Predictions for 2023 are all the rage right now, but most are either highly speculative or so obvious they are hardly worth publishing. Here’s one that should be different: two of the hottest topics in networking next year will be lateral security and XDR, or eXtended detection and response.
OK, neither of those is exactly new, but they matter much more now because of a convergence of other factors which risks creating a perfect storm for network security professionals. Here are some of those risk factors:
- The demise of the defensive network perimeter, driven by work-from-anywhere, software-defined networking (SDN) and more;
- The growth of lateral traffic on networks – that is, internal traffic, for example between servers – which is being driven by the growing use of composite applications, containers, VMs and so on;
- Security policies are increasingly defined at the application and data level, not at the network level;
- More and more workloads now run in virtual machines or containers within servers, so they are less visible to the network at large;
- And of course the industrialisation and profitability of cybercrime has greatly increased both its technical and social engineering capabilities.
There are at least two major security concerns that arise out of all this. First, network endpoints such as servers, PCs, mobile devices and IoT equipment are more threatened than ever before.
Second, we’ve known for a good while now that most network security is on the data centre or network boundary, and that once an attack is past the firewall, it can potentially move more freely between endpoints. Plus, with virtualisation, composite applications and so on, there’s no longer a direct correlation between physical devices and endpoints. So we need new and/or better tools to watch for and block threats that are moving laterally between endpoints inside the network – including the virtual networks within its VM hosts.
XDR wants to be proactive
It may look like it was created by drawing letters from a Scrabble bag, but XDR is actually an eXtension of an existing acronym, namely EDR, or endpoint detection and response. Indeed, several of the EDR vendors have expanded into XDR, such as SentinelOne and CrowdStrike. EDR is all about detecting and alerting on cyber-threats by monitoring endpoints – which means watching servers, PCs, IoT devices and so on for suspicious behaviour and other signs of malware.
XDR aims to grow this from reactive to proactive by correlating and analysing, ideally in near real time, EDR feedback from across the network, including cloud workloads. This should add more visibility and context, and allow more threats to be recognised and analysed, and then prioritised for identification and attention.
Some XDR solutions are ‘closed’, in that they collate data from a single vendor’s security tools, making deployment simpler. Others are open and vendor-agnostic, potentially providing better coverage, but requiring deeper integration – examples of this ‘Open XDR’ approach include Arctic Wolf and CheckPoint.
XDR is different from SIEM
Incidentally, XDR might at first look like a variation on SIEM (security information and event management) tools. After all, they can both collect security data (such as event logs) from multiple sources around the organisation, before aggregating and analysing it.
They are conceptually different, however. For example, SIEM typically raises alerts to the SOC (security operations centre), rather than responding itself. SIEM can also support the likes of proactive threat hunting, post-attack forensic analysis, and regulatory compliance work. Think of it as a security data lake, perhaps.
XDR is more of a real-time service. It adds data from monitoring endpoint behaviour and from threat intelligence services. It automates common analysis and remediation processes, using AI-derived machine learning (ML) to add contextual awareness, which helps it filter out false alarms and triage the remaining genuine alerts.
As for lateral security, the overall story’s not new – and anyone in IT security who has not been worrying about it probably hasn’t been paying attention. There’s been moves to detect intruders via IDS/IPS, harden servers, and segment internal networks for added security, but what’s apparent now is that we need hardening within the server too, right down to the individual VMs, containers and network adapters. That’s because any interaction between VMs and other workloads running on the same physical machine is invisible to and unprotected by the external physical network.
Needless to say, there is quite a bit of activity in this area, the majority of which I see falling into two buckets. The first is those focused on fixing specific problems, for example Aqua Security and RapidFort on container hardening (plenty of others also offer sensible advice here, including the US Department of Defense and NSA), or AppArmor for Linux application hardening.
The second loose grouping is those who approach the problem from a certain perspective. The likes of Cisco and Juniper view it through a networking lens, for instance, as does Red Hat. XDR pioneer Palo Alto Networks comes in from the security direction, and the hyperscalers – Azure, AWS, Oracle and so on – approach it from a public cloud perspective.
There is an overlap too, with some taking a hybrid approach. A notable example here is VMware which combines its Carbon Black group’s more focused work on VM and application hardening with the EDR/XDR elements of its NSX network security software. IBM/Red Hat could also be added to this overlap group, of course, as could Microsoft with its various Defender capabilities.
So why do I think lateral security and XDR are so important in 2023? Well, yes you may still need that SIEM security data lake for compliance, hunting persistent threats, and doing after-the-event forensics – assuming you have the resources to support SIEM, that is.
In the long term, SIEM and XDR are complementary, so I expect to see significant convergence. Indeed, some SIEM systems are already gaining XDR-like and/or ML-based automated response capabilities.
But right now, as the risks continue to grow and coalesce, inside the perimeter is where that perfect storm is going to hit. When it does, you need to be ready to detect and defeat those lateral security threats, and alongside the necessity of hardening your workloads, XDR is currently one of the best schemes for doing that.