A recent ESG survey of 374 IT and cybersecurity professionals reveals how security leaders are facing the challenges of integrating XDR with existing security tools to reap all the promised rewards. This strategic move is aimed to enhance threat visibility, accelerate response times, and fortify security postures by unlocking XDR’s full potential to transform reactive security measures into a more proactive defense system.
Infoblox found this vendor-neutral ebook report excitingly comprehensive as it even calls out bridging the gap between networking and security tools as a crucial part of a complete XDR approach. The introduction mentions this as one of three key areas where XDR can support better threat detection and response by:
- Operationalizing threat intelligence
- Expanding the integration of asset management with SecOps
- Improving alert triage and prioritization
For many, the most important information may be in the middle of the ebook where ESG discusses ‘The State of XDR’, emphasizing that the early perspective of XDR as a possible SecOps panacea has given way to a more realistic understanding. In the 2022 survey, XDR is now primarily seen as a mix of strategy and technology that can help our existing security stack do a better “DR” job of detecting advanced threats and supporting more effective and efficient investigation, forensic and response efforts. As a result, only 28% of respondents see XDR as potentially replacing some of their current technologies.
But connecting all the survey results to these three benefits is not as straightforward as you might expect, so here’s a guide to learning more about what this report has to say around these three benefit areas, and how it demonstrates that Infoblox BloxOne Threat Defense customers are already well on their way to XDR and SOC Modernization.
Operationalizing Threat Intelligence
The first of the three key benefit areas of XDR figures prominently in the chapters on SIEM and “Automation and GenAI”. Each chapter talks about the value of ‘context’ to make threat intelligence useful. But there are clear challenges to making this happen, as just over half of respondents (51%) reported that they were using more than one SIEM to accomplish all of their key objectives. Even then, 57% of respondents have only been able to automate processes associated with tier one analysts (i.e. alert enrichment, alert prioritization, and alert triage support).
This resonates with Infoblox customers who frequently call out the BloxOne Threat Defense threat research feature, Dossier, as their favorite feature, as it auto-collects relevant threat intel from multiple sources, making it easy for analysts to drill down and pivot around the data to better understand the threat. And it validates heavy investment in AI-driven analytics to support our SOC Insights feature, enabling customers to boil hundreds of thousands of alerts down into a handful of insights for investigation.
Expanding the Integration of Asset Management with SecOps
Asset management is referenced throughout the ebook in regard to its critical role as another source of background or contextual information for alerts to help analysts and responders make informed decisions about what is important, and how to respond.
With that said, the section on “Security Tools and Data Stack” was very revealing about the challenge defenders face in using the information they may already have. As multi-cloud environments, IoT, remote work, and other factors expand our attack surface, both security and network data around the related assets often lack centralization. Over half of respondents reported that they depended on more than 4-5 data repositories, with only 6% claiming to have a single, centralized data repository.
As a result, a coordinated effort is needed between the networking and security teams to centrally collect comprehensive asset data, and to leverage DNS Detection and Response (DNSDR) to take advantage of its ability to enable security for any hardware, any OS, and any application … anywhere. ESG also recently released a report on “Hybrid, Multi-cloud Management Maturity” that may be of interest.
Improving Alert Triage and Prioritization
It should be no surprise that dealing with “alerts” continues to be a top priority for cybersecurity leaders, with 37% reporting that alert volume and complexity are increasing. So the issue comes up more than any other topic throughout the report, particularly in the chapters on “The State of SecOps” and “Automation and GenAI”, with 82% of organizations reporting that they are still dependent on numerous, disconnected analytics engines and point tools.
It is worth noting that only 17% of respondents felt that things would ‘come together by sending logs and alerts to a SIEM platform’. But more respondents are seeing results through XDR by correlating event, vulnerability, asset, and other data from networking and security tools. Some highlights of areas where respondents reported ‘significant’ or ‘somewhat’ measurable improvements:
- 93% – “Our ability to keep up with alert volumes”
- 94% – “Our ability to detect advanced threats”
- 95% – “Investigation times”
- 97% – “Our overall security posture”
The XDR Vision
The overriding message of this report is that XDR is about more than dumping data into a single SIEM or data lake. The value of XDR will be realized when tools both share data and take action through two-way communication. An XDR security ecosystem requires tools to automatically collect and correlate data so that what matters most is exposed, and then to be prepared to take action and/or share the results of that specialized analysis with other tools in the stack.
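The pipeline the ebook keeps coming back to (tier-one enrichment from the SIEM chapter, asset context from the asset-management section, correlation across tools, and a result the next tool in the stack can act on, as described in this section) is easy to see in miniature. The following is an added example written for this post; it is not Infoblox or BloxOne code, and every asset, threat-intel entry, alert, field name and weight in it is constructed for illustration. It enriches raw alerts from three hypothetical tools with asset criticality and intel confidence, rolls them up into one “insight” per asset, raises the priority when independent tools corroborate each other, and emits a record another tool could consume.

```python
"""Added example: enrich -> correlate -> prioritise -> share.
All data, field names and weights are constructed, not from any product."""
from collections import defaultdict

# Constructed asset inventory (the kind of context a CMDB or IPAM export provides).
ASSETS = {
    "10.0.1.5":  {"hostname": "fin-db-01", "criticality": 5, "owner": "finance"},
    "10.0.2.20": {"hostname": "dev-ws-07", "criticality": 2, "owner": "engineering"},
    "10.0.3.9":  {"hostname": "print-01",  "criticality": 1, "owner": "facilities"},
}
# A host missing from inventory gets middle criticality and is flagged: the gap
# in asset data is itself something the asset team needs to hear about.
UNKNOWN_ASSET = {"hostname": "unknown", "criticality": 3, "owner": "unknown", "inventory_gap": True}

# Constructed threat intel keyed by indicator; confidence is 0-100.
THREAT_INTEL = {
    "update-cdn.example": {"category": "c2",       "confidence": 95},
    "mail-login.example": {"category": "phishing", "confidence": 70},
    "198.51.100.7":       {"category": "scanner",  "confidence": 40},
}

# Constructed raw alerts as three separate tools (DNS, EDR, IDS) might emit them.
RAW_ALERTS = [
    {"id": 1, "source": "dns", "asset_ip": "10.0.1.5",  "indicator": "update-cdn.example", "technique": "dns-beacon"},
    {"id": 2, "source": "dns", "asset_ip": "10.0.1.5",  "indicator": "update-cdn.example", "technique": "dns-beacon"},
    {"id": 3, "source": "edr", "asset_ip": "10.0.1.5",  "indicator": None,                 "technique": "lsass-access"},
    {"id": 4, "source": "dns", "asset_ip": "10.0.2.20", "indicator": "mail-login.example", "technique": "dns-lookup"},
    {"id": 5, "source": "ids", "asset_ip": "10.0.3.9",  "indicator": "198.51.100.7",       "technique": "port-scan"},
    {"id": 6, "source": "dns", "asset_ip": "10.0.9.99", "indicator": "mail-login.example", "technique": "dns-lookup"},
]

# Assumed weights: how much an intel category or a detection technique counts.
CATEGORY_WEIGHT = {"c2": 1.0, "phishing": 0.6, "scanner": 0.2}
TECHNIQUE_WEIGHT = {"lsass-access": 1.0, "dns-beacon": 0.8, "port-scan": 0.3, "dns-lookup": 0.2}


def enrich(alert):
    """Tier-one enrichment: attach asset context and any matching threat intel."""
    enriched = dict(alert)
    enriched["asset"] = ASSETS.get(alert["asset_ip"], UNKNOWN_ASSET)
    enriched["intel"] = THREAT_INTEL.get(alert["indicator"]) if alert["indicator"] else None
    return enriched


def score(enriched):
    """Strongest evidence (intel or technique) scaled by asset criticality."""
    intel = enriched["intel"]
    intel_score = 0.0
    if intel:
        intel_score = intel["confidence"] / 100 * CATEGORY_WEIGHT.get(intel["category"], 0.5)
    technique_score = TECHNIQUE_WEIGHT.get(enriched["technique"], 0.5)
    return round(max(intel_score, technique_score) * enriched["asset"]["criticality"], 2)


def correlate(enriched_alerts):
    """Roll alerts up per asset; corroboration from independent tools raises priority."""
    by_asset = defaultdict(list)
    for a in enriched_alerts:
        by_asset[a["asset_ip"]].append(a)
    insights = []
    for asset_ip, alerts in by_asset.items():
        sources = {a["source"] for a in alerts}
        top = max(score(a) for a in alerts)
        priority = round(top * (1 + 0.25 * (len(sources) - 1)), 2)
        insights.append({
            "asset_ip": asset_ip,
            "hostname": alerts[0]["asset"]["hostname"],
            "owner": alerts[0]["asset"]["owner"],
            "inventory_gap": alerts[0]["asset"].get("inventory_gap", False),
            "alert_ids": sorted(a["id"] for a in alerts),
            "sources": sorted(sources),
            "indicators": sorted({a["indicator"] for a in alerts if a["indicator"]}),
            "priority": priority,
        })
    return sorted(insights, key=lambda i: i["priority"], reverse=True)


def triage(raw_alerts):
    """Full pipeline: raw alerts in, ranked insights out."""
    return correlate([enrich(a) for a in raw_alerts])


def shareable(insight):
    """What the next tool in the stack needs: hosts, indicators and a suggested action."""
    if insight["priority"] >= 5:
        action = "isolate-host-and-block-indicators"
    elif insight["priority"] >= 1:
        action = "analyst-investigation"
    else:
        action = "monitor"
    return {"hosts": [insight["asset_ip"]], "indicators": insight["indicators"], "action": action}


if __name__ == "__main__":
    for ins in triage(RAW_ALERTS):
        print(ins["priority"], ins["hostname"], ins["alert_ids"], shareable(ins)["action"])
```

Six alerts from three tools become four insights, and the one that matters is obvious: the finance database host, where DNS beaconing to a high-confidence C2 indicator is corroborated by an EDR detection, lands at the top and carries the hosts and indicators a firewall or DNS resolver would need to act on. The unlabelled host outranks the engineering workstation only because its missing inventory entry was treated as a finding rather than silently defaulted to low criticality, which is the asset-management point from the previous section.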
For a great example of how this can work, take a look at the SOC Insights feature available for our BloxOne Threat Defense solution. SOC Insights applies AI-driven analytics to event, network, ecosystem and unique DNS Threat Intel to first reduce hundreds of thousands of alerts down to a more manageable set of ‘Insights’. But it then correlates that data into a unique investigation portal, or can share the results with other tools.
With XDR, a vendor specialized in an area such as ‘vulnerabilities’ can apply their own expertise via AI or other analytics. Then, as with SOC Insights, it can take action or provide the next tool in line with a better place to start applying its own expertise.