For SOCs looking to improve their ability to detect and respond to threats efficiently and effectively, Extended Detection and Response (XDR) has generated increasing amounts of excitement and discourse in the industry. XDR was one of the hottest topics at RSA 2022, but like with many “hot new trends,” perspectives on what XDR actually is, and how it can help SOCs, are still developing. For security leaders, getting a clear understanding of just that — what XDR is and how it can help — is the first step to unlocking its potential.
With all the hype, it is important to consider the perspectives of respected industry analysts — who have seen the rise and fall of many hot trends — to understand what they think about this topic. IBM has sponsored ESG’s independent survey of 376 IT and security professionals involved with cybersecurity technology and processes to ask them about their perspective on SOC modernization and the role of XDR. The comprehensive survey digs into topics like the role of XDR, how it fits into a SOC, how it can help in SOC operations and more. In this blog, we dive into some of the key research findings of the survey, including the five key trends on SOC modernization.
1. More data and better detection rules are still desired
ESG’s research indicates that organizations are using more data for security and they want to use even more. The data shows that 80 percent of organizations use more than 10 data sources for security operations. These data sources include endpoint data, log data, network data, cloud data, threat intelligence and more. In addition, there is a desire for more custom detection rules. Organizations not only want content from their vendors, but they also want the ability to customize that content or write their own rules as well.
Recommendation: Look for an XDR solution that can pull from a wide variety of data sources while helping reduce tool sprawl and consolidate your tools. Consider your team’s bandwidth for writing detection content, and choose a vendor who offers a combination of out-of-the-box rules to save your team time and the ability to create custom rules based on your team’s needs.
2. SecOps process automation investments are proving valuable to organizations
According to ESG research, most organizations have invested in varying degrees of automation in SOC operations. In fact, the research shows that 90 percent of organizations have already invested in security automation for SOC operations, with nearly half investing extensively. The level and primary objectives of automation vary, but their investments are paying off.
Recommendation: Choose an XDR solution that offers automation and AI capabilities that both augment your existing AI implementations and automate some of the manual tasks that security analysts in your organization may be doing today.
3. MITRE ATT&CK framework is proving valuable for most organizations
Most organizations are now using the MITRE ATT&CK framework in their security operations, not just as a reference architecture. In fact, the research shows that 89 percent of organizations utilize the MITRE ATT&CK framework for multiple security operations use cases — from understanding the tactics, techniques and procedures of cyber adversaries, to using it as a guideline for assessing SOC maturity.
Recommendation: Select an XDR solution that maps to the MITRE ATT&CK framework and provides contextual threat intelligence to improve prioritization, root-cause analysis and response — thereby improving your SOC maturity.
4. XDR momentum continues to build
While the market is still coming to terms with the definition of XDR, it is very clear from ESG’s research that most organizations are looking to adopt a more robust XDR solution. In fact, the research shows that nearly half of the surveyed organizations see XDR as a path to break down problematic silos — from threat intelligence to MITRE ATT&CK mapping, to custom detection rules and more.
Recommendation: Look for an XDR solution that is open, so that it works not only with that vendor’s stack but also with most of the tools already in your security operations. With such a platform in place, SecOps teams can confirm that their threat intelligence feeds are supported and create custom rules.
5. The use of managed detection and response (MDR) is mainstream and expanding
Given the shortage of skilled security staff that organizations face today, ESG’s research indicates that most organizations are looking for help not just with the product (XDR) but also with the services (MDR) surrounding it. In fact, the research shows that 85 percent of organizations currently use managed services for security operations. This can help augment the skills organizations already have and allow them to focus on more strategic security initiatives.
Recommendation: Consider a vendor who offers not just an XDR product solution but also the necessary professional or managed services that can help your team. Look at options around staff augmentation, deployment and managed security services so your existing staff is appropriately supported.
Detect and eliminate threats faster with the leading XDR suite
IBM Security QRadar XDR aligns with all of the key findings called out in the ESG survey. It provides comprehensive visibility across security tools and data sources, whether in the cloud or on-premises, and offers security teams valuable insights that they can use to act quickly. It drives analyst productivity by automating the work of enriching, correlating and investigating threats with purpose-built AI and pre-built playbooks, including automated root cause analysis and MITRE ATT&CK mapping.
QRadar XDR provides the industry’s broadest open XDR ecosystem, integrating EDR, SIEM/UBA, NDR, SOAR, threat intelligence and more. It offers a unified interface that displays key information from all of these sources while leaving the source data where it is. All of this helps speed up alert triage, threat hunting, investigation and response.
IBM Security can also offer Managed Detection and Response services, as part of the industry’s broadest portfolio of solutions that manage the full threat management lifecycle with turnkey support — to help improve SOC productivity, reduce attack dwell time and rapidly respond to threats 24/7.
Learn more about ESG’s findings
We invite you to download the report and attend an engaging webinar that will feature an interesting panel discussion with experts to explore this XDR topic and findings in more detail. Sign up and see how you can best leverage an XDR solution within your environment.
Program Director, Product Management, IBM