“Securing devices is important, but it’s not enough. We should also be focused on securing individuals. We can enhance your experience and security by letting you become the password.”

Bret Arsenault, Microsoft’s CISO
A comprehensive approach to ransomware requires great tools
Many of the CISOs I talk with are taking a palette approach to attack prevention and detection, using layers of vendor solutions that cover vulnerability testing, perimeter testing, automated monitoring, endpoint security, identity protection, and so on. For some, this is intentional redundancy: the layers are stacked like slices of Swiss cheese in the hope that the holes won’t line up and any one gap will be covered by another layer.
Our experience has shown that this diversity can complicate remediation efforts, potentially creating more risk exposure. As one CISO notes, the downside of assembling multiple solutions is a lack of visibility due to fragmentation:

“I do have a best-in-breed approach, which in itself presents certain challenges because then there is a lack of insight into aggregate risks because you have these independent consoles that you’re managing threats, and not having this aggregate view of what is going on in your place.” (Healthcare, 1,100 employees)

With attackers weaving a complex web that extends across multiple disparate solutions, it can be hard to get a complete picture of the kill chain, identify the extent of the compromise, and fully root out any malware payloads. Stopping an attack in progress requires the ability to look across multiple vectors to detect, deter, and contain or remediate attacks in real time.
The bottom line

A comprehensive, integrated solution helps you manage vulnerabilities so you can reduce your attack surface and distinguish the critical signals from the noise. This simplicity is crucial for organizations struggling to distinguish a real threat from the steady stream of alerts and false positives.
Extended detection and response (XDR)

Many security leaders are turning to extended detection and response (XDR) for this cross-platform vantage point. XDR helps coordinate signals across the entire ecosystem—not just endpoints—to facilitate faster detection and response to sophisticated threats.
XDR works like endpoint detection and response (EDR) but covers more ground, extending threat detection and incident response across the entire digital environment—identities, infrastructure, apps, data, networks, clouds, and more. This expansive scope is critical given the sophistication of modern attacks, which take advantage of today’s complex, distributed environment to move laterally across domains: attacks increasingly proceed in a non-linear fashion, hopping between different clouds, email, SaaS applications, and other services rather than following a single path.
XDR can help you bring the data from all your disparate systems together so you can see the entire incident from end to end. Point solutions can make this comprehensive visibility difficult because they only show part of the attack and rely on an often-overwhelmed security team to manually correlate multiple threat signals from different portals. Ultimately, this can make it time-consuming to fully remediate a threat—and in some cases, even impossible.
Making the leap from EDR to XDR

The promise of XDR remains unrealized by most. Many CISOs we talk to have implemented a powerful starting point in EDR. EDR is a proven asset: we have seen that current endpoint detection and response users have a track record of detecting and stopping ransomware faster.
However, because XDR is an evolution of EDR, some CISOs remain skeptical about XDR’s utility. Is XDR just EDR with some point solutions tacked on? Do I really need to use an entirely separate solution? Or will my EDR eventually offer the same capabilities? The current market for XDR solutions adds further confusion as vendors race to add XDR offerings to their product portfolios. Some vendors are expanding their EDR tool to incorporate additional threat data, while others are focused on building dedicated XDR platforms. The latter are built from the ground up to deliver out-of-the-box integration and capabilities centered on the needs of the security analyst, leaving the fewest gaps for your team to fill in manually.

The bottom line
XDR is so compelling in today’s security environment because of its coverage and speed in detecting and containing threats. As ransomware and other malicious attacks become more and more common (one interviewee stated that his org is attacked on average daily), security leaders see automation as a critical tool, offering 24/7 monitoring and near real-time response.
Automation

Use automation to elevate your team’s impact

Faced with a security talent shortage and the need to respond quickly to contain threats, we have encouraged leaders to employ automation to help free up their people to focus on defending against the worst threats instead of handling mundane tasks like resetting passwords. Interestingly, many of the security leaders I talked to mention that they’re not taking full advantage of automated capabilities yet. In some cases, security leaders aren’t fully aware of the opportunity; others hesitate to embrace automation for fear of losing control, inviting inaccuracy, or sacrificing visibility into threats. The latter is a very legitimate concern. However, we’re seeing the effective automation adopters achieve just the opposite—more control, fewer false positives, less noise, and more actionable insight—by deploying automation alongside the security team to guide and focus the team’s efforts.

Automation covers a range of capabilities, from basic automated administrative tasks to smart machine learning-enabled risk assessment. Most CISOs report adopting the former, event-triggered or rule-based automation, but fewer have taken advantage of built-in artificial intelligence and machine learning capabilities that enable real-time, risk-based access decisions. Certainly, automating routine tasks helps free up the security team to focus on the more strategic thinking that humans do best. But it’s in this strategic realm—in triaging incident response, to name one example—that automation has the most potential to empower the security team as a data-crunching, pattern-matching, intelligent partner. For example, AI and automation are adept at correlating security signals to support comprehensive detection and response to a breach. About half of the security practitioners we recently surveyed say they have to manually correlate signals.[1] This is incredibly time-consuming and makes it almost impossible to respond quickly enough to contain an attack. With the right application of automation—such as the correlation of security signals—attacks can often be detected in near real time.
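The cross-domain correlation that the XDR and automation sections describe, as an added illustration that is not code from the original article or from any Microsoft product: signals from three separate consoles (identity, endpoint, email) are stitched into one incident when they share a user and fall inside a time window, and the incident is ranked by how many domains it spans. The sample signals and their field names are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample signals from three separate consoles (identity, endpoint, email).
# Field names are hypothetical; real products each use their own schema.
SIGNALS = [
    {"ts": "2024-05-01T09:02:00", "source": "identity", "user": "alice", "host": None,
     "detail": "sign-in from unfamiliar location"},
    {"ts": "2024-05-01T09:05:00", "source": "email", "user": "alice", "host": None,
     "detail": "clicked URL later flagged as malicious"},
    {"ts": "2024-05-01T09:11:00", "source": "endpoint", "user": "alice", "host": "WS-0142",
     "detail": "office app spawned script interpreter"},
    {"ts": "2024-05-01T13:40:00", "source": "endpoint", "user": "bob", "host": "WS-0199",
     "detail": "blocked known-bad hash"},
    {"ts": "2024-05-02T09:03:00", "source": "identity", "user": "alice", "host": None,
     "detail": "password reset"},  # next day: outside the window, must not join the chain
]

def _summarise(user, evts):
    """Collapse a chain of related signals into one incident record."""
    sources = sorted({e["source"] for e in evts})
    priority = "high" if len(sources) >= 3 else "medium" if len(sources) == 2 else "low"
    return {"user": user, "start": evts[0]["ts"], "end": evts[-1]["ts"], "sources": sources,
            "domains": len(sources), "steps": [e["detail"] for e in evts], "priority": priority}

def correlate(signals, window_minutes=60):
    """Group signals that share a user and arrive within window_minutes of the previous
    signal into incidents. Incidents spanning the most domains are returned first, which
    is the 'kill chain across consoles' view an analyst would otherwise assemble by hand."""
    by_user = defaultdict(list)
    for s in sorted(signals, key=lambda e: e["ts"]):
        by_user[s["user"]].append(s)
    incidents = []
    for user, evts in by_user.items():
        chain = [evts[0]]
        for e in evts[1:]:
            gap = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(chain[-1]["ts"])
            if gap <= timedelta(minutes=window_minutes):
                chain.append(e)
            else:
                incidents.append(_summarise(user, chain))
                chain = [e]
        incidents.append(_summarise(user, chain))
    return sorted(incidents, key=lambda i: -i["domains"])

if __name__ == "__main__":
    for inc in correlate(SIGNALS):
        print(inc["priority"], inc["user"], inc["sources"], inc["start"], "->", inc["end"])
```

Run on the constructed data, the three alice signals from the same morning become a single high-priority incident covering all three domains, while the next-day password reset and bob's isolated endpoint block stay as separate low-priority items.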
“We need AI because we have thin profit margins and can’t hire too many people.”

Restaurant/hospitality, 6,000 employees

We’ve found many security teams are under-utilizing the automation built into existing solutions they already use. In many cases, applying automation is as easy (and high-impact!) as configuring available features like replacing fixed-rule access policies with risk-based conditional access policies, creating response playbooks, etc.
CISOs who choose to forgo the opportunities of automation often do so out of distrust, citing concerns about the system making irrecoverable errors while operating without human oversight. Some of the potential scenarios include a system inappropriately deleting user data, inconveniencing an executive who needs access to the system, or, worse, leading to a loss of control or visibility over a vulnerability that has been exploited.
“Whenever we try to put things in place that are automatic, it sometimes scares me because what am I overwriting? What am I recovering from? Well, what, what made this action come into play?”

Financial services, 1,125 employees

But security tends to be a balance between daily small inconveniences weighed against the constant threat of a catastrophic attack. Automation has the potential to serve as an early warning system for such an attack, and its inconveniences can be mitigated or eliminated. Besides, automation at its best does not run on its own but alongside human operators, where its artificial intelligence can both inform and be checked by human intelligence.
To help ensure a smooth deployment, we’ve been adding report-only modes to our solutions in order to offer a trial run before rollout. This allows the security team to implement automation at their own pace, fine-tuning automation rules and monitoring the automated tools’ performance.
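An added sketch of the two ideas in this section, the fixed-rule access policy versus a risk-based conditional access policy, and a report-only mode that records the decision without applying it. It is illustrative code written for this page, not Microsoft's Conditional Access implementation; the sign-in fields, the risk tiers and the allow-list are assumptions.

```python
from dataclasses import dataclass

# Assumed allow-list used by the legacy fixed rule; any real policy would be tenant-specific.
ALLOWED_COUNTRIES = {"US", "CA"}

@dataclass
class SignIn:
    """Constructed risk signals for one sign-in attempt (hypothetical field names)."""
    user: str
    mfa_registered: bool
    new_device: bool
    impossible_travel: bool
    leaked_credential: bool
    country: str

def risk_level(s: SignIn) -> str:
    """Combine signals into a tier. A leaked credential is high regardless of anything else;
    travel anomalies or an unknown device from an unexpected country are medium."""
    if s.leaked_credential:
        return "high"
    if s.impossible_travel or (s.new_device and s.country not in ALLOWED_COUNTRIES):
        return "medium"
    return "low"

def fixed_rule_policy(s: SignIn) -> str:
    """The fixed-rule policy the text contrasts with: geography decides, risk signals are ignored."""
    return "allow" if s.country in ALLOWED_COUNTRIES else "block"

def risk_based_policy(s: SignIn, mode: str = "enforce") -> dict:
    """Risk-based conditional access. Medium risk is challenged with MFA (or blocked when the
    user has none registered); high risk is blocked. In report-only mode the decision is
    recorded as 'would_apply' but the sign-in is allowed, giving the trial run before rollout."""
    risk = risk_level(s)
    decision = {"high": "block", "medium": "require_mfa", "low": "allow"}[risk]
    if decision == "require_mfa" and not s.mfa_registered:
        decision = "block"
    applied = "allow" if mode == "report-only" else decision
    return {"user": s.user, "risk": risk, "mode": mode, "applied": applied, "would_apply": decision}

if __name__ == "__main__":
    traveller = SignIn("alice", True, True, False, False, "DE")   # legitimate trip abroad
    leaked = SignIn("bob", True, False, False, True, "US")        # credential known leaked
    for s in (traveller, leaked):
        print(s.user, "fixed:", fixed_rule_policy(s), "risk-based:", risk_based_policy(s))
        print(s.user, "report-only:", risk_based_policy(s, mode="report-only"))
```

The constructed cases show why the text favours the risk-based policy: the fixed rule blocks a legitimate traveller yet allows a leaked credential from an approved country, while the risk-based policy challenges the first and blocks the second, and report-only mode lets the team see those outcomes before enforcing them.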
The security leaders who are using automation most effectively deploy it alongside their team to fill gaps and serve as a first line of defense. As one CISO recently told me, it’s nearly impossible and prohibitively expensive to have a security team focused everywhere at all times—and even if it were, security teams are prone to frequent turnover. Automation provides a layer of always-on continuity and consistency to support the security team in areas that require this consistency, such as traffic monitoring and early warning systems. Deployed in this supportive capacity, automation helps free the team from manually reviewing logs and systems and allows them to be more proactive. Automation doesn’t replace humans—these are tools that empower your people to prioritize alerts and focus their efforts where it counts most.
The bottom line

The most powerful defense strategy combines AI and automated tools with the more nuanced vigilance and tactical response of a security team. Beyond the immediate benefits of completing tasks and taking immediate action to contain an attack, automation helps empower the team to manage their time and coordinate resources more effectively, so they can focus on higher-order investigative and remediating activities.
All cited Microsoft research uses independent research firms to contact security professionals for both quantitative and qualitative studies, ensuring privacy protections and analytical rigor. Quotes and findings included in this document, unless specified otherwise, are a result of Microsoft research studies.
1. 2021 Microsoft research study of CISOs and security practitioners

CISO Insider Issue 2: Extended detection response (XDR) and ransomware | Security Insider