Taking Threat Detection and Response to the Next Level with Open XDR

November 2, 2021

The challenges facing today’s security industry can easily be described as a perfect storm: increasingly sophisticated cyber attackers combined with the proliferation of security tools to cover an expanding attack surface driven by remote work and cloud adoption. These dynamics can lead to disconnected insights and data, putting even more pressure on the existing shortage of security skills. As a result, the way security teams approach threat detection and response is at a turning point. To guard against complex threats and safely navigate digital transformation, organizations need broad visibility, connected data and the ability to make smart decisions, fast.

Given these challenges, it’s not surprising that extended detection and response (XDR) has gained so much momentum of late. One of the promises of XDR is to provide the security analyst with high-fidelity insights and the ability to take action quickly, with end-to-end visibility, detection, investigation and response across multiple security layers. In short, XDR must enable security teams to work more efficiently.

With the industry on the cusp of this turning point, I wanted to take a brief look at the current threat environment, how XDR addresses security challenges and why truly open XDR can empower security operations center (SOC) teams. I’ll also discuss why IBM intends to acquire ReaQta and how XDR Connect, launched today, can help enhance your security strategy.

A Quick View Into the Current Threat Landscape

The stakes of a security incident are higher than ever. Security teams are navigating enterprise adoption of cloud workloads and a remote workforce, leading to increasingly complex IT environments and an expanded attack surface. According to the Cost of a Data Breach Report 2021, conducted independently by the Ponemon Institute, and sponsored, analyzed and published by IBM Security, for organizations surveyed, the average cost of a data breach was $1.07M higher in breaches where remote work was a factor. For organizations with more than 50% of their workforce working remotely, it took 58 days longer to identify and contain a breach. The transition to remote work has clearly been costly for organizations.

At the same time, the volume and severity of threats are on the rise, putting more pressure on security teams to detect and respond quickly. Yet, the most daunting challenge facing security teams is the proliferation of security point solutions, which contributes to the sprawl of data and tools and makes it nearly impossible for security analysts to get a complete view of threats and take action quickly. In fact, according to the 2021 Cyber Resilient Organization Study based on Ponemon Institute survey data and sponsored by IBM, 60% of organizations surveyed stated that lack of visibility into applications and data assets was an impediment to improving cyber resiliency. Furthermore, while traditional security analytics relies on ingesting and analyzing as much data as possible, it can pose challenges in terms of speed, accuracy and cost and make it difficult for security analysts to get a complete understanding of potential threats.


How XDR Addresses Security Challenges

XDR fundamentally brings all the core tenets required to detect and respond to threats into a simple, seamless user experience for analysts that automates repetitive work. Bringing together all the required context enables analysts to take action quickly, without getting lost in a myriad of use cases, screens, workflows and search languages. It can also help security analysts respond quickly without creating endless playbooks to cover every possible scenario. XDR unifies insights from endpoint detection and response (EDR), network data, and security analytics logs and events, as well as other solutions such as cloud workload and data protection tools, to provide a complete picture of potential threats.

XDR incorporates automation for root cause analysis and recommended response, which is critical in order to respond quickly with confidence across a complex IT and security infrastructure.

Whether your primary challenge is the complexity of tools, data and workflows or preventing a ransomware actor from laterally moving across your environment, quickly detecting and containing threats is of the essence. XDR provides seamless, connected workflows to enable deeper insights and quick action and automated response to block and slow threat progression. The broad visibility and simplicity enabled by XDR can help teams quickly defend against advanced threats, proactively hunt for stealthy attackers and continuously address regulations.

Furthermore, advanced analytics together with artificial intelligence (AI) and automation can help accelerate investigations and automatically enrich and contain threats. Less time spent on investigations can help improve response and mean more time for analysts to focus on impactful, strategic analysis.

Why Open Is a Critical Component of XDR

Some security teams take a native approach to XDR — sourcing all aspects of a solution from a single vendor. Others tend towards a hybrid or open XDR model, with solutions sourced from a variety of third parties and partners. Another way to think about open XDR is a cloud-native platform that can connect critical insights across siloed tools to deliver a unified workflow, all while leaving your data where it is.

Clearly, in the current climate of controlling costs and modernizing, organizations are looking to utilize the security tools they have today, leverage additional best of breed or even ‘free’ security capabilities and, when it makes sense, have the option to simplify through vendor consolidation. In other words, a successful XDR must have a strong open approach and also include the option of native capabilities that enable security teams to consolidate.

Not all definitions of open are equal, though. For years, vendors have claimed their platforms are open. However, this typically translates into a set of vendor-specific application programming interfaces (APIs), vendor-specific point-to-point integrations and data model mappings that can be slow to market. In an environment that is moving so quickly, these hindrances are not sustainable. We believe a different approach is required, one based on open standards and open source, to realize a world where security vendors provide standard APIs and a shared ontology so that security tools can talk to each other without vendor-to-vendor integration work. This is the goal of the Open Cybersecurity Alliance, which takes a radically different approach: for example, open sourcing the vendor-specific implementations of the open standards so the entire community can use them for free.
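To make the "shared ontology" idea concrete, here is an added example (not code from the post, IBM, QRadar or the Open Cybersecurity Alliance) showing what the vendor-specific work collapses to when every tool maps into one common event schema: each vendor needs exactly one small adapter, and everything downstream (here, correlating EDR and NDR alerts on the same host into one candidate incident, as the earlier "complete picture of potential threats" section describes) is written once against the shared schema. The two vendor formats, field names, severity scales and sample alerts are all constructed for illustration and do not represent any real product.

```python
"""Normalize alerts from two hypothetical vendor formats into one common
schema and correlate them by host. All formats, field names and sample
data below are constructed for illustration; none belong to a real product."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List


@dataclass(frozen=True)
class NormalizedEvent:
    """The shared schema ('ontology') every adapter maps into."""
    source: str
    observed_at: datetime
    host: str
    severity: int                 # common 1 (low) .. 5 (critical) scale
    summary: str
    indicators: Dict[str, str] = field(default_factory=dict)


def _parse_iso(ts: str) -> datetime:
    # Accept a trailing "Z" as UTC and keep every timestamp timezone-aware
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


# Each adapter is the only vendor-specific code: a short mapping into the schema.
def from_edr(raw: dict) -> NormalizedEvent:
    """Hypothetical EDR vendor: word severities, nested device/process fields."""
    sev_map = {"informational": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}
    return NormalizedEvent(
        source="edr",
        observed_at=_parse_iso(raw["event_time"]),
        host=raw["device"]["hostname"].lower(),
        severity=sev_map[raw["severity"].lower()],
        summary=f"{raw['detection_name']} ({raw['process']['image']})",
        indicators={"process": raw["process"]["image"], "sha256": raw["process"]["sha256"]},
    )


def from_ndr(raw: dict) -> NormalizedEvent:
    """Hypothetical NDR vendor: 0-100 risk score, flat source/destination fields."""
    score = int(raw["risk_score"])
    severity = 1 + min(score, 99) // 20          # collapse 0-100 onto the shared 1-5 scale
    return NormalizedEvent(
        source="ndr",
        observed_at=_parse_iso(raw["ts"]),
        host=raw["src_host"].lower(),
        severity=severity,
        summary=f"{raw['signature']} to {raw['dst_ip']}:{raw['dst_port']}",
        indicators={"remote_ip": raw["dst_ip"], "remote_port": str(raw["dst_port"])},
    )


ADAPTERS: Dict[str, Callable[[dict], NormalizedEvent]] = {"edr": from_edr, "ndr": from_ndr}


def normalize(raw_alerts: List[dict]) -> List[NormalizedEvent]:
    """Dispatch each raw alert to its vendor adapter; output is vendor-neutral."""
    return [ADAPTERS[alert["_vendor"]](alert) for alert in raw_alerts]


def correlate_by_host(events: List[NormalizedEvent], window: timedelta = timedelta(minutes=10)):
    """Group events from the same host whose timestamps fall within `window` of the
    group's first event. Written once against the shared schema, so it works for
    any number of vendors. Returns one dict per candidate incident, oldest first."""
    incidents = []
    for ev in sorted(events, key=lambda e: e.observed_at):
        for inc in incidents:
            if inc["host"] == ev.host and ev.observed_at - inc["first_seen"] <= window:
                inc["events"].append(ev)
                inc["sources"].add(ev.source)
                inc["max_severity"] = max(inc["max_severity"], ev.severity)
                break
        else:
            incidents.append({"host": ev.host, "first_seen": ev.observed_at,
                              "events": [ev], "sources": {ev.source},
                              "max_severity": ev.severity})
    return incidents


# Constructed sample alerts in the two hypothetical vendor formats.
SAMPLE_ALERTS = [
    {"_vendor": "edr", "event_time": "2021-11-02T14:03:10Z", "severity": "High",
     "device": {"hostname": "WS-ACCT-07"}, "detection_name": "Suspicious script host",
     "process": {"image": "wscript.exe", "sha256": "0" * 64}},
    {"_vendor": "ndr", "ts": "2021-11-02T14:06:42Z", "risk_score": 85,
     "src_host": "ws-acct-07", "signature": "Outbound SMB to new internal host",
     "dst_ip": "10.20.0.15", "dst_port": 445},
    {"_vendor": "ndr", "ts": "2021-11-02T16:40:00Z", "risk_score": 30,
     "src_host": "ws-acct-07", "signature": "DNS query to newly seen domain",
     "dst_ip": "10.0.0.53", "dst_port": 53},
]


def build_incidents(raw_alerts: List[dict] = SAMPLE_ALERTS):
    """Full pipeline: vendor alerts -> shared schema -> host-correlated incidents."""
    return correlate_by_host(normalize(raw_alerts))


if __name__ == "__main__":
    for inc in build_incidents():
        print(inc["host"], sorted(inc["sources"]), "max_sev=%d" % inc["max_severity"],
              "events=%d" % len(inc["events"]))
```

Running it yields two candidate incidents for the same host: the EDR and NDR alerts three minutes apart are joined into one cross-tool incident at the highest severity, while the low-score DNS alert hours later stands alone. Adding a third vendor means writing one more adapter; the correlation logic and anything built on it do not change, which is the practical difference between a shared ontology and a mesh of point-to-point mappings.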

Most importantly, when XDR is delivered on an open security platform, organizations can leverage existing investments and avoid ripping and replacing current solutions. This kind of approach can also help make investments adaptable. In a rapidly changing IT environment, an open platform sets a SOC up to be ready to support the next iteration of new technology.

IBM Launches QRadar XDR, a Comprehensive, Open XDR Solution

To help organizations thrive in the current IT landscape, IBM Security is committing to an open approach to security with QRadar XDR — an evolution of a brand that has grown over the years from SIEM to include network, risk, AI, user behavior analytics and an open ecosystem, to address the demands of today’s security teams. QRadar XDR is a security software suite with native capabilities for SIEM, SOAR and network detection and response (NDR) that is fundamentally based on open standards and open source. QRadar XDR is connected, providing flexible integrations with existing tools or IBM products.

Additionally, with the planned acquisition of ReaQta, IBM aims to further expand its threat detection and response capabilities by providing native EDR capabilities as an option in the QRadar XDR suite. ReaQta’s endpoint security solutions leverage AI to identify and manage threats. Its behavior-based platform helps protect against known and unknown threats and uses an operating-system-agnostic engine that can be deployed in a hybrid model, on-premises or in the cloud. This move is designed to align with IBM’s strategy to deliver security with an open approach that extends across disparate tools, data and hybrid cloud environments.

In addition, the suite includes XDR Connect, which is designed with AI to help security analysts improve productivity by connecting data, tools, workflows and people to gain deeper insights and act faster. XDR Connect provides a unified, seamless user experience for alert triage, investigation and threat hunting, automated root cause analysis and response. It also provides access to the latest threat intelligence insights and centralized management of security incidents with pre-defined detection and response rules. XDR Connect is built on open standards and open source so that organizations can keep their existing investments (EDR, SIEM, NDR, etc.) and then modernize and consolidate at their own pace, future-proofing their architecture and avoiding vendor lock-in.

QRadar XDR meets SOC teams where they are to enhance, simplify and automate threat detection and response. As organizations modernize their infrastructure and strengthen their defenses against threats, it’s time to take threat detection and response to the next level with a truly open approach.


Chris Meenan
VP, Product Management, IBM Security

Chris Meenan is the VP of Product Management within the IBM Security division. He has over 10 years experience in product management and been involved in dev...