What is XDR?
The largest cybersecurity companies in the world, industry analysts and other security experts are talking about the emergence of Extended Detection and Response (XDR) solutions, which Gartner defines as solutions that “automatically collect and correlate data from multiple security products to improve threat detection and provide an incident response capability.” If this were possible today, imagine the gains in Mean Time to Detection (MTTD) and Mean Time to Respond (MTTR) to an attack or active threat in your environment.
Evaluating XDR Offerings
Large security vendors with XDR offerings position their solution as integrating their own set of products, which may include a couple of third-party products already part of their suite, and providing a central screen or single pane of glass where all the data can be seen. But that raises some important questions:
What data are you looking at in that central console?
Data can come from any of the solutions that are part of the XDR offering at any time and, given alert overload, we’re probably talking about massive amounts of data. Without context from external intelligence sources, it’s impossible to determine relevance and prioritization.
What happens with organizations that aren’t starting with a clean slate and have a variety of best-of-breed solutions across departments and teams?
To deal with this, many of these larger vendors are now creating marketplaces, hoping that smaller vendors will use their APIs to build integrations with them. This takes a lot of time and isn’t easy to maintain.
How do you integrate on-premises legacy tools with XDR’s cloud-based architecture?
Even if the XDR solution vendor has great APIs that are “easy” to write to, getting data from on-premises, legacy applications to a cloud platform is a considerable undertaking. An XDR implementation can quickly turn into a very large consulting project requiring significant time and budget.
How ThreatQ Enables XDR
Aggregate and normalize external and internal threat intelligence, augmenting it with internal event data and context.
Correlate detections over time and identify broader campaigns versus viewing each incident independently so that teams can respond more quickly and accurately to an incident.
Use standard interfaces for ingestion and exporting, and easily write custom connectors to connect to new data sources and security controls to address emerging threats.
Automatically score intelligence to filter out noise and prioritize based on parameters set by users. Act on that intelligence automatically or make it available to analysts.
Create organizational memory for learning and improvement by storing and prioritizing the data collected from all investigations.
Leverage bi-directional integration, including with existing tools the XDR vendor may not be familiar with, to send data to the right tools across the security ecosystem for efficient response, as well as back to the ThreatQ platform to accelerate understanding and detection.
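As an added illustration of the normalize, score and correlate steps above (example code written for this page, not ThreatQ platform code): two constructed feed records in different vendor schemas are mapped to one shape, scored with hypothetical user-set weights (source reliability, recency half-life, multi-source agreement), and then matched against constructed internal detections so that repeated sightings of one indicator are grouped into a campaign while low-scoring noise is dropped.

```python
from collections import defaultdict
from datetime import date

# Constructed feed records in two vendor schemas (documentation addresses, not real indicators).
FEED_A = [{"ioc": "203.0.113.7", "kind": "ipv4", "conf": 80, "seen": "2024-03-01"},
          {"ioc": "evil.example", "kind": "domain", "conf": 50, "seen": "2024-02-20"}]
FEED_B = [{"value": "203.0.113.7", "type": "ip-dst", "confidence": 0.6, "timestamp": "2024-03-10"},
          {"value": "198.51.100.9", "type": "ip-dst", "confidence": 0.2, "timestamp": "2023-01-01"}]
# Constructed internal detections (e.g. EDR or firewall alerts) referencing an indicator value.
DETECTIONS = [{"ioc": "203.0.113.7", "host": "ws-17", "day": "2024-03-11"},
              {"ioc": "203.0.113.7", "host": "ws-42", "day": "2024-03-12"},
              {"ioc": "198.51.100.9", "host": "srv-3", "day": "2024-03-12"}]
# Hypothetical user-set parameters: per-source reliability and a schema-to-common-type map.
SOURCE_WEIGHT = {"feed_a": 0.9, "feed_b": 0.5}
TYPE_MAP = {"ipv4": "ip", "ip-dst": "ip", "domain": "domain"}
TODAY = date(2024, 3, 15)  # fixed "now" so the example is deterministic

def normalize(feed_a, feed_b):
    """Map both vendor schemas to one tuple shape: (source, value, type, confidence 0-1, first_seen)."""
    out = [("feed_a", r["ioc"], TYPE_MAP.get(r["kind"], r["kind"]), r["conf"] / 100,
            date.fromisoformat(r["seen"])) for r in feed_a]
    out += [("feed_b", r["value"], TYPE_MAP.get(r["type"], r["type"]), r["confidence"],
             date.fromisoformat(r["timestamp"])) for r in feed_b]
    return out

def score(records, today=TODAY, half_life_days=90):
    """Per indicator: best source-weighted, recency-decayed confidence, plus a bonus when sources agree."""
    by_ioc = defaultdict(list)
    for src, value, typ, conf, seen in records:
        by_ioc[(value, typ)].append((src, conf, seen))
    scores = {}
    for (value, typ), hits in by_ioc.items():
        best = max(SOURCE_WEIGHT[src] * conf * 0.5 ** ((today - seen).days / half_life_days)
                   for src, conf, seen in hits)
        agreement = 1 + 0.25 * (len({src for src, _, _ in hits}) - 1)
        scores[value] = round(min(100.0, 100 * best * agreement), 1)
    return scores

def correlate(detections, scores, threshold=20.0, window_days=7):
    """Drop detections on indicators below threshold; merge sightings of one indicator within a window."""
    campaigns = []
    for d in sorted(detections, key=lambda d: d["day"]):
        s = scores.get(d["ioc"], 0.0)
        if s < threshold:
            continue  # noise: unknown or stale, low-confidence indicator
        day = date.fromisoformat(d["day"])
        for c in campaigns:
            if c["ioc"] == d["ioc"] and (day - c["last"]).days <= window_days:
                c["hosts"].add(d["host"])
                c["last"] = day
                break
        else:
            campaigns.append({"ioc": d["ioc"], "score": s, "hosts": {d["host"]}, "first": day, "last": day})
    return sorted(campaigns, key=lambda c: (-c["score"], -len(c["hosts"])))  # prioritized for analysts
```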
The ThreatQ Platform: Powering the XDR Movement
The ThreatQ platform takes a threat-centric approach to security operations because we believe you cannot defend against what you do not understand. We have deep roots in threat intelligence management, which positions us perfectly to address the XDR use case of extended detection. What’s more, because threat intelligence is the lifeblood of security operations, our customers efficiently and effectively address multiple use cases from within the platform:
SPEAR PHISHING
THREAT HUNTING
ALERT TRIAGE
VULNERABILITY MANAGEMENT
INCIDENT RESPONSE