Sean Deuby

As businesses embrace hybrid work and digitization, endpoint security and identity security are moving ever closer together. Both professions are evolving, and to make the most of this evolution, people on both sides will need to cross the aisle. In a recent episode of the Hybrid Identity Protection podcast, I discuss this evolution with Remediant Cofounder and COO Paul Lanzi. We also discuss why integration between XDR and identity is a game-changer for modern security teams.

“From an identity practitioner’s perspective, endpoint security and server security have historically always been someone else’s problem. There typically hasn’t been a lot of interaction with the identity teams, but that’s changing. The endpoint security team is coming to talk to you soon, and you need to be ready.” —Paul Lanzi, Cofounder & COO, Remediant


1. Understanding the alphabet soup of endpoint security

The cybersecurity sector has a not-undeserved reputation for being laden with acronyms to a ridiculous extent. It is a veritable alphabet soup of technologies, processes, and systems. The two that are arguably the most prominent at the moment are EDR and XDR.

The basic idea of EDR—shorthand for endpoint detection and response—is simple enough. As malware authors got smarter, they learned to bypass signature-based detection and build infections that could spread far more rapidly than antivirus products could handle. EDR emerged as a response to this problem: a security solution capable of acting across an entire environment to stop threat actors and share threat data between organizations.

XDR, or extended detection and response, is meant to be an evolution of EDR. Whereas EDR solutions focus on endpoint security, XDR solutions are meant to tap into other parts of the infosec stack. Unfortunately, because the technology is still relatively new, the term is frequently used as a marketing label.

“According to Peter Firstbrook, a Gartner analyst who covers this space, something like 80% of XDR solutions launched in the next few years will actually lack basic XDR capabilities,” says Lanzi. “So, he was understandably a little bit critical of these marketing-only approaches to a new product category. But there’s still something there.”

2. The limitations of SOAR

Just as XDR is intended to be an evolution of EDR, security orchestration, automation, and response (SOAR) is intended to be an evolution of security information and event management (SIEM). Whereas SIEM is largely focused on event detection and alerting, SOAR at least theoretically adds mitigation and response capabilities to the mix. Unfortunately, due to the immense engineering resources and expertise required to implement those capabilities, most businesses have been unable to realize them.

“I think the hypothesis is a good one,” Lanzi reflects. “If you’re integrating with a solution to access its event feeds, why not add response capabilities? The reality is that many SOARs are used to collect events and do alerting similar to SIEMs, but the response part proved very difficult for all but the largest enterprises to implement.”

“This is part of what XDR is trying to tackle,” he continues. “The promise is that you can take these response actions as part of your infosec stack, but it won’t require the degree of feeding and engineering a SOAR solution would. It’s a one-click integration versus an implementation that requires a complete security engineering team.”

3. History repeats itself: the evolution of XDR and identity management

Currently, the integration between XDR and identity management is still in the early stages. Say, for instance, that your company uses Active Directory, and you determine that an employee’s device has been compromised. To prevent threat actors from using that employee’s credentials to execute an attack or spread laterally in the network, you have the option of using XDR to completely lock down that employee’s account.

It’s not exactly the fine-grained control identity practitioners are used to, but according to Lanzi, that functionality will come with time, as we see more integration points between XDR solutions, directories, and identity stores.

“It’s the same thing we saw in endpoint response actions, and in antivirus software before that,” says Lanzi. “In the early days of antivirus solutions, for instance, you could either delete a compromised file, or leave it alone and have it run wild. That eventually evolved, with new actions like quarantining, removing the infection and keeping the file, and so on—solutions more nuanced than simply bludgeoning it to death.”

“My hypothesis is that this will accelerate significantly in the near future,” he adds. “I’d say in the next eighteen to twenty-four months.”
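The response described above, the blunt "lock the account" action an early XDR-to-directory integration offers, beside the more nuanced actions Lanzi expects to follow, as an added example that is not code from the article, from Remediant, or from any XDR vendor. The alert fields, the in-memory directory, the response tiers and the confidence thresholds are all assumptions constructed for the illustration; a real connector would call the directory's own API instead of the stand-in class here.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed XDR alert for this example; the field names are assumptions,
# not any vendor's schema.
def make_alert(user: str, host: str, verdict: str, confidence: float) -> str:
    return json.dumps({"alert_id": f"xdr-{user}-{host}", "host": host,
                       "user": user, "verdict": verdict, "confidence": confidence})

SAMPLE_ALERT = make_alert("jdoe", "LAPTOP-42", "compromised", 0.92)


@dataclass
class Account:
    sam: str
    enabled: bool = True
    must_change_password: bool = False
    sessions_revoked: bool = False
    # Empty allow-list means "may log on anywhere"; otherwise only these hosts.
    allowed_workstations: List[str] = field(default_factory=list)
    known_workstations: List[str] = field(default_factory=list)


class Directory:
    """In-memory stand-in for the directory an XDR connector would act on.
    Every change is recorded so the response is auditable and reversible."""

    def __init__(self, accounts: List[Account]):
        self.accounts: Dict[str, Account] = {a.sam: a for a in accounts}
        self.audit: List[str] = []

    def _log(self, sam: str, action: str) -> None:
        self.audit.append(f"{sam}:{action}")

    def disable(self, sam: str) -> None:
        self.accounts[sam].enabled = False
        self._log(sam, "disable")

    def revoke_sessions(self, sam: str) -> None:
        self.accounts[sam].sessions_revoked = True
        self._log(sam, "revoke-sessions")

    def force_password_change(self, sam: str) -> None:
        self.accounts[sam].must_change_password = True
        self._log(sam, "force-password-change")

    def restrict_logon(self, sam: str, exclude_host: str) -> None:
        # Keep the user working from their other known machines, but not
        # from the host the XDR platform flagged.
        acct = self.accounts[sam]
        acct.allowed_workstations = [h for h in acct.known_workstations if h != exclude_host]
        self._log(sam, f"restrict-logon:exclude={exclude_host}")


def choose_tier(alert: dict) -> str:
    """Map an alert to a response tier; thresholds are constructed for the example."""
    verdict = alert.get("verdict")
    confidence = float(alert.get("confidence", 0.0))
    if verdict == "compromised" and confidence >= 0.9:
        return "lockdown"      # the blunt early-stage action: disable the account
    if verdict in ("compromised", "suspicious") and confidence >= 0.6:
        return "contain"       # the finer-grained actions: keep the user productive
    return "monitor"


def respond(alert_json: str, directory: Directory) -> dict:
    """Apply the chosen tier to the directory and return what was done."""
    alert = json.loads(alert_json)
    sam = alert["user"]
    if sam not in directory.accounts:
        return {"alert_id": alert["alert_id"], "tier": "unknown-account", "actions": []}
    tier = choose_tier(alert)
    before = len(directory.audit)
    if tier == "lockdown":
        directory.revoke_sessions(sam)
        directory.disable(sam)
    elif tier == "contain":
        directory.revoke_sessions(sam)
        directory.force_password_change(sam)
        directory.restrict_logon(sam, exclude_host=alert["host"])
    return {"alert_id": alert["alert_id"], "tier": tier, "actions": directory.audit[before:]}


if __name__ == "__main__":
    d = Directory([Account("jdoe", known_workstations=["LAPTOP-42", "LAPTOP-7"])])
    print(respond(SAMPLE_ALERT, d))
```

The audit list is the part worth keeping in a real integration: it is what lets the identity team review, and if necessary reverse, whatever the endpoint team's platform did to an account.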

4. Threat management and the hybrid estate

XDR solutions vary widely in functionality and deployment options, and this variance is by design. Modern business ecosystems are incredibly diverse: some are exclusively on-premises, some are cloud-based, and many are hybrid.

What all these environments share is the need for threat management and the value of identity response capabilities within that arena.

“We’ve seen malware spread using compromised hybrid credentials, as well,” notes Lanzi. “There are some great examples out there of organizations not only having their on-prem infrastructure infected, but their hybrid infrastructure as well. The problem of identity spread of malware exists as much for cloud as it does for on-prem.”

5. People are the driving force for XDR and identity integration

“Historically, identity practitioners haven’t had much reason to collaborate with endpoint security professionals,” Lanzi concludes. “That is going to change—and it’s a good idea to establish relationships ahead of time. I was talking to someone the other day about how so much of the work that gets done in companies is because of the informal networks that exist rather than the formal reporting relationships.”

To put it another way, XDR is likely already on the roadmap for your endpoint security team. It’s therefore crucial that you, as an identity practitioner, establish a relationship with those colleagues now—and not just to help smooth over the implementation. By opening lines of communication, you can also help ensure that any XDR solution your organization chooses works effectively with your identity stack.

Traditionally, there’s been a great deal of separation between endpoint management and identity management. But as anyone who’s spent time working in the cybersecurity sector will attest, tradition doesn’t mean much. We live in a world where even the most advanced technology can be rendered obsolete in just a few years.

To thrive in this world, we as identity practitioners must embrace change—and work openly with those who facilitate it.

Implement a best-of-breed ITDR solution to augment XDR

Credential misuse is a primary method attackers use to access systems and achieve their goals. Identity Threat Detection and Response (ITDR), which Gartner lists among its top CISO priorities for 2022, augments XDR with comprehensive protection for identity systems. Recently included in Gartner’s Hype Cycle for Security Operations, ITDR is a relatively new category with a diverse group of vendors and strategies. Give preference to ITDR solutions that provide coverage across the entire lifecycle of an identity attack—before, during, and after the attack.

Gartner also emphasizes the need to prepare for the unexpected. For example, new zero-day exploits against AD will emerge. Including AD in your organization’s vulnerability and threat management and incident response planning is critical, and relying on prevention and detection capabilities simply isn’t enough.

Ensure your ITDR solution can contain attacks with auto-remediation, revert malicious actions, and stay ahead of the adversary. In worst-case scenarios, ITDR solutions that include AD-specific ransomware recovery and post-breach forensics capabilities will significantly improve cyber readiness.