INTERPOL’s ASEAN Cyberthreat Assessment 2021 report outlines how cybercrime’s upward trend is set to rise exponentially, with organised cyber criminals sharing resources and expertise to their advantage. We’ve similarly witnessed an increase in the sophistication of cyber attacks while, in parallel, breakout time has been decreasing. Breakout time is how long it takes an adversary to move laterally within an organisation, from the first compromised host to the next. 

This is an important defensive metric to track because once an adversary has moved laterally within an organisation, it becomes progressively harder and more expensive to detect and respond to the attack. The CrowdStrike Global Threat Report noted a breakout time of 9 hours and 42 minutes in 2018; by 2021 this had decreased to 1 hour and 38 minutes. 

In response to the growing risk of cyber threats, organisations are shifting their security capabilities to a more dynamic approach that enables efficient and effective threat detection, investigation, response, and hunting in real time. 

As such, we’re seeing increasing momentum behind extended detection and response (XDR) capabilities. XDR enables an organisation to proactively protect itself against cyber threats by providing unified visibility across multiple domains, minimising data duplication and false positives, and offering automated and orchestrated response capabilities. Ultimately, XDR is about obtaining better detection and response outcomes across all the relevant technology domains within an organisation. 

Unfortunately, not all XDR solutions are built the same, which creates uncertainty in the cybersecurity industry and inevitably puts organisations at risk.

False XDR harms security teams

Many organisations are struggling under a deluge of security data, and some of the XDR solutions on the market compound these issues for security teams by flooding them with more low-quality security alerts. In the worst case, security teams may even miss ongoing attacks because the information they require is buried under false-positive alerts.

It is a common misconception that ‘upgrading’ an old solution to XDR by adding more network data, security information and event management (SIEM) capabilities, automation, or integration with other EDR solutions makes for an effective XDR solution. From a technical perspective it appears logical, but it is crucial to note that adding more data points without helping teams glean actionable insights does not make a solution more effective.

Cyber attacks will only continue to grow in scale and sophistication, and more meticulous work is needed on the backend for security teams to sift through semantic gaps and piece together the full scope of incidents and their protracted trails of lateral movement across every vector and touchpoint. More and more data by itself is not going to help stretched security teams fill these gaps.

The true XDR approach

XDR should start with EDR as the cornerstone before integrating and correlating data across the endpoint, identity, intelligence, data security and cloud workloads. It should solve the problem of alert fatigue, not exacerbate it. Like EDR, one of XDR’s primary functions should be to cut down the noise and simplify overly complex and resource-draining processes, giving security teams time to focus on the alerts that matter.

The fundamental problem here is that XDR is too often approached without its core tenets in mind. What many organisations fail to realise is that it’s a natural evolution of EDR, not an entirely new, rebranded solution. That’s the first and foremost thing organisations need to get right.

When building up to XDR from EDR, a good question to keep in mind is how the proposed solution addresses the challenge of semantic gaps. XDR is not just about ingesting more data. It is about connecting a chain of events or activities, and about dealing with problems like missing data, reconciling contradictory data from varying sources, and entity aliases, all in an environment where the data represents rapid changes over a short period. 
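To make the semantic-gap problem concrete, the following added example (not from the article or from CrowdStrike) joins constructed endpoint telemetry keyed by hostname with constructed identity telemetry keyed by IP address, resolves the aliases through a constructed asset inventory, chains the events for one actor, and derives the breakout time defined at the top of the article. Events whose host cannot be resolved are reported as gaps rather than silently dropped or guessed; all names, hosts and timestamps are made up.

```python
from datetime import datetime

# Constructed asset inventory: every known alias of a machine maps to one
# canonical name, so endpoint and identity telemetry can be joined on it.
ALIASES = {
    "ws-042": "ws-042", "WS-042.corp.example": "ws-042", "10.1.2.42": "ws-042",
    "fs-01": "fs-01", "10.1.5.10": "fs-01",
}

# Constructed telemetry. EDR events carry hostnames; identity events carry IPs.
EDR_EVENTS = [
    {"ts": "2021-06-01T09:00:00", "host": "WS-042.corp.example", "user": "alice", "type": "malware_detected"},
    {"ts": "2021-06-01T09:30:00", "host": "ws-042", "user": "alice", "type": "credential_dump"},
]
IDENTITY_EVENTS = [
    {"ts": "2021-06-01T09:45:00", "src_ip": "10.1.2.42", "dst_ip": "10.1.5.10", "user": "alice", "type": "remote_logon"},
    {"ts": "2021-06-01T10:10:00", "src_ip": "10.9.9.9", "dst_ip": "10.1.5.10", "user": "bob", "type": "remote_logon"},
]

def unify(edr, identity, aliases=ALIASES):
    """Merge both sources into one timeline keyed by canonical host.
    Returns (timeline sorted by time, events whose source host is unknown)."""
    timeline = []
    for e in edr:
        timeline.append({"ts": datetime.fromisoformat(e["ts"]), "host": aliases.get(e["host"]),
                         "peer": None, "user": e["user"], "type": e["type"]})
    for e in identity:
        timeline.append({"ts": datetime.fromisoformat(e["ts"]), "host": aliases.get(e["src_ip"]),
                         "peer": aliases.get(e["dst_ip"]), "user": e["user"], "type": e["type"]})
    resolved = [e for e in timeline if e["host"] is not None]
    unresolved = [e for e in timeline if e["host"] is None]  # missing data: report it, don't guess
    return sorted(resolved, key=lambda e: e["ts"]), unresolved

def breakout_seconds(timeline, first_alert_type="malware_detected"):
    """Seconds from the first detection on the initial host to the first event in
    which the same user reaches a different host. None when no lateral chain exists."""
    start = next((e for e in timeline if e["type"] == first_alert_type), None)
    if start is None:
        return None
    for e in timeline:
        if e["ts"] < start["ts"] or e["user"] != start["user"]:
            continue
        # Lateral movement: the actor's activity now touches a host other than patient zero.
        reached = e["peer"] if e["peer"] is not None else e["host"]
        if reached != start["host"]:
            return int((e["ts"] - start["ts"]).total_seconds())
    return None

if __name__ == "__main__":
    tl, gaps = unify(EDR_EVENTS, IDENTITY_EVENTS)
    print("breakout seconds:", breakout_seconds(tl), "| unresolved events:", len(gaps))
```

With the constructed data, the 09:00 detection on ws-042 and the 09:45 logon from ws-042 to fs-01 by the same user chain into a 45-minute breakout time, while the logon from the unknown address is surfaced as an unresolved gap.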

Pros of streamlining data intelligence

True XDR actively narrows the scope of the data it needs to ingest and correlates events in a way that makes it simpler for incident responders to see what’s occurring and determine a course of action in real time. XDR can provide significant efficiency benefits to an organisation by triaging across disparate and disconnected security tools and platforms. The same logical prioritisation concepts that have traditionally been applied to EDR are extended to XDR.

This has advantages beyond simply detecting more threats more quickly. Providing your security team with the means to achieve faster and more efficient workflows leads to tertiary benefits such as higher job satisfaction, reduced burnout, and improved staff retention. Given that 69% of APJ CEOs are now engaged in cybersecurity interactions either weekly or bi-weekly, it also provides an opportunity to drive more efficient business outcomes and get more out of security investments.

At a time when Asia is plagued by a cybersecurity talent crunch, teams are looking for more efficient ways to conduct their work. Most recently, the Singapore and British governments signed an MoU to collaborate on improving cybersecurity professional development and building a cyber security skills base. XDR tips the scales of efficiency back in the favour of security teams, but only if approached with the right principles in mind. 

No organisation is immune from cyberattacks. There is no better time than now to prioritise cybersecurity, bring security teams closer and expand awareness of security fundamentals. 

This article was contributed by Fabio Fratucello, CTO APJ for CrowdStrike

About the author

Fabio is a technology and security executive with over 25 years of international experience working for private companies and large multinationals, in a variety of management, technical and advisory roles.

Currently, Fabio is the Chief Technology Officer for the Asia-Pacific & Japan region at CrowdStrike, working on accelerating growth and driving strategic direction, technology innovation and partnerships around the globe. Fabio is also responsible for developing and executing on CrowdStrike’s regional technology roadmap and for helping customers develop cyber defence strategies, manage their cyber risks and be successful on their cyber journey.

Prior to this role, Fabio had a prolific career in the financial services industry, having held a number of CSO and executive roles at Insurance Australia Group, HP Australia, Westpac Banking Corporation, UBS Group and Banca Intesa Sanpaolo in Australia and in Italy. In addition, Fabio was a member of the Financial Services Information Sharing and Analysis Centre (FS-ISAC) APJ Strategic Committee, setting the strategic direction within the region and coordinating the group’s threat research to identify threats that could affect the sector broadly.

Fabio has spoken at numerous conferences, customer and non-customer events across the Asia Pacific region and contributes to various government and industry associations’ initiatives on security. Fabio holds a Master of Management in Information Technology and several security and technical certifications, including CISSP, SABSA, CRISC and CPDSE.