X Marks the Spot in an XDR Solution
By Arie Fred, VP of Product, SecBI
The market is buzzing with the newest acronym in threat detection, XDR. So let’s break down the concept of an XDR solution. “XDR” stands for “extended detection and response,” meaning a unified incident detection and response platform that automatically collects and correlates data from multiple security components to facilitate accurate response. The advantage of multi-source, or extended, detection and response is that it overcomes the gaps in single-source, siloed security solutions.
Just to fill the gap between EDR and SIEM?
Some pundits have said that XDR solutions have evolved to fill the gap between endpoint security solutions (EPP and EDR) and SIEM. Endpoint solutions offer a way to investigate what is happening at the endpoint (the target of many cyberattacks), while a SIEM collects and displays logs that enable security teams to understand what is happening on their networks. Organizations are frustrated with the SIEM’s inability to investigate activity on the endpoint, and with the EDR’s tendency to produce a multitude of disconnected alerts without providing the ability to see the full scope of each alert.
Detect, correlate, prioritize and remediate
SecBI’s machine learning technology has been refined to provide automated, prioritized alerts with complete storylines and all the information analysts need in order to resolve the most acute alerts quickly. When designing our solution, we looked at the main challenges security analysts face when combating sophisticated attackers:
- Digesting enormous amounts of data
- Handling multiple sources of data, some of it encrypted
- Finding correlations within the data
- Prioritizing the handling and remediation of events
SecBI automates the ingestion of huge amounts of data and quickly finds correlations to identify suspicious activities. When first introduced, it was a big shift from the traditional network traffic analysis approach, which strives to inspect every data packet. But with larger portions of traffic being encrypted, SecBI’s approach proved more efficient, as it can identify anomalies and correlations even within encrypted traffic. The system automatically finds correlations, prioritizes the alerts according to severity and suggests the most effective mitigation actions to the analysts. While the technology was originally built for ingesting communication log data, we have now extended it to receive an “X” number of additional data sources, including endpoint solutions, cloud security tools and network traffic, to provide a complete picture for better detection. In addition, analysts receive details of the incident from the root cause through the full kill chain. This enables analysts to overcome the typical mistake of partial detection and reveals whether the alert is part of a larger, synchronized attack.
Differences among XDR vendors
Today, there are around a dozen vendors offering an XDR solution, with Palo Alto Cortex the best known. However, organizations should be aware that when the XDR solution comes from a vendor promoting its own EDR solution, the organization is expected to replace its existing endpoint solution with the XDR vendor’s. In addition, the former EDR vendor – now XDR vendor – probably lacks the depth required to analyze and correlate network traffic. In a similar fashion, SIEM/SOAR vendors offering XDR solutions are also at a disadvantage when it comes to analyzing network traffic and suggesting traffic-based correlations, tracing the root cause, and reconstructing the rest of the attack.
However, there is one vendor offering a vendor-agnostic XDR platform that connects an organization’s existing security tools, making each tool more effective by integrating it with the others, and that is SecBI.
Finally, most vendors who tout “automated response” (the “R” part of XDR) usually offer pre-determined playbooks, which, while facilitating response, are limited by the experience gained at the organization and the complexity of building the playbooks. The SecBI XDR Platform offers extended automation with simple integration. Customers benefit from both options: a wide range of predefined automated workflows, and the flexibility to inject responses into the workflow for pinpointed actions. It is configured for easily adding playbooks and connections to different security appliances, enabling a wide range of mitigations and policy updates on all relevant security appliances.
To XDR or not to XDR? Go vendor agnostic.
While very much the buzzword of the moment, a true XDR solution isn’t just a marketing fad. It offers real benefits to organizations by integrating their existing security tools on a vendor-agnostic platform for better detection and response by security teams.
Contact us to schedule a demo of SecBI XDR today.