扩展检测和响应(XDR)

How does XDR work?

XDR works by leveraging advanced analytics to correlate alerts from multiple telemetry sources into actionable threat intelligence that can stop threats earlier in the detection and response process. 让我们看一下XDR解决方案的内部工作原理.

统一遥测，更好的检测和响应

XDR应该统一远程用户之间的遥测, network data, endpoints, 云——以及接下来发生的一切. With a good XDR approach, 分析人士整理了一些检测结果, comprehensive investigations, 详细且高度相关的威胁事件, 以及自动响应建议. Analysts can work simpler, smarter, faster, and they’ll always know what to do next.

A focus on efficiency

正确的XDR方法是结束跳转选项卡. It provides a single, comprehensive hub that can be expanded without technical limitations. Expect SaaS delivery to facilitate collaboration across the office or around the world. XDR还应该减轻安全团队的繁重分析需求, 为您解析和分析警报.

High-fidelity detections

成熟的XDR具有显著不同的信噪比. The right methodology, threat intelligence勤奋的背后，检测图书馆 means you can trust detections out-of-the-box. And all your disparate data should be correlated by user, asset, and activity.

One-click automation

Forrester says XDR should include prescriptive-response cybersecurity playbooks that can be executed with one click. You should expect prebuilt workflows for things like endpoint threat containment, user-account suspension, 以及与Jira和ServiceNow等票务系统的集成.

XDR vs. SIEM

SOC Efficiency

Traditional SIEMs were built to consume massive amounts of log data and provide security teams with analytic capabilities. From there, 由你来收集相关的安全遥测数据, correlate findings, validate threats, and remediate.

Now, taking an XDR approach – with cloud SIEM at the core – removes analysis and configuration from the plate of your 安全运营中心(SOC). The focus is on efficiency, accelerating incident response, and creating more space in your day.

XDR means expert curation

传统的SIEM留给你很多东西. 然而，XDR=SIEM + EDR，都与策展. This means teams have native, relevant, and actionable telemetry, high-fidelity detections, 以及规范性的反应剧本.

Scope of visibility

XDR应该远远超出管理和分析SIEM日志的范围. Digital transformation is accelerating and “work anywhere” is the new normal. 真正的XDR平台能够应对这些新的安全挑战, 识别来自一系列遥测源和威胁馈送的威胁.

XDR vs SOAR

With a growing volume of data to manage comes a growing number of alerts to investigate. Traditional SIEM solutions typically don’t give analysts the context they need to prioritize those alerts.

This is where XDR truly SOARs. By which we mean it leverages 安全自动化和响应(SOAR) practices to automate the weeding out of tons of false positives and enrich the quality of alerts coming in. XDR提炼并引导了最有效的SIEM和SOAR实践, 强调先进的遥测技术, so that teams can be more proactive versus traditional reactive workflows.

XDR vs. EDR

XDR extends endpoint security

EDR is a crucial factor in a SOC’s methodology – it helps to secure specific endpoints across the network and prevent stolen workstation credentials, 威胁角色的横向移动, and other elusive behaviors. Capturing relevant context for alerts is the “special sauce” that extends endpoint security 因此，分析师和专家可以更快地采取行动.

Unify to prioritize

A capable incident detection and response (IDR) solution should be able to leverage this extended endpoint telemetry to provide out-of-the-box threat detection. Analysts could then act faster because they don’t have to sift through mountains of alerts; they can quickly respond to the alert that ranks as the highest priority.

XDR上下文+ MDR服务=高级保护

XDR端点解决方案并不局限于基本的威胁检测. 增强端点遥测(EET) 让团队知道是什么触发了特定的检测. They’ll get specific details as to what occurred before and after the incident. And, adding that all important “X” to EDR means teams will also benefit from file integrity monitoring (FIM) that provides more robust context around the users and specific assets involved with a detection.

您如何评价XDR平台?

如果您正在寻找XDR解决方案, you’re not alone: 83% of organizations are increasing their threat detection and response budgets, 29% admit to "blind spots,29%的公司需要缩短恢复时间, 27%的人希望了解哪些威胁是优先考虑的.²

First, ask what’s in the box?

Many vendors promising XDR outcomes are assuming you’ll integrate – and pay for – the many other cybersecurity technologies you’ll need for the complete telemetry set and extended-environment visibility: endpoint agents; network sensors; cloud hookups; user behavior analytics (UBA); log ingestion.

It’s important to understand what’s included and what your team is expected to bring.

接下来，了解检测哲学的含义

那么，XDR最令人期待的结果之一是什么? 承诺结束嘈杂的警报并提供高保真的检测.

问一下方法是个好主意， threat intelligence勤奋的背后，检测图书馆. 试着去理解哲学和概念证明. Experience detections firsthand. And finally, learn more by looking at objective third-party analysis or reviews.

Don’t forget the “R” in XDR

Find out what’s automated. Are analysts primed for action? Is guidance embedded? XDR应该消除单调, repetitive work and leave you the interesting work you trained for – and hopefully get you home in time for dinner. External, proactive threat intelligence that goes beyond the perimeter is now the norm in responding to incidents along an increasingly dynamic attack surface.

What is Managed XDR?

Managed XDR is a services solution provided by an external cybersecurity vendor. 它包含了上面提到的XDR的所有优点, with technology, capabilities, alerts, 响应通常由外部供应商管理. It takes the stress of managing an extended detection and response program off of the shoulders of the internal security team, 并允许SOC转向其他倡议和关注领域.

除了底层的XDR功能， 管理检测和响应(MDR) typically includes digital forensics breach response, regular threat hunting24x7x365监控，以及攻击者拦截能力. By adding XDR capabilities, security teams no longer have to jump in and out of multiple tools. A managed-services partner should be able to surface only true threats and help you create a remediation plan tailored specifically to the attack and how it’s affecting your organization.

When a SOC partners with an MDR provider well versed in XDR capabilities, that team is ensuring it can continue to innovate to drive the business forward while also receiving alerts with the proper context to prioritize.

Keep Reading About XDR:

Compare XDR Vendors

下载:ESG研究报告《十大赌博官方正规网址》

XDR News from the Rapid7 Blog

¹ 企业战略集团(ESG)， 2021年2月