Building Enterprise Immunity with XDR

Nils Lonberg, a Ph.D. from Harvard, was a revolutionary scientist who made groundbreaking contributions to cancer research. In the book The Elegant Defense, author Matt Richtel outlines how “for centuries, the fight against cancer had been built on the idea of attacking the cancer,” but Lonberg leveraged the fact that cancer gets out of control because the immune system receives “a signal to stop from the cancer,” and thinks the signal is legitimate. He focused on targeting how the cancer interacted with the immune system, and his work was published in the 2007 New England Journal of Medicine. 

Although XDR is not meant to cure cancer, there are critical parallels between what Lonberg uncovered and how an organization can work to protect itself from modern attacks. To illustrate this point, we can look to the inner workings of the HAFNIUM attacks, which occurred on March 2, 2021.

The attacks exploited four zero-day vulnerabilities in Microsoft Exchange’s mail and calendar software, which not only gave access to Microsoft Exchange servers, but also disguised the malicious actors as legitimate users. With this seemingly legitimate access, the attackers could remotely communicate with the compromised servers, allowing them to steal data and cause further damage. 

The key here is that robust protection mechanisms are not as binary as saying “good file” and “bad file” or “good user” and “bad user.” You must understand the interactions between malicious actors (or even suspicious actors) and your environment. 

So how exactly do we go about understanding these interactions? First, we can break down your organization into the following components, which are typically secured by distinct and separate tools and platforms:

• • Various Endpoints 
  • Workspace & Identity Integrations
  • Cloud Deployments (Identity and Workloads)
  • Networks

These separate tools exist with the correct intentions. For example, to protect your networks you would typically want a solution that specializes in protecting networks, rather than one which is generalized and mediocre. However, this leads to an inefficient system: numerous alerts coming in from each of the components, and no way to tell if it’s all the same malicious operation and how exactly this operation is interacting with your environment.

What’s needed is the ability to collect all telemetry in one place (not to be confused with centralized logging) and make it interactive and actionable to create a more holistic story.

This is where Extended Detection and Response (XDR) comes in. According to Gartner, XDR “is a platform that integrates, correlates and contextualizes data and alerts from multiple security prevention, detection and response components.”

Essentially, it builds bridges between all the various technology stacks, such that it can see malicious movements and interactions with the environment. Going back to the Hafnium example, this would shift the question from simply “Is this user a legitimate user” (an identity-based question) to a broader series of questions:

• • “Is this a legitimate user?” (identity-based) 
  • “Does this user typically log in at this time?” (behavioral + identity-based)  
  • “Does this user typically log in from this IP Address?” (identity-based + network-based)
  • “Is it strange that this user is requesting a dump of passwords?” (identity-based + endpoint based)

Immunity is having the ability to sense a threat to the system and respond in a timely manner. If we were to translate this to your organization’s “immune system,” or security operations, we can see this as having a minimized Mean Time to Respond (MTTR) to threats.

As can be seen by the improved line of questioning presented by XDR, suspicions can be raised earlier and actions can be taken to mitigate risks (such as presenting 2FA for a suspicious log-in), instead of waiting until the damage is done to realize that indeed, the “legitimate user” was actually an attacker. 

Cybereason is dedicated to teaming with Defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about Cybereason XDR powered by Google Chronicle, check out our Extended Detection and Response (XDR) Toolkit, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to XDR.