XDR and Zero-Trust Strategy: The Whole is Greater than the sum of the parts - Seceon

We are often asked, what is the near-term future of Cybersecurity?  While experts’ answers may differ, we typically highlight the ascension of Extended Detection and Response (XDR) as a significant step change to an organization’s cybersecurity toolkit along with the adoption of the Zero-Trust Maturity Model providing both a trust-centric and data-centric approach to the protection of digital assets.

Let’s briefly tackle the latter first. On average, 85% of all assets are in digital form.  Twenty years ago, just after the millennium, this figure was just 10%.  Digitalization has made information the new oil.  It powers new industries and has tremendous value.  But with cyber threats continuing to elevate (rarely a day goes by when we don’t hear of a cyber-breach and there is a ransomware attack starting every eleven seconds), zero-trust is the new paradigm shift in cybersecurity, starting with actionable inventories of data and users. Underscoring this shift’s importance, new federal regulations now focus on identifying and managing data risks through the perspectives of people and technology. Those Federal Regulations include the much-discussed White House Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity” issued May 12, 2021. The plan in that EO was to formulate a strategy to modernize cybersecurity in both the public and private sectors to meet current threats.  That strategy centered on the concept of Zero Trust Architecture or ZTA.

To help move organizations and governmental agencies toward this approach, CISA (Cybersecurity and Infrastructure Security Agency) developed a Zero-Trust Maturity Model to offer prescriptive assistance. The Maturity Model outlines the data-centric approach, with the assumption that breaches will occur and devices and users should have least privilege access.

One section of EO 14028, Section Four, directs agencies, academia, private firms, and others to identify existing or develop new standards, tools, and best practices to enhance software supply chain security. That is where Extended Detection and Response (or XDR) comes into view.   

Cybersecurity as a domain and practice is only about thirty years old, so it is relatively young and roughly coincides with the DARPA-originated modern internet. We have now been through five generations of cybercrime, each of which forced a corresponding technological response in cybersecurity.

Let's do a short recap. In the 1990s, Generation 1 cybersecurity was defined by anti-virus software on the endpoint, and Generation 2 was the advent of the perimeter firewall. Both are still with us in next-generation forms today, but with far less effectiveness in a virtual and remote world than during prior eras. We then evolved to Generation 3, IDS/IPS, in the early 2000s, followed by polymorphic content driving sandboxing and anti-bot technology around 2010, which we consider Generation 4.

In the 2015 timeframe, and to today, we remain in Generation 5, the era of the mega-breach.  Gen 5 (the short form) attacks are typically large-scale and multi-vector.  They are designed to infect multiple components of an information technology infrastructure, including networks, virtual machines, cloud instances, and endpoint devices.

Gen 5 attacks have led to the development of a more advanced solution, Endpoint Detection and Response. Simply put, EDR is a new generation of anti-malware that no longer relies solely on signature systems to detect malicious behavior. EDR adds behavioral process analysis to determine deviance from normal activity. If you are not using, at minimum, an AI-based EDR platform, you will neither detect nor stop Generation 5 cyber attacks. Even then, EDR platforms routinely test out at 80-90% effectiveness. More is needed as we are about to embark on Generation 6 attacks, which are large-scale and multi-vector, just like Gen 5, but which also reach vendor-accessible assets, IoT, OT, cloud-connected devices, mobile, 5G and social platforms. What we need is found in XDR.


Generation 6 attacks require ubiquity in defense, not only to “see everything” but more importantly, to “secure everything”.  This is where the Zero-Trust Approach and XDR have common objectives. The goal of Zero-Trust is to prevent risks before they happen, identifying risks and indicators of a breach of trust. XDR adds a laser-focus to this identification, pinpointing evasive threats with behavioral analytics and using machine learning to detect anomalies indicative of an attack.  The “Northstar” of XDR is that it natively integrates network, endpoint, cloud, and third-party data.  It is, by nomenclature, a “cohesive security operations system”, as Gartner Group has called it. It’s a force-multiplier versus digital cyber-risk, and in a world where every company has become an attainable target, it should be found on every organization’s prioritized cybersecurity defense-in-depth chart.

But beyond the much wider range of sources to which it brings visibility, detection, and prevention, XDR offers richer functionality: for example, raising the level of contextualization by connecting to our Threat Intelligence feeds, improving anticipation by linking detected technical information with external content, and refining security orchestration and response automation by giving each intervention even finer granularity and fidelity. Cybersecurity today is about building a defense "factory", and the "gears" in that factory must be fueled with data. We first do that via machine learning, then enrich that data with even more context to develop threat models that begin detecting and evaluating threats at Stage 1, reconnaissance. That is why effectiveness in XDR can reach 99.9%, not 80-90% as with EDR or 50-60% as with legacy signature-based anti-malware.


It’s important to remember that Zero Trust is a philosophical approach, and XDR is an advanced prevention and detection capability. Zero-Trust is not a product that can be plugged in and save the day. By utilizing security tools that support the pillars of Zero Trust (posture, continuous assessment, and assumed compromise), you can significantly improve your overall security posture.

XDR is an effective security capability on its own. However, when used in tandem with the Zero Trust approach, organizations can further enhance their security. XDR has two significant assets that can support a Zero Trust strategy: strong endpoint (user, cloud workload, device, etc.) controls and organization-wide data collection and correlation from across the IT infrastructure. Here's how it works:

Strong endpoint controls deliver a solid foundation for verifying and establishing trust by providing security teams with comprehensive visibility into potential threats and endpoint/device activities. Without visibility, you can’t verify and establish trust in good faith.

Additionally, since XDR is constantly collecting and correlating data, it establishes the continuous assessment pillar of the Zero Trust architectural strategy. This means that even after you have approved initial access for an endpoint, that asset is continually reviewed and reassessed to ensure it remains uncompromised. In the event the endpoint starts acting suspiciously, for example multiple logins from various locations in impossible time frames, XDR sends a notification to security teams, allowing them to withdraw access and terminate a potential attack vector.
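The "logins from various locations in impossible time frames" check above, written out as an added example (not Seceon's code or any XDR product's logic): consecutive logins for the same identity are compared by great-circle distance and elapsed time, and any pair implying a speed above a plausible travel ceiling is flagged for review. The sample events and the 900 km/h threshold are constructed assumptions.

```python
"""Added example: an "impossible travel" check over correlated login events.
Sample logins and the speed threshold below are constructed assumptions."""
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample: successful logins for two identities, as an XDR might
# correlate them from a VPN gateway and a cloud identity provider.
SAMPLE_LOGINS = [
    ("alice", "2024-03-01T08:00:00Z", 42.3601, -71.0589),   # Boston
    ("alice", "2024-03-01T08:45:00Z", 42.3601, -71.0589),   # Boston again
    ("alice", "2024-03-01T09:30:00Z", 51.5074, -0.1278),    # London, 45 min later
    ("bob",   "2024-03-01T10:00:00Z", 37.7749, -122.4194),  # San Francisco
    ("bob",   "2024-03-01T16:30:00Z", 40.7128, -74.0060),   # New York, 6.5 h later
]

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier_ts, later_ts, km, hours) for each consecutive pair
    of logins by the same user whose implied speed exceeds max_kmh."""
    by_user = {}
    for user, ts, lat, lon in logins:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_user.setdefault(user, []).append((when, lat, lon))
    alerts = []
    for user, events in by_user.items():
        events.sort()  # order by timestamp so pairs are truly consecutive
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if km < 1.0:
                continue  # same location: repeated logins are fine, however fast
            # A real move with zero elapsed time is treated as infinite speed.
            if hours == 0 or km / hours > max_kmh:
                alerts.append((user, t1.isoformat(), t2.isoformat(), round(km), round(hours, 2)))
    return alerts
```

In a deployment the alert would feed the enforcement point that revokes the session, and the threshold would be tuned per organization.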

Zero Trust and XDR also help take work off security teams. With a Zero Trust strategy that leverages XDR, many security weaknesses and gaps can be detected by XDR and subsequently blocked by enforcement points, eliminating a significant number of vulnerabilities and a significant amount of work for security teams. By closing security gaps, security teams have more time to focus on investigating advanced attacks. As always, the fewer the attacks, the easier it is for enterprises to achieve their business goals, something a Board of Directors can understand.


We established earlier that Zero-Trust is a trust-centric architecture that puts human and machine identities at the heart of security policy creation. In this architecture, enterprise access controls and policies are based on identity and assigned attributes. In Zero-Trust, every access request requires an establishment of permitted access combined with a provable identity, regardless of where the request came from. It's dynamic and adaptive, supporting modern enterprise models: BYOD, remote workers, cloud apps, hybrid cloud, on-premises, social integration, and more.

XDR then does the heavy lifting: preventing unknown and known ransomware, stopping active attacks, detecting and preventing lateral movement, hunting for undetected signs of compromise, and identifying MITRE ATT&CK adversarial tactics and techniques. XDR correlates data across endpoints, applications, the cloud, operational technology, the Internet of Things and the aforementioned identity-centric architecture, essentially the entire IT estate. One (Zero-Trust or XDR) without the other leaves an incomplete technical security framework.

So our advice is the following: opt for complete visibility and extended protection for any application, workload, resource, compliance objective (e.g. PCI-DSS), or network. Detect advanced threats and respond to them rapidly, with the ability to identify the origin and to track and investigate in depth. Insist that your solution includes native integrations and support for APIs and protocols to protect the totality of your investment. Then establish trust and least privilege before granting any access (device or user) or allowing a connection. Lastly, align the attacker's likely path with the highest level of coverage across differing attack techniques. Sleep better while doing risk management and security better. You can do all of this with a zero-trust architecture and a field-proven XDR solution. Reach out to me with questions. I always welcome hearing from you.
See you next time.


