Network outages remain a significant challenge for enterprises, with network and connectivity issues accounting for nearly a third of all IT-related downtime. As organizations rely on a growing number of third-party IT providers and services, the source of a network incident can lie anywhere across the enterprise's own network, a provider's network, or a last-mile connection, and tracing it can take days or even weeks.
The complexity of diagnosing network incidents, compounded by a mountain of alerts, often delays resolution and raises both business and security risk. Standard incident response methods struggle to identify the root cause of an outage promptly, prolonging and exacerbating its impact on the organization.
XDR for network incident detection and response
The answer to networking problems may lie in security. XDR (extended detection and response) analyzes data from many sources, such as user activity logs, threat intelligence feeds, and native and third-party network sensors like firewalls and IDS/IPS (intrusion detection/prevention systems), to provide a holistic view of security threats and streamline incident response.
The same AI algorithms that power XDR's threat detection can also collect and analyze network signals to identify network issues such as outages, downed links, and BGP (border gateway protocol) session disconnects. Standard XDR, however, ingests data from disparate network and security sensors and endpoints, which produces a flood of alerts and incomplete or inconsistent data. Sensor data pooled from various third parties must be normalized (mapped onto one schema with consistent timestamps, field names, and identifiers) before XDR can correlate and contextualize it, and data quality issues and alert fatigue then complicate incident identification and hamper response. Some data may remain missing entirely, forcing NOC (network operations center) analysts to learn and switch between different tools to fill the gaps.
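As an added illustration of the normalization and correlation step described above (example code written for this page, not any vendor's product code): three constructed records in different native formats, a firewall CSV line, an IDS alert in JSON, and a router BGP syslog message, are mapped onto one assumed common schema and then grouped by the node they concern within a five-minute window. The schema's field names, the record formats, and the sample values are all assumptions; the syslog year is supplied by the caller because classic syslog omits it.

```python
"""Normalize heterogeneous sensor records into one schema, then correlate them.
Added example, not vendor code; all sample records and field names are constructed."""
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Event:
    """Common schema every sensor is mapped onto (field names are assumptions)."""
    ts: datetime
    sensor: str   # producing sensor: ngfw, ids, router
    kind: str     # normalized event type
    node: str     # host or device the event is about (the correlation key)
    detail: str


@dataclass
class Incident:
    node: str
    events: list = field(default_factory=list)

    @property
    def kinds(self):
        return sorted({e.kind for e in self.events})


# Constructed sample records, one per native format.
NGFW_LOG = "2024-05-03T10:02:11Z,deny,10.1.4.7,203.0.113.9,443,policy=block-outbound"
IDS_ALERT = json.dumps({"timestamp": "2024-05-03 10:03:40", "src": "10.1.4.7",
                        "dst": "203.0.113.9", "sig": "ET POLICY TLS to suspicious host"})
ROUTER_SYSLOG = ("<189>May  3 10:04:05 edge-rtr1 bgpd[812]: %BGP-5-ADJCHANGE: "
                 "neighbor 198.51.100.2 Down BGP Notification sent")


def parse_ngfw(line):
    ts, action, src, dst, port, rest = line.split(",", 5)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Event(when, "ngfw", f"fw-{action}", src, f"{dst}:{port} {rest}")


def parse_ids(raw):
    d = json.loads(raw)  # IDS timestamp carries no zone; assume UTC
    when = datetime.strptime(d["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return Event(when, "ids", "ids-alert", d["src"], d["sig"])


BGP_RE = re.compile(r"^<\d+>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) .*neighbor (\S+) (Up|Down)")


def parse_bgp_syslog(line, year=2024):
    """Classic syslog has no year; the caller supplies it (assumed 2024 here)."""
    m = BGP_RE.search(line)
    if not m:
        return None
    stamp, host, neighbor, state = m.groups()
    when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return Event(when, "router", f"bgp-{state.lower()}", host, f"neighbor {neighbor}")


def normalize(records):
    """records: iterable of (format, raw). Unknown formats are dropped, not guessed."""
    parsers = {"ngfw": parse_ngfw, "ids": parse_ids, "syslog": parse_bgp_syslog}
    out = []
    for fmt, raw in records:
        ev = parsers.get(fmt, lambda _: None)(raw)
        if ev is not None:
            out.append(ev)
    return sorted(out, key=lambda e: e.ts)


def correlate(events, window=timedelta(minutes=5)):
    """Group time-sorted events that share a node and fall within `window`
    of the group's first event; a new group opens once the window is exceeded."""
    incidents = []
    open_by_node = {}
    for ev in events:
        inc = open_by_node.get(ev.node)
        if inc is None or ev.ts - inc.events[0].ts > window:
            inc = Incident(ev.node)
            incidents.append(inc)
            open_by_node[ev.node] = inc
        inc.events.append(ev)
    return incidents


def demo():
    events = normalize([("ngfw", NGFW_LOG), ("ids", IDS_ALERT), ("syslog", ROUTER_SYSLOG),
                        ("netflow", "unsupported-record")])  # last one is dropped
    return correlate(events)


if __name__ == "__main__":
    for inc in demo():
        print(inc.node, inc.kinds, len(inc.events))
```

The two firewall and IDS records collapse into one security incident on 10.1.4.7, while the BGP message becomes a separate network incident on edge-rtr1, so one pipeline yields both kinds of incident. Every parser above is a per-vendor adapter that has to be written and maintained by hand, and the unsupported NetFlow record shows the gap that remains when no adapter exists; that maintenance burden is the cost the paragraph describes.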
In addition, NOC analysts must establish baselines for normal or acceptable network and user activity before they can reliably identify incidents and anomalies, and building those baselines consumes valuable time and resources. Meanwhile, in 2023 organizations took an average of 204 days to identify a data breach and another 73 days to contain it (IBM's 2023 Cost of a Data Breach report).
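As an added example of the baselining step (written for this page, not the vendor's method): learn a mean and standard deviation for a per-minute metric from a constructed warm-up period, then flag later samples whose z-score crosses a threshold for at least two consecutive minutes. A sustained drop to zero reads as a downed link, a sustained rise as a flood or scan, and a single-minute blip is ignored. The series, the threshold, the minimum run length, and the labels are all assumptions.

```python
"""Learn a per-minute baseline from a warm-up window, then flag sustained deviations.
Added example; the metric, series and thresholds are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Baseline:
    mu: float     # mean of the warm-up window
    sigma: float  # standard deviation, floored so a flat baseline cannot flag jitter


def learn_baseline(samples, min_samples=10, min_sigma=1.0):
    if len(samples) < min_samples:
        raise ValueError(f"need at least {min_samples} warm-up samples, got {len(samples)}")
    return Baseline(mean(samples), max(pstdev(samples), min_sigma))


def score(baseline, x):
    """z-score of one sample against the baseline."""
    return (x - baseline.mu) / baseline.sigma


def detect(samples, baseline, threshold=3.0, min_run=2):
    """Return (start, end, label) index ranges where |z| >= threshold for at
    least min_run consecutive samples. Shorter excursions are treated as noise."""
    anomalies = []
    run_start, run_sign = None, 0
    # Sentinel at the mean closes a run that reaches the end of the series.
    for i, x in enumerate(list(samples) + [baseline.mu]):
        z = score(baseline, x)
        sign = 1 if z >= threshold else -1 if z <= -threshold else 0
        if sign != run_sign:
            if run_sign != 0 and i - run_start >= min_run:
                anomalies.append((run_start, i - 1, "spike" if run_sign > 0 else "drop"))
            run_start, run_sign = i, sign
    return anomalies


# Constructed warm-up: new flows per minute at one site, quiet period (mean 100).
WARMUP = [98, 103, 101, 97, 100, 104, 99, 102, 96, 100] * 3

# Constructed live series: one blip (index 2), a 3-minute drop to zero (5-7,
# e.g. a downed link) and a 2-minute surge (10-11, e.g. a scan or flood).
LIVE = [101, 99, 140, 100, 102, 0, 0, 0, 98, 101, 400, 410, 100, 99]


def demo():
    base = learn_baseline(WARMUP)
    return detect(LIVE, base)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should check before trusting such a baseline: a warm-up window that already contains an outage or an attack inflates sigma and hides later incidents (inspect the warm-up, or use median and MAD instead of mean and standard deviation), and a single fixed mean ignores daily and weekly cycles, so in practice one baseline per hour-of-week, or a seasonal model, is needed to avoid flagging every Monday morning.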
Converged SASE provides high-quality data for XDR
To overcome the limitations of standard XDR, organizations can choose XDR capabilities integrated within a SASE (secure access service edge) architecture. SASE consolidates networking and security functions into a cohesive whole with single-pane-of-glass visibility, and SASE-based, next-generation XDR can use SASE's telemetry to drive an organization's incident detection and response workflows.
Native sensors, such as the NGFW (next-generation firewall), advanced threat prevention, SWG (secure web gateway), EPP (endpoint protection platform), EDR (endpoint detection and response), and ZTNA (zero trust network access), feed data into a unified data lake using one schema, so SASE removes the need for cross-vendor data integration and normalization. XDR can analyze the raw data directly, avoiding the inaccuracies and gaps that normalization introduces. Such XDR implementations also have a single source of truth for all networking and security incidents, which reduces false positives and expedites remediation.
AI-driven insights expedite XDR
AI and machine learning play a pivotal role in XDR. Algorithms trained on large volumes of data enable more accurate incident detection and correlation, but only comprehensive, consistent, high-quality data and events can train AI/ML models that produce quality XDR incidents and perform root-cause analysis. SASE converges petabytes of data from its native sensors into a single data lake for training such models, which can then be put to work far faster than baselines for network and user activity can be established by hand.
Beyond incident detection, generative AI can simplify incident reporting by producing human-readable incident narratives that carry the information needed for further investigation. AI and ML can suggest relevant remediation steps, reducing response times and improving the overall security posture. AI-driven XDR can also rank network incidents against each organization's risk appetite, so that network analysts can prioritize incidents and direct resources to the most critical ones first.
NOC and SOC collaboration strengthens XDR
SASE-based XDR fosters closer collaboration between networking and security teams. Recognizing how interconnected network infrastructure and security controls have become, and the need for unified effort in response to complex incidents, organizations are considering converged NOC and SOC (security operations center) teams. According to a recent survey, 86% of enterprises report increased collaboration between network and security teams, and 49% have partially or fully integrated the two functions.
SASE-based XDR promotes this synergy by giving both domains a unified platform and a shared vision and language. It correlates networking data with security data for accurate incident detection and holistic root-cause analysis, letting analysts remediate faster. It also helps orchestrate a unified response to incidents that require coordinated action from both the security and networking sides.
Network outages remain a challenge for enterprises, accounting for nearly a third of IT-related downtime, and standard incident response methods struggle to identify the root cause promptly, prolonging the impact. Data convergence, AI and ML models, and collaboration between network and security teams address the shortcomings of legacy XDR, paving the path to more accurate detection, faster remediation, and better business continuity.