If layered security is the cake, Open XDR is the frosting

The anchor of Enterprise Security is popularly known as a “Defense in Depth” architecture. The Defense in Depth (DID) is a classic defensive concept used in the military that found acceptance in the Infosec community in the early 2000s. The Infosec implementation/version of DID has evolved to address the threats as the threat landscape progressed over time.

Before the advent of the internet, computers had only AV protection because the main threat was viruses. Viruses were transferred over media (floppy disk, etc.). With the internet, all computers were connected, and threats like worms spread over networks, so we had to secure the networks, and we needed to police who came into the networks in the first place, and on and on.

In its current form, the DID architecture has grown to accommodate many layers and still evolving. So, the DID architecture translated into layered security — Perimeter, Network, Endpoint, Application, User, Data, Policies, etc. For each layer, a separate and distinct control was developed to protect against threats to that layer. For example, the technical security controls included solutions such as Firewalls, Secure Web Gateways, IDS/IPS, EDR, DLP, WAF, and anti-malware products.

In addition to deploying the layered security solution to the evolving threat landscape over time, the solutions were owned, managed, and operated by different groups inside the company. For example, the Firewall solution was owned by the infrastructure team under IT. Another group owned the email solution, and another group owned the endpoint security solution. This created a layered solution that existed independently of all other solutions. Hence, the concept of a standalone solution with all the learnings stayed inside the team responsible for it — in a silo.

Another unique attribute, best-of-breed solutions, also characterized the layered solution. Because the solutions evolved, the innovation came from different sources and disciplines, and a different set of vendors provided each new solution layer.

The DID or layered approach to security worked well for single vector threats, i.e., when the threat entered and exited in the same vector. A classic example of these early threats is the networks-based attacks detected by IDS/IPS, email threats like Spam by email gateways, etc.

However, as the threats become more complex and the advent of automated malware generation tools, Botnet, and remote programming, the layered security model is falling apart. This is because the assumption inherent to layered security — that all the protections and controls are aligned perfectly to detect all the threats and there are no blind spots — is being proven false. There are blind spots that none of the controls have any visibility into. As a result, the attackers are using the blind spots to their advantage, making it difficult to detect these malicious activities.

From our experience in dealing with a multi-vector threat, it’s clear that all the controls involved in a multi-vector threat have visibility only to their silos and nothing beyond that. Remember that this is by design and the way the current solution came together.

Also, all the underlying setup of separate infrastructures, data silos, and response mechanism means that managing the control directly, it’s a second order (n**2 — n) problem. However, having a layer on top of everything to work is a first order (2n) problem to be solved.

The options to address the blind spots are as follows:

• Have each control cover for their neighbor that they have no interest in doing.
• Hire more analysts to extend visibility beyond the silos manually
• Get a tool that can provide visibility into the controls and their data across the silos and detect these multi-vector threats using automated data collection, correlation, detection, and response.

If you chose option #3, you are correct!

No matter the name, the solution in #3 is an envelope that goes over all the controls to detect, correlate, co-ordinates, and provide response actions for threats across the silos.

And that is the most efficient way to optimize multi-control, layered security systems.

Its name is Open XDR.

Open XDR is the connective tissue between security controls designed to enable security teams to make sense of the vast amounts of data generated by their security controls. The reason it is called “Open” is non-trivial; it is a defining characteristic of the solution. Open XDRs can ingest data from any security control, including any EDR an organization has deployed. Then, using purpose-built detection capabilities can root out those multi-vector threats that can land your organization on the front page of the paper (or news website) if they went undetected.

While there is no silver bullet in cyber defense, Open XDR is a promising new approach to security that minimizes blind spots while making a security team more effective.