
Chaos Versus Clarity – Why Context Is Needed for Security

Asia Pacific was reportedly the most attacked region in 2021, with server access and ransomware being the top two attack types, and Japan, Australia and India being the most attacked countries across the region.

As the threat landscape becomes increasingly complex and challenging from every angle, security teams are under immense pressure as they are understaffed, overworked and catching up with the wide-ranging effects of the pandemic.

The talent issue reverberates as skill gaps and the complexity around IT management continue to widen and grow. Many security professionals are falling into the trap of adopting numerous security tools to help them cope with these problems.

While adding more technology can solve some of the issues, it can also dilute team attention spans further, leading to more problems over time.

Board members can be overwhelmed with the bounty of acronyms that surround security – security information and event management (SIEM), security orchestration, automation and response (SOAR) and endpoint detection and response (EDR), to name a few that clamour for investment and seem to cross over one another.

Now there is extended detection and response (XDR) as well, so how can they understand what is delivering what value?

Prioritise threat detections with XDR

Whether it be SIEM, SOAR or EDR, each tool is valuable in its own right. However, with each new integration, organisations are facing greater data silos. Each dashboard reports metrics based on the visibility of its corner of the corporate network and specific use cases. Analysts then have to deal with a barrage of alerts from their range of solutions.

This leads to problems where the same alert can be flagged to multiple teams or where issues can slip through the gaps. With security analysts already stressed, this can produce alert fatigue.

To address this, XDR solutions are designed as the top layer to investigate every potential incident in the digital estate and enable real-time incident detection and response.

Yet, not all XDRs are created equal. Some solutions regurgitate data to users, which creates extra work for the analyst who still needs to interpret this data and make countless manual decisions about the required action.

Current SIEM and XDR solutions passively and reactively collect disparate, unrelated logs, which creates an avalanche of notifications that place the burden of correlation and prioritisation on the security analyst.

The emphasis is on the user to sift through those alerts to detect threats and prioritise response and remediation based on their analysis accordingly. This is a heavy lift for any team, particularly when dealing with false positives that waste time and affect staff morale.

The power of context in cybersecurity

Context is the difference between wasted time spent on manual tasks and more focused investigation where it is really needed.

With understaffed and time-poor security teams struggling to support remote working and deal with more attacks, providing context using XDR is an effective route to providing what businesses need to improve their risk posture and security approach.

Without this, teams will struggle to manage workflows and deal with potential issues in a timely manner.

XDR solutions must be able to break down security data silos in order to deliver a holistic view into threats across the enterprise.

In many organisations, there is a patchwork quilt of integrations, with disparate solutions handling vulnerability management, patching, asset inventory, identity and access, CMDB, SIEM and all points in between. This is why the power of a unified platform is crucial for XDR.

Attain clarity through context

The right XDR solution can provide clarity through context by bringing together the following benefits. CISOs should bear them in mind when implementing XDR.

  • Risk posture – The solution should leverage comprehensive vulnerability, threat and exploit insights not just for the asset’s OS but also third-party apps. This includes misconfiguration/end-of-life awareness for continuous vulnerability mapping that provides a complete picture of the enterprise’s risk posture. Risk scoring based on simple OS patch to CVE mapping leaves out too many possible exposures that threat actors are expert at exploiting.
  • Asset criticality – The XDR solution should be able to deliver the security and business context necessary to dynamically prioritise high-value assets (like an executive’s laptop or a critical R&D server) in real time.
  • Threat intelligence – Deep understanding of exploits, attacker techniques and how threat actors use vulnerabilities to penetrate defences is fundamental to delivering preventative and reactive response capabilities to stop active attacks, remediate root-cause and patch to prevent future attacks.
  • Third-party data – The XDR solution must be able to gather up-to-the-second log and telemetry data from the enterprise’s third-party solutions and triangulate this with asset risk posture, criticality and threat intelligence to detect threats and create high-fidelity alerts.
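To make the four benefits above concrete, and to show how the duplicate-alert problem described under "Prioritise threat detections with XDR" is handled in the same pass, here is an added example that is not part of the original article or any vendor's product. It collapses alerts raised by several tools for the same host and technique into one incident, then scores each incident from asset criticality, exposure (including third-party application CVEs and end-of-life software, not only OS patch state), actively-exploited threat intelligence and corroboration across sources. All assets, alerts, CVE identifiers (deliberately invalid `CVE-0000-*` placeholders) and weights are constructed for the illustration.

```python
"""Context-driven alert triage: correlate, enrich, prioritise.

Added example with constructed data; the weights are illustrative, not a
standard. CVE identifiers are placeholders, not real vulnerabilities.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int              # 1 (low) .. 5 (crown jewel), assigned by the business
    os_cves: FrozenSet[str]       # open CVEs in the operating system
    app_cves: FrozenSet[str]      # open CVEs in third-party applications
    eol_software: FrozenSet[str]  # unsupported software still installed


@dataclass(frozen=True)
class Alert:
    source: str                   # tool that raised it (EDR, SIEM, NDR, ...)
    host: str
    technique: str                # detection category as named by the tool
    cve: Optional[str] = None     # CVE the detection is tied to, if any


@dataclass
class Incident:
    host: str
    technique: str
    cve: Optional[str]
    sources: List[str] = field(default_factory=list)
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def correlate(alerts: List[Alert]) -> List[Incident]:
    """Merge alerts from different tools that describe the same host,
    technique and CVE so one event is not worked twice by two teams."""
    incidents: Dict[tuple, Incident] = {}
    for a in alerts:
        key = (a.host, a.technique, a.cve)
        inc = incidents.setdefault(key, Incident(a.host, a.technique, a.cve))
        if a.source not in inc.sources:
            inc.sources.append(a.source)
    return list(incidents.values())


def is_exposed(asset: Asset, cve: Optional[str], naive: bool = False) -> bool:
    """Exposure check. naive=True reproduces simple OS-patch-to-CVE mapping;
    the default also counts CVEs in third-party applications."""
    if cve is None:
        return False
    if cve in asset.os_cves:
        return True
    return (not naive) and cve in asset.app_cves


def score_incident(inc: Incident, assets: Dict[str, Asset],
                   exploited: FrozenSet[str]) -> Incident:
    """Attach business and threat context to an incident and score it."""
    asset = assets.get(inc.host)
    if asset is None:
        inc.reasons.append("unknown asset: no inventory record")
        inc.score = 1
        return inc
    score = asset.criticality
    inc.reasons.append(f"asset criticality {asset.criticality}")
    if is_exposed(asset, inc.cve):
        score += 3
        inc.reasons.append(f"{inc.cve} is open on this asset")
        if inc.cve in exploited:
            score += 3
            inc.reasons.append(f"{inc.cve} is being actively exploited")
    elif inc.cve:
        inc.reasons.append(f"{inc.cve} not present on this asset: likely noise")
    if asset.eol_software:
        score += 1
        inc.reasons.append(f"end-of-life software: {sorted(asset.eol_software)}")
    if len(inc.sources) > 1:
        score += len(inc.sources) - 1
        inc.reasons.append(f"corroborated by {len(inc.sources)} tools")
    inc.score = score
    return inc


def triage(alerts: List[Alert], assets: Dict[str, Asset],
           exploited: FrozenSet[str]) -> List[Incident]:
    """Correlate, score and order incidents, highest priority first."""
    scored = [score_incident(i, assets, exploited) for i in correlate(alerts)]
    return sorted(scored, key=lambda i: i.score, reverse=True)


# Constructed sample data (placeholder CVE ids, not real vulnerabilities).
ASSETS = {
    "rd-server-01": Asset("rd-server-01", 5, frozenset(),
                          frozenset({"CVE-0000-1111"}), frozenset({"legacy-agent 2.x"})),
    "kiosk-07": Asset("kiosk-07", 1, frozenset({"CVE-0000-2222"}),
                      frozenset(), frozenset()),
}
EXPLOITED = frozenset({"CVE-0000-1111"})   # constructed threat-intel feed
ALERTS = [
    Alert("EDR", "rd-server-01", "exploit-attempt", "CVE-0000-1111"),
    Alert("SIEM", "rd-server-01", "exploit-attempt", "CVE-0000-1111"),
    Alert("EDR", "kiosk-07", "exploit-attempt", "CVE-0000-9999"),
    Alert("SIEM", "rd-server-01", "suspicious-login"),
]

if __name__ == "__main__":
    for inc in triage(ALERTS, ASSETS, EXPLOITED):
        print(inc.score, inc.host, inc.technique, inc.sources, inc.reasons)
```

The two EDR and SIEM alerts for the R&D server collapse into one incident, and the naive OS-only check (`is_exposed(..., naive=True)`) reports that server as not vulnerable because the CVE sits in a third-party application; the context-aware check and the exploited-in-the-wild feed push it to the top, while the kiosk alert for a CVE the asset does not carry lands at the bottom as probable noise.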

In summary, the only way to truly understand and react appropriately to a security event is with context. Without context, alerts become noise.

Context changes the picture. With proper context, the responder understands immediately what the business impact of a given alert is and can respond appropriately. Context lends a level of intelligence that aids in proper, proactive response.