If you’re still trying to make sense of XDR, MDR and EDR, you’re not alone. The market doesn't have universal definitions of these terms, and overlap among the solutions makes it easy to drown in the alphabet soup. This blog summarizes the key differences in each solution so you can ensure that you’re using the right tools to secure your environment.
The obvious common element in each solution is the DR, which stands for “detection and response.” That means these tools go beyond simply recording an event or blocking software by looking for known malicious signatures. Managed XDR and other DR tools actively assess patterns of malicious activity and shut down suspicious programs, quarantine devices, etc.
DR solutions have proven so effective at reducing attacks that most cyber insurance carriers now require them for anyone seeking to buy or renew a cyber policy. These tools have become a cybersecurity must-have because they address these growing threats:
EDR protects your environment’s biggest vulnerability: endpoints. In the Wild West of remote workforces, employees are using networks you don’t control; sharing devices with family members; installing whatever software they want; etc. In most environments, about 70% of all attacks start with an endpoint.
EDR provides visibility into the endpoints. It constantly logs and monitors activity in order to identify potentially malicious activity on endpoints and take action to stop or mitigate the attack. Rather than looking for file signatures as antivirus solutions do, EDR looks at the behavior of files. With this capability, EDR regularly spots zero-day threats and other attacks that security pros haven’t seen before. In addition to the protection, it looks to provide context around how the attack started and what it attempted to do.
EDR’s powerful response capabilities come from playbooks that guide the solution’s actions after spotting malicious activity. These playbooks determine when to block a file, quarantine a device, etc. Clearly, proper playbook tuning plays an enormous role in not only stopping malicious activity but in preventing a stream of false positives from overly sensitive triggers.
Even if you have EDR covering your endpoints, attacks will still arrive through your firewall, cloud workflows, email system, IoT devices, servers and more. XDR provides a holistic view of your extended technology ecosystem, encompassing endpoints as well as every other part, regardless of the vendor that created each component.
XDR’s critical advantage is correlation of events. XDR solutions monitor telemetry data such as Syslogs from across your environment to create a unified response. By leveraging artificial intelligence and machine learning, XDR identifies suspicious patterns amid the millions of system events that occur each day. In simple terms, XDR is designed to notice two seemingly unconnected activities in distant corners of your environment, recognize the pattern of a larger attack and take appropriate action. Without XDR, the left hand may never talk to the right hand, letting attackers lurk in your system far longer before they’re detected.
With MDR and Managed XDR, a third party (known as an MSSP or Managed Security Services Provider) manages the tools described above. Management goes far beyond simply responding to alerts. Top MSSPs constantly tune complex XDR solutions in response to emerging threats and your unique environment. Partnering with an MSSP relieves your organization from staffing up to run your own in-house SOC or asking an already-overtaxed IT team to take it on.
A good Managed XDR service has a team of SOC analysts constantly monitoring your environment and tuning the tool for optimal performance. The analysts review alerts and notify you when you should take action. They regularly revise proprietary playbooks and rules in response to an ever-changing landscape. (When the Log4j vulnerability emerged in December 2021, for example, Pratum’s SOC wrote new rules for our Managed XDR clients within 12 hours.) In short, a Managed XDR service gives you access to cutting-edge security tools and a team of pros who know how to get the most from the tools.
A Managed XDR service also gives you a big advantage if you face a breach and need support with incident response/digital forensics. Experienced SOC analysts can quickly leverage XDR to develop an attack story that goes far beyond merely stopping the breach. Managed XDR lets you identify all the places the attacker went and what they compromised, ensuring that you can fully stop the breach and recover data more quickly.
To learn more about how Managed XDR service can secure your environment without additional staffing, contact us today.
Information security policies, standards and procedures typically fall to the bottom of many companies’ to-do lists. Nobody gets excited about the tedious process of creating these kinds of documents. But it's worth making the effort to create and maintain these key documents. Investing some time now will make your organization far more secure and efficient in the months and years ahead.
First, let’s break down what goes into each of these governance documents.
Policies are the high-level statements that communicate your objectives. Think about the information security policies as the vision statement that clearly states your values in this area and what you intend to put into action. Your organizational culture will drive how you set policies, as they reflect how you view risk, what role you expect end users to play in security and more.
Standards go more in-depth and elaborate on the policies. Standards will specify details such as:
Standards lay out specifics of how each control area fits into the overall information security program. For example, if a control framework you’re following requires specific steps around firewall settings or encryption measures, your standards will explain what you’re doing about those things. When you're trying to satisfy most compliance requirements and frameworks, you’ll hear a lot about your “policies.” But standards are typically what they're looking for.
Procedures are the step-by-step instructions for fulfilling the policies and standards. For every control area your policy covers, you should have corresponding procedures explaining how the organization will carry out that policy. Procedures turn policies and standards into tangible action steps. In procedures, the business should call out specific employees and technologies that carry out each procedure.
1. You experience a breach – Your Incident Response plan and Business Continuity/Disaster Recovery plans will help limit the damage and restore your operations as quickly as possible.
2. You have to discipline/dismiss an employee for inappropriate use of technology – Your Acceptable Use Policy, which you had each employee sign on their first day, lets you enforce the rules.
3. Vendors demand evidence of your security program – You can share a wide variety of documents to show that you take security seriously at all levels of the organization.
4. A user accidentally gives their credentials to a hacker – A solid Access Authorization/Identity Access Management policy limits each user’s data access, limiting how much a hacker can pivot within the system.
5. An entry-level employee makes a bad choice on a firewall setting – Your Change Management policy builds in reviews to catch unintended consequences in time.
