Microsoft XDR Lessons from the Kitchen Matrix

August 11, 2022 | 3 min read

Mona Ghadiri

Director of Product Management


Part One: The Kitchen Matrix

Last December, tech security expert Dr. Anton Chuvakin wrote a blog about stealing site reliability engineering (SRE) concepts for your SOC. I love this idea of transposing successful ideas from other areas and proving that some things really do work. Chuvakin mentions phishing automation being the first core “starter” playbook because it’s a time suck. Choosing use cases for XDR may be the wrong place to start. With cooking, selecting a recipe from thin air or even with Google’s help wastes valuable time. Similarly, choosing a time-intensive activity to automate usually fails.

I have a different proposal. I’m taking a lead from Mark Bittman’s Kitchen Matrix, a successful recipe anthology in which thematic matrices can be applied to cooking ingredients. Bittman is a hero of mine, and his formulas and improvisations are also applicable, I argue, to security operations.

We don’t need more XDR recipes. We need different recipes.

Although Kitchen Matrix is a cookbook, it’s organized much differently than what we traditionally see in the kitchen. Instead of organizing recipes alphabetically, or around appetizers, soups, entrées, and desserts, or even a cuisine, the book mixes and matches recipes as well as techniques, which fosters creativity while still being organized around outcomes. The recipes are 80% of it, but you as the chef must finish the dish.

Bittman says in his introduction, “Most of us who cook on a regular basis don’t constantly come up with brilliant and innovative dishes. …I’d be bored in a week. Instead, we stake out a sweet spot in the middle.”

XDR doesn’t have to be flashy or actions only. What if the most important automations weren’t isolating a host or blocking a user but choosing the right philosophical approach to what XDR automations can or should do?

In the cookbook, one of my favorite sections is on bell peppers. Bittman covers 16 ways to cook them. Sixteen! It is my favorite metaphor for XDR operations in Microsoft 365 Defender. Most people can likely think of two to four major ways they use bell peppers. They’re relegated to a side dish or included as a main entrée base — the holy trinity of onion, peppers, and carrots may as well be Defender for Endpoint, Defender for Cloud Apps, and Defender for Office. These tools have XDR automations of their own, but working in the console may not be the best place to start. And sixteen options? Wow, I didn’t even realize bell peppers (or M365 or Microsoft) did all that.

In my opinion, we need the Microsoft Kitchen Matrix for XDR. I would start to build it like this:

Microsoft XDR Authentication five ways

User, delegated user, multi-tenant user, or machine user authentication, using the console, Azure AD, the Graph API, the Azure REST API, or OAuth 2.0.

Creating XDR Incidents five ways

Create an incident at the time of the alert with M365 Defender; create it at the time of the incident in Microsoft Sentinel; correlate alerts from multiple tools to create more incidents in M365 Defender or Microsoft Sentinel; or create incidents from additional third-party data sources using Defender for Cloud Apps.

XDR Response Containment Intervention four ways

Contain user; contain device; change policy; dismiss user or device risk.

This three-step thought exercise let me do what Bittman and I set out to do. We didn’t make 10 automations; we enabled 10,000, and ensured we had the right flexibility in the right places to cook different dishes or execute different XDR automations.

So what should be in your SOC’s XDR Kitchen Matrix? You decide.

Because no one should have to eat the same six things for dinner, your XDR options deserve the same.

Mona Ghadiri is a director of product management at BlueVoyant.