Organizations are under constant pressure to ensure that their security defenses adapt effectively to evolving threat actor methodologies. Extended detection and response (XDR) has the potential to significantly advance these efforts thanks to its ability to accelerate and streamline investigation, threat hunting and response. However, successfully adopting XDR to achieve comprehensive visibility demands some important considerations. In this article, we outline the key elements of an effective XDR adoption and implementation strategy and set out the steps required to maximize your organization’s technology investment.
What is XDR?
XDR is a security solution that unifies threat data from previously isolated security tools across an organization’s technology stack. This consolidation facilitates quicker and more efficient investigation, threat hunting and response. An XDR platform collects security telemetry from endpoints, cloud workloads, network, email and other relevant sources to:
- Ensure the high-fidelity detection of true positives
- Enhance visibility across multiple environments beyond the endpoint—such as network, Software-as-a-Service (SaaS), cloud, email and identity—to improve insights across the attack lifecycle and achieve layered defense
- Allow root cause analysis to enable organizations to understand how a threat occurred and improve their defenses in the future
- Deliver automated detection and response
XDR usually takes two forms:
- Closed/Native
Delivered all in one technology suite from the same vendor.
- Open/Hybrid
Delivered using one vendor, for example, endpoint detection and response (EDR), and integrating third-party data from other vendors for wider visibility. This can include security information and event management (SIEM), vulnerability and network data.
Open or Closed XDR? Key Considerations
The choice between open and closed XDR should be defined by aspects such as:
- Existing Investments in Security Technologies
What is already in place in the business?
- Future Road Map
What is your target architecture for the future and how will XDR align with plans such as a move to the cloud or achieving complete digital transformation?
- Cost Efficiencies
Which option provides the best value for your business?
- Operational Efficiency
Which option provides better insights into your security environment?
Leveraging the Value of XDR in Microsoft
Microsoft XDR is offered under the Defender suite of solutions and covers endpoints, identities, email, collaboration tools, SaaS applications, cloud workloads and data. The Defender stack includes Defender for Endpoint, Defender for Cloud Apps, Defender for Identity, Defender for Office 365, Defender Vulnerability Management, Entra ID Protection and Defender for Cloud.
Microsoft Sentinel can be used to augment areas that aren’t covered by Defender XDR. Combining Defender XDR with Microsoft Sentinel provides a single “pane of glass” perspective on threats across your organization’s infrastructure. The key advantages of this approach are:
- Faster detection of cyber attacks
- Response achieved at machine speed
- Unified security and identity management
- Cost efficiency driven through automated response actions
The approach an organization takes to manage XDR technology is just as important as the tech itself. It is vital to have the right processes and procedures in place, supported by a team that is qualified enough to manage the alerts. Key approaches include security operations center (SOC) processes, such as monitoring and analysis, threat detection and investigation, incident response, and threat intelligence. Key people include security experts certified in Microsoft Security competencies, such as AZ-500 Microsoft Azure Security Technologies (security engineers capable of implementing, managing and monitoring security for resources in Azure, multi-cloud and hybrid environments as part of an end-to-end infrastructure) and SC-200: Microsoft Security Operations Analyst (security analysts certified in investigating, responding to and hunting for threats using Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft 365 Defender and third-party security products) and Microsoft SOC professionals (Microsoft-Certified Azure Security Engineers, Microsoft-Certified Security Operations Analysts, etc.).
Essential Questions to Ask Before Adopting Microsoft XDR
To successfully adopt and implement MXDR in your organization, answer these questions first:
- How do you manage your security operations? Do you manage them in-house, co-manage them with an outsourced SOC, or fully outsource your security operations?
- How do you undertake analysis? For example, do you use multiple siloed products for analysis or a centralized platform with automation using Security Orchestration, Automation and Response (SOAR)?
- How do you leverage threat intelligence within your security operations?
- Outside of incident investigations, how often does your team carry out proactive (hypothesis-based) threat hunting?
- What is the status of your digital forensics and incident response investigation capability setup?
- If you need to outsource the management to a third-party provider, do you know how to evaluate them?
Discover Your Organization’s Microsoft XDR Maturity with the Kroll Online Assessment Tool
For a personalized maturity rating and recommendations to support your path toward XDR adoption, complete our quick online assessment now. You’ll receive an instant report outlining your level of maturity, plus suggested considerations and areas of improvement for the successful adoption of Microsoft XDR and Microsoft licenses.
How to Avoid the Pitfalls of Adopting XDR
Leveraging the many benefits of Microsoft XDR can present unique challenges, including:
- Understanding Which Microsoft Investments to Prioritize
A common challenge for many organizations is a lack of certainty around which Microsoft Defender/E5 products they should prioritize for threat detection and response. In addition to carefully considering what type of license you have, it is important to monitor which option is most cost effective for your requirements. For example, additional data ingestion and storage charges can be created by consuming too much data. Including extra assets and endpoints to monitor—such as additional servers, workstations and virtual machines—may incur further licensing charges, while some teams spend too much time configuring sensors.
