XDR is a security threat detection and response platform: a method of collecting and automatically correlating information across multiple security layers for rapid threat detection, with capabilities that vary by vendor. The value of an XDR solution includes: out-of-the-box integration of security products; unified normalization and centralization of security data for analysis and query; cooperation and coordination of multiple products to improve detection sensitivity and the response process; and a lower total cost of ownership (TCO). XDR solutions are still in their infancy and are mostly used in traditional information systems; they have not yet reached the industrial Internet. Because the industrial Internet increasingly demands more efficient and valuable security operations and stronger detection and response capabilities, this article applies the XDR concept to industrial Internet security and explores an industrial Internet XDR solution. Its goals are cross-product integration and analysis in industrial scenarios, unification and normalization of security data, and, based on multi-product coordination and linkage, improved detection sensitivity and response efficiency together with a significant reduction in the number of alerts; such a solution is widely applicable to threat classification, threat investigation and threat hunting scenarios.
XDR is a SaaS-based security threat detection and incident response tool tied to a specific vendor: it natively integrates multiple security products (of that vendor) into a unified security operations system that brings together all of the vendor's licensed security components. XDR is a new technology and more a solution for improving the efficiency of threat detection and incident response. Functionally, XDR is similar to SIEM and SOAR tools, except that it integrates the vendor's own products at deployment time and focuses more on threat detection and incident response. XDR is primarily used to protect end users and the applications and data they use, but it can also be extended to data center protection, identity and access management, and more. The conceptual architecture of XDR is shown in the figure below. Protection of end users starts at the top layer with the security products themselves (EDR, DLP, FW, IPS, NTA, etc.); their data then passes through normalization, a data lake and correlation to form incidents, and response, automation, workflow and API integration add value on top.
The Industrial Internet is the key infrastructure that links the entire industrial system, industrial chain and value chain and supports the development of industrial intelligence. It is an emerging business form and application model created by the deep integration of a new generation of information technology with manufacturing, and the core carrier for extending the Internet into the production field and from the virtual economy to the real economy. The Industrial Internet builds three functional systems, network, platform and security, creates a new network infrastructure in which people, machines and things are comprehensively interconnected, and forms an emerging business form and application model for intelligent development. While the Industrial Internet brings opportunities for industrial production, it also introduces new risks: there are many types of devices, and they are widely interconnected, which results in large numbers of vulnerabilities and backdoors and many attack paths. The security alarm is sounding. Security is an important guarantee for the Industrial Internet, and its development must be safeguarded by a sound security system. The need for threat detection and incident response is equally urgent on the industrial Internet, so the XDR concept is a useful reference for industrial Internet security.
XDR is derived from EDR, but it is not limited to endpoints: it combines information from multiple sources (e.g., network, intelligence) to detect threats. XDR can examine the various elements of a cyber threat, incorporating threat intelligence, network data, log information and more. The move from EDR to XDR is an inevitable step in the evolution of security technology. In response to advanced attacks, the need to correlate data from endpoints and other locations for threat hunting led XDR to enter the Gartner Hype Cycle in 2020. The maturity curve shows that XDR has entered the innovation trigger stage, and XDR solutions will improve the accuracy of security detection and the efficiency of security operations.
XDR is a new concept proposed in the past two years and has been recognized by mainstream customers and consulting institutions abroad. Large foreign security vendors such as Cisco, Microsoft, Fortinet, Fidelis Cybersecurity, McAfee, Palo Alto Networks, Symantec, Trend Micro, FireEye, Rapid7 and Sophos are potential suppliers of XDR. Cisco's XDR solution collects and correlates data across email, endpoints, servers, cloud workloads and networks to give visibility into advanced threats; threats are then analyzed, prioritized, tracked and remediated to prevent data loss and security breaches. Fortinet's XDR solution leverages artificial intelligence (AI) for incident investigation and response, automating security operations processes that are typically handled by experienced security analysts and enabling faster threat mitigation across a broad attack surface. FireEye's XDR solution provides managed detection and response services, taking clear action to prevent incidents and reduce the impact of breaches; FireEye offers solutions for endpoint security, network security and forensics, email security and more.
XDR is currently used mainly in the traditional information security field and is not fully suited to industrial Internet security scenarios. Industrial Internet security differs from traditional information security: industrial systems take availability as their first security requirement, whereas traditional information security takes confidentiality as its first. Industrial Internet security also has its own particularities in protection objectives, network architecture, data transmission, operating environment, management and maintenance, and so on. Traditional network security protection approaches therefore cannot simply be applied to industrial Internet security problems, and an industrial Internet XDR solution cannot be a straight copy of today's traditional information security XDR solutions.
Starting from real-world security operations, effectively improving network security detection and response capabilities is the future security requirement of the Industrial Internet. Industrial Internet security can learn from the XDR concept and make targeted adjustments to the XDR architecture based on the characteristics of industrial security requirements. Taking the security data produced by industrial security products (among them an industrial full traffic analysis system) as input, the solution performs data normalization, data storage and correlation analysis on log data, traffic data and other security data, and ultimately realizes a comprehensive threat detection and response platform that breaks down security data barriers and integrates security products naturally. Through real-time security risk assessment, mining of illegal and malicious behavior, correlation analysis of security events, scenario-based customization of security responses and other functions, a closed-loop, continuously optimized security operations system is formed, which effectively improves the security operations efficiency and security protection level of industrial Internet enterprises.
The industrial Internet XDR solution provides attack detection and response. Based on source data such as full traffic, logs, intelligence and assets, it makes full use of technologies such as big data, stream computing and AI to discover known and unknown threats, such as network attacks and abnormal behavior, and to respond quickly. With its advantages of improved protection, detection and response capabilities, greater efficiency for security operations staff, and a lower total cost of ownership for effective detection and response, XDR is especially attractive to industrial enterprises that do not have enough cybersecurity talent or skills to roll out their own integrated architectures.
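To make the normalization, correlation and incident-forming flow described above concrete, here is an added example (not code from the article or from any vendor's product): constructed alerts from three hypothetical industrial products are mapped onto one common schema, enriched against a constructed indicator list, and correlated per asset within a five-minute window, so that four product alerts become two incidents. All product names, field names, addresses and scores are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed alerts in three hypothetical vendor formats: an industrial
# firewall (ind_fw), a full-traffic analysis system (nta) and an EDR agent.
RAW_EVENTS = [
    {"src": "ind_fw", "ts": "2024-03-01T08:00:05", "dst_ip": "10.1.2.10",
     "rule": "modbus-write-denied", "sev": 3},
    {"src": "nta", "time": "2024-03-01 08:00:40", "asset": "10.1.2.10",
     "signature": "modbus write from unknown host", "peer": "203.0.113.7"},
    {"src": "edr", "timestamp": "2024-03-01T08:01:10", "host_ip": "10.1.2.10",
     "event": "new_service_installed", "severity": "high"},
    {"src": "ind_fw", "ts": "2024-03-01T09:30:00", "dst_ip": "10.1.3.22",
     "rule": "dns-allowed", "sev": 1},
]
THREAT_INTEL = {"203.0.113.7"}          # constructed indicator list
WINDOW = timedelta(minutes=5)           # correlation window per asset

def normalize(e):
    """Map each product's native fields onto one common alert schema."""
    if e["src"] == "ind_fw":
        return {"ts": datetime.fromisoformat(e["ts"]), "asset": e["dst_ip"],
                "product": "ind_fw", "title": e["rule"], "score": e["sev"], "peer": None}
    if e["src"] == "nta":
        return {"ts": datetime.fromisoformat(e["time"]), "asset": e["asset"],
                "product": "nta", "title": e["signature"], "score": 2, "peer": e["peer"]}
    return {"ts": datetime.fromisoformat(e["timestamp"]), "asset": e["host_ip"],
            "product": "edr", "title": e["event"],
            "score": {"low": 1, "medium": 2, "high": 3}[e["severity"]], "peer": None}

def build_incidents(raw_events):
    """Correlate normalized alerts per asset within WINDOW into incidents."""
    by_asset = defaultdict(list)
    for a in sorted(map(normalize, raw_events), key=lambda a: a["ts"]):
        by_asset[a["asset"]].append(a)
    incidents = []
    for asset, alerts in by_asset.items():
        current = None
        for a in alerts:
            # Open a new incident when the gap since the last alert exceeds WINDOW.
            if current is None or a["ts"] - current["last"] > WINDOW:
                current = {"asset": asset, "alerts": [], "products": set(),
                           "score": 0, "intel_hit": False, "last": a["ts"]}
                incidents.append(current)
            current["alerts"].append(a["title"])
            current["products"].add(a["product"])
            current["score"] += a["score"]
            current["intel_hit"] |= a["peer"] in THREAT_INTEL
            current["last"] = a["ts"]
    return incidents
```

An incident that spans several products and carries an intelligence hit (the first one here) is what an analyst would triage first; the single low-severity firewall alert stays a separate, low-scoring incident.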
It is recommended that the application and development of XDR solutions in industrial Internet security be promoted in the following ways: 1. Strengthen technical investment. Security vendors should improve their product portfolio and R&D iteration capabilities, integrate security products through APIs, provide wider access to more data, and improve their ability to detect and handle threats. Expanding the applicability of XDR scenarios and developing targeted industrial Internet XDR solutions, whether through in-depth integration with SIEM/SOC or as a cost-effective alternative to SIEM/SOC, will contribute to the construction of the industrial Internet security protection system.
2. Strengthen XDR market promotion. The XDR solution needs wider publicity and promotion in the industrial Internet security market. At present XDR is at an early stage of development and no unified solution standard has yet been formed; manufacturers determine the scope of security product integration based on their own product accumulation and integration capabilities. The industrial Internet XDR market has not yet been developed and cultivated, so small start-ups and large security companies have the opportunity to compete on the same stage and jointly expand and strengthen the XDR market.
3. Speed up the formulation of relevant standards. At present XDR lacks corresponding solution standards both at home and abroad. It is recommended to promote the introduction of relevant standards, accelerate the standardization of XDR, and actively promote the implementation of XDR standards in industrial Internet applications.