DeepSeas MDR for XDR: The 80/20 Rule Driving XDR Adoption

December 13, 2023

There is a continuing, sometimes passionate, debate about whether enterprise environments can be effectively defended without visibility into their network telemetry. While utilizing network data for threat detection is not a new concept, the platforms are often costly, forcing organizations to choose specific locations to deploy based on budget or access, resulting in gaps in security.  

This oft-faced dilemma is forcing an industry shift to a more cost-effective, innovative solution to capture this data – distributing the collection to each endpoint in the environment as a feature of the Endpoint Detection & Response (EDR) software while reporting that intelligence to a cloud console.  

Still, this solution adds software licensing costs and even more data for the Security Operations Center (SOC) to ingest and inspect. Is adoption worth it? Let’s discuss. 

The OODA Loop for Cybersecurity 

I think we can all agree that, when in the properly trained and experienced analyst’s purview, EDR tools do a fantastic job at detections and alerts for indications of compromise and attack. Those analysts can triage, disposition to validate an alert, and take appropriate action. In the military, this is sometimes called executing an OODA loop – Observe, Orient, Decide, and Act. Jet fighter pilots use this process to win their dogfights. But we can employ these same tactics as cyber defense practitioners in the fight against cyber threat actors.  

Complete Observations: Getting the Whole Picture with XDR

Properly observing threats requires context – a lot of it. Here’s a simple but helpful analogy. Imagine you are on a sidewalk, waiting to cross a busy street. Observation is one tactic you’ll use to protect yourself as you decide if it is safe to cross.  

You look to the left and right for oncoming traffic. You search for the nearest crosswalk. To compare this to cybersecurity, consider your eyes as the endpoint detection software and your brain as the response mechanism. In this scenario, EDR is providing probably 80% of the observational context for safety – If I can’t see any traffic coming, my brain knows I’m likely safe to cross.  

But what about the other 20%? I want to cross safely 100% of the time. What about my other senses? What if I hear the siren of an emergency vehicle not too far away, and it’s just not in view yet? In cybersecurity, that other 20% is coming from visibility into network telemetry. This additional visibility helps complete observations and gives the necessary context to make the right decisions for safety.  

We commonly refer to this additional 20% of context as XDR (EXtended Detection and Response), where the “X” can be any source of information important to the threat disposition decision. We also call this the “four-legged chair” of threat detection. EDR can effectively provide a significant amount of the data needed to keep an environment protected as one of the chair’s legs — the other legs being network, email, and identity. Combine those four legs of visibility, and it gives your chair the expected balance. I would argue the biggest bang for your buck is finding this proper balance via a distributed software solution. 

Closing Gaps with DeepSeas MDR for XDR

At DeepSeas, we pride ourselves on being client-obsessed. How could we not find a way to give our clients that extra 20% of context, 100% of the time? It just makes sense. So, we’ve partnered with Carbon Black to provide this additional telemetry to orient our SOC defenders with the network and identify the telemetry every endpoint agent is seeing on its interface. Wired, wireless, 5G, whatever the location, the network has traffic on it that is observed and provides orientation to TTPs (Tactics, Techniques, and Procedures). Additionally, the identity information of the user/host can be used to attribute certain behaviors. We call this DeepSeas MDR for XDR, and it is powered by the XDR feature of Carbon Black Endpoint Detection and Response.   

Decide Fast: Allow/Block/Continue to Examine

Time is of the essence in cyber defense. Our SOC crews at DeepSeas must examine the additional context they now have access to and – using products like Security Orchestration, Automation, and Response (SOAR) – make a fast decision on what to allow/block/continue to examine in-depth to make the right decision for cyber defense. Making that decision faster can force attackers to change their TTPs or leave the environment and move on to one that is lesser defended – and that’s how we win. XDR on the endpoint from Carbon Black and MDR using SOAR from DeepSeas give us that advantage. 

A MTTD You can Trust

With an average mean time to detect (MTTD) of 55 minutes, DeepSeas is winning the dogfight against cyber attackers. A lot of vendors out there will talk about MTTD times in the range of five minutes (we’ve even heard of one that was measured in seconds), but at DeepSeas, we challenge that. To receive an alert, investigate, use XDR telemetry and logs to gain context, decide to validate the threat, and then respond, takes time to do correctly. In our investigation, we’ve discovered that many other vendors are taking credit for a “preventative action” being performed by the EDR tool. At DeepSeas, we feel that taking credit for a tool doing its job is disingenuous to the intent behind a metrics conversation and don’t include that information in our MTTD.  

An accurate and well-informed decision as fast as possible is the goal. Having all the relevant sight and sound data – and 100% of the context – speeds this metric up. 

Summary of DeepSeas MDR for XDR 

We’ve discussed the value of network data and a new way to collect it, with less gaps and in a way that is more cost effective than the traditional network appliances – distributing the collection to each laptop, server, and device using a feature of already-deployed EDR software. This in turn gives us that extra 20% of observable intelligence for the SOC analysts at DeepSeas to execute their OODA loop and keep the attackers’ methods discovered and blocked.  

My guess is that the debate on the value of visibility into network telemetry will continue. However, if you can’t deploy a stand-alone network detection and response solution with robust identity detection, you can choose to go with an EDR integrated XDR like DeepSeas MDR for XDR powered by Carbon Black EDR. I personally take great stock in the fact that DeepSeas has been told by our incident response (IR) practitioners, when called into a cyber incident by insurance carriers, that they want this EDR-enabled XDR feature turned on for every IR Overwatch service we provide by DeepSeas. It’s so valuable to investigation and remediation that we deploy it for them every time, upwards of 30 times a month.  

That ends the debate for me. The value of EDR integrated network telemetry is clear, and now there is a way to deploy it quickly and cost effectively for coverage you don’t otherwise have. We call this the DeepSeas MDR for XDR service, and it is powered by the XDR feature of Carbon Black Endpoint Detection and Response.

Written by Mike Johnson, Vice President, Partners & Alliances, DeepSeas

You can hear even more from Mike in his video on our DeepSeas YouTube Channel.