The Integration Imperative for XDR
Written by Marc Solomon, Chief Marketing Officer, ThreatQuotient
Large security vendors with XDR offerings position their solution as integrating their own set of products which may include a couple of third-party products already part of their suite and providing a central screen or single pane of glass to be able to see all the data. But that raises some important questions:
What data are you looking at in that central console?
Data can come from any of the solutions that are part of the XDR offering at any time and, given alert overload, we're probably talking about massive amounts of data. Without context from external intelligence sources, it's impossible to determine relevance and prioritisation. Because the data isn't curated for the specific customer environment it could be noise, which lowers users' confidence in the data and their ability to make the right decisions.
What happens with organisations that aren't starting with a clean slate and have a variety of best-of-breed solutions across departments and teams?
To deal with this, many of these larger vendors are now creating marketplaces, hoping that smaller vendors will use their APIs to build integrations with them. This is starting to happen. But if you have been in the software industry for a while, you understand that this takes a lot of time and isn't easy to maintain. And if a smaller vendor has products that actually compete with the main vendor, the integration may never happen.
How do you integrate on-premises legacy tools with XDR's cloud-based architecture?
Even if the XDR solution vendor has great APIs that are “easy” to write to, getting data from on-premises, legacy applications to a cloud platform is a considerable undertaking. An XDR implementation can quickly turn into a very large consulting project requiring significant time and budget. Alternatively, some organisations may choose to outsource the entire function to a managed detection and response (MDR) service provider that offers XDR as a service. MDR is a growing category in cybersecurity services and is an offshoot of the traditional Managed Security Service Providers (MSSPs). Unlike MSSPs, MDR companies don't manage traditional security tools and technologies like firewalls but are there to detect, respond and address attacks.
To help XDR solutions deliver on their promise, what's needed is a platform focused on integration, serving as a central repository for data and intelligence from internal and external sources, and as a conduit between existing security technologies and cloud-based XDR offerings. More than a central screen or single pane, the platform delivers a single source of truth for teams and tools, bringing in third-party intelligence to enrich data from internal tools with context and prioritise it for action. This single source of truth can prioritise and filter out noise, share knowledge, serve as organisational memory and become a custom enrichment source for all teams and tools to use to accelerate security operations.
With preprocessed, curated data, teams have high confidence that the data is relevant. Confidence in data leads to confidence in decision making which, in turn, leads to confidence in automating those decisions and actions. Because that platform also integrates with third-party security controls, relevant, prioritised threat intelligence can flow through all systems, playbooks and processes. Actions – automated or manual – are based on the right data and can be executed quickly.
Clearly, integration is imperative for XDR – enabling effective detection and efficient response.