple security technologies into a unified platform. The integration of an XDR solution cannot be “off the shelf” and requires effort.

Secondly, the offering of XDR solutions, or what is marketed as being an XDR solution, is steadily increasing and it is not a trivial mission to identify the most fitting vendor for an organization’s purpose.

In general, XDR is still a relatively new approach to cybersecurity and its implementation in any organization should be carefully discussed, prepared, and tested. Additionally, the reach of an XDR solution makes it necessary to involve stakeholders from different levels and areas of expertise within your organization to reach a harmonized and shared view of the objectives to be achieved with the adoption of a new solution. Organizations must ensure that the final users of any security solution are well-versed in its functions, benefits, and potential downsides.

BxC Takeaway

An XDR solution is a powerful tool for improving cybersecurity posture and enhancing threat detection and response capabilities.

XDR solutions can provide specific benefits to OT, as they provide visibility over the large set of different specialized assets used in manufacturing.

OT systems often have a low tolerance towards risks and are more delicate and expensive than traditional IT systems. Thanks to advanced detection capabilities, XDR solutions can help minimize the risk level of OT systems.

However, it requires careful consideration of the costs and benefits and a thorough understanding of your organization’s specific security needs and challenges.

We, at BxC, are convinced that any technology, or solution, alone is not a security panacea and that well-educated and informed users still represent the cornerstone of cybersecurity.

Sources

https://www.sans.org/blog/cyber-kill-chain-mitre-attack-purple-team/