Three belated observations from a security expert who wanted to build a multi-layered defense system but did it just like everyone else
The first insight from our cybersecurity expert is this: SIEM does not help detect sophisticated, targeted modern attacks that rely on low-profile tactics and tools, regardless of how many correlation rules are written for that purpose. No matter how many security events a SIEM aggregates from across the infrastructure, many threats continue to fly under the radar. This gap can be closed with Endpoint Detection and Response (EDR) solutions, which collect telemetry directly from hosts and provide much richer correlation and threat hunting capabilities.
The second insight is: all siloed solutions that have already been implemented must work together cohesively. A security expert’s main task is to set up as many defense layers as possible to protect against threat actors. This means not only that security events must be correlated across them, but also that each solution must communicate with neighboring defense systems. For example, if an antivirus system is triggered, the trigger must cause the EDR to react, the suspicious file must be sent to a sandbox for analysis, after which the sandbox must send the extracted indicators of compromise (IoCs) to NGFW, and so on. This is how our security expert — and the entire market — eventually began using Security Orchestration, Automation and Response (SOAR) solutions designed to combine all defense measures into a single system and automate incident response. It sounds promising, but no matter how deeply the solutions are integrated with each other, SIEM alert fatigue remains a serious issue that causes security teams to overlook real incidents.
The resulting third insight is that there is no need to send every event to the SIEM, because most of these notifications are useless for detecting threats. A new category of solutions emerged as a result, designed to route and filter events before they reach the SIEM. This is how our security expert was drawn into a never-ending race to make the information security system more manageable, unified, and universal.
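The routing and filtering idea from the third insight, as an added example that is not code from the original post or from any product: critical detections from other defense layers always reach the SIEM, high-volume telemetry stays in the security data lake for hunting, and everything else is de-duplicated per host into counted events so threshold rules keep their numbers. The event schema, type names and sample batch are constructed for illustration.

```python
"""Route raw security events so the SIEM receives only what is worth correlating.

Added example; the event schema, type names and sample data are constructed
for illustration and are not taken from any specific XDR or SIEM product.
"""
from collections import OrderedDict

# Unconditionally forwarded: detections already produced by another defense layer.
CRITICAL_TYPES = {"av_detection", "edr_alert", "sandbox_verdict"}
# High-volume telemetry kept only in the data lake for threat hunting.
LAKE_ONLY_TYPES = {"dns_query", "process_heartbeat"}


def route_events(events):
    """Return (to_siem, to_lake, dropped).

    Every event that can be tied to a host goes to the lake. The SIEM gets
    critical detections plus a de-duplicated view of the rest: identical
    events from one host collapse into a single event carrying a `count`,
    so volume shrinks while rules such as "N failed logons" still work.
    """
    to_siem, to_lake, dropped = [], [], []
    collapsed = OrderedDict()
    for ev in events:
        if "host" not in ev or "type" not in ev:
            dropped.append(ev)  # cannot be attributed to an asset: useless for response
            continue
        to_lake.append(ev)
        if ev["type"] in CRITICAL_TYPES:
            to_siem.append(dict(ev, count=1))
        elif ev["type"] not in LAKE_ONLY_TYPES:
            key = tuple(sorted(ev.items()))  # keys are unique, so values are never compared
            if key in collapsed:
                collapsed[key]["count"] += 1
            else:
                collapsed[key] = dict(ev, count=1)
    to_siem.extend(collapsed.values())
    return to_siem, to_lake, dropped


# Constructed sample batch: 2 DNS queries, 1 AV detection, 4 identical failed logons, 1 malformed event.
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "dns_query", "query": "updates.example.test"},
    {"host": "ws-01", "type": "dns_query", "query": "updates.example.test"},
    {"host": "ws-01", "type": "av_detection", "sha256": "PLACEHOLDER_HASH"},
    {"host": "ws-02", "type": "logon_failure", "user": "alice"},
    {"host": "ws-02", "type": "logon_failure", "user": "alice"},
    {"host": "ws-02", "type": "logon_failure", "user": "alice"},
    {"host": "ws-02", "type": "logon_failure", "user": "alice"},
    {"type": "edr_alert"},  # no host field: malformed
]


def summarize(events=SAMPLE_EVENTS):
    """Per-destination counts plus how many raw events the SIEM records represent."""
    siem, lake, dropped = route_events(events)
    return {"siem": len(siem), "lake": len(lake), "dropped": len(dropped),
            "siem_events": sum(e["count"] for e in siem)}


if __name__ == "__main__":
    print(summarize())
```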
Eventually, Extended Detection and Response (XDR) systems entered the market. These systems were designed to make the life of cybersecurity teams easier. As a kind of “elite niche” in the cybersecurity market, XDR solutions are devoid of the shortcomings of all previously known approaches to creating multi-layered defense.
They help to:
- Collect, correlate, and analyze data from various sources, giving security experts a powerful tool that continuously monitors all events within the network and on each device, as well as external events that can pose a threat;
- Make incident response much faster, which minimizes damage and quickly stops adversaries;
- Detect the widest possible range of threats, from phishing to sophisticated targeted attacks, in a fully automated manner;
- Hunt for threats using EDR telemetry from hosts, network traffic and email, all from a single Security Data Lake;
- Provide 360-degree visibility and manageability across all security solutions in order to get the most out of each of them;
- Conduct in-depth investigations into incidents, from patient zero (the first infected device on the network) to any further attack propagation, which helps control all potential infection vectors in the infrastructure.
Simply put, XDR is a new category of solutions designed for advanced detection, response and threat prevention. XDR solutions collect only essential data, in a balanced and high-quality manner. They analyze signals across all security solutions, thereby giving security teams full control over the assets entrusted to them.
The solutions in this category fall under two types:
- Solutions that collect only essential data across security systems for the purpose of more effective threat detection and advanced analytics when analyzing alerts or individual events.
- Solutions that complement each other without affecting any existing solutions, all the while eliminating all the shortcomings described in the above introduction, namely conflicts between solutions, lack of management, alert fatigue, and difficult-to-detect threats.
That XDR solutions had become the answer to the most painful challenges faced by security teams became clear soon after this technologically advanced and “smart” approach to protecting companies worldwide emerged. Now that you know what an XDR solution is and how and why it should be used, let's talk about what you need to pay attention to when choosing one.
We have prepared this blog post to share with you why we decided to develop our own XDR, what lies “under the hood” of the system, and how this superweapon can be used above and beyond protecting companies or their clients. XDR helps analyze adversary activity, learn how to hunt for threats, and contribute to the fight against cybercrime — a mission worthy of a superhero. Let's go.