Now let’s explore why these three types of documents are important for your business.
It’s just good business to have solid policies/standards/procedures. But it usually takes outside pressure to make most organizations get serious about their policies and standards. In today’s tougher cyber insurance marketplace, for example, you may not even be able to renew a policy without having basic policies/standards in place. At minimum, creating these documents helps you get much better rates on insurance. Many large companies are also taking a harder look at the cybersecurity practices of all their vendors. So your company’s contracts may soon rely on you creating the policies/standards/procedures that prove you have a mature security posture.
It's crucial that you show your employees exactly what is expected of them. A murky vision inevitably raises questions. Creating a universal guide for everyone will unify and direct the team in times of crisis or confusion.
A written governance program gives leaders a way to enforce the practices they want employees to follow. If these expectations are laid out clearly in easy-to-find policies, standards and procedures, you can hold everyone accountable for abiding by them. Your employee onboarding process should build cybersecurity awareness into every employee’s first day on the job. One of their first tasks should be reading applicable policies and signing a statement that they have read the documents and agree to comply with them.
Executives should be involved in creating the policies, standards and procedures and should play a role in socializing them throughout the organization. If an executive is involved in the creation of these documents, they’re more likely to understand what’s happening when problems arise. That makes it easier for IT professionals, and other employees, to communicate and understand what is important to the executives.
Your organizational size and industry niche will mandate some of the governance documents you need. A large business with numerous employees typically requires a more detailed plan than a small organization.
You need to address how to get the governance program in place. Talk with your IT operations team to make sure they’re ready to follow the program you are trying to build. If not, find out what resources and tools they need to achieve the organization’s security goals. Open communication is key.
Understand that once you have your policies, standards and procedures in place, you still have work to do. Maintaining and updating your documents is just as important as the initial creation process. Times change, and so should your security governance. Be sure to review all these important documents annually to proactively evaluate the security controls related to the confidentiality, integrity and availability of your business’ sensitive information.
Several policies and procedures require regular testing to confirm that everyone understands them, that they’re still current and that somebody actually knows how to do each step in the procedures. Incident response plans, in particular, require regular testing via tabletop exercises and other evaluations. During testing, many organizations realize that “restore data from backup,” for example, isn’t quite as straightforward as it sounds. That prompts them to update the plan to cover every detail in a way that makes them truly ready for quick deployment.
If you need help creating and maintaining policies, standards, and procedures, Pratum can help. Contact us today.
Russia’s attack on Ukraine clearly isn’t limited to tanks, planes and missiles. Russia has already and will continue to deploy cybersecurity attacks as part of a strategy to destabilize or outright shut down its opponents. Most of us don’t play a role in battling nation-state cyber warfare. But this blog covers what organizations of all sizes should know about the potential impact of these global events and how you can take common-sense steps to protect your operations and data.
Russian hacking isn’t a new threat, so you’ve probably been battling it for years without realizing it. President Biden addressed Russia’s harboring of hackers at a meeting with Vladimir Putin in June 2021, and government and private security professionals have been fighting Russian interference for at least a decade. In January 2022, CISA issued an alert focused specifically on understanding and mitigating Russian state-sponsored threats to U.S. infrastructure.
But Russia’s attack on Ukraine brings new urgency, as Russia has already sought to bring down Ukraine’s government and critical infrastructure, mainly via denial of service attacks and malware deployments. Thus far, the U.S. Cybersecurity and Infrastructure Agency (CISA) has said in a statement that there are no specific or credible threats to the U.S. homeland at this point. But as sanctions begin to take effect, attacks may ramp up.
Few organizations face a real possibility of direct attack by nation states. But impacts could still be widespread if threat actors manage to compromise supply chains or critical infrastructure. Recent breaches involving Kaseya and Log4j have shown how quickly attacks can cascade throughout a software ecosystem. Russia’s attack on Ukraine may be your wakeup call, but regardless of the current headlines, you should incorporate the following best practices to protect your environment.
If you do suffer a breach, a calm, organized, well-planned response can greatly limit the damage and speed up your recovery time. Now is the time to pull out your incident response plan and make sure that it accurately reflects who is on your team, the tools you have in place, etc. The same goes for your business continuity/disaster recovery (BC/DR) plan, which describes how you’ll keep operations going if a crisis occurs.
Set up a tabletop exercise to walk through a simulated breach and identify any missing or unclear steps in your plan. Many organizations have only vague notes, for example, about how they would restore data from backups. Take time now to investigate how your backups work and the exact steps and timeframe it would take to restore your critical data.
Cloud-based services could be high-value targets for foreign attackers. So your IR plan should address how you’ll maintain operations if you lose access for a time to your customer relationship management (CRM) platform, document exchange service, Microsoft Office 365, etc.
Again, this is something that should be part of your normal practice, especially after the Log4j breach showed how rapidly compromised source code can wreak widespread damage. Many software developers have relied heavily on outsourcing work to programmers in Russia and eastern Europe in recent years. It will be a massive task to comb through all of your code for elements with Russian origins. But this process may become necessary to ensure that no allies-turned-adversaries left a pathway into your system for Russia to potentially exploit.
U.S. authorities count on reports from private organizations to help them maintain an accurate picture of current threats. If you experienced an incident or spot anomalous activity, report it to:
If you experience a breach and need immediate assistance with assessing the situation and getting back online, call Pratum’s Breach Line 24x7 at 515-212-6634.
If you need advice on getting your policies and plans in place, contact us today.
Get our blog articles delivered
to your inbox: