When we think of security, many will conjure up a mental image of steel doors with impressive locks, armed guards or banks of CCTV camera feeds viewed from a darkened control room – the visualisation is of keeping criminals out and away from our valuable property – and in the case of IT, protecting critical systems, and data.
Cyber security is equally full of protective language, as nothing sounds scarier than a wall of fire (Firewall), a secure perimeter or a cyber kill chain! The latest iteration gaining momentum in cyber security is Extended Detection and Response (XDR) which, depending on which security vendor you ask, “…collects and automatically correlates data across multiple security layers.”
Yet the term XDR, which is going through its own hype cycle, has been co-opted by many cyber security vendors as a way of convincing customers to buy all their security products from a single supplier. The simplistic logic is often: buy all the bits you need from us, and we can make sure it all works together. For a large enterprise with a dozen different security products, probably from at least half a dozen different suppliers, the prospect of having to rip and replace systems is unappealing.
Cyber security is a massive industry. Worldwide spending on information security and risk management technology and services is forecast to grow 12.4% to reach $150.4 billion in 2021, according to the latest forecast from Gartner, Inc. A staggering sum but still dwarfed by damage caused by global cybercrime that is predicted to reach $6 trillion annually by 2021 according to Cybersecurity Ventures, an analyst firm.
Legacy approach
The hundreds of vendors selling cyber security products and services have traditionally focused on individual product silos. Specialists in malware protection, firewalls, content inspection, intrusion detection – the list is endless. However, over the last decade, many of these well-known brands have moved sideways – to sell more products. In the last few years, a period of consolidation has seen several brands merge to now offer the entire spectrum of cyber security products across diverse portfolios. The aim is ultimately to increase the average spend per customer and – at least in theory – to ensure everything works together.
Yet, just like white goods in a typical kitchen, few organisations buy an entire cyber security stack of technology and services from a single vendor. According to AttackIQ and the Ponemon Institute, large organizations use an average of 47 different cybersecurity tools across their networks, while research firm ESG estimates that enterprises source their tools from an average of 10 different vendors.
However, herein lies a major issue. In a market chasing after $150bn a year in potential revenue, there is little incentive for cyber security vendors that sell extended portfolios to work seamlessly with rival vendors. This is a broad statement and there are some notable exceptions in areas such as SIEM where the core purpose is to pull together disparate systems. There are also a few vendors that have gone above and beyond in getting their systems to play nice with third party tools – but these are the exception rather than the rule.
Open XDR
For many, XDR could be a different proposition, as its goal is to correlate data across multiple security layers. Yet, examining the vendor propositions in detail, these integrations tend to focus on products within the vendor's own stack. Instead, a few pioneers are pushing for an Open XDR approach that aims to have not just a handful of supported third-party cyber security products, but tens and ultimately hundreds of integration points.
The companies pushing for this Open approach, ReliaQuest included, generally do not have an anti-virus, firewall, VPN, NAC, or MDM solution to sell – and as such are primarily focusing on adding integration based on what potential customers are already using. The goal is to raise visibility across the entire cyber security landscape to gain a single source of insight and response.
The Open XDR movement is gaining traction and is primarily focused around a few key areas. The fastest growing is cloud security where these systems can peer into multiple clouds, tools, and locations to create a single platform for unified visibility, detection, and response.
Another area is security automation, to streamline the investigation process triggered by an alert and allow infosec teams to use accurate data from multiple systems to spot real attacks rather than false alarms. The last major area is continuous analysis and reporting to validate, and ultimately improve, security posture. Open XDR is also gravitating towards an ‘as-a-service’ delivery model, which streamlines deployment and allows organisations to adapt as the threat landscape evolves or the business need changes.
Increasingly, many of these capabilities are supplemented by machine learning techniques, and as the Open XDR landscape grows, more third-party tools and data sources are integrated, which in turn makes the overall systems more intelligent and capable of detecting and responding to threats. Essentially a virtuous circle.
Standard evolution
Yet there are some inhibitors. After a lack of awareness around Open XDR, the main issue is a lack of open standards for allowing different security tools to interoperate. Part of the problem is that many vendors with larger “end-to-end” style portfolios have little to gain by working with rivals. In addition, these standards are not mandated within any regulatory frameworks, so there is no pull from customers to ensure interoperability compliance.
There are a couple of notable bright spots. MITRE, a not-for-profit organization that helps maintain the widely used Common Vulnerabilities and Exposures (CVE®) list is pioneering efforts through its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) knowledge base to model cyber adversary behaviour, reflecting the various phases of an adversary's attack lifecycle and the platforms they are known to target. MITRE is also working on two new initiatives for sharing cyber threat information. The first is Trusted Automated eXchange of Indicator Information (TAXII™) and this is supported by the Structured Threat Information eXpression (STIX™), both sponsored by the Department of Homeland Security.
TAXII defines a set of protocols for securely exchanging cyber threat information for real-time detection, prevention, and mitigation of cyber threats. STIX provides a common format for cyber threat information, including cyber observables, indicators of compromise, incidents, TTPs (tactics, techniques, and procedures), and campaigns. Another bright spot in the interoperability landscape is the Organization for the Advancement of Structured Information Standards (OASIS), which has created the Open Cybersecurity Alliance (OCA). The OCA brings together interested stakeholders to look at a solution for two big issues. The first is the development of an interoperable messaging format for cybersecurity tools, while the other will develop standardized data models and libraries to classify threats in a way that can be analysed by any cybersecurity tool.
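To make the interoperability point concrete, here is an added example (not code from the article, ReliaQuest, MITRE or OASIS) that builds a minimal STIX 2.1 bundle of the kind TAXII carries and shows how any tool can parse it and pull out the indicator patterns; the field names follow the STIX 2.1 specification, while the sample domain and names are constructed.

```python
# Added example: a minimal STIX 2.1 Indicator/Bundle producer and a consumer
# that extracts simple indicator patterns. Standard library only; the
# sample values (the 'c2.invalid' domain, the names) are constructed.
import json
import re
import uuid
from datetime import datetime, timezone


def now_ts() -> str:
    # STIX timestamps are RFC 3339 in UTC with a trailing 'Z'
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def make_indicator(pattern: str, name: str, pattern_type: str = "stix") -> dict:
    """Build a STIX 2.1 Indicator with its required properties."""
    ts = now_ts()
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts, "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": pattern_type, "valid_from": ts,
    }


def make_bundle(objects: list) -> str:
    """Wrap STIX objects in a Bundle and serialise it as a TAXII payload."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                       "objects": objects})


# One STIX comparison expression: [object-type:property = 'value']
_SIMPLE_PATTERN = re.compile(r"^\[([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\]$")


def extract_indicators(bundle_json: str) -> list:
    """Return (object type, property path, value) for every Indicator whose
    pattern is a simple STIX comparison; other objects and pattern types
    (e.g. YARA, Snort) are skipped rather than mis-parsed."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if m:
            found.append(m.groups())
    return found


# Constructed sample: one STIX-pattern domain indicator plus a YARA indicator
SAMPLE_BUNDLE = make_bundle([
    make_indicator("[domain-name:value = 'c2.invalid']", "constructed domain"),
    make_indicator("rule demo { condition: true }", "constructed yara", "yara"),
])
```

Running `extract_indicators(SAMPLE_BUNDLE)` yields only the domain tuple, which is the sort of vendor-neutral data a detection tool can load without knowing which product produced the feed.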
All these projects are still at an early stage, but for enterprises that can see the potential merit in Extended Detection and Response, the key question to ask is whether it is open and able to support the cyber security platforms already in use, or whether it is potentially forcing you down the road of having to rip and replace your cyber security infrastructure for the benefit of the vendors’ future sales.