
XDR and Zero Trust: Partners in Threat Detection

  • by Spencer Lichtenstein, Brian Robertson, Karim Abillama


Are Extended Detection and Response (XDR) and Zero Trust simply two new security buzz words?

There is a lot of talk about both, but the deeper question is, “Are they related, and if so, how?” To level set the conversation, let’s look at why implementing Zero Trust as part of XDR strengthens an organization’s threat detection.

The premise of XDR is that it collects and automatically correlates data across multiple security layers (identity, asset, user, endpoint, email, server, cloud workloads, network, and IoT) so that threats are detected faster and security analysts improve their investigation and response times.

The premise of Zero Trust is that enterprises should not inherently trust any attempt to connect to a business system or application; every such attempt must be verified before any level of user access is granted.

There’s a vital relationship here—but why is it so critically important to cybersecurity?

How We Got Here

Before we examine how XDR and Zero Trust are related, we need to understand why they are building blocks to threat detection and response.

The way in which organizations operate securely is transforming due to seismic shifts in how employees access information and other macro-pressures, especially in the new world of remote work during a global pandemic.

These new realities are forcing companies to accelerate their digital transformation by expediting large transformational projects. This results in a massive expansion of the threat landscape at a faster pace than most would have expected, created in part by:

  • Acknowledging remote workers accessing sensitive information from many devices globally
  • Changing approaches to data storage, causing many organizations to migrate their traditional physical data centers to dynamic cloud infrastructure
  • New applications being developed, adopted, and moved to production at a rapid pace, often using publicly available code structures

As these adjustments are embraced, here’s the rub: they carry increasing security challenges.

Security challenge 1: The expansion of connected users and devices from remote workers that extend beyond the physical boundaries of the company

Security challenge 2: Third-party infrastructure that diminishes an organization’s ability to administer granular controls

Security challenge 3: Rapid adoption of new software with wide-ranging codebases and versions, often outside an organization’s control

Companies need to rethink security for the present and for the future. Any device attaching to the network, any application being moved into production, and every user must be scrutinized.

Zero Trust Required, Not Optional

The erosion of the security perimeter paved the way for Zero Trust, requiring organizations to find new ways to establish trustworthiness.

Traditional security has always said, “Trust, but verify.” But Zero Trust says, “Never trust, always verify.” Zero Trust security never really clears anything. Instead, Zero Trust considers all resources to be external to an organization’s network—continuously verifying users, resources, devices, and applications before granting only the minimum level of access required.

Zero Trust is proving to be a strong solution to addressing security holistically with the ability to keep up with the shift and expansion of the threat landscape.

If an organization implements tenets of Zero Trust, they have a significant risk reduction when they accelerate digital transformation initiatives. For example, rapid adoption of new software applications, or a new IaaS provider for a critical project all become a natural part of your “security glue” because Zero Trust assumes nothing is trusted until it actually proves to be trusted.

Keeping this in mind, security organizations need a mechanism that constantly surveys the environment and identifies known risks and emerging or unforeseen new threats across every attack surface anywhere in this modern, expanded infrastructure. That’s where XDR comes into play.

XDR: A Key Component to a Zero Trust Approach

Look at how the National Institute of Standards and Technology (NIST) interprets Zero Trust. Here are some compelling assessments of the need for deep visibility and speed of detection:*

  1. Architecture. Zero Trust architecture is an end-to-end approach to enterprise resource and data security that encompasses identity (person and non-person entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure.
  2. Devices. Assets that are discovered to be subverted, have known vulnerabilities, and/or are not managed by the enterprise may be treated differently (including denial of all connections to enterprise resources) than devices owned by or associated with the enterprise that are deemed to be in their most secure state. This may also apply to associated devices (e.g., personal devices) that may be allowed to access some, not all, resources.
  3. Data. An enterprise should collect data about asset security posture, network traffic, and access requests; process that data; and use any insight gained to improve policy creation and enforcement. This data can also be used to provide context for access requests from subjects.
  4. Traffic. All traffic is inspected and logged on the network and analyzed to identify and react to potential attacks against the enterprise. However, some (possibly the majority) of the traffic on the enterprise network may be opaque to layer 3 network analysis tools. This traffic may originate from non-enterprise owned assets (e.g., contracted services that use the enterprise infrastructure to access the internet) or applications/services that are resistant to passive monitoring. The enterprise that cannot perform deep packet inspection or examine the encrypted traffic must use other methods to assess a possible attacker on the network. That does not mean that the enterprise is unable to analyze encrypted traffic that it sees on the network; the enterprise can collect metadata (e.g., source and destination addresses, etc.) and the encrypted traffic and use that to detect an active attacker or possible malware communicating on the network. Machine learning techniques can be used to analyze traffic that cannot be decrypted and examined. Employing this type of machine learning would allow the enterprise to categorize traffic as valid or possibly malicious and subject to remediation.
  5. Network. For network requirements to support Zero Trust architecture, the enterprise can observe all network traffic. The enterprise records packets seen on the data plane, even if it is not able to perform application layer inspection (i.e., OSI layer 7) on all packets. The enterprise filters out metadata about the connection (e.g., destination, time, device identity) to dynamically update policies and inform the PE (policy engine) as it evaluates access requests.

XDR: Delivering Vast Visibility

The NIST paper referenced above specifically calls out the need for deep visibility in the network. If Zero Trust requires organizations “…to collect data about security posture, network traffic, and access requests, process that data, and use any insight gained to improve policy creation and enforcement” then having the ability to abstract data from every data source across the endpoint and network becomes more vital.

Layer on top of this the ability to use machine learning analytics to identify anomalies such as new endpoints or users, or anomalous changes in behavior, and XDR becomes a powerful way to trust, but always verify, those end devices.

Leveraging automation actions through orchestration and automation when endpoints or users are deemed risky takes this approach a step further to ensure assets are swiftly removed when their trustworthiness is questioned.

For organizations adopting a Zero Trust model, the visibility of XDR is a key requirement to this cybersecurity strategy.

Speed Detection and Reducing Dwell Time

Zero Trust security models assume that an attacker is present in the environment and that an enterprise-owned environment is no different or no more trustworthy than any non-enterprise owned environment.

A real-world analogy for Zero Trust: imagine a stranger going unnoticed, hiding in your residence in an area lacking surveillance. The consequences threaten both the assets you own and your own safety. Being able to instantly react and respond are critical; our human brain (one of the most sophisticated neural networks) is trained to react quickly to those emergencies.

XDR is a Zero Trust enabler when it comes to elevating the speed of detection.

This is a very important concept if we consider an attacker is already present. To thwart attackers and reduce dwell time, it is imperative to act fast and be able to quickly analyze Indicators of Compromise and behavioral anomalies in a central location with all contextual information related to the business asset. The result? Efficient identity and comprehensive threat intelligence across the endpoint and network infrastructure.

An XDR platform becomes more effective at invoking authentication mechanisms on a suspected breach or threat when it is tied to end-user entitlement controls, i.e. Zero Trust. For example, it can trigger a step-up authentication mechanism using biometrics in response to an XDR-identified anomaly. This is a powerful enabler for a SOC grounded in Zero Trust principles.
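As an added illustration (not NetWitness code, and not from the NIST publication) of how the Devices, Traffic and Network tenets quoted above and the step-up authentication response fit together: a toy policy engine builds a per-device destination baseline from recorded connection metadata, then combines device posture and an XDR anomaly score into ALLOW, STEP_UP or DENY. All names, thresholds and flow records are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Device:
    device_id: str
    managed: bool            # enrolled in enterprise device management
    known_vulns: int         # unpatched vulnerabilities reported by the agent
    subverted: bool = False  # XDR raised compromise indicators for this asset

@dataclass
class AccessRequest:
    user: str
    device: Device
    destination: str            # application or service being requested
    xdr_anomaly_score: float    # 0.0 to 1.0 from XDR behavioural analytics
    new_user_or_device: bool = False  # never seen before by the platform

def build_baseline(flows):
    """Fold recorded connection metadata (device -> destination) into the
    set of destinations each device normally reaches. Only metadata is
    used, so encrypted traffic contributes just like cleartext."""
    baseline = {}
    for f in flows:
        baseline.setdefault(f["device_id"], set()).add(f["destination"])
    return baseline

# Constructed sample of flow metadata, standing in for what the network
# sensor records on the data plane.
FLOWS = [
    {"device_id": "lt-101", "destination": "mail", "time": "08:01"},
    {"device_id": "lt-101", "destination": "crm", "time": "08:05"},
    {"device_id": "lt-202", "destination": "mail", "time": "08:07"},
]
BASELINE = build_baseline(FLOWS)

def decide(req, baseline=BASELINE, step_up_at=0.5, deny_at=0.8):
    """Return ALLOW, STEP_UP (e.g. biometric re-authentication) or DENY."""
    d = req.device
    # Subverted, or unmanaged with known vulnerabilities: deny all connections.
    if d.subverted or (not d.managed and d.known_vulns > 0):
        return "DENY"
    if req.xdr_anomaly_score >= deny_at:
        return "DENY"
    # A destination this device has never used is an anomaly in metadata alone.
    unusual_dest = req.destination not in baseline.get(d.device_id, set())
    if (req.xdr_anomaly_score >= step_up_at or unusual_dest
            or req.new_user_or_device or not d.managed):
        return "STEP_UP"
    return "ALLOW"
```

In a real deployment the baseline would be refreshed continuously from the sensor feed and the thresholds tuned per asset criticality; the ordering of the checks (posture first, then XDR score, then metadata anomalies) is what makes an unmanaged vulnerable device lose access even with a clean behavioural score.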

So how does an organization mitigate risk effectively, in a way that makes the most sense for its unique security needs? Zero Trust is the fundamental answer. It’s a critical enterprise-wide mindset that’s part of an XDR strategy to keep your house safe.

To learn more, check out NetWitness for XDR here.

*NIST Special Publication 800-207, Zero Trust Architecture: