Comment by Richard Werner, Business Consultant
According to a Trend Micro survey, companies have an average of 29 IT security solutions in use. Nevertheless (or perhaps even because of this) experience teaches that practically all of them also have open security gaps. These are caused, for example, by the direct connection from the production network to the printer server, exist in the laptop that was officially discarded three years ago but is still active, or in the application that an employee once absolutely needed. All this can be found in German companies, but the corresponding documentation cannot. Of course, there are also the “usual” software vulnerabilities and not only in the examples. Patching, however, is a time-consuming affair, with IT security teams chronically overworked and the number of cyber attacks on the rise. In his latest report on the IT situation in the nation, BSI chief Arne Schönbohm warns that the situation “in the area of information security – at least in some areas – is on red alert”. More and more new technology does not help against this situation – on the contrary, consolidation and, beyond that, perhaps outsourcing of detection and response is called for.
How the IT security industry is reacting
The IT security industry has already experienced several “doomsday scenarios” and always reacts reflexively to a new threat with new technology. This is also the case with ransomware: “artificial intelligence” (AI) is supposed to help. It is suddenly in everything, even though it has actually been for 15 years. While the technology still helped against the first wave of ransomware attacks, it has a hard time when the perpetrators’ approach has changed. This is because the framework conditions have changed and technology is no longer the focus. Favoured by external factors such as uncontrollable currency (cryptocurrency) as well as criminal law freedoms in various countries, an underground economy could develop with its own specialists and service providers who are also able to counter modern technology – none of which can influence IT security. So we return to old patterns: more technology, i.e. Endpoint Detection & Response or EDR for short. Of course, this can also be sold with the buzzword AI.
But more technology in a world where IT (security) departments are already on the verge of burnout and in an IT landscape that is becoming increasingly diverse? In which home offices, clouds, containers and any number of other topics need to be implemented, secured and monitored? So 29 security products and maybe even more? A huge hurdle for many companies. To make matters worse, there is a glaring shortage of experts, especially in IT security. More technology thus becomes more of a problem than a solution. And anyway… who says that the technology we use today against today’s ransomware will be able to detect tomorrow’s attack?
Rethinking is called for
This calls for a rethink! The IT security industry can no longer leave its customers alone with the technology. We have to provide our users with the necessary updates and expertise. Logically, this means that IT security is increasingly becoming a service business.
More and more companies are looking for managed service offers and want a partnership relationship with security specialists, be they manufacturers or specialised trade partners. It is a matter of finding a service offer that is adapted to the needs of the company. But what kind of technology is needed, who operates it, who assists in emergency situations, whether and to what extent a Security Operation Centre (SOC) should be operated, these are all questions that have to be clarified individually and on which the initial security offer is based, and if the IT in companies grows, the security offer must grow with it. The more open we are with each other, the easier and faster new requirements can be integrated into an existing service.
No changeover is easy
This change is not only difficult for IT security providers, but also for their customers. In companies, security is often seen as a cost centre that one would prefer not to be aware of at all. Accordingly, purchasing was often only tactical and not infrequently also based on “compliance”. Rethinking means moving away from a case-based analysis to a basic strategic concept. A security partner helps with the creation, implementation and continuous monitoring of the required security infrastructure. He also clarifies how to deal with changes and emergency situations.
At the same time, however, it usually means replacing some of the 29 solutions in use! Because the costs of such a service naturally depend on how many individual products have to be monitored, and here consolidated solution approaches that talk to each other ensure that prices are significantly slimmed down. Offers of this kind are known as “XDR”.
The transformation of “XDR”
Originally, the term primarily meant the technology used to detect successful attacks as quickly as possible (Detection) in order to then be able to respond to them (Respond). It is thus directed at the emergency situation of an attack that has overcome the primary defence tools. The whole thing must be as comprehensive as possible for the entire infrastructure, i.e. extended (“eXtended”) or comprehensive (“Cross”) Detection & Response – XDR. Initially, SOCs were the addressees of this technology. From the beginning, the clarity and simplification of work through XDR was a core component of the discussions, since even well-funded SOC departments in large corporations operate at the limit of their capacity. But as soon as it comes to using XDR sensibly, the question arises whether an XDR provider also supports it with manpower. Today’s XDR solutions are therefore not only measured by their purely technical skills, but also by their ability to support customers through service offerings.
With these aspects in mind, the IT security analyst firm Forrester has undertaken a market analysis of various XDR providers. The market researchers explain what is important: “Mature vendors offer native, cross-telemetry detection and investigation with limited response capabilities and no orchestration capabilities. These vendors combine the best elements of their portfolios, including industry-leading products, to simplify incident response and create targeted, highly effective detections.” Incidentally, the market researchers gave Trend Micro the top score for a “current offering”.
You can read the related study here.
“The situation is tense”. We have seen a 60% increase in ransomware attacks targeting businesses in the first half of 2021 compared to the first half of 2020. There is nothing to suggest that this trend will reverse. Companies that have suffered such an attack are struggling with the complexity of their own IT and IT security infrastructure. XDR is an approach that consolidates the multitude of different sources to become faster in case of an emergency, but also includes a procedure to reduce the costs of IT security. In addition to pure technology, XDR vendors also offer services either directly or in association with reseller partners to provide customers with customised approaches.
As an XDR provider, we would rather talk to you about these issues BEFORE an incident!