XDR Anything Consultation Part 2 - Basic confirmation, what is "Detection & Response"?


Mr. Yamada, a security expert and evangelist at Macnica, is consulted again by Ms. Yoshikawa of the security products sales team. This time the topic is the "DR" in XDR and EDR, that is, "Detection & Response," and she wants to reconfirm her understanding of it. Mr. Yamada answers Ms. Yoshikawa's questions.

Characters

Kohei Yamada
Name: Kohei Yamada
Age: 30s
Sex: Male
Occupation: Pre-sales engineer
Department: Suspect
Outline: Active as a pre-sales engineer for security products. He also plays an evangelist role, raising awareness of the necessity of XDR inside and outside the company.

Rina Yoshikawa
Name: Rina Yoshikawa
Age: 20s
Sex: Female
Occupation: Sales
Department: Field sales
Outline: A mid-career recruit newly assigned to Macnica's security products sales team. In her previous job she worked in IT product marketing and field sales for five years, but she has no experience in selling security products.

Is it really a "Detection & Response" solution?

Rina Yoshikawa: Mr. Yamada, I apologize for taking so much of your time.
Kohei Yamada: No problem at all. This time you want to know a little more about "Detection & Response".
Rina Yoshikawa: That's right. Actually, the other day I received a phone call from a customer about their "XDR (eXtended Detection & Response)" solution, and I realized that I didn't really understand it.
Kohei Yamada: I see. Is the customer already using an EDR (Endpoint Detection & Response) product?
Rina Yoshikawa: Yes. However, as I listened to their story, I began to doubt whether the product was really an EDR solution... And if it isn't an EDR product, I wonder whether it can be used as the XDR sensor (data source) you told me about the other day.
Kohei Yamada: Why did you feel that the customer's EDR product was not an EDR solution?
Rina Yoshikawa: Because I felt a gap between the EDR I had researched and understood and the EDR the customer was describing. But at my level of knowledge I wasn't sure that the EDR product the customer was using was not EDR, and I couldn't tell the customer, "That's not EDR." So this time I decided to ask you again about the essence of "Detection & Response."
Kohei Yamada: I see. It's true that many vendors have released EDR products with a wide variety of functions, so it's not surprising that some of them could be called inadequate as EDR. As for the requirements for a "Detection & Response" solution...
Rina Yoshikawa: Please go on.

What is the essence of the "Detection & Response" solution?

Kohei Yamada: I think you already know this, Ms. Yoshikawa, but a "Detection & Response" solution is not a solution for preventing the intrusion of threats from cyberattacks, like the latest AI-based antivirus software (next-generation antivirus: NGAV) or next-generation firewalls (NGFW). It is a mechanism for detecting and responding to threats that have already entered the internal network.
Rina Yoshikawa: Yes, I understand that part. In terms of the security framework established by the National Institute of Standards and Technology (NIST), which consists of (1) Identify, (2) Protect, (3) Detect, (4) Respond and (5) Recover, it is a mechanism that supports the measures from (3) Detect onward, that is, (4) Respond and (5) Recover. *1
Kohei Yamada: That's right. In terms of the cyberattack process, the attacker hijacks a terminal in the target organization through malware and operates it remotely, expanding the attack by spreading the malware infection inside the network, conducting reconnaissance and stealing administrator privileges. EDR and other "Detection & Response" solutions are mechanisms for detecting such internal activity at an early stage and responding to it. Here's what it looks like in a diagram.
[Diagram: What is the essence of the "Detection & Response" solution?]
Rina Yoshikawa: This diagram is also easy to understand.
Kohei Yamada: So I have a question for you, Ms. Yoshikawa. Suppose a solution such as EDR has captured the occurrence of some kind of security incident. What does it take to respond appropriately?
Rina Yoshikawa: By examining logs, we can quickly identify the scope of the incident's impact and find the route by which the threat got in. Otherwise we may not be able to respond appropriately.
Kohei Yamada: Yes. Beyond detecting threats, the essence of a "Detection & Response" solution is that it enables such investigation and analysis to be carried out promptly. To do that, we have to go back in time through the logs to identify the source of the malware infection, find out what route it took from there, how the infection spread, and what led to the incident. In other words, what matters in "Detection & Response" is to identify and organize the causes of an incident through retroactive investigation and analysis, and to connect them to permanent countermeasures. As a mechanism, it is very important that the logs needed for incident response are properly recorded and can be referenced.
Rina Yoshikawa: That's right! That's what I thought when I was talking with the customer about EDR. But the customer I mentioned could only talk about AI-based behavior detection when it came to the EDR functions they were using; they couldn't perform retrospective investigation of logs and said they were unaware of any such function. That's where I felt uncomfortable.
Kohei Yamada: Hmm, the EDR that customer uses may actually be an NGAV product sold as an EDR product. In fact there are a surprisingly large number of such products, and because of this there are many misunderstandings among customers about EDR solutions and the requirements for them.

What knowledge and skills are required for “Response”?

Rina Yoshikawa: By the way, I've heard that introducing a solution such as EDR increases the operational burden on security personnel. I've also heard that XDR is the solution to that problem.
Kohei Yamada: I agree.
Rina Yoshikawa: To confirm, please tell me more specifically about the knowledge and skills required to carry out "Detection & Response".
Kohei Yamada: First, the "Detection" part is automated by choosing the right EDR product, so you can consider that no knowledge or skill is required there.
Rina Yoshikawa: Then the problem is the "Response" part.
Kohei Yamada: I agree. For "Response", for example, after judging whether the many alerts issued by the EDR solution are genuine, the affected terminal is isolated from the network and various logs (authentication logs such as Active Directory, firewall logs, proxy server logs, file server logs) are investigated.
Rina Yoshikawa: What knowledge and skills are required to do these tasks properly?
Kohei Yamada: The minimum requirement is a reasonable knowledge of the latest threats and vulnerabilities, together with the skills to analyze alerts and logs. However, among recent EDR and NDR (Network Detection & Response) products, many support the work of isolating the affected terminal from the network, so depending on the product you use, the required skill level can sometimes be reduced.
Rina Yoshikawa: In any case, the role of XDR is to lower the hurdles of "Response" with EDR and NDR, which require such advanced knowledge and skills. And to increase the effect of introducing XDR, it seems necessary to be careful when selecting the EDR product.
Kohei Yamada: Exactly.
Rina Yoshikawa: Thank you very much for today.

3 lessons learned

  • What is the essence of D&R?
    It is to streamline the work of "Response", and it must be possible to keep logs as records and investigate the cause of the incident and the route of infection retroactively.
  • What is Detection?
    It is to detect threats that have entered the internal network, quickly identify the impact range of the incident, and identify the route of threat intrusion. Also, since it is automated by choosing an appropriate EDR product, you can think that advanced skills and knowledge are not required here.
  • What is Response?
    It refers to responding quickly and appropriately to detected threats. The main methods of Response are isolation, deletion, and repair of detected threats, and often require advanced skills and knowledge.
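The retroactive investigation and impact-range identification that the lessons above describe, as an added example that is not part of the original page or of any Macnica product: it runs over constructed EDR telemetry (process creations, outbound connections and one alert on three hypothetical hosts PC-A, PC-B and PC-C), follows each host's first inbound connection back to the entry host, lists every host reachable from that entry, and reconstructs the process ancestry that started the lateral movement. The record layout, hostnames and process names are assumptions made for the example.

```python
# Constructed EDR telemetry for illustration (not real data): (time, host, type, details).
EVENTS = [
    ("09:00:01", "PC-A", "process", {"pid": 100, "ppid": 10, "image": "outlook.exe"}),
    ("09:00:05", "PC-A", "process", {"pid": 200, "ppid": 100, "image": "winword.exe"}),
    ("09:00:09", "PC-A", "process", {"pid": 300, "ppid": 200, "image": "powershell.exe"}),
    ("09:01:00", "PC-A", "netconn", {"pid": 300, "dst": "PC-B", "proto": "smb"}),
    ("09:01:03", "PC-B", "process", {"pid": 410, "ppid": 400, "image": "svc.exe"}),
    ("09:02:00", "PC-B", "netconn", {"pid": 410, "dst": "PC-C", "proto": "smb"}),
    ("09:02:01", "PC-C", "process", {"pid": 500, "ppid": 4, "image": "svc.exe"}),
    ("09:05:00", "PC-C", "alert", {"pid": 500, "rule": "credential-dumping"}),
]

def process_chain(host, pid):
    """Walk parent pids on one host back to the oldest ancestor we have a record for."""
    procs = {d["pid"]: d for _, h, k, d in EVENTS if h == host and k == "process"}
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain[::-1]  # oldest ancestor first

def intrusion_route(alert_host):
    """Retroactive step: follow each host's first inbound connection back to the entry host."""
    inbound = {}
    for _, src, kind, d in sorted(EVENTS, key=lambda e: e[0]):
        if kind == "netconn":
            inbound.setdefault(d["dst"], src)  # keep only the earliest inbound source
    route = [alert_host]
    while route[-1] in inbound and inbound[route[-1]] not in route:  # loop guard
        route.append(inbound[route[-1]])
    return route[::-1]  # entry host first

def impact_scope(entry_host):
    """Forward step: every host reachable from the entry host over lateral connections."""
    seen, todo = set(), [entry_host]
    while todo:
        h = todo.pop()
        if h not in seen:
            seen.add(h)
            todo += [d["dst"] for _, s, k, d in EVENTS if s == h and k == "netconn"]
    return sorted(seen)

def investigate(alert_host):
    """What 'Response' needs from one alert: entry host, route, scope and entry process chain."""
    route = intrusion_route(alert_host)
    first_hop = next(d["pid"] for _, h, k, d in sorted(EVENTS, key=lambda e: e[0])
                     if h == route[0] and k == "netconn")
    return {"route": route, "scope": impact_scope(route[0]),
            "entry_chain": process_chain(route[0], first_hop)}
```

Calling investigate("PC-C") on this data traces the alert on PC-C back to PC-A, where an Outlook attachment opened in Word spawned PowerShell, and reports all three hosts as the scope to isolate and clean.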

*1 Source: Security Center, Information-technology Promotion Agency, Japan "Framework for Improving Cybersecurity of Critical Infrastructure Version 1.1"
