At SEP2, we understand that XDR can be a confusing topic, with many solutions claiming to offer unified security. In this blog, Jon Cumiskey, Head of Information Security at SEP2 shares hands-on experience to clarify what true XDR looks like, why the right SIEM platform matters, and the key factors to consider before getting started. Our goal is to help you cut through the buzzwords and make confident, informed choices for your organisation’s security.
Written by Jon Cumiskey, Head of Information Services at SEP2.
Connect on LinkedIn.
So, to get past the first – and fairly tired – complaint people have about the topic of XDR, let’s talk first about how we are defining XDR. SEP2 sees XDR as a capability that allows for unified visibility and responsive/remedial capability against cyber security threats across endpoint, identity, network and workload, whether that be on-premise, hybrid, cloud, or multi-cloud (i.e. everywhere our customers need protecting).
With that out of the way, let’s get into what we seek to actually achieve with this.
Let’s work with an example. One great benefit of an XDR-aligned posture is the ability to get full visibility across the organisation’s entire technology stack. In this example, we get an alert for a malicious DNS request that the firewall detected. Looking at the raw/enriched view, we’ve got the hostname, but the firewall isn’t going to tell you which process on the source host made the DNS request. As such, we can’t come to a conclusion as to whether the endpoint is infected or not – we can’t tell whether we need any further action. However, in an XDR ecosystem, we can go to the endpoint logs and find out that it came from the user’s web browser (chrome.exe). We can then traverse the proxy/enterprise browser logs and might discover that it was a malvertising redirect, and that the user did not follow any further links from it. If you’re missing pieces of the puzzle, you can’t build the picture.
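The pivot described above (firewall DNS alert to endpoint process to proxy history), as an added illustration that is not part of the original post or any SEP2 tooling. The three log sources are constructed sample records; hostnames, domains, field names and the verdict labels are assumptions, and the function returns a triage hint rather than a final decision.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data) for one workstation: a firewall
# DNS alert, endpoint (EDR) DNS events with the owning process, and proxy events.
FIREWALL_ALERT = {"ts": "2024-05-01T10:00:05", "src_host": "WS-042",
                  "domain": "ads-redirect.example", "rule": "malicious-dns"}
EDR_DNS_EVENTS = [
    {"ts": "2024-05-01T09:58:00", "host": "WS-042", "process": "outlook.exe", "domain": "mail.example"},
    {"ts": "2024-05-01T10:00:04", "host": "WS-042", "process": "chrome.exe", "domain": "ads-redirect.example"},
]
PROXY_EVENTS = [
    {"ts": "2024-05-01T10:00:03", "host": "WS-042", "url": "http://news.example/story", "status": 200},
    {"ts": "2024-05-01T10:00:04", "host": "WS-042", "url": "http://ads-redirect.example/go?id=1", "status": 302},
    {"ts": "2024-05-01T10:00:06", "host": "WS-042", "url": "http://news.example/story", "status": 200},
]
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")  # assumed browser process names

def _ts(s):
    return datetime.fromisoformat(s)

def _site(url):
    return url.split("/")[2]  # host part of an http(s) URL

def correlate(alert, edr_events, proxy_events, window_s=30):
    """Pivot firewall alert -> EDR process -> proxy history for the same host."""
    host, domain, when = alert["src_host"], alert["domain"], _ts(alert["ts"])
    # Layer 2: which process on the endpoint resolved the flagged domain near the alert time?
    owners = [e for e in edr_events if e["host"] == host and e["domain"] == domain
              and abs(_ts(e["ts"]) - when) <= timedelta(seconds=window_s)]
    if not owners:
        return {"process": None, "verdict": "needs_endpoint_telemetry"}
    process = owners[0]["process"].lower()
    # Layer 3: proxy requests to the flagged domain, and what the host did afterwards.
    on_host = sorted((p for p in proxy_events if p["host"] == host), key=lambda p: p["ts"])
    hits = [p for p in on_host if _site(p["url"]) == domain]
    if not hits:
        return {"process": process, "verdict": "escalate"}  # DNS with no proxy trace: unexplained
    last_hit = _ts(hits[-1]["ts"])
    before = {_site(p["url"]) for p in on_host if _ts(p["ts"]) < last_hit}
    after = {_site(p["url"]) for p in on_host if _ts(p["ts"]) > last_hit}
    new_sites = after - before - {domain}  # destinations first seen after the redirect
    redirect_only = all(300 <= p["status"] < 400 for p in hits)
    if process in BROWSERS and redirect_only and not new_sites:
        verdict = "likely_benign_redirect"  # bounced through the ad domain, nothing followed
    else:
        verdict = "escalate"
    return {"process": process, "verdict": verdict, "new_sites": sorted(new_sites)}
```

Remove the EDR events and the same alert can only come back as "needs_endpoint_telemetry", which is the missing-piece situation the paragraph describes.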
There’s also a “quality of life” factor here. We’ve previously worked a lot with tools like Microsoft Sysmon for Windows estates and things like osquery across non-Windows estates to help us answer these questions. These are great tools, but they have a lot of management overhead and weird and wonderful issues, with a lack of supportability and no ability to intelligently “de-duplicate” data. These are the scalability factors and pain points of living in that world.
Any EDR platform worth its salt (e.g. SentinelOne or Crowdstrike) is going to provide access to a data lake of endpoint telemetry. We’re all about reducing agents, so if we can leverage that necessary EDR agent for data collection and analysis inside our core analysis engine, then we’re in a great spot.
It’s also worth calling out that EDR is not a “sticky plaster” (i.e. roll out and forget). Defaults do not equate to best practice, and SEP2’s team can bring our best practice configurations to reduce the amount of investigation/research into tool best practices that your team is subject to. Many people are surprised at what the default settings on their EDR actually are.
Once that mass of EDR data is collected, it’s important that it goes into a SIEM platform that is capable not only of handling the volume of data collected, but also of using it correctly. Whatever solution is chosen, it becomes the heart of the XDR solution, so it’s key that it’s the right fit for your organisation. SEP2 chose the Google SecOps platform for this based on its flexibility and scalability, but each company may find that a different solution fits better. Not every SIEM is made equal, and some may struggle to stay functional with the amount of data collection an XDR platform requires. Ensure your platform can cope before committing to this journey.
Whatever platform you choose for XDR, remember what the goals are: unified visibility and responsive/remedial capability against cyber security threats. If we can’t see data from all angles, it’s not XDR. If we can’t unify that data and enrich it from external sources, it’s not XDR. And if you can’t use that data to properly understand and respond to a threat, then it’s not XDR.
Have questions about XDR or SIEM platforms?
Reach out to SEP2 for expert advice and discover the best solution for your business.
Follow us on LinkedIn to keep up to date with SEP2 news and updates.