CISO considerations for managed XDR investment

To read this report in full in PDF format, click the ‘view report’ button

Hackers are getting smarter and cyber-attacks are continuing to grow in frequency, forcing organizations to confront huge costs when attacks are successful. 

CISOs and security owners, especially those operating small to medium businesses (SMBs), face several challenges including stretched budgets, lack of in-house resources, misconfigured security solutions and existing traditional solutions that are unable to keep pace with today’s threat landscape. They must be able to optimize their existing security investments to battle the ever-evolving security threats and alert fatigue.  

Extended detection and response (XDR) is a unified security incident detection and response platform that automatically collects and correlates data across networks, clouds, endpoints and applications. This technology incorporates and evolves endpoint protection platforms (EPPs), endpoint detection and response (EDR) security capabilities providing visibility across first- and third-party enterprises with protection at and beyond the endpoint. 

Managed XDR provides a solution with specialist analysts and threat prevention experts that bolster an organization’s own security and IT team’s capabilities. In addition, the human element provided through managed services allows companies to access experts who can triage cyber security alerts and remediate attacks.

How XDR extends your detection and response capabilities

XDR expands on EDR by searching for and addressing cyberthreats across an organization’s entire digital environment. XDR also looks beyond the endpoint to encompass an organization’s entire network, including cloud storage, applications and its endpoints. 

XDR can more effectively ward off cyber-attacks than EDR alone by unifying visibility and management across endpoints, the network and cloud-based assets. Artificial intelligence (AI) can also be an important feature in an XDR solution to assist in identifying and stopping evolving cyberthreats. 

The added telemetry of XDR is important for painting a more holistic picture of threat actor activity. Parsing, normalizing and correlating data from multiple sensors provides end-to-end visibility. While moving from EDR to XDR is the correct progression in defensive capabilities, additional telemetry can increase the workload of the network defenders, notes Tony Lee, vice president, global services technical operations at BlackBerry.  

XDR is also associated with current security information and event management (SIEM) practices that provide security operations centers (SOCs) with incident data for threat monitoring and response.

Interested in learning more? Become a member of CS Hub today!

Making the switch

While XDR does not set out to replace EDR, there are clear additions that it can provide to a CISO’s toolkit for them to keep pace with today’s evolving threat landscape. 

The next consideration for CISOs is to build an XDR solution in-house or to invest in a managed service provider that can act to enhance in-house knowledge and provide SMBs with constant monitoring.  

Organizations that lack headcount or skills to implement EDR and XDR should look to a managed XDR solution that can augment existing staff for a fraction of the cost of building this capability in-house.

The value of managed services

Many SMBs are dealing with an influx of security threats combined with a lack of security resources and knowledge. 

One of the most prominent issues organizations face today is dealing with the volume of data they are presented with, filtering alert noise and focusing on the right signals. Alert fatigue is a big challenge, explains BlackBerry’s Lee.  

“As we gather more telemetry and gain greater visibility via XDR, this can overwhelm defenders with new alerts,” he says. “All while threat actors continue to adapt and improve as part of an ever-evolving ransomware-as-a-service (RaaS) model.”  

This is exacerbated by the well-known headcount shortage in the cyber security industry which makes it difficult to both hire and retain good talent. 

For many, implementing enterprise-grade detection and response capabilities is a significant undertaking and building a SOC from scratch is not only time-consuming but represents a significant cost for many.  

Even traditional tools such as unified threat management systems (UTMs) and intrusion and detection/prevention systems (IDS/IPS) need to be monitored constantly.

Careful consideration for partner selection

When looking for a partner to supply a managed XDR solution, organizations should consider their overall vision and focus for the solution partner.  
XDR does not prevent 100 percent of cyber-attacks but does instrument action and make evidence forensically available for analysis.

Brian Robison, vice president of solutions and strategy at BlackBerry, says it is important to choose a vendor who can do their best to prevent the customer from becoming a victim, while having enough technology in place to gather the forensic evidence if needed. 

A multi-layered service capability is also important and should focus on prevention of an attack rather than detection and remediation alone. 

To this end, capabilities should include constant AI-powered endpoint protection, continuous threat hunting, threat intelligence overlay and rapid response to provide the best chances at preventing an attack.

Embedding managed XDR into your digital estate

It is evident there are benefits to both XDR and managed services as separate entities. Investment in XDR technology alone is not enough as businesses must have the resources to be able to deliver the capabilities and manage the technology. 

An organization may be able to move its detection and response in a positive direction with XDR, but ultimately, to find success in the solution, the onus of responsibility is always with the people behind the tool.

A managed XDR solution can enhance an organization’s detection and response capabilities. It is, however, imperative that CISOs consider the best investment for their existing digital estates in the case of any company, but maybe even more so with SMBs.  

With this in mind, SMBs may be inclined to lean toward a managed XDR solution that comes with a vendor providing the expertise and knowledge to implement the tool to be used to its full potential.

Conclusion: Your investment in managed XDR

With the need for constant threat detection and response, there is an advantage to having an agile managed service provider for XDR. 

For SMBs, consideration should be given to what a managed service can offer, but there also should be clear communications and a working relationship between the organization and the service provider. 

A managed XDR solution and the necessary skills to properly operationalize the technology can work together to provide organizations with maximum value and can allow an organization to focus on the core activities critical to their success and growth rather than spending time worrying about the ever-evolving threat landscape.

Does your company use managed XDR? Why or why not? Let us know in the comments!