XDR Strategy and Zero-Trust: The Whole is Greater Than the Sum of the Parts

We are often asked about the short-term future of cybersecurity. While expert answers differ, we generally highlight the rise of Extended Detection and Response (XDR) as a significant shift in an organization's cybersecurity toolkit, alongside the adoption of a Zero-Trust maturity model, which provides both a trust-centric and a data-centric approach centered on the protection of digital assets.

Let's briefly discuss the latter first. On average, 85% of all assets are now in digital form; twenty years ago, just after the millennium, the figure was only 10%. Digitization has made information the new oil: it fuels new industries and has tremendous value. But with cyber threats continuing to rise (hardly a day goes by without news of a breach, and by some estimates a ransomware attack starts every eleven seconds), zero trust is the new paradigm in cybersecurity, starting with actionable inventories of data and users. Underscoring the importance of this shift, new federal directives focus on identifying and managing data risk from both a people and a technology perspective. Chief among them is the much-discussed White House Executive Order (EO) 14028, "Improving the Nation's Cybersecurity," issued May 12, 2021. The EO set out to formulate a strategy for modernizing cybersecurity across the public and private sectors to deal with current threats, and that strategy centers on the concept of Zero Trust Architecture (ZTA).

To help organizations and government agencies adopt this approach, the Cybersecurity and Infrastructure Security Agency (CISA) has developed a Zero Trust Maturity Model that provides prescriptive guidance. The model describes a data-centric approach built on the assumptions that breaches will occur and that users and devices should be granted only least-privilege access.

Section 4 of EO 14028 calls on federal agencies, universities, private companies and others to identify existing, or develop new, standards, tools and best practices to improve the security of the software supply chain. This is where Extended Detection and Response (XDR) comes into play.

Cybersecurity as a field and practice is only about 30 years old: relatively young, and roughly contemporary with the emergence of the modern Internet from DARPA's research network. In that time we have been through five generations of attacks, each of which required a new cybersecurity technology response.

Let's do a quick recap. In the 1990s, Generation 1 cybersecurity meant anti-virus software on the endpoint, and Generation 2 brought the perimeter firewall. Both are still with us in next-generation forms today, but they are far less effective in a virtual, remote world than they were in earlier eras. Generation 3, in the early 2000s, was IDS/IPS. Around 2010, polymorphic content drove the adoption of sandboxing and anti-bot technology, which we consider Generation 4.

By 2015, and continuing today, we reached Generation 5, the era of the mega-breach. Gen 5 attacks are typically large-scale and multi-vector, designed to infect multiple components of an IT infrastructure at once: networks, virtual machines, cloud instances and endpoints.

Gen 5 attacks led to the development of a more advanced solution, Endpoint Detection and Response (EDR). Simply put, EDR is a new generation of anti-malware that no longer relies solely on signatures to detect malicious behavior; it adds behavioral analysis of running processes to spot deviations from normal activity. Without at least an AI-powered EDR platform, you are unlikely to detect or stop Generation 5 attacks. Even then, EDR platforms routinely test at 80 to 90% effectiveness. More is needed, because we are about to enter the era of Gen 6 attacks: large-scale, multi-vector attacks like Gen 5, but also targeting assets reached through vendors, IoT, OT, cloud-connected devices, mobile, 5G and social channels. What we need is XDR.

Generation 6 attacks require ubiquity in defense: not only to "see it all" but, more importantly, to "secure it all". This is where the Zero-Trust approach and XDR share goals. The objective of Zero Trust is to prevent risk before it materializes, by identifying risks and indicators that trust has been breached. XDR sharpens that identification, surfacing evasive threats through behavioral analysis and using machine learning to detect anomalies indicative of an attack. XDR's "north star" is native integration of network, endpoint, cloud and third-party data; Gartner describes it as a "cohesive security operations system." It is a force multiplier against digital risk, and in a world where every business has become a reachable target, it belongs on every organization's defense-in-depth priority chart.

Beyond the much wider range of sources over which it offers visibility, detection and prevention, XDR brings richer functionality: it raises the level of contextualization by connecting detections to threat intelligence feeds, improves the ability to anticipate by linking detected technical indicators to external content, and refines security orchestration and response automation with finer granularity and higher fidelity in each intervention. Cybersecurity today is about building a "factory" of defense, and the factory's "equipment" must be powered with data. We do this first through machine learning, then enrich that data with further context, to develop threat models that begin to detect and assess threats at the first stage of the kill chain, reconnaissance. That is why XDR efficacy can approach 99.9%, rather than the 80 to 90% of EDR or the 50 to 60% of old signature-based anti-malware.

It is important to remember that Zero Trust is a philosophical approach, while XDR is an advanced prevention and detection capability. Zero Trust is not a product that can be plugged in to save the day. By using security tools that support the pillars of Zero Trust (posture, continuous assessment, and assumed compromise), you can significantly improve your overall security posture.

XDR is an effective security capability on its own. Used in tandem with a Zero Trust approach, however, organizations can improve their security further. XDR has two strengths that support a Zero Trust strategy: strong endpoint controls (covering users, cloud workloads, devices and so on) and organization-wide data collection and correlation across the entire IT infrastructure. Here is how the two fit together:

Robust endpoint controls provide a solid foundation for verifying and establishing trust, because they give security teams full visibility into endpoint and device activity and the threats against it. Without visibility, you cannot verify and establish trust in good faith.

Additionally, because XDR constantly collects and correlates data, it implements the continuous evaluation pillar of the Zero Trust architectural strategy. Even after a device's initial access is approved, the asset is continually reviewed and reassessed to ensure that it remains trustworthy. If the endpoint starts acting suspiciously, for example with logins from several locations within timeframes that make physical travel between them impossible, XDR notifies the security team, which can then remove the device's access and close off a potential attack vector.
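The "impossible travel" check described above is one of the simplest continuous-evaluation signals to build, so here it is as an added example. This is illustration code written for this page, not code from the article's author or from any XDR product. It parses a handful of constructed sign-in log lines, resolves each source IP through a constructed lookup table that stands in for a GeoIP database, computes the great-circle distance between consecutive sign-ins for the same user, and flags any pair whose implied speed exceeds what an airliner could manage. The finding is then mapped to a Zero-Trust enforcement step (step-up authentication or session revocation). The IP table, thresholds, log format and helper names are all assumptions for the example.

```python
"""Impossible-travel detection over constructed sign-in events.

Added example for this page (not from the original article or any vendor
product). The GEO table, the thresholds and the SAMPLE_LOG lines are all
constructed; a real deployment would use a GeoIP database and the identity
provider's session API in place of GEO and enforcement_action().
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime

# Constructed IP -> (city, latitude, longitude) table standing in for GeoIP.
GEO: dict[str, tuple[str, float, float]] = {
    "203.0.113.10": ("Dallas", 32.78, -96.80),
    "198.51.100.7": ("Frankfurt", 50.11, 8.68),
    "192.0.2.44": ("Houston", 29.76, -95.37),
}

MAX_SPEED_KMH = 900.0   # roughly airliner cruising speed; faster is "impossible"
MIN_DISTANCE_KM = 100.0  # ignore short hops such as VPN egress flapping in one metro

# Constructed log lines: "<ISO-8601 UTC timestamp> <user> <source IP>".
SAMPLE_LOG = [
    "2024-03-04T09:00:00Z alice 203.0.113.10",
    "2024-03-04T09:25:00Z alice 198.51.100.7",   # Dallas -> Frankfurt in 25 min
    "2024-03-04T09:00:00Z bob 203.0.113.10",
    "2024-03-04T13:00:00Z bob 192.0.2.44",       # Dallas -> Houston in 4 h: plausible
    "2024-03-04T10:00:00Z carol 192.0.2.44",
    "2024-03-04T10:05:00Z carol 192.0.2.44",     # same IP twice: nothing to compare
]


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    src_ip: str


@dataclass(frozen=True)
class Finding:
    user: str
    from_city: str
    to_city: str
    distance_km: float
    minutes: float
    speed_kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = math.sin(d_phi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_events(lines: list[str]) -> list[SignIn]:
    """Parse the constructed log format and order events per user by time."""
    events = []
    for line in lines:
        ts, user, ip = line.split()
        events.append(SignIn(user, datetime.fromisoformat(ts.replace("Z", "+00:00")), ip))
    return sorted(events, key=lambda e: (e.user, e.when))


def impossible_travel(events: list[SignIn]) -> list[Finding]:
    """Flag consecutive sign-ins per user whose implied speed exceeds MAX_SPEED_KMH."""
    findings: list[Finding] = []
    last_seen: dict[str, SignIn] = {}
    for ev in events:
        prev = last_seen.get(ev.user)
        last_seen[ev.user] = ev
        if prev is None or ev.src_ip == prev.src_ip:
            continue
        if prev.src_ip not in GEO or ev.src_ip not in GEO:
            continue  # unresolvable IPs would get their own handling in production
        city1, lat1, lon1 = GEO[prev.src_ip]
        city2, lat2, lon2 = GEO[ev.src_ip]
        distance = haversine_km(lat1, lon1, lat2, lon2)
        if distance < MIN_DISTANCE_KM:
            continue
        minutes = (ev.when - prev.when).total_seconds() / 60
        speed = distance / (minutes / 60) if minutes > 0 else float("inf")
        if speed > MAX_SPEED_KMH:
            findings.append(Finding(ev.user, city1, city2, round(distance, 1),
                                    round(minutes, 1), round(speed, 1)))
    return findings


def enforcement_action(finding: Finding) -> str:
    """Map a finding to a Zero-Trust enforcement step (assumed policy).

    Speeds only modestly above the threshold may be GeoIP error, so they get a
    step-up challenge; clearly impossible travel revokes the user's sessions.
    """
    if finding.speed_kmh > 3 * MAX_SPEED_KMH:
        return "revoke"
    return "step_up_mfa"


if __name__ == "__main__":
    for f in impossible_travel(parse_events(SAMPLE_LOG)):
        print(f"{f.user}: {f.from_city} -> {f.to_city}, {f.distance_km} km in "
              f"{f.minutes} min ({f.speed_kmh} km/h) -> {enforcement_action(f)}")
```

Run as-is, the script reports only alice (Dallas to Frankfurt in 25 minutes, well over 10,000 km/h) and recommends revoking her sessions; bob's Dallas-to-Houston hop at roughly 90 km/h and carol's repeated sign-ins from one address produce nothing. The minimum-distance guard matters in practice: without it, a VPN concentrator that hands out addresses geolocated a few kilometres apart will flood the queue with false positives.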

Zero Trust and XDR also ease the workload of security teams. With a Zero Trust strategy that leverages XDR, many weaknesses and gaps can be detected by XDR and then blocked at enforcement points, closing a significant number of exposures and removing the corresponding work from the team's queue. With those gaps closed, security teams have more time to investigate advanced attacks. And as always, fewer successful attacks make it easier for companies to achieve their business goals, which any board can understand.

We established earlier that Zero Trust is a trust-centric architecture that puts human and machine identities at the heart of security policy. In this architecture, corporate access controls and policies are based on assigned identities and attributes. Every access request requires an authorized access decision combined with a provable identity, regardless of where the request originates. It is dynamic and adaptive, and it supports modern business models: BYOD, remote work, cloud applications, hybrid cloud, on-premises systems, social integration and so on.

XDR then does the heavy lifting: preventing known and unknown ransomware, stopping active attacks, detecting and preventing lateral movement, looking for signs of undetected compromise, and mapping adversary activity to MITRE ATT&CK tactics and techniques. XDR correlates data across endpoints, applications, cloud, operational technology, the Internet of Things and the identity-centric architecture described above, essentially the entire IT estate. Either one (Zero Trust or XDR) without the other leaves an incomplete technical security framework.

So our advice is: go for full visibility and extended protection across every application, workload, resource, compliance scope (PCI DSS, for example) and network. Detect and respond to advanced threats quickly, with the ability to identify the origin of an attack, then track and investigate it. Insist that your solution includes native integrations and support for open APIs and protocols so that your existing investments are protected. Next, establish trust and least privilege before granting access to a device or user or authorizing a connection. Finally, map the attacker's likely path and concentrate coverage on the attack techniques along it. Sleep better while improving risk management and security. You can do all of this with a zero-trust architecture and a field-proven XDR solution. Contact me with questions; I always appreciate hearing from you. See you next time.
