XDR Isn’t Enough to Protect Your Organization: The Importance of Adversary Detection and Response

BrandPost By Karen Buffo, Chief Marketing Officer, Anomali
May 17, 2022

Businesses need to develop proactive security strategies driven by threat intelligence to combat cyberattacks.


It’s more difficult than ever to protect our infrastructure, government, and businesses from becoming victims of well-funded, skilled adversaries. From the Log4j vulnerability to the SolarWinds hack to the Colonial Pipeline cyberattack, organizations are more vulnerable to cyberattacks than ever before. In fact, 87% of enterprises across 11 countries have fallen victim to cyberattacks in the past three years.

So what more can your cybersecurity team do? After all, they’re facing incredible hurdles, from limited resources and a shortage of skills to a decentralized security infrastructure and an attack surface that’s spreading rapidly in all directions.

Clearly, it’s time for a new approach — one that helps you stay ahead of the adversary by moving beyond defense-in-depth, reactive detection, and response capabilities to a proactive security strategy powered by threat intelligence.     

Proactive defense strategies start with knowing the adversary   

As adversaries emerge, CIOs, CISOs, SOC analysts, and threat analysts alike must be able to quickly evaluate the risk and potential impact on the business. For example, the CIO of a retail bank might read about an attack on banks within their geographic area and want to know whether their bank is at risk of attack.

If the CIO’s security team has the right threat intelligence on the adversary at their fingertips and can correlate that information with telemetry data from their environment, they can answer questions that help determine their risk and which mitigating actions should be taken, including:

  • How are they impacted?
  • What’s the risk right now?
  • Is the organization already under attack?
  • Are there already indicators of compromise (IOCs) for the threat in the bank’s environment? 
  • Has the financial community seen the threat in the past?     

Answering these questions requires massive amounts of global intelligence and data. And with overwhelmed and understaffed security teams, organizations need a way to curate all the telemetry data and intelligence to make it relevant and actionable. Automating a proactive, adversary-focused approach to security is the only way to win against attackers today.

That’s why you need adversary detection and response

Extended detection and response (XDR) solutions give your security team visibility across all your control points, collecting telemetry data and correlating it to accelerate detection, streamline investigations, and help analysts do more with less work. But even the best XDR solutions cannot help predict what may happen next.

What you need is adversary detection and response (ADR). ADR gives you tools, such as the MITRE ATT&CK framework for mapping the potential attack, along with the global intelligence required to understand your enemy, so you can better defend your organization. ADR is XDR that’s powered by relevant, actionable threat intelligence at scale.

ADR helps you understand where your adversaries are based and who they target as well as their tactics, techniques, and procedures (TTPs) and goals.  With this understanding, you can predict their next moves and proactively protect your business. With an ADR approach, you can adopt a risk-based cyber-defense strategy, leveraging machine learning, analytics, and automation as enablers to help you focus on the adversaries that matter—then outmaneuver them.

Threat intelligence is the foundation for effective ADR 

Threat intelligence is more than knowing a domain name or IP address used by an attacker. Your team needs access to a comprehensive threat intelligence repository and tools that enrich the context around threats, automatically correlate threat intelligence with telemetry data, and turn massive amounts of data into relevant, actionable intelligence to inform decision-making.          

Without threat intelligence, you can’t do ADR. Bad actors share TTPs, they pass on information that helps their fellow cybercriminals, and they work together to be more effective. But all of us good actors are hindered by a persistent lack of sharing.

As a cybercommunity, we need to adopt the bad actors’ model of sharing intelligence. We need trusted communities where you can share and listen so that everyone can be more vigilant 24×7. To learn more about communities for sharing threat intelligence, check out Anomali’s trusted circles and sharing community portals. For a real-world example of the benefits of sharing threat intelligence, watch the webinar “Intelligence Sharing: The Key to Stopping Breaches is Teaming Up.”

Sharing information and staying ahead of adversaries with an ADR approach is the only way to win today.

To learn more about detecting adversaries, watch this webinar: “Anomali Threat Day: Evolving Threat Hunting to Adversary Hunting Using Threat Intelligence, Presented by Cybersixgill.”


Karen Buffo

Chief Marketing Officer, Anomali

Karen Buffo is Chief Marketing Officer at Anomali. She brings more than 15 years of experience in global security, with a track record of developing and executing leading marketing strategies, resulting in value for customers, shareholders and employees. Prior to Anomali, Karen was CMO of Symantec, a role Broadcom appointed her to after its acquisition of the company. While at Symantec, she defined and implemented its global marketing strategy across all activities to strengthen its brand and drive growth for the cybersecurity business. Before Symantec, Oracle selected her to oversee global communications for its executive office. While in this role, she oversaw the development, implementation, and supervision of internal and external executive communications along with corporate thought leadership. Karen’s diverse background in business enablement and global marketing has lent itself to a holistic view of companies and their unique capabilities, opportunities, and drivers. This has led to her consistently providing sustainable value to the businesses she has served. Karen is a recognized industry keynote speaker, mentor, and contributor to the cybersecurity community. Karen holds a bachelor’s degree in Consumer Science and Business Administration from the California State University at Sacramento.