Life With an XDR Without The Understanding of Relationship Centric Approach to Threats

Cyway Blog

The introduction of XDR is a major evolution in understanding how effectively an organization handles the threats within it. Threat data is available to security analysts on a real-time query basis, so they can take the relevant action.

With access to the data, many incredible things happen:

  1. Security analysts can research and respond to alerts in rapid succession, dramatically increasing the amount of work they get through.
  2. Armed with endpoint context, Tier 1 threat analysts can perform more sophisticated analysis, encroaching on the role typically assigned to Tier 2.
  3. By eliminating the high volume of tickets requesting context, customers or stakeholders of a large enterprise are relieved of the deluge of inquiries.
  4. Costs are reduced because large organizations need fewer threat analysts.

Inevitably, a breach will occur. When it does, using a best-in-class EDR vendor that provides continuous and centralized recording takes the guesswork out of incident response. The attacker may have erased their tracks, but the EDR has recorded the attacker's every move on the endpoint, the cyber equivalent of a surveillance camera. With a complete historical recording of an attacker and their actions, incident responders do not need to fly to the scene of the crime, scrape RAM, or image machines to look for clues. The full recorded history of the attack enables on-the-spot incident response.

Traditional XDR uses events to inspect suspicious behavior, but each event is considered in isolation. Individual events are inherently weak signals, so alerting on them produces a deluge of alerts driven by system triggers. As a result, these systems rely on high-strength signals to generate alerts in order to keep false positives under control. Today's attackers are smart enough to evade some of those detections and rely on much more subtle techniques that are harder to find.

The only way to highlight these threats is to make relationships, rather than events, the foundational data. This allows the system to evaluate the entire set of relationships an attacker forms within an infrastructure, and thereby to move back and forth in time to look holistically for suspicious behaviors. The system can also understand and visualize the attacker's entire session or campaign, instead of generating alerts that analysts have to investigate in order to piece together the complete story. The power of relationships allows the system to understand the entire scope of impact of the attack and enumerate the list of compromised devices, suspicious processes, suspicious external domains, etc.
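As an added illustration of this relationship-centric approach (example code written for this post, not Cyway's product), the block below loads constructed endpoint telemetry into a graph and walks outward from one weak signal, a single connection to an unfamiliar domain, to enumerate every host, process, user and domain tied to the same session; the entity names and the telemetry triples are constructed sample data.

```python
# Added example: relationship-centric triage over constructed endpoint telemetry.
from collections import defaultdict, deque

# Constructed sample telemetry as (source, relation, target) triples. Entity
# names carry a kind prefix (host:, proc:, user:, domain:) for the scope report.
EVENTS = [
    ("host:ws-01", "ran", "proc:outlook.exe@ws-01"),
    ("proc:outlook.exe@ws-01", "spawned", "proc:powershell.exe@ws-01"),
    ("proc:powershell.exe@ws-01", "connected", "domain:cdn-updates.example"),
    ("proc:powershell.exe@ws-01", "ran_as", "user:jdoe"),
    ("user:jdoe", "logged_on", "host:fs-02"),
    ("host:fs-02", "ran", "proc:wmiprvse.exe@fs-02"),
    ("proc:wmiprvse.exe@fs-02", "connected", "domain:cdn-updates.example"),
    # Unrelated benign activity that must not be pulled into the scope.
    ("host:ws-09", "ran", "proc:chrome.exe@ws-09"),
    ("proc:chrome.exe@ws-09", "connected", "domain:intranet.example"),
]

def build_graph(events):
    """Undirected adjacency list, so a walk can move back and forth in time."""
    graph = defaultdict(set)
    for src, _relation, dst in events:
        graph[src].add(dst)
        graph[dst].add(src)
    return graph

def scope_of_impact(graph, seed, max_hops=6):
    """Breadth-first walk from one suspicious entity; returns entities by kind."""
    seen = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if seen[node] >= max_hops:
            continue  # hop bound keeps a noisy hub from swallowing the estate
        for nxt in graph[node]:
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    report = defaultdict(set)
    for node in seen:
        kind, _, name = node.partition(":")
        report[kind].add(name)
    return {kind: sorted(names) for kind, names in report.items()}

if __name__ == "__main__":
    g = build_graph(EVENTS)
    # Weak signal: one beacon to an unfamiliar domain. In isolation it is noise;
    # the walk shows it touches two hosts, three processes and a user account.
    print(scope_of_impact(g, "domain:cdn-updates.example"))
```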

While it is important for an organization to invest in EDR, SIEM or other event-centric platforms, it is extremely cumbersome for security investigators to analyse all the collected rule matches and reach a conclusion about the lateral movement of threats within the organization.

It is therefore essential to bring all the data together in a single data lake and forge relationships across data from every available source, while allowing the data to remain primarily within the existing tools and pulling in subsets of it for analysis as needed. This lets customers protect their existing investments and still get all the benefits of a relationship-centric XDR platform.