Extended Detection & Response (XDR) can play a pivotal role in enhancing a zero trust architecture when coupled with more fine-tuned Identity and Access Management (IdAM). Solutions like Accenture's XDR for Government provide comprehensive security monitoring through flexible as-a-service delivery that focuses on data and identity monitoring. By offering state-of-the-art technologies as a fully managed service, agencies can take advantage of advanced analytics and automation to identify and mitigate cyber threats at machine speed.

This high degree of automation is key to supporting the zero trust framework. Under zero trust, monitoring extends beyond the network perimeter to encompass a wide range of activities and endpoints as well as the supply chain. In this significantly broader landscape, speed to react and an automated response is essential. XDR enhances the zero trust effectiveness by elevating the speed and volume of anomaly detections and rapid responses.

Security breaches and advanced persistent threats (APTs) are assumed in a zero trust architecture, making detection and response speed critical to eradicating the threat before significant damage occurs. XDR addresses this need, using automation, artificial intelligence (AI), and analytics to quickly address spurious attacks and more effectively isolate and remediate the sophisticated, targeted attacks that can cause real damage.

XDR provides end-to-end, intelligence-driven, integrated threat monitoring, and automated incident response using industry best practices. It brings together advanced security operations center (SOC) components, including real-time threat intelligence, user and entity behavior analytics, AI-driven event correlation, and security orchestration, automation and response (SOAR) capabilities, to address the full cyber threat lifecycle.

To ensure that these various tools work together as a cohesive whole, XDR is often delivered as a fully integrated Platform-as-a-Service (PaaS) or managed service offering. By opting for XDR as a managed service, agencies can also utilize highly skilled, multidisciplinary teams and documented playbooks to further accelerate threat detection and resolution.

For example, Accenture XDR for Government is a FedRAMP-authorized solution explicitly built around government agencies' needs. It brings together best-of-breed SOC components and investigatory tools as a fully managed service to measurably improve cyber resilience while lowering operating costs in most cases. It integrates natively with existing security systems and can serve as either a primary SOC or as a strategic component of a multitiered defense.

Key capabilities for Accenture XDR for Government include:

In the case of Accenture XDR for Government, 80 percent of all alert responses are automated – delivering operational security at unprecedented speeds and significantly reducing the time-and-effort requirement chasing spurious alerts, freeing highly skilled experts to tackle more high-value tasks.

This widespread adoption of analytics and automation allows Accenture XDR for Government to deliver significantly faster incident response and remediation. In production environments, it detects incidents, on average, in under one minute. Response time is based on a service level objective (SLO) of eight minutes or less, with an average time to resolution of 15 minutes. In contrast, Accenture's Third Annual State of Cyber Resilience Report – Federal Edition found that most federal agencies currently take days or weeks to find and fix security breaches in their enterprise.

XDR detections are mapped to the MITRE ATT&CK framework, using artificial intelligence to expedite analysis and adapt defenses. Typically, XDR will deliver a customer portal that presents IT leaders with streaming security intelligence, providing a more complete view of the organization's overall security posture.

XDR's customer value ultimately depends on the end user's technology deployment and data availability. With this in mind, the Accenture XDR team can work with customers to assess their technology and help them maximize capability coverage and integration. A FedRAMP-authorized XDR service will integrate seamlessly into the existing security fabric and can provide first- or second-line defense, serving as either a primary SOC or as a strategic component of a multitiered defense.

A number of other security infrastructure offerings go partway toward meeting the demands of a highly complex security landscape. The government has pursued these solutions with varying degrees of success. It's instructive to take a look at how XDR does and does not resemble these alternate methodologies.

With its focus on the growing universe of endpoint devices, Endpoint Detection & Response (EDR) can be a powerful tool for managing security at the endpoint. However, EDR cannot effectively peer into network traffic and cloud workloads, which means it provides a more limited view, leading to unverified alerts that can overwhelm a traditional SOC. By providing a more granular and contextual perspective, XDR can automatically resolve many of these alerts and prioritize those deemed the most significant risk.

Managed Detection & Response (MDR) is precisely that – a managed service offering that delivers SOC capabilities as a service around a specific tool. Given the constraints on cybersecurity talent, this can be a valuable and cost-saving alternative to in-house staffing.

Most MDR offerings don't provide the defense-in-depth offered by employing various cybersecurity tools, have limited visibility into network traffic and cloud workloads, and lack sophisticated data integration, correlation, and analysis.

At a casual glance, XDR may resemble components of both SIEM (secure information and event management) and SOAR (security, orchestration, automation, and response), as it leverages both technologies. However, XDR adds additional capabilities to provide a more robust and resilient monitoring and response solution.

SIEM tools alone typically don't offer the same fidelity of threat detection nor the ability to proactively hunt for APTs and insider threats using threat intelligence and UBEA. And SOAR can help ensure more consistent responses but typically address only low-level threats versus the more complex, targeted attacks that XDR focuses on.

By acquiring XDR as a managed service, organizations can leverage several significant advantages.

In an environment where cybersecurity talent is scarce, agencies can take advantage of highly skilled and trained, multidisciplinary teams addressing the full cybersecurity lifecycle. Coupled with the use of analytics and automation, these economies of scale can deliver better coverage at a lower cost.

An as-a-service model also makes it easier to stay ahead of the threat. Near-term, agencies benefit from the collective knowledge and specialization enabled by a shared service model, which means that new risk areas can be quickly identified and responded to. Thinking about the longer-term effects, the shift to an outcome-based model with defined SLAs can drive continuous performance improvements. For example, a managed service provider has the incentive and the ability to quickly procure and implement new tools to maintain or bolster cyber defenses in the face of emerging threats.

Finally, working with a managed service provider can be a leapfrog event for agencies seeking to grow their cybersecurity maturity. For example, Accenture's companion Level-Up framework assesses 800 characteristics to chart a five-step cybersecurity maturity progression to bring federal agencies to a fully predictive model.

An adaptive security model like zero trust is a lifestyle. By definition, it's about maintaining a constant state of risk-based vigilance. And as both the technology and threats evolve, strategies and privileges need to change with them.

For federal agencies, this reinforces the need to layer in zero trust capabilities and controls over time, building from the inside/out and outside/in simultaneously to secure the enterprise. This approach will help agencies reduce risk and better protect critical assets by improving identity management and device security while also implementing more agile and intelligent detection capabilities to respond faster to the inevitable breach and limit its impact. For example, should an alert identify suspicious activity attached to elevated account privileges, XDR can implement an automated playback to halt that activity, leveraging user identity as a cue to initiate corrective action automatically.

In this context, XDR can play a critical role, acting as the central nervous system that integrates an end-to-end zero trust architecture. Specifically, it provides real-time visibility and alerting across the entire network and environment, monitoring enforcement of core policies, providing insight with context, and empowering teams to take fast action when required.

Furthermore, solutions like Accenture XDR for Government, a cloud-based, FedRAMP-authorized platform, use open standards to integrate across endpoints, networks, cloud workloads, applications, security devices, and users, and can become fully operational in 90 days or less. With its integrated capabilities mapped against a defined maturity curve, agencies can use Accenture XDR for Government to develop their zero trust competency and grow their maturity.

¹ Joseph Blankenship, Heidi Shey, Defend Your Digital Business From Advanced Cyberattacks Using Forrester's Zero Trust Model (July 2, 2020), Forrester

² Peter Firstbrook , Craig Lawson, Innovation Insight for Extended Detection and Response (March 19, 2020), Gartner