Start by gaining a clear understanding of the type of Microsoft license your organization has. We recommend ensuring that you have the following solutions and prioritizing them for threat detection and response:
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity - Azure Active Directory (AD)
- Microsoft Defender for Office 365
All of them offer cost-effective licensing while providing that vital combination of prevention and detection in the key environments exploited by threat actors in the early stages of attack. By prioritizing Microsoft Defender solutions that cover endpoint, identity and Office 365—and putting them all into Microsoft Sentinel—you will begin pulling in data from the underlying Azure environment and from third-party cloud sources such as AWS and Google Cloud. Using Sentinel in this way also means that everything is in the same place for dashboarding, rules and Microsoft 365 Defender.
- Failing to Leverage Automation and Native Integrations
Organizations frequently fail to automate response playbooks for on-premises environments because of the negative impact this can have on legacy technology that also demands specific on-site forensics. However, the cloud is accessible and fast-moving, so response there should be highly automated. To achieve this, explore opportunities to leverage native Microsoft tools, such as Azure Logic Apps and Power Automate, to set up automated cloud responses. You should also look at opportunities to build playbooks that are native in Microsoft Sentinel, covering issues such as notifications, blocking, changing incident severity, compromised machines and activity from suspicious locations.
It is important to understand the difference between Microsoft Sentinel automations and broader SOC automations. Although Microsoft Sentinel will help automate API integrations with other technologies, a broader SOC workflow automation is required to cover triage, enrichment of threat intelligence Indicators of Compromise (IoCs), and containment. This should be supplemented with frontline intelligence and strategic response that uses digital forensics and incident response (DFIR) techniques such as root-cause analysis, reverse engineering, threat hunting and malware removal.
- Failing to Ensure Effective Configuration Is in Place
Many organizations make the error of committing financially to adopting security solutions before fully understanding the amount of time and insight required to optimize them. Monitoring can become redundant if effective configuration isn’t in place to identify the right telemetry and activity. The good news is that Microsoft has made it simple to integrate Microsoft Defender and other E5 security solutions into Microsoft Sentinel. The bad news is that, without proper configuration and implementation of these underlying features, you won’t gain value from them. Consider key aspects such as data retention, threat policies, automations, permissions/roles and rules.
- Understanding Your Current Level of Maturity
A critical step in the process of adopting XDR is gauging the maturity of your existing security stack. This begins with prioritizing your efforts to secure your organization’s identity, endpoint and cloud. You should then ensure that effective configuration is in place to achieve the most value from your tools before leveraging automation and native integrations.
Choosing the Right XDR Solution for Your Requirements
With the XDR market still maturing, vendors offer varying levels of XDR integration and delivery. To ensure that your organization achieves the best results from XDR, we recommend that you clearly define your required outcomes and fully evaluate product functionality to ensure that those outcomes are met. It is also important to carefully assess the native integrations with other tool sets in your organization and the response functionalities on offer, alongside the financial implications of making the transition. Based on the outcomes defined, your organization can then identify the best approach to meet your requirements, whether that is open or closed XDR.
Achieving XDR Outcomes with Microsoft-certified MDR Providers
Microsoft-certified managed detection and response (MDR) vendors can help organizations achieve XDR through the right combination of people, process and technology. Kroll goes further than most vendors. Our product-agnostic approach means that our experts can help with decision-making around choosing the right XDR solution for your needs. As the world’s #1 incident response provider, we integrate frontline threat intelligence into our detections in near real-time from thousands of cyber incidents handled by our investigators every year. We correlate telemetry across the Microsoft Defender suite and layer our threat detection, hunting and forensic-led incident response expertise. By bringing in our seasoned Digital Forensics & Incident Response investigators as part of our ongoing service, we can go beyond just containing a threat to quickly understanding the root cause and remotely remediating across all affected systems. Our frontline experience means we can mature your operations with advisory support throughout the lifecycle of the service.
Client Case Study: Elevating a Housing Association’s Security Posture with Managed XDR
As one of the largest housing associations in the UK, Southern Housing was concerned about being targeted due to a sharp increase in cyberattacks on its industry. The organization also needed to broaden its defenses in response to the shift to remote and hybrid working. Kroll Responder’s managed XDR service now provides 24/7 monitoring, investigation and response for Southern Housing, leveraging Microsoft 365 Defender and Microsoft Sentinel. The service ingests and analyzes data from Defender for Endpoint, Defender for Cloud Apps, Defender for Cloud, Defender for Identity and Defender for Office 365, as well as third-party endpoint, email and cloud data sources. By delivering enhanced threat visibility and complete response, Kroll Responder MDR enables Southern Housing to maximize its technology investment while also assuring the security of its IT infrastructure and assets.