- Adversary tactics, techniques, and procedures (TTP) are evolving significantly increasing security risk
- Compliance frameworks – such as PCI DSS, NIST – are minimum security baseline control sets
- Cyber security operations that align technical solutions like XDR can meet compliance, security, and operational benchmarks, while meeting its compliance objectives
- Heightened visibility using attack aware (e.g., MITRE ATT&CK) solutions like XDR can improve security operations, shorten discovery windows, better coordinate rapid response, and reduce meantime to recovery
SaaS Security Solution Evolution
Is Extended Detection and Response (XDR) the natural evolution of Endpoint Detection and Response (EDR)? Historically EDR solutions monitor endpoint threats by parsing various logs and performing analysis to discover malicious activity and initiate remedial action (e.g., alert security operations to further investigate). This parochial solution often excludes material data points, such as those from the cloud, network, and applications. Enter XDR, which extends its purview to include visibility across the network, cloud, next generation firewalls, email, antivirus, and often EDR; using real-time telemetry. XDR also integrates incident response providing holistic incident resolution. These vendor specific Software as a Service (SaaS) solutions are constantly evolving using new data to better detect evolving threats.
In an effort to maintain pace with threat actors, XDR often uses the exploit tactics (e.g., MITRE ATT&CK), deploying machine learning and artificial intelligence (AI), aggressively processing billions of transactions. Once potential threats are discovered, prioritized countermeasures limit or at least warn security operations teams. What makes these SaaS solutions such powerful tools in the fight against adversaries, is their ability to learn and extrapolate known exploit behavior to isolate actual threats, ultimately removing the “noise” (e.g., false alarms) and enabling security operations to react to real threats.
XDR and Compliance
Introducing a SIEM, EDR, and the newest XDR solution can greatly improve an organization’s visibility and therefore security posture, materially reducing the mean time to containment and recovery! But how does it align with compliance frameworks? What benefit might these solutions provide for meeting compliance obligations? Security frameworks (e.g., HIPAA Security Rule, GLBA, PCI DSS, NIST) enumerate the minimum-security baseline for organizations. Being able to substantiate compliance conveys a positive message to clients, business partners, regulators, consumers, and senior leadership. Yet, basing your organizations’ security program on the minimum-security controls may be a compliance strategy, but is not a sensible security strategy. For example, PCI DSS only requires a minimum 7-character password, considered extremely weak in the industry. In the event of a security breach, telling interested stakeholders (e.g., executive management, judge, customers, business partners), “we deployed the minimum security…” is difficult to defend.
Many compliance programs are driven by statute, such as HIPAA to protect healthcare data and GLBA to protect financial industry data. Other programs may be driven by contractual agreement, such as PCI DSS for payment card data and various confidentiality clauses in contracts with business partners. Security teams often struggle with aligning the business objectives and satisfying the organization’s regulatory, contractual, and compliance obligations.
Today’s adversaries are sophisticated, and they enjoy deep-pockets, but which security controls should organizations actually invest? Performing a formal risk assessment allows an organization to benchmark its threat and vulnerabilities through the lens of likelihood of these being exploited and the possible resulting damage. In other words, investing to protect against the threats most likely to be exploited causing the most harm. This is a prudent risk management strategy. Many compliance frameworks include risk management (e.g., PCI DSS Req. 12.2). As such, organizations should already be performing annual risk assessments, ideally using an industry recognized risk framework (e.g., NIST, ISO). Organizations held to compliance frameworks can cross-reference the controls against adversary tactics, techniques, and procedures (TTP) to align their security with compliance. This risk-based exercise can uncover exploitable vulnerabilities that today’s adversaries deploy, making it straightforward to cost-justify solutions such as XDR. These solutions, if deployed correctly, can help achieve compliance and dramatically improve security.
XDR Perpetual vs. Annual Compliance
Compliance activities tend to be point in time. Companies perform an annual HIPAA, GLBA, and PCI Assessment. Security solutions such as XDR are perpetual; they are performed throughout the year. Creating programs to define roles and responsibilities for the staff accountable for the operational control execution provides insight on resource leveling, task gaps, and skill-set deficiencies. It also provides for informed decisions on operational task optimization. Which tasks might be automated? Are there mundane tasks that might be outsourced? Ultimately security teams must optimize efficiencies.
For example, CIS Control 6 includes “Maintenance, monitoring, and analysis of audit logs.” Often organizations are not short on log availability. They have too many logs. Being able to parse through all of the “noise” in a timely fashion to find actionable threats is tedious! And if not done in a timely fashion, the window to take corrective action may pass. Also, attackers enjoy longer dwell times and greater freedom to move around within the victim’s network and inflict further damage.
Adversaries are becoming more sophisticated, including better funding, increased availability of attack solutions such as HaaS (hacker as a service) and other exploits readily available for purchase. Complexities and responsibility confusion such as with shared security responsibilities for cloud and hybrid cloud solutions exacerbate the problem, while supply chains introduce new points of vulnerabilities that are beyond the visibility/control of the victim’s organization.
SIEM and other tools are helpful. Being able to move the tedium of log review and associated operational procedures can free up the team to investigate likely security threats and compliance missteps. As these tools become more sophisticated and more integrated, they produce more noise, and therefore need XDR’s sophisticated algorithms to interpret the data and provide meaningful feedback. As a result, XDR can reduce tedious security operations, shorten discovery windows, coordinate rapid response, and reduce meantime to recovery – graceful recovery.
The picture is not bleak. Organizations need to be secure. Many also need to comply with various industry frameworks. Organizations need to perform risk-based analysis of existing security controls and determine where to reinforce controls to better fend off threat actors. Aligning these controls with applicable security frameworks allows organizations to meet their compliance obligations, improve security, and reduce costs by eliminating redundancies. Security programs cannot be bullet-proof; adversaries are constantly evolving their tactics, techniques, and procedures (TTP). We can only hope to deploy adequate controls for the vulnerabilities most likely to be exploited using policies, processes, and tools that are threat actor behavior aware, such as MITRE ATT&CK. Then invest in additional solutions, like XDR with AI and machine learning to gain a clear advantage. While XDR may be the next phase of evolving security solutions, remember our goal isn’t perfect security, it is to try and stay a step ahead of the adversaries with the ability to quickly detect and respond when vulnerabilities are successfully exploited.