How Strategic Detections Set XDR Apart

Data breaches set a record high volume in 2021. According to CNET, 1,862 publicly reported data breaches took place over the course of the year. This volume surpassed the 1,108 data breaches in 2020 and broke the record of 1,506 security incidents set back in 2017.

It was a similar story with data breach costs. For example, the Cost of a Data Breach Study 2021 revealed that average data breach costs had risen from $3.86 million to $4.24 million—the highest average total price tag in the report’s history. The study also revealed that it took organizations an average of 287 days to identify a data breach.

For organizations that took longer than 200 days to identify a breach, data breach costs rose to $4.87 million. Meanwhile, organizations spent just $3.61 million in the aftermath of a data breach they detected in fewer than 200 days.

More Tools, More Complexity

Some organizations think that they can protect themselves against data breaches by simply investing in more tools like Security Information and Event Management (SIEM) solutions, Endpoint Detection and Response (EDR) platforms, as well as Security Orchestration, Automation, and Response (SOAR) suites. 

But throwing more money at these solutions doesn’t necessarily help organizations with their breach defenses. On the contrary, it introduces more network complexity, making security more difficult. 

CPO Magazine reported that many Fortune 100 companies today work with as many as 100 different vendors. That’s a lot of alerts for security professionals to investigate, especially if they only have manual analysis processes.

In that case, infosec personnel could find that they’re spending most of their time looking into potential threats and inevitably chasing down false positives instead of making a meaningful contribution to their organization’s security programs. This creates alert fatigue, where security professionals start deemphasizing threat alerts, a decision that can leave their organizations at greater risk of attack.

Of course, organizations need talent with the training and experience to help manage all those tools. But that comes with challenges as well. Most notably, 88% of organizations said they were anticipating that the cybersecurity skills gap would affect their security strategies throughout 2022, reported HelpNet Security.

Half of the respondents to that same survey said that they expected the impact of the skills gap to be significant. That effect doesn’t just include the challenge of finding skilled talent. It also encompasses the reality that many junior analysts end up leaving for a different position after just a couple of years, thus forcing organizations to train a new group of analysts all over again. 

It’s a cycle that complicates passing down the knowledge of an organization’s systems and security requirements within an internal team.

XDR as the Way Forward

Acknowledging the challenges discussed, organizations don’t need “more” detection capabilities. These technologies could end up taxing security teams that are already stretched thin. Instead, they need solutions with “strategic” detection capabilities that can weed through the noise.

This is where Extended Detection and Response (XDR) comes in. XDR extends continuous threat monitoring, detection, and automated response capabilities across endpoints, applications, cloud workloads, and user identities. But not all XDR solutions are created equal.

For instance, an AI-driven XDR offering leverages artificial intelligence (AI) and machine learning (ML) to scale and bring efficiency to its detection and response efforts. These capabilities enable security teams to quickly understand the entire MalOp™ (malicious operation) from the root cause across every affected device and user.

Unlike pseudo-XDR offerings that are essentially just EDR tools with a cloud extension, an AI-driven XDR solution does not require that valuable telemetry be filtered out due to a platform’s inability to handle the volume of intelligence available. Yes, pseudo-XDR tools can appear to have some of the functionality that an AI-driven XDR solution delivers–perhaps even enough to get through a POC with a prospect successfully–but they can’t actually deliver what they are selling in the marketing materials.

How AI-Driven XDR Stacks Up

AI-driven XDR doesn’t suffer from the challenges plaguing other security tools that can’t predict or understand data across the entire environment. Take Security Information and Event Management (SIEM) tools as an example. Their effectiveness hinges on the wide variety of data sources to which they have access. Still, they tend to generate a lot of false positives and too many uncorrelated alerts, contributing to a sense of “alert fatigue” among security teams. 

Then there are SOAR tools (Security Orchestration, Automation, and Response) that suffer from the same obstacles as SIEMs and come with some additional hurdles.

For instance, SOAR solutions need integrations so that infosec personnel can streamline their threat detection and security analytics capabilities across their employer’s infrastructure. Additionally, organizations need to set aside an upfront investment for building the automated workflows and response playbooks before the tool delivers any value.

But SOAR tools never delivered on their promise to provide orchestration across various security tools. Indeed, without the necessary correlations and context required for an analyst to understand what all the ingested telemetry means, SOAR cannot effectively coordinate a response.

Thus, there is no way to effectively automate responses that still require manual analyst intervention. Ultimately, SOAR created a much tidier mess, but it's all still a mess.

There’s also an argument to be made about what defines a truly mature XDR offering versus pseudo-XDR solutions that are nothing more than an EDR tool with cloud integration. All XDR platforms integrate with threat intelligence to spot known Indicators of Compromise (IOCs), as we wrote about previously, but only an advanced XDR solution can detect based on Indicators of Behavior (IOBs).

IOBs are the more subtle signs of an attack in progress, and they include otherwise benign activity one would expect to see occurring on a network. When these “legitimate” behaviors are chained in certain sequences, they produce exceedingly rare conditions or represent a distinct advantage for an attacker.

This is where the context-rich correlations across endpoints, the cloud, application suites, and user identities that a mature XDR solution delivers are critical for detecting malicious activity at the earliest stages of an attack.
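To make the IOC-versus-IOB distinction concrete, here is an added example (not Cybereason code, and not from the original post) that runs two detectors over constructed telemetry: one that only matches known-bad file hashes, and one that follows an ordered chain of individually benign actions per user identity across devices, within a time window. The event fields, action names, chain and window are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry (not from the page): every event is benign on its own.
T = lambda h, m: datetime(2022, 3, 1, h, m)
EVENTS = [
    {"ts": T(8, 0),  "user": "bob",   "host": "WKS-07",    "action": "office_app_spawned_child"},
    {"ts": T(9, 0),  "user": "alice", "host": "LAPTOP-01", "action": "office_app_spawned_child"},
    {"ts": T(9, 2),  "user": "alice", "host": "LAPTOP-01", "action": "script_interpreter_started"},
    {"ts": T(9, 5),  "user": "alice", "host": "SRV-FILES", "action": "user_login"},
    {"ts": T(9, 10), "user": "alice", "host": "SRV-FILES", "action": "new_persistence_entry"},
    {"ts": T(9, 15), "user": "alice", "host": "SRV-FILES", "action": "outbound_to_new_domain"},
    {"ts": T(13, 0), "user": "bob",   "host": "WKS-07",    "action": "script_interpreter_started"},
    {"ts": T(14, 0), "user": "bob",   "host": "WKS-07",    "action": "new_persistence_entry"},
]

# Placeholder IOC feed (constructed). None of the events above carry a known-bad hash.
KNOWN_BAD_HASHES = {"PLACEHOLDER_SHA256_OF_KNOWN_MALWARE"}

# One illustrative IOB: the chain, not any single step, is the rare condition.
IOB_CHAIN = ("office_app_spawned_child", "script_interpreter_started",
             "new_persistence_entry", "outbound_to_new_domain")

def ioc_matches(events):
    """IOC-style detection: only fires on telemetry carrying a known-bad hash."""
    return [e for e in events if e.get("hash") in KNOWN_BAD_HASHES]

def iob_matches(events, chain=IOB_CHAIN, window=timedelta(minutes=30)):
    """IOB-style detection: follow the chain per identity, across hosts, within a window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)          # correlate on identity, not device
    hits = []
    for user, evs in by_user.items():
        matched = []                           # chain steps seen so far, in order
        for e in evs:
            if matched and e["ts"] - matched[0]["ts"] > window:
                matched = []                   # too slow to be one operation; start over
            if e["action"] == chain[len(matched)]:
                matched.append(e)
                if len(matched) == len(chain):
                    hits.append({"user": user,
                                 "hosts": sorted({m["host"] for m in matched}),
                                 "root_cause": matched[0]})
                    matched = []
    return hits
```

Bob's events never complete the chain inside the window, so they stay benign noise; Alice's do, and the hit carries the root-cause event plus every host the chain touched.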

Additionally, leveraging artificial intelligence (AI) and machine learning (ML) to correlate telemetry from across an organization’s infrastructure is a vital aspect of a mature XDR solution. The application of AI/ML allows Defenders to move from a detect and respond mode to a more proactive “predictive response” posture where the likely next steps an attack can and would take are instantly anticipated and blocked, eliminating the opportunity to progress the attack to the next stage.

This predictive capability is the key to the future of security, enabling organizations to “defend forward” by understanding attacks from an operation-centric approach, where analysts are freed from chasing alerts that point to individual elements of an attack in favor of a holistic view of the entire attack story from root cause to every affected device, system and user. And only an AI-driven XDR solution can deliver this “predictive response” capability that will shorten detection and remediation periods from days or weeks down to minutes. 

The AI-Driven XDR Advantage

An AI-driven XDR solution enables organizations to embrace an operation-centric approach to security that delivers the visibility organizations require to be confident in their security posture across all network assets and the automated responses to halt attack progressions at the earliest stages. 

This approach also provides Defenders with the ability to predict, detect and respond to cyberattacks across the entire enterprise, including endpoints, networks, identities, cloud, application workspaces, and more.

Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason AI-driven XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
