XDR: what is it, how does it work and how do MSPs use it?
We have been talking about eXtended Detection and Response (XDR) for some years now, but despite being a buzzword in the industry, a fundamental question remains: what are we really talking about here? According to Gartner, which first defined the term in 2020, XDR is a vendor-specific threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system.
Today, 62% of security professionals claim they are "very familiar" with the term XDR, which is up from just 24% in 2020. While this is clearly an improvement, 29% still state to be only "somewhat familiar," "not very familiar" or "not at all familiar" with XDR technology, according to a recent ESG study.
As the question of what XDR is still isn’t clear for some, we have decided to delve deeper into the concept. Extended detection and response technology specifically addresses the need for new levels of security telemetry aggregation, correlation and analysis to protect an increasingly diversified attack surface and deal with the constantly evolving landscape where threats are becoming more complex to detect. Integrating XDR capabilities into an organization's infrastructure means security events from diverse sources and assets can be analyzed and correlated to determine which activities are taking place. XDR shares knowledge from a single security platform for fast, automated responses that reduce the workload of security personnel.
Correlation was already present in Watchguard’s first version of ThreatSync: a Cloud-based engine that analyzed event data from Host Sensors and Fireboxes to identify malicious behavior. However, the old Threat Detection and Response (TDR) solution only used endpoint telemetry to detect malicious files and respond to actions initiated in the Cloud, correlating network events with individual files and processes on the endpoint. Now, ThreatSync has evolved to become an XDR solution by integrating endpoint and network security solutions on a single platform, which can correlate threat detection information from different layers of protection and orchestrate the tools' response.
How does XDR work?
XDR boosts security by combining different technologies that generate more accurate detections than when they operate separately. XDR collects and displays cross-product detections for computers, servers and firewalls in a unified way, which provides security professionals with the context of threat detections and enables them to respond to and stop advanced threats faster, lowering the risk posed by security threats significantly. By including this data in a single Cloud console, it also eliminates the need to learn how to use multiple consoles. Thus, it is possible to detect threats on both protected and unprotected devices by using cross-domain data to thwart advanced threats that are not visible at the perimeter or endpoint.
In addition, the use of cross-domain and event correlation means activities can be monitored for different security products, which facilitates the categorization and detection of malicious scenarios that may seem harmless on their own, but when contextualized, become indicators of compromise (IoCs), reducing the mean time to detection (MTTD), enabling rapid containment of potential impacts and limiting the severity and scope of incidents.
Response automation and scheduling frees analysts from repetitive or manual tasks by acting on detections that match previously defined criteria. This makes it possible to terminate processes, delete files, isolate an endpoint or block a public IP without the need for analyst intervention.
Use cases and benefits of XDR for MSPs
Using XDR delivers great advantages for managed service providers (MSPs) when protecting their customers’ security. For instance, correlation between network security and the endpoint can make all the difference in the event of an advanced persistent threat (APT). Today we expect files to be downloaded almost instantaneously, so firewalls have to allow unknown files to be downloaded while sending them to the sandbox for analysis. Once analyzed, if the file is found to be malicious, the XDR correlates it with an endpoint to remove it from the device.
Similarly, for processes running on a computer that are not harmful per se, but can make malicious connections, such as browsers or email clients, XDR capabilities can take data from blocked connections on the firewall and link it to individual applications on the endpoint. This enables users to detect new malicious applications or simply discover goodware with suspicious behavior that requires further analysis.
The above use cases highlight how this tool can help MSPs protect their customers' networks. However, there are other benefits of using the XDR that MSPs can garner:
Unified threat visibility:
XDR delivers greater accuracy and accelerates detection by unifying threat data into a single interface. Collecting and visualizing cross-detections with various products makes MSPs more agile, as they obtain the context surrounding the detections that provides the information they need to respond to and stop advanced threats more efficiently.
Reducing mean time to detect (MTTD):
According to IBM data, in 2022 it took companies an average of 207 days to identify a security incident. However, organizations with XDR technologies gained considerable advantages in identification and response times. Organizations that deployed XDR shortened the incident lifecycle by approximately one month (29 days), on average, compared to organizations that did not deploy XDR.
Unified threat response orchestration:
XDR enables MSPs to be more efficient by offering a wide range of response actions, enabling them to schedule and automate threat response across the entire network from a single console quicker, which reduces risk and provides greater accuracy and speed of response by reducing mean to time to respond (MTTR). For any company, being able to reduce detection times and show agility in response actions can make the difference between responding in time to a threat and preventing it from causing greater damage or the attack from spreading and taking control of the organization's systems.
No configuration required:
Some XDR solutions require advanced knowledge when installing, configuring and setting up the tool. The XDR solution, WatchGuard ThreatSync, is part of the Unified Security Platform framework, offering a unified and intuitive user experience that simplifies adaptation and learning, and as it is multi-product and fully integrated, this reduces the costs associated with configuring and integrating solutions.
XDR is the perfect fit for MSPs running midsize businesses, enabling them to increase security capabilities in an automated way and without the need for cybersecurity experts. It improves visibility, increases detection capabilities in specific scenarios, and simplifies responding to and remediating attacks. Find out how WatchGuard can help you adopt an XDR-based security approach through our ThreatSync solution.