By Jon Bove, Fortinet
Many organizations made rapid digital shifts last year, accelerating their timetables for cloud adoption and other innovations. These organizations are now looking back at the surge in cyberattacks, particularly ransomware, and recognizing that their digital transformation has created greater threat exposure. The network has more edges than ever, all needing to be secured. But security leaders hesitate to add to their security stack because they know that complexity creates its own challenges, challenges that can erode security.
Consequently, organizations have been rethinking their approach. Gartner found, for instance, that 80% of organizations are either currently consolidating vendors or planning to do so. As they exist today, security tools from different vendors typically work in silos. This means that security teams are left to manually correlate alerts and coordinate responses, which is time-consuming and labor-intensive. As a result, many threats can fall through the cracks.
Extended Detection And Response (XDR) And Managed Service Providers
Customers must have comprehensive visibility and control across their entire distributed networks, all the way out to remote workers and cloud-delivered applications, to stay ahead of today’s advanced threats. But at the same time, they must also address the challenge of sheer cybersecurity complexity. Extended Detection and Response (XDR) is an emerging security concept being adopted by security operations teams to help fill this gap. Gartner defines XDR as a “unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components.”
XDR solutions present an opportunity for managed service providers to offer customers a differentiated approach to what have traditionally been independent security categories: network security, endpoint security, email security, and cloud security. Through a consolidating principle such as XDR, individual security solutions from a single vendor can see, share, and analyze data, which helps teams more easily detect threats and guide a coordinated response that spans the entire attack surface. Not only does this help MSPs detect threats faster and respond more quickly, but it also enables them to do so more cost-effectively – resulting in a service offering that is both more affordable and more profitable.
How Some XDR Solutions Fail
With XDR, MSPs expect to deploy multiple products from the same vendor as part of an integrated system. However, many solutions fall short in accomplishing this due to three key challenges.
One of these challenges is that many vendors’ solutions do not span the breadth of the whole attack surface. Instead, they may cover only one or a few attack vectors, such as endpoint, cloud, email, or network, individually.
Another challenge is that even if vendors offer a full range of security products to cover the attack surface, those components may have been acquired individually over time and are only loosely integrated. In situations such as this, rather than providing a true, cohesive system, XDR instead acts as a loose compensation for the platform’s inability to interoperate.
A third significant challenge is investigation. Even if an XDR solution can correlate alerts from products across the attack surface and possibly coordinate a response, it leaves the heavy lift of investigation on the shoulders of security analysts. An effective XDR solution should be able to autonomously perform a thorough investigation to determine a threat’s validity, nature, and scope, freeing cybersecurity professionals’ time for higher-priority initiatives. Otherwise, you simply have a centralized monitoring solution like a security information and event management (SIEM) system, perhaps with a companion security orchestration, automation, and response (SOAR) capability.
And don’t get me wrong, SIEM and SOAR are powerful platforms for a well-staffed, skilled, and tooled security operations center (SOC). But the trade-off for that open approach, which can support any customer system imaginable, is that the security team needs to do the heavy lifting.
XDR Selection Criteria
When looking for an XDR solution, three key considerations to keep in mind are extended detection, extended analysis, and extended response.
Extended detection: To detect potential incidents, an XDR solution should have the capacity to leverage various security data across the attack surface and convert raw information into high-fidelity incidents.
Extended analysis: If a threat is identified, there are many steps to take and questions to answer before deciding on response actions. It should be determined whether or not the threat is real, the scope of its potential impact, the required remediation actions, and whether it could indicate a larger issue. Typically, this is something the security team would tackle. But due to the overall rise in threat and alert volume, as well as the widening cybersecurity skills gap, many teams are simply not equipped to efficiently manage every alert that comes in.
With an XDR solution that uses AI trained to automatically investigate alerts in seconds, teams can verify the full context of an incident and authorize the remediation. This not only frees up valuable human resources but also can scale and adapt to meet an organization’s changing requirements.
Extended response: A solution that can support all available security controls for conducting an automated and coordinated response is a priority. This allows the system to contain incidents at machine speed and reserve security expertise for oversight, broader risk assessment, and fundamental improvements to security posture.
The Opportunity Awaits
MSPs need every advantage possible as they compete to meet customers’ dynamic security requirements. By adding an XDR solution to the mix, you can help organizations strengthen their security while improving their own operational efficiency. You both get machine-speed security, and your security experts are freed up to help scale your service offering.
About The Author
Jon Bove is the vice president of Channel Sales at Fortinet, Inc. (FTNT). In this capacity, Bove and his team are responsible for strategizing, promoting, and driving the channel sales strategy for partners in the United States as we seek to help them build successful – and profitable – security practices. A 17-year veteran of the technology industry, Bove has held progressively responsible sales, sales leadership, and channel leadership positions. During his time at Fortinet, he has been responsible for establishing Fortinet's national partner program and aligning Fortinet's regional partner strategy to allow partners to develop Fortinet security practices with the tools and programs to successfully grow their business.