According to analyst firm Gartner, extended detection and response (XDR) is a “SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”
You’ll hear plenty of the traditional vendors of antivirus begin to proclaim themselves as an endpoint detection and response (EDR) or XDR solution, trying to keep up with this more advanced tool space. As they continue to either buy up other vendors with the tool sets (then try to bolt them on to their traditional solution) or simply try to remake themselves in the model of an XDR solution in other ways, their final offering often has limitations. Typically, they’ll cover some but not all the areas of a complete XDR solution. They will address hosts and files but not network and users, or network and hosts but not files or users. They’ll miss some of that cohesive security operation defined by Gartner.
A recent article from HelpNetSecurity—a popular information security online publication—titled “XDR and MDR: What’s the Difference and Why Does It Matter?” made the following statement in closing: “An XDR solution without adequate human expertise/staffing behind it will only ever be a tool. With a managed services model in play, you’re getting both the comprehensive technology capabilities and the people required to make it work— which is why managed detection and response (MDR) may be the only acronym that your organization needs.”
This statement is very accurate for the less complete XDR offerings that do not include the managed and monitoring components in their solutions. They become like all the security information and event management (SIEM) and log management solutions that have been pushed at you for years, just becoming another tool that no one has expertise to manage or leverage the benefits that you bought it for. So, what do you have to do? One option is to buy the “managed services” from these tool vendors which can make banks dependent on them.
Another option is to research other solutions that are out there. In addition to Cynet, our Infosecurity consulting services suggest reviewing Gartner’s list of EDR solutions and offerings from WBA Associate Members when completing your due diligence. Complete solutions like Cynet360 include the backing of the Cynet CyOps team without needing to pay extra, bolt on more products, or go looking for the 24x7x365 expertise of another managed provider. This doesn’t mean that you can’t still depend on a managed services provider for another layer of monitoring and managing, but are they independent if they also are who you need to be monitoring? There’s nothing wrong with leveraging the additional layer you’ve come to depend on, but at what added cost to get the independence and expertise like that of a CyOps team that is already baked into the Cynet360 solution? You will still need to explain to your auditor and examiners that you’ve learned the tool adequately enough to understand and generate independent reporting of the activities of the managed third party.
At least when you are answering that questionnaire for your cyber insurance coverage, you’ll be able to check off ‘Yes’ on several questions because you implemented a powerful, more advanced endpoint protection solution.
Shaurette is FIPCO director infoSecurity and audit. Contact him at email@example.com or 608-441-1251.