Automated Cyber Defense at Speed Is Manageable - SIGNAL Magazine

2022-04-01 07:56 (EST) - Paul Beckman

In today’s cyber environment, the attack surface grows day after day with no sign of slowing. As the number of applications keeps climbing, the signal-to-noise ratio in system and network telemetry keeps falling. The result: the hunt for timely and important context in that telemetry is like trying to find a particular needle in a sea of needles.

Equally challenging is “dwell time,” the period between initial compromise and the point of detection and eradication. In 2020, the reported global average dwell time was 56 days, meaning an attacker typically had nearly two months inside a network before being discovered.

Two excellent approaches to these challenges are extended detection and response (XDR) powered by artificial intelligence (AI) and managed detection and response (MDR). Both shorten dwell time by quickly detecting and responding to penetrations.

XDR is the next step beyond conventional endpoint detection and response (EDR). Nir Zuk, chief technology officer and co-founder of Palo Alto Networks, first coined the term “XDR” and introduced the concept. Today, he describes XDR as “the future of detection and response.”

XDR adds collective monitoring of other critical control points, such as identity management, intrusion sensors, firewalls and cloud applications, and ties them together. It ingests telemetry from many security products, correlates it across data types, and drives automated response at machine speed.

The XDR AI engine examines all ingested telemetry in real time and looks for anomalous patterns of behavior that no single tool would surface on its own. When the engine judges something to be a security risk, the response phase can remediate it automatically by instructing the relevant security devices according to the configured playbook: blocking an IP address at the firewall, quarantining the affected host at its switch port, or blocking a domain on the mail server.
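The correlate-then-respond loop described above, as an added example written for this page; it is not code from the article, from Palo Alto Networks or from any XDR product. Everything in it is constructed: the sample events, the scoring weights, the 70-point threshold, the NEVER_BLOCK ranges and the switch/firewall/mail adapter names are assumptions standing in for whatever a real deployment would wire to its own products.

```python
"""Cross-source correlation and playbook-driven response, in miniature.

Added example, not code from the article or from any XDR/MDR product.
Event fields, scoring weights, the confidence threshold, the NEVER_BLOCK
ranges and the adapter names are illustrative assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample telemetry from three sources (identity, EDR, firewall);
# not real data. ws-17 shows a multi-source pattern, ws-30 a single EDR hit.
EVENTS = [
    {"src": "identity", "host": "ws-17", "event": "mfa_fail", "count": 6},
    {"src": "edr", "host": "ws-17", "event": "lsass_access", "proc": "rundll32.exe"},
    {"src": "firewall", "host": "ws-17", "event": "outbound",
     "dst_ip": "203.0.113.50", "dst_domain": "upd.example.net", "bytes": 52_000_000},
    {"src": "firewall", "host": "ws-22", "event": "outbound",
     "dst_ip": "198.51.100.9", "dst_domain": "cdn.example.org", "bytes": 1_000},
    {"src": "edr", "host": "ws-30", "event": "lsass_access", "proc": "procdump.exe"},
]

# Assumed guardrail: ranges the automated playbook must never block
# (internal space and, say, the SOC's own monitoring segment).
NEVER_BLOCK = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]


@dataclass
class Detection:
    host: str
    score: int = 0
    reasons: list = field(default_factory=list)   # (source, why)
    indicators: dict = field(default_factory=dict)


def score_event(ev):
    """Per-source heuristic. Weights are illustrative, not tuned values."""
    if ev["src"] == "identity" and ev["event"] == "mfa_fail" and ev["count"] >= 5:
        return 30, "repeated MFA failures"
    if ev["src"] == "edr" and ev["event"] == "lsass_access":
        return 50, f"credential-access behaviour via {ev['proc']}"
    if ev["src"] == "firewall" and ev["event"] == "outbound" and ev["bytes"] >= 10_000_000:
        return 30, f"large outbound transfer to {ev['dst_ip']}"
    return 0, None


def correlate(events):
    """Fold per-source signals into one score per host; keep blockable indicators."""
    by_host = {}
    for ev in events:
        pts, why = score_event(ev)
        if not pts:
            continue
        det = by_host.setdefault(ev["host"], Detection(host=ev["host"]))
        det.score += pts
        det.reasons.append((ev["src"], why))
        if ev["src"] == "firewall":
            det.indicators.update(ip=ev["dst_ip"], domain=ev["dst_domain"])
    return list(by_host.values())


def playbook(det, threshold=70):
    """Choose response actions as (device, verb, target) tuples.

    Two gates a practitioner wants before any automated action: a minimum
    confidence score, and corroboration from at least two independent sources.
    """
    sources = {src for src, _ in det.reasons}
    if det.score < threshold or len(sources) < 2:
        return []  # low confidence or single-source: queue for an analyst instead
    actions = [("switch", "quarantine_port", det.host)]
    ip = det.indicators.get("ip")
    if ip and not any(ip_address(ip) in net for net in NEVER_BLOCK):
        actions.append(("firewall", "block_ip", ip))
    if det.indicators.get("domain"):
        actions.append(("mail", "block_domain", det.indicators["domain"]))
    return actions


def respond(actions, dry_run=True):
    """Dispatch to hypothetical device adapters; dry-run records the call only."""
    prefix = "DRY-RUN " if dry_run else ""
    return [f"{prefix}{device}.{verb}({target})" for device, verb, target in actions]


if __name__ == "__main__":
    for det in correlate(EVENTS):
        print(det.host, det.score, det.reasons)
        for line in respond(playbook(det)):
            print("  ", line)
```

Run as-is, ws-17 (identity, EDR and firewall all firing) reaches the threshold and gets all three playbook actions, while ws-30, a lone EDR hit, is held for an analyst. The two gates in playbook, a score threshold plus corroboration from two sources, and the NEVER_BLOCK allowlist are what keep an automated responder from turning a single noisy sensor into a self-inflicted outage; a real deployment would also start in dry-run mode until the playbook's false-positive rate is known.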

There is just one downside: XDR with AI doesn’t necessarily come cheap.

One alternative is a third-party MDR service that builds on XDR’s ability to integrate and automate, delivering enhanced threat monitoring, detection and response around the clock at a reasonable price and significantly reducing dwell time.

The quality of an MDR service depends on how much of that extended visibility it can bring to bear: network traffic analysis, endpoint and cloud visibility tools, and analysis of security log data. Today, MDR offerings fall into three capability groups:

Base Level Services: This includes proactive threat hunting, investigation and response services.

Managed EDR Services: Here, the MDR provider is managing the EDR client and providing base-level services.

Advanced Services: These span incident response as a service as well as the deployment of traditional “boots on the ground” personnel to assist with incidents.

Given the cyber risks at hand, the advanced tier is the best option because it delivers insight into what is happening on a network that would otherwise be difficult or impossible to obtain manually. For organizations that lack the staff or expertise to run XDR themselves, managed security service providers that offer MDR are a smart solution.

Paul Beckman is vice president and chief information security officer at ManTech.

ManTech is sponsoring AFCEA International’s annual The Cyber Edge writing contest, open to thought leaders and subject matter experts in the military, government, academia and industry. This year’s contest theme is “Emerging Technologies in the Cyber Realm.” Three authors will win monetary prizes and will have their articles published in SIGNAL Magazine. Top prize is $5,000; second prize is $2,000; and third prize is $1,000.
