How an Integrated Approach is Key for Security Operations

Dwell time has a lot to do with the overall cost of a data breach these days. For example, the Cost of a Data Breach Study 2021 revealed that average data breach costs had risen from $3.86 million to $4.24 million—the highest amount in the report’s history. 

However, this cost increased to an average of $4.87 million for organizations that took longer than 200 days to detect and contain a data breach. By comparison, organizations spent just $3.61 million on data breaches that they detected in fewer than 200 days. 

Understanding the Elements of an Integrated Security Approach

The costs discussed above emphasize the need for organizations to bolster their data breach defenses. One of the ways they can do that is by adopting an Integrated Security Approach (ISA) to their security efforts. In doing so, however, organizations need to make sure that they’re fulfilling all the constituent elements of such an approach.

As defined by the Georgetown Journal of International Affairs, the purpose of an ISA is “to fuse all the incoming information and create a correlation in the rate that will allow insights derived from this fusion to be relevant to foiling the threat.” 

This counteraction involves setting up an early warning system to detect signs of a potential attack as well as a preventative component by which organizations can block the materialization of threats. It also entails a mechanism for not only quickly detecting incidents and determining the potential scope of those events, but implementing a mitigating response in a timely manner. 

Not every detection and response strategy is useful for creating an ISA, however. Take Security Information and Event Management (SIEM) as an example. Yes, security teams can use SIEMs to centralize threat alerts across their environments, but most SIEM tools don’t contextualize those warnings. 

As a result, infosec personnel receive a deluge of uncontextualized and uncorrelated alerts and false positives, resulting in alert fatigue. It’s then up to team members to manually triage and investigate each alert to understand what’s going on in their organizations’ environments. Even if they succeed in fully identifying an issue, their SIEM tool won’t help them when it comes time to respond.

Other traditional detection and response strategies suffer from their own shortcomings. For instance, Security Orchestration, Automation, and Response (SOAR) tools are like SIEMs in that they also tend to overload teams with uncorrelated alerts lacking proper context.

An additional drawback is that SOAR platforms vary in their integrations and ingested data sources. As a result, teams might not be able to leverage their SOAR tool to effect the necessary response to security incidents in their entirety—if at all.

Finally, there’s Endpoint Detection and Response (EDR). This type of solution does provide a much-needed step-up over other antivirus and antimalware endpoint security capabilities. But it’s still limited in that EDR extends continuous threat detection and monitoring along with automated response at the endpoint level only. EDR therefore can’t help to correlate what the attacker is doing on the endpoint with other impacted network assets like identity, application suites or cloud deployments.

XDR to the Rescue

Organizations need something else beyond SIEM, SOAR, and other traditional solutions when it comes to creating an effective ISA that significantly reduces attacker dwell time. This is where an Extended Detection and Response (XDR) solution driven by artificial intelligence (AI) and machine learning (ML) comes into play by automatically correlating and contextualizing telemetry from across endpoints, cloud workloads, applications, identities and the network. 

XDR provides security teams with comprehensive visibility across the kill chain, all without requiring security analysts and incident response teams to manually investigate a flood of individual alerts. XDR allows security teams to move detection further to the left in the kill chain to reduce dwell time and disrupt attacks earlier in the attack sequence.

An AI-driven XDR solution enables organizations to embrace an operation-centric approach to security that delivers the visibility required to be confident in their security posture across all network assets and the automated responses required to halt attack progressions at the earliest stages. XDR optimizes an organization’s security stack in three ways:

  • Maximizing Integrations Across the Security Stack: XDR saves time and effort by automating the delivery of actionable, context-rich intelligence from telemetry ingested across the entire security stack without requiring analysts to do the heavy lifting required to triage every alert generated. Analysts can quickly understand the earliest signs of compromise and end malicious operations faster through native integrations with email, productivity suites, identity and access management, and cloud deployments. This is the power of the “X” in XDR.
  • Detecting the Entire Malicious Operation: The correlative power of XDR allows security teams to adopt an operation-centric approach to detection by revealing the entire MalOp™ (malicious operation) from root cause across every affected device, system, and user. With XDR, analysts can focus on ending attacks in progress rather than spending valuable time trying to manually piece together the attacker’s actions and activities by sorting through an unorganized and uncorrelated mass of alerts generated by disparate security tools, each designed only to reveal an isolated aspect of the entire attack. This is the power of the “D” in XDR.
  • Predictive Automated Response: Understanding the full intent of an attacker’s behaviors and how they are related across the different elements of an organization’s network through an operation-centric approach means analysts are empowered to predictively anticipate the attacker’s likely next moves and preemptively block the attack progression with automated or guided remediation, depending on the security policies in place. Only an operation-centric approach can reduce attacker dwell time from months to minutes, which is the power of the “R” in XDR.
  • Proactive Threat Hunting: Finally, XDR enables organizations to engage in proactive threat hunting. This activity is vital as it allows organizations to search for suspicious chains of behavior that can surface attacks sooner and minimize the damage that those operations might cause. With XDR, security teams can pivot between events and hunt for threats without needing to craft complex queries. They can also incorporate lessons learned from successful hunts into custom detection rules and logic for future threat hunting engagements based on an operation-centric approach. This is the power of unifying all three aspects of XDR in one solution.
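The difference between a SIEM feed of isolated alerts and an operation-centric view comes down to correlation across telemetry sources. The following is an added illustration, not Cybereason code and not a description of how any XDR product is built: it takes a constructed batch of alerts from hypothetical email, EDR, identity and cloud sources, links any two alerts that share a host or a user with a union-find pass, orders each resulting chain by time so the earliest event surfaces as the root cause, and ranks chains that span several sources above one-off alerts. All alert contents, hostnames and user names are made up for the example.

```python
"""Toy cross-source alert correlation (added example; constructed data only).

Alerts that share an entity (host or user) are merged into one 'operation',
sorted chronologically, and summarised so an analyst sees a chain instead of
four unrelated alerts from four different tools.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str            # telemetry source that raised it (hypothetical names)
    stage: str             # coarse kill-chain stage assigned by that source
    host: Optional[str]    # endpoint involved, if the source knows one
    user: Optional[str]    # identity involved, if the source knows one
    detail: str


def _t(hhmm: str) -> datetime:
    """Build a timestamp on a fixed (constructed) day from 'HH:MM'."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    return datetime(2021, 7, 1, hour, minute)


# Constructed sample alerts, deliberately out of order, as a SIEM would receive them.
SAMPLE_ALERTS = [
    Alert(_t("09:05"), "edr", "execution", "ws-17", "alice", "winword.exe spawned powershell.exe"),
    Alert(_t("10:00"), "edr", "execution", "ws-42", "bob", "unsigned binary executed from temp dir"),
    Alert(_t("09:40"), "cloud", "collection", None, "alice", "bulk object download from storage bucket"),
    Alert(_t("09:00"), "email", "initial_access", None, "alice", "attachment with macro delivered"),
    Alert(_t("09:20"), "identity", "persistence", None, "alice", "new MFA device registered from unfamiliar IP"),
    Alert(_t("11:15"), "cloud", "discovery", None, "svc-backup", "enumeration of IAM roles"),
]


def _entity_keys(alert: Alert):
    """Entities that can tie this alert to others: host and/or user."""
    keys = []
    if alert.host:
        keys.append(("host", alert.host))
    if alert.user:
        keys.append(("user", alert.user))
    return keys


def summarize(chain):
    """Describe one chronologically sorted chain of alerts as an operation."""
    return {
        "root_cause": chain[0].detail,          # earliest alert in the chain
        "first_seen": chain[0].ts,
        "last_seen": chain[-1].ts,
        "hosts": sorted({a.host for a in chain if a.host}),
        "users": sorted({a.user for a in chain if a.user}),
        "sources": sorted({a.source for a in chain}),
        "stages": [a.stage for a in chain],     # kill-chain progression, in order
        "alerts": chain,
    }


def correlate(alerts):
    """Group alerts sharing a host or user into operations, highest-context first."""
    parent = list(range(len(alerts)))           # union-find over alert indices

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]       # path halving
            i = parent[i]
        return i

    def union(i, j):
        parent[find(i)] = find(j)

    first_seen_for_entity = {}
    for i, alert in enumerate(alerts):
        for key in _entity_keys(alert):
            if key in first_seen_for_entity:
                union(i, first_seen_for_entity[key])
            else:
                first_seen_for_entity[key] = i

    groups = defaultdict(list)
    for i, alert in enumerate(alerts):
        groups[find(i)].append(alert)

    operations = [summarize(sorted(g, key=lambda a: a.ts)) for g in groups.values()]
    # Chains that cross more sources and contain more alerts deserve attention first.
    operations.sort(key=lambda op: (len(op["sources"]), len(op["alerts"])), reverse=True)
    return operations


if __name__ == "__main__":
    for op in correlate(SAMPLE_ALERTS):
        print(f"{op['first_seen']:%H:%M}-{op['last_seen']:%H:%M} "
              f"sources={op['sources']} users={op['users']} hosts={op['hosts']}")
        print("  root cause:", op["root_cause"])
        print("  stages:", " -> ".join(op["stages"]))
```

Run stand-alone, the six raw alerts collapse into three operations: one four-step chain (email, EDR, identity, cloud) attributed to a single user and host with the phishing delivery as its root cause, and two isolated single-source alerts that rank below it. Joining only on exact host and user names is a simplification; a production pipeline would also normalise identities across sources and bound the time window in which alerts may be joined.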

In addition, an AI-driven XDR solution should provide Defenders with the ability to predict, detect and respond to cyberattacks across the entire enterprise, including endpoints, networks, identities, cloud, application workspaces, and more.

Cybereason is dedicated to teaming with Defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about AI-driven Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
