Why XDR Should Be on Your Roadmap for SOC Success

Originally published by CrowdStrike here.

Written by Scott Simkin, CrowdStrike.

Fighting modern adversaries requires having a modern security operations center (SOC), especially as organizations move to the cloud. To protect their estates against tomorrow’s threats, security professionals have often turned to more data sources and adding more security monitoring tools in their operations, both in the pursuit of maximizing their attack surface visibility and reducing time to detect and respond to threats.

Unfortunately, this strategy has reaped mixed returns, sometimes even aggravating existing problems that plague security professionals. In fact, a recent study conducted by ESG, “SOC Modernization and the Role of XDR,” which surveyed approximately 370 IT and security professionals across North America in early 2022, revealed that 52% of respondents believe security operations are getting harder.

Source: “SOC Modernization and the Role of XDR”, ESG 2022.

Growing volumes of data sources have left security teams inundated with information they can’t operationalize in time to face threats in the wild. Siloed security monitoring tools lack holistic views of the enterprise, enabling adversaries to exploit lingering blind spots. Unending alerts bloated by false positives leave already lean analyst teams burnt out and numb, struggling to prioritize and respond to the alerts that really matter. Finally, the innate complexity of SOC operations, coupled with the growing sophistication of threats, have obstructed inroads to automating workflows — proving that human expertise remains essential, but leaving teams critically outpaced in the fight against modern attacks.

In response to this, SOC teams have turned to multiple strategies. They’re investing in skills training to counter industry shortages. They’re putting greater weight on tools that use machine learning and advanced analytics to reduce noise and increase detection fidelity. And topping their list of priorities, as indicated by ESG’s research, is to consolidate tools, redirecting their investments toward platforms that can help them do more with less — streamlining their operations, maximizing their attack surface coverage and improving mean time to detect/respond (MTTD/MTTR), all in service of the ultimate goal of stopping breaches.

Among the solutions gaining traction in the industry is extended detection and response (XDR) — and for good reason. XDR builds on the foundation of endpoint detection and response (EDR) by integrating cross-domain security data such as endpoint data, network data and identity data from across the organization, including integrating multi-vendor products. It centralizes intelligence across silos to expand visibility and deliver richer context surrounding events. In doing this, XDR enables teams to improve the fidelity of their alerts and accelerate detection and response time, while simplifying operations and opening the door for automation and machine learning-based tools to continuously streamline operations.

One of the persistent issues around XDR, as explained by CrowdStrike CTO Mike Sentonas, is that it has drawn such intense market interest that the term has fallen victim to frequent misuse, inadvertently contributing to more confusion as to what XDR actually is and does. In fact, the same survey by ESG reveals that the majority of respondents (60%) claim to already be using an XDR solution, but when asked to define XDR, they reported different definitions of what they believed it to be.