Services / Implementation

X- Detection & Response Assurance

Cut through the noise of alerts and build detection & response capabilities that actually work.


A Unified Approach

XDR refers to a concept in Threat Detection & Response that is designed for practical outcome, not layered visibility. Instead of rolling out individual IDS, EDR, NDR or SIEM solutions that stand by themselves, the purpose is to build detection capabilities that entirely eliminate false alerts and aim for immediate, automated incident response where this is feasible. This approach requires much more than just a massive data lake of forensic artefacts; rather a holistic solution that takes away the edge from adversaries and flips asymmetry to the advantage of defense. Hence, XDR.

The Challenge

Drastically Minimizing Mean-Time-To-Detect and Mean-Time-To-Respond

Two main metrics stand out in the field of detection and response that typically drive the first objectives for defense teams: Mean-Time-To-Detect (MTTD) and Mean-Time-To-Respond (MTTR). Industry averages for MTTD are slightly below 200 days and around 60 days for MTTR. Both values are inacceptable for common-sense decision makers and require approaches to drastically improve.

Designing XDR Technology for a Strategic Advantage

A strategic advantage in detection and response occurs where its next to impossible for adversaries to not be detected - even in targeted attack scenarios and even if a 0day vulnerability exists. Defense teams can not rely on being completely invulnerable at all times. Having zero vulnerabilities may be a desirable target but is practically infeasible. A realistic scenario is to implement a technology stack that is purposefully build to detect exploitation reliably and early, as well as respond before the attacker is able to cause lasting damage.

Strong XDR stacks make it easy to determine root cause and impact of an attack. They leverage multiple tactics to detect and respond, including deception, multi-layered data collection, threat & vulnerability intelligence, user behavior, orchestration, automation and guardrails.

Working Incident Response Processes

On a process level it is of highest importance to have functioning workflows. An inability for executives, operations and incident response teams to take determined, decisive action enables the attacker to take advantage of the situation and win. Functioning workflows must be simple and lightweight in nature: Delineated responsibilities, technical IR playbooks, streamlined communication.

Delivery Process

Designing the Engagement

The purpose of the design phase is to jointly discuss and agree upon management parameters of the XDR Assurance program. This includes a reiteration of the strategic underpinnings of XDR for all stakeholders, alignment on objectives, budget, scope, timeline, contributing parties and similar aspects that set the baseline for subsequent program phases.

Examination of Existing DR Capabilities

Most companies already have some level of detection and response capabilities in place that can be leveraged. Prime examples include forms of endpoint or network visibility, SIEM systems or similar components. Existing DR capabilities need to be assessed for their true effectiveness (visibility, coverage etc.) and evaluated for use in the target XDR stack. The second phases focuses on the identification of such solutions.

Designing the Target XDR Stack & IR Processes

The third phase comprises the design of the target XDR architecture on two levels: technological and procedural.

On the technological side, the complexity lies in tailoring this architecture to the requirements of the surrounding technology landscape, considering both functional and non-functional requirements that are relevant in the environment (e.g. performance, scalability or regulation).

Alignment on Target XDR Stack & IR Processes

Once the components of the technical XDR stack have been designed in phase 3, the next phase is to align closely on suitable vendor products that are candidates to bring in the desired defense capability. This phase typically involves weighted evaluations, running integration POC's and ensuring that budget is allocated wisely. Depending on the specific requirements of the environment, both open source as well as commercial solutions can become part of the target stack.

On the process side, IR workflows need to be aligned with responsible defense teams (SOC, CSIRT, CERT) to ensure swift action can be taken if needed.

Execution & Delivery

Next, our teams will head into implementation to integrate the new stack and ensure it runs adequately. This phase can be executed solely by CISOCON or in close collaboration with onsite teams and development workflows.

Our Service

We've created the following service for you.

Services / Defense Implementation

XDR Design & Assurance