The Human Element and Why it Matters More Than Ever in the Age of XDR

According to a recent Enterprise Strategy Group (ESG) survey, 38 percent of cybersecurity professionals believe extended detection and response (XDR) can provide a centralized management hub for security operations, while 42 percent want an XDR solution that simplifies the visualization of complex attacks across the cyber kill chain. Momentum towards XDR is building as companies realize it is a step beyond EDR and SIEM platforms. XDR's advantage is that it links related security events into a story that enables analysts to identify real threats clearly and quickly.

But XDR can also be an overly complex tool that requires subject-matter expertise to achieve optimal detection and response outcomes across an enterprise environment with a variety of endpoints and extensive cloud and on-premises networks. Enterprises need human expertise to simplify working with industry-leading XDR platforms such as Palo Alto Networks' Cortex XDR and to properly tune and manage the security infrastructure. It is these threat hunting and forensic specialists who take XDR from another product layer in the security stack to a fluid and comprehensive security approach, one that can shrink time to detect (TTD) and median time to respond (MTTR) and deny an attacker the ability to move beyond the initial intrusion.

Palo Alto Networks notes that Cortex XDR is better utilized when working with a managed detection and response (MDR) partner that applies best practices in alert management, threat investigation, incident response and threat hunting. Such a partner can fine-tune Cortex XDR for each environment and have a mature security operations center (SOC) up and running in days. Palo Alto Networks also reports that when working with one of its MDR partners, client security teams need to look at fewer than seven percent of their alerts.

An MDR partner brings a specific skillset to XDR that helps those using the technology realize its full potential. That expertise includes:

  • The operating systems in use across the environment
  • The dependencies and integrations that feed the XDR platform and how they fit together
  • How to interpret incidents coming from XDR and distinguish normal from concerning behavior across the network and every application the organization uses
  • How to efficiently perform a proper investigation of an incident that can contain upwards of 50-60 related alerts, and how to mount the proper response

These are not skills an organization can hire straight out of college. Two full-time employees with skills in the above areas may cost an organization over $150,000 per year plus benefits, and in most cases still could not provide 24x7 security coverage. Working with an MDR provider makes more financial sense, but more importantly it enables an XDR platform to tell the story it has been waiting to tell.

How the right MDR team can read the XDR story

The core strength of XDR is that it links related incidents into a cohesive narrative of what is really happening within a network. But that story may be told across anywhere from ten to 50-60 related alerts. When a company tries to operationalize XDR with its internal team, the team may see a high or critical alert and investigate it immediately, while alerts ranked medium, low or merely informational are put off for several hours, because the team lacks the experience to read the full story that points to an attacker who is already active and spreading through the environment. To use Cortex XDR effectively, every alert must be treated equally, with the expertise to understand how each contributes to the picture of the entire security event.

At Critical Start, our MDR services were purpose-built to simplify security and shrink risk with continuous threat detection and response coverage and resolution of all alerts across a diverse IT environment. We deliver on this by:

  • Baselining the environment and adapting playbooks to specific needs
  • Ingesting and resolving all alerts—Critical, High, Medium, and Low
  • Continuously optimizing the detections coming from security tools
  • Correlating richer contextual insights across the environment to identify threats
  • Producing a quick reduction in false positives on day one to ensure identification of real threats and accurate decisions on response actions

For our customers, we have solved the complexity of defending against multi-vector cyberattacks by combining an advanced analytics and automation platform with human expertise.

How to find the right MDR team

The security and business case for using MDR to get the most out of XDR gets stronger with each examination. The whole premise of XDR is that it identifies threats faster and provides the information needed for the fastest possible response. But MDR only pays off if you work with a provider that has the right expertise, tools, processes and methodology, and that can adapt to your environment so that comprehensive visibility is combined with an aggressive and proactive response. Here is a suggested list of questions to ask prospective MDR providers.

  1. Do you provide 24x7x365 MDR services?
  2. Is your service delivered by highly trained and experienced XDR certified SOC analysts?
  3. Do you investigate every XDR incident and alert?
  4. Is every XDR incident and alert treated as critical?
  5. How long does your team take to respond to alerts?
    1. Are there contractual obligations around this?
  6. Will my company have access to your SOC as needed or is that an additional charge?
  7. Are playbooks and SOC operations personalized for my organization?  
  8. Does your service provide 100% consolidated visibility into a single portal? 
  9. Does your service configure and tune my tools?
  10. Do you have a mobile application?
    1. Can investigation and response to alerts be actioned from our phones?

When all is said and done, the MDR provider you ultimately select to operationalize your XDR should help you simplify your security by going beyond alerts to see attacks across hybrid device types and operating systems, stop the most advanced attacks, reduce risk exposure, eliminate alert fatigue and optimize security operations center (SOC) efficiency.

Critical Start does this for our customers by using our Zero Trust Analytics Platform™ (ZTAP™) and Trusted Behavior Registry™ (TBR) to ensure that actionable visibility comes out of XDR. The process looks like this:

  1. ZTAP ingests, normalizes and aggregates every endpoint incident from Palo Alto Networks Cortex XDR
  2. It removes alert prioritization, so every alert is examined regardless of severity
  3. It compares every alert against the known-good behaviors in the TBR, where playbooks auto-resolve the alerts that match
  4. It escalates any unknown threat to the SOC for human-led forensic analysis
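The four steps above, together with the earlier point that an attack's story is spread across alerts of every severity, are modelled in the Python example below. It is an added illustration written for this article; it is not Critical Start's ZTAP or TBR code and it does not call the Cortex XDR API. The alert fields (host, process, parent, cmdline, causality_id), the sample alerts and the registry entries are all constructed for the example.

```python
# Added example for this article: triage alerts of every severity against a
# known-good registry and escalate the rest, grouped by process tree, to a human.
# Not Critical Start's ZTAP/TBR code and not the Cortex XDR API; the alert
# fields, sample alerts and registry entries below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

SEVERITIES = ("informational", "low", "medium", "high", "critical")
Chains = Dict[Tuple[str, str], List["Alert"]]  # (host, causality_id) -> alerts

@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    severity: str
    process: str       # image name of the process the alert fired on
    parent: str        # image name of its parent process
    cmdline: str
    causality_id: str  # assumed field: shared by all alerts from one process tree


@dataclass(frozen=True)
class TrustedBehavior:
    """One registry entry; each field is a glob and all must match. Keep entries
    narrow (process AND parent AND command line), or they also resolve attackers."""
    name: str
    process: str
    parent: str
    cmdline: str = "*"
    host: str = "*"

    def matches(self, a: Alert) -> bool:
        return all(fnmatchcase(have, want) for have, want in (
            (a.host, self.host), (a.process, self.process),
            (a.parent, self.parent), (a.cmdline, self.cmdline)))


def normalize(raw: dict) -> Alert:
    """Step 1: one shape for every alert (trimmed, lower-cased, severity validated)."""
    sev = raw["severity"].strip().lower()
    if sev not in SEVERITIES:
        raise ValueError(f"unknown severity {raw['severity']!r} on {raw['id']}")
    clean = lambda s: " ".join(s.split()).lower()
    return Alert(raw["id"], clean(raw["host"]), sev, clean(raw["process"]),
                 clean(raw["parent"]), clean(raw["cmdline"]), raw["causality_id"])


def triage(raw_alerts: List[dict], registry: List[TrustedBehavior]
           ) -> Tuple[List[Tuple[str, str]], Chains]:
    """Steps 2-4: admit every alert regardless of severity, auto-resolve those that
    match a trusted behavior, and group the rest by (host, causality_id) so the
    analyst receives the whole chain rather than isolated alerts."""
    resolved: List[Tuple[str, str]] = []          # (alert_id, registry entry name)
    escalated: Chains = defaultdict(list)
    for raw in raw_alerts:
        a = normalize(raw)
        match = next((t for t in registry if t.matches(a)), None)
        if match is None:
            escalated[(a.host, a.causality_id)].append(a)
        else:
            resolved.append((a.alert_id, match.name))
    return resolved, dict(escalated)


def summarize(escalated: Chains) -> List[str]:
    """One line per escalated chain with the severities it spans: the informational
    and low alerts are what turn a lone 'high' into a story."""
    lines = []
    for (host, cid), alerts in escalated.items():
        sevs = sorted({a.severity for a in alerts}, key=SEVERITIES.index)
        chain = " -> ".join(f"{a.parent}>{a.process}" for a in alerts)
        lines.append(f"{host} {cid}: {len(alerts)} alerts [{', '.join(sevs)}] {chain}")
    return lines

# Constructed sample input, not real Cortex XDR output.
FIELDS = ("id", "host", "severity", "process", "parent", "cmdline", "causality_id")
RAW_ALERTS = [dict(zip(FIELDS, row)) for row in [
    ("a1", "WS-07", "Informational", "powershell.exe", "winword.exe", "powershell -nop -w hidden -enc <base64>", "c-1"),
    ("a2", "WS-07", "Low", "rundll32.exe", "powershell.exe", "rundll32 c:\\users\\public\\x.dll,run", "c-1"),
    ("a3", "WS-07", "High", "procdump.exe", "powershell.exe", "procdump -ma lsass.exe out.dmp", "c-1"),
    ("a4", "WS-07", "Low", "msiexec.exe", "services.exe", "msiexec /i agent-update.msi /qn", "c-2"),
    ("a5", "SRV-01", "Medium", "backupagent.exe", "services.exe", "backupagent --full --target nas01", "c-3"),
    ("a6", "SRV-01", "Informational", "cmd.exe", "sqlservr.exe", "cmd /c whoami", "c-4"),
]]
TRUSTED = [
    TrustedBehavior("patch install by the service control manager", process="msiexec.exe",
                    parent="services.exe", cmdline="msiexec /i *.msi /qn"),
    TrustedBehavior("backup agent full run on servers", process="backupagent.exe",
                    parent="services.exe", host="srv-*"),
]

if __name__ == "__main__":
    resolved, escalated = triage(RAW_ALERTS, TRUSTED)
    for alert_id, why in resolved:
        print(f"auto-resolved {alert_id}: {why}")
    for line in summarize(escalated):
        print("escalate:", line)
```

Run as-is, the two registry matches (the msiexec patch install and the server backup agent) are auto-resolved, while the workstation chain winword.exe > powershell.exe > rundll32.exe / procdump.exe is escalated as one unit even though two of its three alerts are only informational or low. The registry entries are deliberately keyed on process, parent and command line together; an entry that trusted powershell.exe on its own would auto-resolve the first alert of that chain, which is the failure mode a loosely tuned allowlist produces in practice.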

That last step is why human knowledge and expertise are so critical to ensuring that XDR performs at its best.

The Critical Start approach to human-led investigation and response through Palo Alto Networks' Cortex XDR looks like this:

  • 24x7x365 MDR services delivered by highly trained and experienced Cortex XDR certified analysts
  • U.S.-based, SOC 2 Type 2 certified SOC to investigate, escalate, contain and respond to threats
  • Seasoned security expertise applied to our MDR approach and platform to:
    • Help operationalize Cortex XDR for optimal outcomes
    • Curate, build and apply use cases
    • Sustain and improve ZTAP, our purpose-built MDR platform

Additionally, our Cyber Research Unit stays ahead of the latest threats your organization may face. The unit manages, maintains and curates the Cortex XDR out-of-the-box detections and Behavioral Indicators of Compromise (BIOCs). Critical Start also maintains its own proprietary detections and BIOCs, mapped to the MITRE ATT&CK® framework, and curates original and third-party threat intelligence to develop new ones. The reality is that when it comes to XDR, it is the human element that brings the protection this technology offers up to its full potential. Critical Start has a 99 percent SOC retention rate, which speaks to the value we place on our team and yours. If you would like to learn more about how the two can work together to put an XDR shield around your own environment, visit our website and contact one of our MDR for XDR experts.


©2020 CRITICALSTART.

CRITICALSTART® and MOBILESOC® are federally registered trademarks owned by Critical Start. Critical Start also claims trademark rights in the following: ZTAP™, Zero Trust Analytics Platform™, and Trusted Behavior Registry™. Any unauthorized use is expressly prohibited.