Root Out Stealthy Threats With EDR and XDR

According to IBM researchers, the average organization takes 287 days to detect and respond to a data breach. By that time, it’s already too late. With nearly 10 months to rummage around in compromised systems, malicious actors have ample time to steal sensitive information, plant malware, manipulate data or sabotage infrastructure. It’s no wonder IBM estimates the average cost of a breach in the U.S. now approaches $10 million.

As cyberattacks become more frequent, stealthy and sophisticated, organizations need to enhance their security posture. Key to this effort is robust detection and response measures that can find and stop threats that have already breached traditional network perimeter defenses. In this post, we’ll explore two main tools security teams can use to significantly reduce the average time to detect an attack.

Endpoint Detection and Response (EDR)

EDR solutions continuously monitor individual endpoints such as desktops, laptops, servers and mobile devices, using advanced behavioral analysis and machine learning to identify suspicious files. When a known threat is identified, the EDR solution triggers rules-based responses such as sending an alert or logging off the user.

This has become a critical capability due to the dramatic increase in endpoint devices needed to support mobile, remote and hybrid workforces. The average enterprise organization now has approximately 135,000 endpoints — an astonishing 17,900 percent increase over pre-pandemic figures, according to a study by the Ponemon Institute. The study further found that organizations are unable to discover or manage nearly half of the endpoints connecting to their networks.

EDR solutions use advanced behavioral analysis and machine-learning algorithms to automatically identify malicious files by their unique tactics, techniques and procedures (TTPs) and take more proactive steps to block them. All information about threat characteristics is recorded in a central database for further analysis. That data can then be used to actively hunt for similar threats that might be sitting undetected in the network.

Extended Detection and Response (XDR)

XDR solutions extend their scope beyond endpoints, leveraging broader datasets to detect and respond to threats that may span multiple systems and environments. They continuously collect and correlate real-time security data streams from multiple sources, including servers, firewalls, endpoints, email and cloud environments, to provide a far more holistic view of an organization’s security landscape.

For example, if someone in your company opened a malicious email attachment, an EDR solution would provide visibility into the PC, phone or other device that was used but would offer no information about the email. On the other hand, XDR could trace the email’s journey, flagging the malicious attachment and providing insights into any other suspicious activities on the network or other endpoints.
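To make the email-plus-endpoint scenario above concrete, here is a small added illustration (not WatchGuard’s or any vendor’s code) of the cross-source correlation an XDR performs: it joins email-gateway records with endpoint telemetry on the attachment hash, then checks whether the program that opened the attachment spawned a scripting host. All log records, field names and the scripting-host watchlist are constructed assumptions for this example.

```python
from collections import defaultdict

# Constructed email-gateway records: who received which attachment (by hash).
EMAIL_EVENTS = [
    {"ts": "2024-05-01T09:01:00Z", "recipient": "alice@example.test",
     "attachment": "invoice.docm", "sha256": "aaaa1111"},
    {"ts": "2024-05-01T09:03:00Z", "recipient": "bob@example.test",
     "attachment": "report.pdf", "sha256": "bbbb2222"},
]

# Constructed endpoint (EDR) telemetry: file opens and process starts per host.
ENDPOINT_EVENTS = [
    {"ts": "2024-05-01T09:05:00Z", "host": "LAPTOP-01", "action": "file_open",
     "sha256": "aaaa1111", "process": "winword.exe"},
    {"ts": "2024-05-01T09:06:00Z", "host": "LAPTOP-01", "action": "process_start",
     "process": "powershell.exe", "parent": "winword.exe"},
    {"ts": "2024-05-01T09:10:00Z", "host": "LAPTOP-02", "action": "file_open",
     "sha256": "bbbb2222", "process": "acrord32.exe"},
]

# Assumed watchlist: an attachment viewer launching one of these is worth escalating.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def correlate(email_events, endpoint_events):
    """Return one incident per emailed attachment that was later opened on an
    endpoint, including any processes the opening application spawned."""
    by_hash = {e["sha256"]: e for e in email_events}
    children = defaultdict(list)          # (host, parent process) -> child starts
    for ev in endpoint_events:
        if ev["action"] == "process_start":
            children[(ev["host"], ev["parent"])].append(ev)

    incidents = []
    for ev in endpoint_events:
        if ev["action"] != "file_open" or ev.get("sha256") not in by_hash:
            continue                      # not an attachment we saw delivered
        mail = by_hash[ev["sha256"]]
        # ISO-8601 UTC strings of equal length compare correctly as strings.
        spawned = [c for c in children[(ev["host"], ev["process"])] if c["ts"] > ev["ts"]]
        severity = "high" if any(c["process"] in SCRIPT_HOSTS for c in spawned) else "low"
        incidents.append({"attachment": mail["attachment"], "recipient": mail["recipient"],
                          "host": ev["host"], "opened_with": ev["process"],
                          "spawned": [c["process"] for c in spawned], "severity": severity})
    return incidents


if __name__ == "__main__":
    for inc in correlate(EMAIL_EVENTS, ENDPOINT_EVENTS):
        print(inc)
```

An endpoint-only view would show winword.exe launching powershell.exe on LAPTOP-01 but not which message delivered the file or who else received it; the joined record answers both questions.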

Machine learning (ML) also enhances XDR’s capabilities. Over time, ML algorithms help build the threat intelligence necessary to actively hunt for threats. As they develop a deep understanding of what is typical, the algorithms can then flag any unusual activity that might indicate a security incident. For example, ML can detect unusual login patterns, file access or data transfer activities.

With the ability to identify anomalies and potential indicators of compromise, XDR also enables security teams to actively hunt for threats and disrupt them in advance of an attack. Many XDR solutions include predefined threat-hunting playbooks that describe structured steps for conducting investigations based on common attack scenarios or tactics.

Conclusion

As cyber threats become increasingly stealthy, organizations must augment traditional preventive measures with more proactive solutions that can help them root out hidden threats. In our next post, we’ll take a look at how WatchGuard is addressing threat detection with its new ThreatSync XDR solution.
