For decades, companies spent most of their IT security resources on technologies and strategies designed to keep intruders out of their networks. The 2020 SolarWinds hack has inspired a shift in that philosophy, with increased emphasis on detecting and responding to threats that have already penetrated perimeter defenses.
The SolarWinds attack involved what may be the most notorious example of an advanced persistent threat (APT), a particularly stealthy type of malware that can remain undetected for extended periods. It ultimately affected thousands of organizations in what is widely considered the worst cyber-espionage incident in U.S. history.
The attack began in February 2020 when Russian hackers injected malicious code into an update of SolarWinds’ popular network monitoring software. After customers installed the update, the malware remained in stealth mode for at least six months, profiling target organizations and exfiltrating data before creating backdoor access the hackers used to install even more malware.
APTs were also used to compromise some 250,000 Microsoft Exchange servers in 2021. Security analysts warn that all signs point to the increased frequency of such attacks as criminal groups and state-sponsored hacker groups seek footholds for reconnaissance and data theft. The FBI has warned of an increasing number of APT attacks targeting governments, international organizations, engineering companies, law firms and the hospitality sector.
Focus on Detection
While perimeter security remains a critical element of IT security, organizations should place a greater emphasis on finding and stopping threats that have breached defenses. In a recent ESG study, 82 percent of cybersecurity professionals said that improving threat detection and response is a high priority.
However, threat detection can be a challenge for overextended IT teams. Security information and event management (SIEM), endpoint detection and response (EDR) and other standalone detection tools can generate large volumes of threat data across multiple attack vectors, but most organizations lack the manpower and expertise to efficiently correlate and analyze all of it.
An emerging class of solutions known as extended detection and response (XDR) improves the detection process. With advanced automation and analytics capabilities, XDR solutions continuously collect and correlate real-time security data streams from servers, firewalls, endpoints, cloud instances and many other sources. The result is a single-pane-of-glass view of security data that allows IT teams to rapidly detect and respond to stealthy threats.
Breaking Down Silos
XDR sounds a lot like SIEM, but there are key distinctions. SIEM tools tend to generate a large number of alerts, making it difficult to sort through the false positives and prioritize alerts effectively. XDR resolves that problem by orchestrating data from multiple functional silos to provide greater context about suspicious activity. XDR tools also feature behavior profiling and analysis and threat intelligence for more effective detection and response.
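To make the cross-silo correlation described above concrete, here is a small added example (not code from the article or from any XDR product) that takes constructed endpoint, firewall and identity events for the same host and escalates only when several sources agree within a short window; the event schema, field names and 15-minute window are assumptions for illustration.

```python
"""Toy cross-source correlator: siloed tools emit one alert per event, while the
XDR-style view below raises an incident only when a host shows suspicious activity
in at least two different data sources inside a time window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three silos (not real telemetry).
EVENTS = [
    {"ts": "2024-01-10T09:00:05", "source": "identity", "host": "ws-17", "user": "jdoe", "event": "logon_from_new_country"},
    {"ts": "2024-01-10T09:02:10", "source": "endpoint", "host": "ws-17", "user": "jdoe", "event": "unsigned_binary_executed"},
    {"ts": "2024-01-10T09:03:40", "source": "firewall", "host": "ws-17", "user": "jdoe", "event": "outbound_to_rare_domain"},
    {"ts": "2024-01-10T11:30:00", "source": "endpoint", "host": "ws-22", "user": "asmith", "event": "unsigned_binary_executed"},
    {"ts": "2024-01-10T15:45:00", "source": "firewall", "host": "ws-22", "user": "asmith", "event": "outbound_to_rare_domain"},
]

WINDOW = timedelta(minutes=15)  # assumed correlation window


def single_source_alert_count(events):
    """What standalone tools produce: every event becomes its own alert."""
    return len(events)


def correlate(events, window=WINDOW):
    """Group events per host, cluster them in time, and raise an incident only
    when a cluster spans >= 2 distinct sources. Severity = number of sources,
    and the cluster's timeline is attached as context for the analyst."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            j = i  # extend the cluster while events stay within the window of its start
            while j + 1 < len(evs) and evs[j + 1]["ts"] - evs[i]["ts"] <= window:
                j += 1
            cluster = evs[i:j + 1]
            sources = {e["source"] for e in cluster}
            if len(sources) >= 2:
                incidents.append({
                    "host": host,
                    "user": cluster[0]["user"],
                    "sources": sorted(sources),
                    "severity": len(sources),
                    "timeline": [f'{e["ts"].isoformat()} {e["source"]}: {e["event"]}' for e in cluster],
                })
            i = j + 1
    return incidents


if __name__ == "__main__":
    print("siloed alerts:", single_source_alert_count(EVENTS))
    for inc in correlate(EVENTS):
        print(inc)
```

On the sample data the siloed view yields five alerts, while the correlated view yields one severity-3 incident for ws-17 and nothing for ws-22, whose two events are hours apart.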
Although XDR solutions do a lot of the heavy lifting, threat detection and response can create a burden for organizations dealing with an ongoing shortage of in-house security skills. A third-party partner with established managed detection and response (MDR) services can provide the required manpower and expertise.
MDR providers often have a variety of detection-focused tools, including SIEM, EDR and XDR, as well as a fully staffed Security Operations Center (SOC). With far more expertise in threat hunting than the typical IT staffer, MDR teams can usually deliver more accurate analysis and faster remediation of most threats.
While threat prevention remains a high priority, it will never be 100 percent effective. Organizations need the ability to root out hidden threats inside the network before they’ve had a chance to do lasting damage. Contact us to learn more about XDR solutions and our managed detection and response services.