Why XDR is an analyst’s best friend
By Doron Davidson, Founder and VP of BD, SecBI.
Threat hunting is part of SecBI’s Universal XDR’s origin story. Back in a previous life, I used to manage the professional services of RSA Security when it got breached. At the time, it was considered an advanced attack, combining social engineering, phishing, malware, and privilege escalation. The kill chain was long, and the investigation was arduous and time-consuming.
SecBI was the aftermath of the breach response, based on the belief that there had to be a better way – we began contemplating automation of this process. We needed a faster and simpler way to view the entire kill chain. We toyed with the idea of collecting data from the different security controls within the organization and finding the context of a specific attack, then providing that information with full-scope visibility to an analyst, so that they can really understand what is happening, how to respond to it and, if possible, even respond to it manually.
Fast forward to 2021, a lot has changed, but the need for what we now call XDR (Extended Detection and Response) has remained constant. The good news is that now there are plenty of XDR options available. Proprietary XDRs may be attractive to those with a single-vendor security strategy, but for most of us with multiple security vendor platforms in place, the universal XDR is the best way to go.
In short, SecBI’s Universal XDR can integrate data from multiple vendors into a single platform, essentially enabling us to retrieve data from the web and mail gateways, endpoints or the cloud, and on top of that we add a layer of threat intelligence. For example, it can ingest data from Check Point firewalls, the Zscaler web gateway, CrowdStrike EDR logs and telemetry, the Proofpoint email gateway, and so on.
When the platform first ingests the data, it normalizes it into a single unified view. This is particularly important for larger organizations that may have more than one vendor in the same silo or the same security control. For example, you might have an EDR from CrowdStrike and another from Cylance in the same organization. The platform first normalizes all the data of the entire organization into a unified view. Once normalized, we can run our full-scope detection.
The attack can be visualized and correlated to over 250 of the MITRE ATT&CK techniques, and our own proprietary machine learning and detections then identify similar behaviors within the organization.
Based on those behavioral identifiers, the analyst can understand the full scope of the detected incident. For example, if we see three users/endpoints within the organization all communicating with the same host, it is most likely that if one of those users has malware installed on their machine, the others do too. At this point, it makes sense for an analyst investigating this kind of behavior to scrutinize all three users/endpoints as a single probe.
The Universal XDR platform enriches the data with an additional layer of intelligence, providing the context for each incident to better understand the details, and assigns each behavior a severity rating based on what was detected within that behavior. If the severity is high enough, it automatically triggers an explicit playbook that goes through an automated incident response process to orchestrate the workflow or integration with a specific set of security controls for the remediation.
If the severity is not high enough to trigger an automated response, it can still go through a threat hunting process or a breach response to proactively look into the specific behavior under investigation, which can then result in the manual activation of a predefined playbook.
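To make the normalize, correlate, score and route steps above concrete, here is an added toy example (not SecBI code, and not any vendor's real log format): two constructed vendor schemas are mapped onto one unified record shape, every endpoint talking to the same destination is grouped into one incident, a severity is computed with a constructed threat-intel bonus, and the incident is routed to an automated playbook or to threat hunting depending on a threshold. The weights, threshold and field names are all assumptions.

```python
# Added example, not SecBI's implementation: a minimal normalize -> correlate -> score -> route pipeline.
from collections import defaultdict

# Constructed sample telemetry in two hypothetical vendor schemas (not real product formats).
EDR_A = [  # hypothetical "vendor A" endpoint records
    {"hostname": "ws-01", "user": "alice", "remote": "198.51.100.7", "alert": "suspicious_beacon"},
    {"hostname": "ws-02", "user": "bob", "remote": "198.51.100.7", "alert": "suspicious_beacon"},
]
PROXY_B = [  # hypothetical "vendor B" web-gateway records
    {"src_host": "ws-03", "usr": "carol", "dst_ip": "198.51.100.7", "category": "newly_registered"},
    {"src_host": "ws-04", "usr": "dave", "dst_ip": "203.0.113.9", "category": "business"},
]
THREAT_INTEL = {"198.51.100.7": "c2"}  # constructed intel layer: destinations treated as known-bad
SEVERITY = {"suspicious_beacon": 40, "newly_registered": 20, "business": 0}  # assumed weights
PLAYBOOK_THRESHOLD = 70  # assumed cut-off for automatic response

def normalize(edr_a, proxy_b):
    """Map both vendor schemas onto one unified record shape (the 'single unified view')."""
    unified = []
    for r in edr_a:
        unified.append({"endpoint": r["hostname"], "user": r["user"], "dst": r["remote"],
                        "signal": r["alert"], "source": "edr_a"})
    for r in proxy_b:
        unified.append({"endpoint": r["src_host"], "user": r["usr"], "dst": r["dst_ip"],
                        "signal": r["category"], "source": "proxy_b"})
    return unified

def correlate(unified):
    """Group every endpoint that talks to the same destination into one incident."""
    incidents = defaultdict(list)
    for rec in unified:
        incidents[rec["dst"]].append(rec)
    return dict(incidents)

def score(dst, records):
    """Severity = sum of per-signal weights plus a threat-intel bonus, capped at 100."""
    s = sum(SEVERITY.get(r["signal"], 10) for r in records)
    if dst in THREAT_INTEL:
        s += 30
    return min(s, 100)

def route(unified):
    """Return {dst: (severity, sorted endpoints, action)}; action is the response path taken."""
    out = {}
    for dst, recs in correlate(unified).items():
        sev = score(dst, recs)
        action = "auto_playbook" if sev >= PLAYBOOK_THRESHOLD else "threat_hunt"
        out[dst] = (sev, sorted({r["endpoint"] for r in recs}), action)
    return out

if __name__ == "__main__":
    for dst, (sev, endpoints, action) in route(normalize(EDR_A, PROXY_B)).items():
        print(f"{dst}: severity={sev} endpoints={endpoints} -> {action}")
```

Three endpoints seen by two different vendors end up in one incident against 198.51.100.7, which crosses the threshold and is routed to the playbook, while the single benign destination is left for a hunt.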
In short, SecBI’s Universal XDR does much of the heavy lifting for the analyst. What more could you ask from your best friend?