Automating the “R” in Your XDR Strategy

January 5, 2022 | 5 minute read

The advent of Extended Detection and Response (XDR) offers an edge against advanced attacks, but many of the so-called "XDR approaches" available today are actually little more than extensions of current EDR solutions that rely on known Indicators of Compromise (IOCs) to find and block known threats. While they can deliver more visibility across network assets, they don't deliver the correlation necessary to weed out novel attacks where known IOCs are not available.

In contrast, Advanced XDR leverages artificial intelligence (AI) and machine learning (ML) to automatically correlate telemetry from across disparate network assets to reveal attacks that have never been seen before. Advanced XDR detects attacks earlier, based on the more subtle chains of potentially malicious behavior, so that Defenders can remediate faster. Here's why.

Advanced XDR incorporates the two main priorities of Endpoint Detection and Response (EDR)—continuous monitoring and detection as well as automated threat response—across endpoints, but XDR also monitors for threats across an organization’s entire infrastructure, including user personas, application work suites, cloud workloads and more. Such critical functionality explains why XDR is often referred to as the future of cybersecurity. 

Analyst research and strategy firm ESG estimated that more than two-thirds of organizations will invest in XDR by the middle of 2022. That spending will factor into the expected Compound Annual Growth Rate (CAGR) of 19.9% by which the global XDR market is predicted to grow between now and 2028, per Grand View Research.

Automating is Key

According to the Computing Technology Industry Association (CompTIA), one of the most important benefits that’s helping to drive XDR’s growth is the ability to automate security operations in order to break down data silos and speed up threat responses. 

Advanced XDR provides the necessary visibility over an entire attack chain wherever it happens to reveal exactly how the attack progressed and which assets and users were impacted. It also offers automated and/or guided response options that Security Information and Event Management (SIEM) solutions cannot and Security Orchestration, Automation and Response (SOAR) solutions struggle to deliver at scale without a tremendous amount of manual intervention by security analysts and incident response teams.

One of the key strengths of an Advanced XDR solution is that it frees security teams from needing to investigate a barrage of alerts individually from a variety of point solutions to quickly answer the question “are we under attack?”

Advanced XDR does this automatically by correlating telemetry to reveal attack timelines from root cause, enabling security teams to respond faster and more efficiently.

Breaking Down Data Silos

Many organizations’ IT infrastructure is more complex today than it ever has been, with decentralized networks that have all traditionally relied on their own specific security tools. The issue is that attacks have evolved to traverse these environments, allowing attackers to hide in the network seams because traditional security tools cannot correlate telemetry across all elements of a modern network.

They can’t identify attacks that leverage these diverse elements in one attack progression, limiting a security team’s visibility into an ongoing attack chain and thus complicating the task of piecing together an incident in its entirety.

Advanced XDR doesn’t rely on a flood of non-contextual threat alerts from across disparate assets, but instead automatically delivers deep context and correlations between these assets, sparing team members from the tedious task of constantly triaging and investigating unsubstantiated alerts manually.

In this manner, Advanced XDR breaks down information silos that would otherwise prevent security teams from obtaining a unified view of their organization’s security posture. It does this by integrating the functionality of firewalls, antivirus solutions, EDR, Identity and Access Management (IAM), Cloud Workload Protection (CWPP) and other security technologies into its detection and response approach.

Automation Speeds Up Response Times

Security teams can turn to SIEM tools, SOAR platforms and other incomplete solutions in an attempt to increase their visibility, but in the absence of automated correlations, they would still need to investigate alerts manually, one at a time, and then attempt to correlate the alerts with one another in order to identify an attack chain.

This manual process means they can (and often do) easily miss something that leaves them exposed, even when they believe that they have already remediated an incident. And if they do manage to identify all the different components of an operation, they will have spent a lot of time on the investigation instead of on launching an earlier response to arrest the activity.

In its Cost of a Data Breach Report 2021, for example, IBM found that it took an average of 287 days for an organization to identify and contain a breach. This dwell time gives malicious actors nearly a year to hide out in a victim’s systems, conduct reconnaissance, move laterally to different parts of the network, and exfiltrate sensitive information. 

It’s therefore no wonder that data breaches with a dwell time of over 200 days cost organizations an average of $4.87 million, whereas those with a dwell time of less than 200 days cost $3.61 million. It’s also worth pointing out that the price tag for the former exceeded the average cost of a data breach at $4.24 million, damages which are already 10% higher than they were in 2020 and the largest cost ever in the history of IBM’s report.

Advanced XDR drastically reduces attacker dwell time through an operation-centric approach that focuses on the Indicators of Behavior (IOBs) that make up an entire attack sequence, allowing security teams to end the attack as a whole instead of remediating isolated elements of the operation.

For example, detecting and removing a piece of malware on an endpoint does little to prevent compromised user credentials from being abused again, and does not address attacker persistence on a targeted network.
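As an added illustration (not Cybereason's code or platform) of the cross-silo correlation described in this section and under "Breaking Down Data Silos" above: a toy correlator that links constructed endpoint, identity and cloud events by shared user, host or session into one time-ordered chain with a root cause, scores the chain on Indicators of Behavior, and shows that an IOC-only check misses the same activity. Every host, user, hash, session and behavior name is made up for the example.

```python
from collections import defaultdict

# Constructed telemetry from three silos (endpoint, identity, cloud); every host,
# user, hash, session and timestamp here is made up for illustration.
EVENTS = [
    {"ts": "09:00", "src": "edr", "host": "ws-03", "user": "asmith", "action": "update", "hash": "bb22"},
    {"ts": "09:05", "src": "edr", "host": "ws-17", "user": "jdoe", "action": "office_spawned_powershell", "hash": "aa11"},
    {"ts": "09:07", "src": "iam", "host": "ws-17", "user": "jdoe", "action": "token_issued", "session": "s-42"},
    {"ts": "09:15", "src": "iam", "host": "vpn-gw", "user": "jdoe", "action": "login_from_new_geo", "session": "s-42"},
    {"ts": "09:30", "src": "cloud", "session": "s-42", "action": "bulk_object_download"},
]
# Indicators of Behavior with weights; none of them is conclusive on its own.
IOB_WEIGHTS = {"office_spawned_powershell": 2, "login_from_new_geo": 1, "bulk_object_download": 2}
KNOWN_BAD_HASHES = {"cc33"}  # constructed IOC feed; the implant hash aa11 is not on it

def ioc_only(events):
    """IOC matching as in the 'extended EDR' approach: known-bad hashes only."""
    return [e for e in events if e.get("hash") in KNOWN_BAD_HASHES]

def build_chains(events):
    """Union events that share a pivot entity (user, host or session) into chains,
    each sorted by time so that chain[0] is the root cause."""
    parent = list(range(len(events)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    first = {}  # (entity kind, value) -> index of the first event that carried it
    for i, e in enumerate(events):
        for key in ("user", "host", "session"):
            if key in e:
                j = first.setdefault((key, e[key]), i)
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, e in enumerate(events):
        groups[find(i)].append(e)
    return [sorted(g, key=lambda e: e["ts"]) for g in groups.values()]

def detect_operations(events, threshold=3):
    """Flag chains that cross at least two silos and whose IOB weights reach the
    threshold; returns (root-cause action, sources, score) per operation."""
    hits = []
    for chain in build_chains(events):
        score = sum(IOB_WEIGHTS.get(e["action"], 0) for e in chain)
        sources = sorted({e["src"] for e in chain})
        if len(sources) >= 2 and score >= threshold:
            hits.append((chain[0]["action"], sources, score))
    return hits
```

Pivoting on shared hosts can merge unrelated users' activity (the constructed vpn-gw host would do so if a second user logged in through it), so a real correlator also bounds chains with time windows and excludes shared infrastructure entities.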

The Advanced XDR Advantage

Cybereason enables organizations to embrace an operation-centric approach to security. Where other solutions limit the critical data they collect because they can't process or store it, Cybereason Advanced XDR is designed to collect and analyze 100% of event data in real time, processing more than 23 trillion security-related events per week with absolutely no "dumb filtering." This allows customers to improve their detection and response intervals by 93%.

The Cybereason XDR Platform comes with dozens of out-of-the-box integrations, is designed to provide the visibility organizations require to be confident in their security posture across all network assets, and delivers the automated responses needed to halt attack progressions, eliminating the need for both SIEM and SOAR solutions. Organizations can enjoy these benefits whether they drop their SIEM and SOAR entirely or augment them with Cybereason XDR.

Cybereason also recently partnered with Google Cloud to release Cybereason XDR powered by Google Chronicle, the first AI-driven XDR platform capable of ingesting and analyzing threat data from across the entire IT environment. With native integrations into Azure, AWS, and Google Cloud, Cybereason XDR monitors for signs of account takeover and data exfiltration, and can protect cloud workloads against emerging threats like exploitation of undisclosed vulnerabilities and zero-day attacks.

Other XDR tools do not have the ability to ingest all available telemetry at the endpoint level. They resort to “smart filtering” where telemetry is eliminated even though it might be useful for detection (not as “smart” as they try to make it sound). They must do this because they need to send all data to the cloud for analysis before they can return a detection. And to be sure, those vendors who filter telemetry from the endpoint because their platforms can’t handle data volumes at scale can’t truly deliver an effective XDR solution where telemetry volumes grow exponentially.

The Cybereason and Google Cloud partnership creates the most powerful unified XDR solution available on the market today by delivering planetary-scale protection and multi-layer prevention and response for predictive attack detection across the modern IT and security stack. No other XDR solution available comes close to matching the Cybereason and Google Cloud solution for speed and efficacy.

Cybereason and Google Cloud are dedicated to teaming with Defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about Cybereason XDR powered by Google Chronicle, check out our Extended Detection and Response (XDR) Toolkit, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
