Is Your XDR Strategy Incomplete?

Why you can’t have XDR without NDR.

Gentlemen looking at 2 monitors in NOC

What is extended detection and response (XDR)? There is a lot of confusion as to what XDR is, and some people are asking whether we simply ran out of letters for acronyms. Many are even thinking that XDR is a product or the evolution of endpoint detection and response (EDR), but that’s not necessarily the case either. Rather, we need to start thinking of XDR as a strategy, and not a product. XDR consists of a combination of security-related telemetries, in combination with high-fidelity detections, to deliver faster and more effective incident response.

To implement an effective XDR strategy, you need to understand the different types of XDR. There is a proprietary XDR strategy, which focuses on a single vendor or an “all-in-one” platform providing telemetry from a single vendor’s different products—for example, that vendor’s firewalls, EDR, network detection and response (NDR), and so on (more on why that may not be the best approach later). And then there is an open XDR strategy, which consists of multiple vendors, or “best-of-breed” technologies or tools that provide multiple types of telemetry from different types of products (for example firewall, intrusion detection system [IDS], EDR, and NDR) and vendors (CrowdStrike, Palo Alto Networks, and NETSCOUT, for example).

Many organizations believe having an EDR-centric XDR strategy suffices, but that causes a single-point-of-blindness issue. If you lose visibility with that EDR agent, you have nowhere else to go to find or investigate a potential critical breach. With this single-focused telemetry strategy, all adversaries need to do is evade one technology or evade one defense, and they will have their way inside the network.

For example, modern-day attackers are consistently using evasion techniques, polymorphism, and encryption, modification or deletion of Windows registry or log files, fileless malware, and exfiltrating bite-sized data cloaked in common protocols or services—all of which are difficult to detect using EDR agents alone.

Network Telemetry Sees It All
The one type of telemetry that will see all this movement and provide you with complete visibility is network telemetry. If all endpoints need to connect to the network for functionality and communication, doesn’t it seem to reason we should focus on being able to view that traffic?

Here are some of the benefits network telemetry provides:

  • The network doesn’t focus on endpoints; it focuses on traffic. This makes it much harder for adversaries to evade detection as they traverse the network.
  • With network data, there are no “agents” needed. You can apply probes at strategic points or choke holds in your network. Also, you can apply these technologies in places you are unable to with EDR agents such as Internet of Things (IoT) devices.
  • The network cannot be turned off: It is always on and will always be able to view or monitor questionable behavior, allowing you to be closer to the event.
  • The network is the perfect level at which to respond to threats—for example, instituting a blocking policy in a firewall.
  • With the right partner, cloud-capable NDR technologies provide you visibility in cloud, on-premises, and hybrid cloud environments.

As XDR continuously evolves, so must the providers of network telemetry. Not all NDR technologies are alike: There is both legacy NDR and advanced NDR. The table below provides a breakdown of the main distinctions between a legacy NDR solution and an advanced NDR solution, with the biggest difference between them being the quality of data.

Differences Between Legacy and Advanced NDR

Characteristic

Legacy NDR

Advanced, DPI-based NDR

Source of data

Heavy use of NetFlow or limited use of packets

All packets, including encrypted and hybrid cloud

Packet capture performance

Snippets of traffic, only after alert, not full line rate, packet slicing

Continuous (before, during, and after attack) line rate and full packet capture

Metadata extraction, storage, and analytics

Limited extraction of metadata, raw packets require massive amounts of storage, cumbersome analytics

Real-time extraction and local storage of layer 2–7 metadata from packets, intelligent indexing, and packet compression enable more long-term storage and responsive analytics

Detection and response capabilities

Just detection; response actions may be orchestrated via another platform but are likely not integrated

Detection plus integration with blocking devices (firewalls, DDoS protection)

Integration

Little integration into existing security stack, siloed data

Full integration into security stack, including export of metadata for combination with other datasets and custom analysis

Why NETSCOUT  

NETSCOUT believes in achieving what we call Visibility Without Borders. This is achieved by using our scalable deep packet inspection (DPI) and patented Adaptive Service Intelligence (ASI) technology, which converts raw network packets into a rich source of locally stored, compressed packets and layer 2-7 metadata in real-time.
  
NETSCOUT calls this combination of packet data and metadata Smart Data, which includes: 

  • Key performance indicators (KPIs) such as network or application error codes, response times, and results of cyberthreat analytics at the time of packet capture
  • Server discovery metadata along with details of all conversations between clients and services (for example, attributes of source and destination IP addresses, ports, and IP protocols)
  • Protocol-specific details, such as TCP (flags, response/latency times, and so forth), DNS (domain queries and responses, response codes, sizes, flags, and so forth), HTTP/S (such as error codes, URLs, and user-agent metadata), and TLS (such as error codes, certificate information, and cipher suite) 

ASI technology removes the burden associated with packet analysis by automatically uncovering intelligence that exists within the network packet. 

NETSCOUT uses this market-leading, patented technology to offer a scalable DPI-based NDR solution known as Omnis Cyber Intelligence. NETSCOUT gives you the most comprehensive attack surface observability in the industry and provides continuous intelligence, with real-time detection of all network activity, so you can halt attackers in their tracks.


To learn more about how endpoint and network data combine for a more cohesive security approach, read the SANS white paper “XDR Doesn’t Exist Without NDR.”