Detecting Cyber Events is Key to U.K. Cybersecurity Strategy

The following is the third installment of our five-part blog series outlining how Cybereason XDR maps to each of the five objectives contained in the U.K. Government Cybersecurity Strategy for 2022-2030.

In this blog, we are focusing on the objective of Detecting Cyber Events. Cybereason XDR supports both capability outcomes outlined in the U.K. Government Cybersecurity strategy for detecting cyber events.

Outcome 14: Government networks, systems, applications, and endpoints are monitored to provide proportionate internal detection capability

Government entities that are looking for holistic monitoring solutions, those which monitor networks, systems, applications, and endpoints, should look toward implementing an XDR solution. If you’re confused about XDR and its definition, it can easily be broken down into its three components - Extended (X), Detection (D), and Response (R):

  • X: The ‘extended’ nature of XDR is more than just tool consolidation, as was the original intent of SIEM. XDR intelligently bridges the telemetry between endpoints, workspaces, networks, and applications such that the output is the insight of an overarching malicious operation, rather than just a consolidation of alerts.
  • D: Detections in XDR move beyond the binary question of “did an event occur or not” to correlating events across the security stack to provide high-fidelity alerts. By extending the scope of detections beyond the endpoint, the alerts become fewer but more accurate.
  • R: The ultimate goal of any detection and response solution should be to respond accurately and in a timely manner. Attackers take advantage of the time it takes defenders to investigate and triage an incident, so the ultimate protection is to minimize this time such that an attacker cannot fully carry out their attack. Expedited investigations stemming from high-fidelity alerts brought about by enriched detections not only lead to quicker response times but also to a clearer idea of what the correct course of action should be.
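To make the “D” point concrete, here is a small correlator that groups events from endpoint, identity and network telemetry by the entity they share (host and user) inside a time window, and raises one operation whose fidelity rises with the number of corroborating sources. This is an added illustration written for this page, not Cybereason code or the MalOp engine; the event format, the sensor names and the fidelity heuristic are assumptions, and the sample events are constructed.

```python
"""Cross-source alert correlation: one operation per (host, user) cluster
instead of one alert per event. Added example with constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three hypothetical sensors (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:05", "source": "identity", "host": "ws-17",
     "user": "jdoe", "kind": "failed_logins_burst"},
    {"ts": "2024-03-01T09:02:10", "source": "endpoint", "host": "ws-17",
     "user": "jdoe", "kind": "office_spawns_powershell"},
    {"ts": "2024-03-01T09:03:40", "source": "network", "host": "ws-17",
     "user": "jdoe", "kind": "dns_to_newly_registered_domain"},
    # A lone endpoint event on another host: same rule fired, no corroboration.
    {"ts": "2024-03-01T14:30:00", "source": "endpoint", "host": "ws-42",
     "user": "asmith", "kind": "office_spawns_powershell"},
]

WINDOW = timedelta(minutes=30)  # assumed gap that still links two events


def parse(ev):
    """Return a copy of the event with its timestamp parsed."""
    e = dict(ev)
    e["ts"] = datetime.fromisoformat(ev["ts"])
    return e


def build_op(host, user, evs):
    """Summarise a time-ordered cluster of events as one operation."""
    sources = sorted({e["source"] for e in evs})
    # Fidelity heuristic (assumption, for illustration): each distinct
    # telemetry source corroborating the same entity adds confidence.
    fidelity = {1: "low", 2: "medium"}.get(len(sources), "high")
    return {
        "host": host,
        "user": user,
        "sources": sources,
        "steps": [e["kind"] for e in evs],
        "fidelity": fidelity,
        "start": evs[0]["ts"].isoformat(),
        "end": evs[-1]["ts"].isoformat(),
    }


def correlate(events, window=WINDOW):
    """Group events by (host, user); start a new cluster whenever the gap
    between consecutive events exceeds the window. Returns operations."""
    by_entity = defaultdict(list)
    for e in sorted(map(parse, events), key=lambda e: e["ts"]):
        by_entity[(e["host"], e["user"])].append(e)

    ops = []
    for (host, user), evs in by_entity.items():
        cluster = [evs[0]]
        for e in evs[1:]:
            if e["ts"] - cluster[-1]["ts"] <= window:
                cluster.append(e)
            else:
                ops.append(build_op(host, user, cluster))
                cluster = [e]
        ops.append(build_op(host, user, cluster))
    return ops


def high_fidelity(ops):
    """The operations an analyst should see first."""
    return [op for op in ops if op["fidelity"] == "high"]


if __name__ == "__main__":
    for op in correlate(SAMPLE_EVENTS):
        print(op["fidelity"], op["host"], op["user"], " -> ".join(op["steps"]))
```

Run on the constructed input, the three ws-17 events collapse into one high-fidelity operation that reads as a sequence (login failures, then Office spawning PowerShell, then a DNS lookup of a newly registered domain), while the isolated ws-42 event stays a low-fidelity item: four alerts become two operations, and only one of them asks for immediate attention.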

Cybereason achieves all of the above in a unique way through its XDR Platform:

  • Cybereason XDR collects and analyzes all telemetry from the existing toolset within an environment. This is crucial as it allows organizations to maintain their existing administrative domains. We achieve this through Cybereason Connect, an application that enables the integration of telemetry from existing security tools with the click of a button.
  • Cybereason leads the XDR market in detection capability (Cybereason detected 100% of all 19 attack steps by Wizard Spider and Sandworm during the latest MITRE Engenuity ATT&CK® Evaluations for Enterprise), and that is because we take a ‘Big Data’ approach. With the extended MalOp™ (Malicious Operation) Detection Engine, powered by Google Cloud, we are able to apply AI-driven analytics to petabyte-scale data sets in real time.
  • With guided and automated remediation across impacted systems, Cybereason enables security operations teams to end attacks before they get started or do any material damage.

Outcome 15: Shared detection capability provides detection at scale across government

A large part of effective detection is the ability to share both proactive and reactive detections in a timely manner across the whole government organization.

Cybereason XDR takes an operation-centric approach with its MalOp (Malicious Operation) Detection Engine. The MalOp reveals the full attack story across every device, user identity, application, and cloud deployment. Whereas competing solutions require complex integrations with dozens or hundreds of security tools to gather the necessary telemetry from across all endpoints, workspace and identity, network, and cloud assets, Cybereason’s AI-driven XDR ingests and correlates all of this data using the MalOp detection engine to identify malicious behaviors with extremely high confidence levels.

For proactive detections, it’s important to have a program of strategic threat hunting in place in order to find the attacker in an early stage of an attack, long before existing detection rules would raise an alert. The Cybereason UI provides various intuitive screens that can be used to hunt for malicious behavior or investigate behaviors that Cybereason has already deemed malicious. Although MalOps require immediate response, there is often additional evidence that is of importance to threat hunters. SOC teams can now dedicate their Tier 1 analysts to work on the MalOps while their Level 1 or 2 analysts perform hunts and have insights to easily communicate across the organization.

Read previous installments of this blog series:

Part 1: Cybereason Support for the U.K. Cybersecurity Strategy

Part 2: How Cybereason Enables the U.K. to Defend Against Cyberattacks

Learn more about how to protect your organization against these attacks here.

Cybereason is dedicated to teaming with Defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about AI-driven Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Karishma Asthana

Karishma is a Product Marketing Manager at Cybereason. She was previously with Accenture Security where she worked as a penetration tester and was responsible for helping clients understand and manage their security vulnerabilities. Karishma is passionate about exploring large shifts in the cybersecurity industry from a technical and strategic point of view.
