eXtended Detection & Response (XDR) has become an industry buzzword, promising to take detection and response to new heights and improve the effectiveness of security operations. Customers and vendors are behind this, and so are industry groups like the Open Cybersecurity Alliance (OCA), which shares the same goal and offers open projects to leverage for the effort.
Let’s start with an understanding of XDR. Definitions vary, but at the end of the day there is a core set of desired capabilities and outcomes.
- Go beyond the endpoint with advanced, automated detection and response that covers all vectors (endpoints, networks, cloud, etc.), automatically aggregating and correlating insights in a unified view.
Benefit: Remove the silos and reduce complexity. Empower security operations to respond and protect more quickly.
- Enable security functions to work together to share intelligence and insights, and coordinate actions.
Benefit: Deliver faster and better security outcomes.
This requires security functions to be connected to create a shared data lake of insights and to synchronize detection and response capabilities across the enterprise. The Open Cybersecurity Alliance (OCA) shares this vision to easily bring interoperability between security products and simplify integration across the threat lifecycle. OCA enables this with several open source projects available to the industry.
OCA Projects Enabling XDR
Create a Simple Pathway for Security to Work Together
In order to connect security solutions, a consistent and easy-to-use pathway is needed. Contributed by McAfee, OpenDXL Ontology is a common messaging format that enables real-time data exchange and lets disparate security functions coordinate and orchestrate actions. It builds on other open standards for message content (OpenC2, STIX, etc.). Vendors and organizations can use its categorized set of messages to perform actions on cybersecurity products, and its notifications to signal when significant security-related events occur. Multiple communication modes are supported, one-to-one and one-to-many, and there is a centralized authentication and authorization model between security functions. Some examples include, but are not limited to:
- An endpoint solution alerts all network security solutions to block verified malicious IP addresses and URLs.
- Both the endpoint and web security solutions detect suspicious behavior on certain devices calling out to a URL. Investigation is warranted but will take time, so a ticket is automatically created on the IT service desk and the affected devices are temporarily quarantined from the main network to minimize risk.
Sample code on OCA site demonstrates how to integrate the ontology into existing security products and related solutions. The whole mantra here is to integrate once and be able to share information with all the tools/products that are leveraging OpenDXL Ontology.
OpenDXL is the open initiative from which OpenDXL Ontology was initially derived. The Data Exchange Layer (DXL) technology developed by McAfee is being used by 3000 organizations today and is the transport layer used to share information in near real time. OpenDXL technology is also the foundation to McAfee’s MVISION Marketplace where organizations may easily compose their security actions and fulfill the XDR promise of working together.
Those who have followed DXL may ask what makes OpenDXL Ontology different from DXL. DXL is the communication bus. OpenDXL Ontology is the common language that enables easy and consistent sharing and collaboration between the many different tools on the DXL pathway.
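The endpoint-alerts-the-network scenario above, as an added example rather than any OpenDXL or DXL code: an in-memory bus stands in for the transport, a small dataclass stands in for the message envelope, and a central policy decides which sender may publish to which topic. The topic names, envelope fields, policy and never-block address list are all constructed for illustration (OpenC2 defines the real action vocabulary and STIX the real object type names). It also shows the check a practitioner would want on the consuming side: a block order for an internal address is refused, so a compromised or buggy producer cannot blackhole the corporate network through the shared bus.

```python
"""Added example of a one-to-many block order over a shared security bus.

In-memory stand-in, not OpenDXL or DXL code: envelope fields, topic names,
authorization policy and never-block ranges are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Message:
    topic: str        # hypothetical topic name, e.g. "indicator/block"
    sender: str       # identity of the producing security function
    action: str       # hypothetical action name, e.g. "block"
    target_type: str  # "ipv4-addr" or "url" (STIX object type names)
    target: str


# Internal ranges a block order must never touch. Constructed list; extend it
# for your own address plan.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8",
)]


def validate(msg: Message) -> Tuple[bool, str]:
    """Check a message's target once, before fan-out to every subscriber."""
    if msg.action != "block":
        return False, "unsupported action"
    if msg.target_type == "ipv4-addr":
        try:
            ip = ipaddress.IPv4Address(msg.target)
        except ValueError:
            return False, "unparseable IPv4 address"
        if any(ip in net for net in NEVER_BLOCK):
            return False, "address in a never-block range"
        return True, ""
    if msg.target_type == "url":
        if not msg.target.startswith(("http://", "https://")):
            return False, "not an http(s) URL"
        return True, ""
    return False, "unsupported target type"


class Bus:
    """Pub/sub with a central policy of which sender may publish to which topic."""

    def __init__(self, policy: Dict[str, Set[str]]):
        self._policy = policy
        self._subs: Dict[str, List[Callable[[Message], None]]] = {}
        self.rejected: List[Tuple[Message, str]] = []

    def subscribe(self, topic: str, handler: Callable[[Message], None]) -> None:
        self._subs.setdefault(topic, []).append(handler)

    def publish(self, msg: Message) -> int:
        """Deliver to every subscriber of the topic; return the delivery count."""
        if msg.topic not in self._policy.get(msg.sender, set()):
            self.rejected.append((msg, "sender not authorized for topic"))
            return 0
        ok, reason = validate(msg)
        if not ok:
            self.rejected.append((msg, reason))
            return 0
        handlers = self._subs.get(msg.topic, [])
        for handler in handlers:
            handler(msg)
        return len(handlers)


class NetworkControl:
    """A firewall or web proxy that consumes block orders; it integrates once."""

    def __init__(self, name: str):
        self.name = name
        self.blocked: Set[Tuple[str, str]] = set()

    def on_block(self, msg: Message) -> None:
        self.blocked.add((msg.target_type, msg.target))


def demo() -> dict:
    bus = Bus(policy={"edr": {"indicator/block"}, "ticketing": {"ticket/create"}})
    firewall, proxy = NetworkControl("firewall"), NetworkControl("web-proxy")
    bus.subscribe("indicator/block", firewall.on_block)
    bus.subscribe("indicator/block", proxy.on_block)
    delivered = [
        bus.publish(Message("indicator/block", "edr", "block", "ipv4-addr", "203.0.113.9")),
        bus.publish(Message("indicator/block", "edr", "block", "url", "http://203.0.113.9/payload")),
        bus.publish(Message("indicator/block", "edr", "block", "ipv4-addr", "10.0.0.5")),  # internal
        bus.publish(Message("indicator/block", "ticketing", "block", "ipv4-addr", "203.0.113.10")),  # unauthorized
    ]
    return {"delivered": delivered, "firewall": firewall.blocked, "proxy": proxy.blocked,
            "rejected": [reason for _, reason in bus.rejected]}


if __name__ == "__main__":
    print(demo())
```

The two valid orders reach both network controls with a single publish each, the internal address is refused by validation, and the ticketing function is refused by policy because it was never authorized to publish block orders. The validation belongs on the bus (or in every consumer), not only in the producer, because the whole point of the shared pathway is that a consumer does not know in advance who will be sending to it.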
Normalize Cyber Threat Data for a Better Exchange
To make exchanging threat intelligence between security tools easier, the data has to be homogenized so it can be read and analyzed consistently. Contributed by IBM, STIX-Shifter is an open-source Python library that translates STIX 2 patterns into the native query language of a data source and the results that come back into STIX objects, normalizing data across domains. Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). Many organizations have adopted STIX to make better sense of cyber threat intelligence.
STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more. Here is a great Introduction to STIX-Shifter video (just under 7 minutes) to watch.
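What that normalization looks like in miniature, as an added example that is not STIX-Shifter's own code: a STIX 2 pattern is translated into a query for a hypothetical flow-log source, and one native record from that source is translated back into STIX observed-data objects. The native schema (src, dst, sport, dport, proto), both field mappings and the sample record are constructed for this illustration. Only a subset of STIX patterning is handled (one observation expression of comparisons joined by AND/OR, no parentheses, no temporal qualifiers), and the literal grammar is deliberately strict so that a crafted pattern is rejected instead of being pasted into the native query.

```python
"""Added example: toy STIX 2 pattern -> native query and native record -> STIX.

Not stix-shifter's code. The flow-log schema, the field mappings and the
sample record are constructed for illustration.
"""
import re

# STIX property -> native field(s). An ipv4-addr can be either end of a flow,
# so one STIX comparison fans out to several native fields.
TO_NATIVE = {
    "ipv4-addr:value": ["src", "dst"],
    "network-traffic:src_port": ["sport"],
    "network-traffic:dst_port": ["dport"],
    "network-traffic:protocols[*]": ["proto"],
}

# Strict literal grammar: a quoted string may not contain a quote and a number
# is digits only, so a literal can be embedded in the native query as-is.
# Anything else is rejected, which is the guard against query injection.
_CMP = re.compile(r"^([\w-]+:[\w.\[\]*]+)\s*(=|!=|<=|>=|<|>|LIKE)\s*('[^']*'|\d+)$")


def translate_pattern(pattern: str) -> str:
    """Translate "[a = 'x' AND b = 1]" into a native query string."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a single observation expression in [ ]")
    parts = re.split(r"\s+(AND|OR)\s+", body[1:-1].strip())
    out = []
    for i, part in enumerate(parts):
        if i % 2 == 1:            # boolean operator between comparisons
            out.append(part)
            continue
        m = _CMP.match(part)
        if not m:
            raise ValueError(f"unsupported or malformed comparison: {part!r}")
        prop, op, literal = m.groups()
        fields = TO_NATIVE.get(prop)
        if fields is None:
            raise ValueError(f"no native mapping for {prop}")
        clauses = [f"{f} {op} {literal}" for f in fields]
        out.append(clauses[0] if len(clauses) == 1 else "(" + " OR ".join(clauses) + ")")
    return " ".join(out)


def is_translatable(pattern: str) -> bool:
    """True if the pattern is accepted by translate_pattern, False otherwise."""
    try:
        translate_pattern(pattern)
        return True
    except ValueError:
        return False


def to_stix_objects(record: dict) -> dict:
    """Normalize one native flow record into STIX 2 observed-data 'objects'."""
    objects, refs = {}, {}
    for field, role in (("src", "src_ref"), ("dst", "dst_ref")):
        if record.get(field):
            idx = str(len(objects))
            objects[idx] = {"type": "ipv4-addr", "value": record[field]}
            refs[role] = idx
    traffic = {"type": "network-traffic", **refs}
    if "sport" in record:
        traffic["src_port"] = int(record["sport"])
    if "dport" in record:
        traffic["dst_port"] = int(record["dport"])
    if "proto" in record:
        traffic["protocols"] = [str(record["proto"]).lower()]
    objects[str(len(objects))] = traffic
    return objects


# Constructed sample record in the hypothetical native schema.
SAMPLE_RECORD = {"ts": "2024-05-01T12:00:00Z", "src": "192.168.1.20",
                 "dst": "203.0.113.9", "sport": 51234, "dport": 443, "proto": "TCP"}

PATTERN = "[ipv4-addr:value = '203.0.113.9' AND network-traffic:dst_port = 443]"

if __name__ == "__main__":
    print(translate_pattern(PATTERN))
    print(to_stix_objects(SAMPLE_RECORD))
```

The query side shows why a mapping is more than a rename: one STIX comparison on ipv4-addr:value becomes a disjunction over both address fields of the native source. The result side shows the reverse problem: the native record is flat, while STIX wants separate ipv4-addr objects referenced from a network-traffic object, so the translator has to mint object keys and wire up the references. A pattern such as "[ipv4-addr:value = '1' OR '1'='1']" fails to parse rather than reaching the data source.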
Achieve Compliance with Critical Interoperable Communication
Security Content Automation Protocol Version 2 (SCAP v2) is a data collection architecture for continuous, real-time monitoring of configuration compliance and for detecting vulnerable versions of software on cyber assets. It specifies transport protocols for secure, interoperable communication of security automation information, allowing more active responses to changes in security posture as they occur. SCAP v2 is being developed by the National Institute of Standards and Technology (NIST).
To fully realize the benefits of an evolving XDR strategy, enterprises must ensure the platform they select is built atop an open and flexible architecture with a broad ecosystem of integrated security vendors. McAfee’s innovation and leadership in the Open Cybersecurity Alliance provides customers the confidence that as their security environment evolves, so too will their ability to effectively integrate all relevant technologies, the telemetry they generate and the security outcomes they provide.
If your organization aspires to XDR, the OCA projects bring the technologies to help unite your security functions. Many vendors are leveraging the OCA in their XDR ecosystems. Leverage the projects and join OCA if you want to influence and contribute to open security working together with ease.