Cybereason XDR: Achieving 10X Reduction in False Positives

Security Operations Center teams, regardless of size or sophistication, are at their breaking point. Alert overload and a “Fear of Missing Incidents” have led to unmanageable stress levels for SOC analysts. Making matters worse, more than half of those alerts are false positives — robbing analysts of time they could use on planning, training, and proactively improving their security program.

SIEM tools, intrusion detection systems (IDS), email protection tools, and firewalls can be notoriously “noisy,” firing off large volumes of alerts with limited context into the root cause, incident scope, and attack prioritization. It’s up to the human analyst to make sense of the alerts, track down impacted users and assets, and determine if it’s true malicious activity.

Over time, false positives desensitize your team to real threats. When facing massive volumes of false alerts, teams may change the threshold for alerts to be less sensitive or turn off protection entirely. Human processes simply cannot scale fast enough to handle the increasing volume of false positives and real threats.

The Cybereason MalOp Illustrated

AI-Driven Cybereason XDR

Let’s take a closer look at how AI-driven Cybereason XDR is able to distinguish between benign and malicious behavior to link behaviors across assets and identities for faster root cause analysis and incident scoping.

The real genius of the Cybereason XDR Platform is the MalOp™ (Malicious Operation) detection engine. The MalOp reveals the full attack story across every device, user identity, application, and cloud deployment. Whereas competing solutions require complex integrations with dozens or hundreds of security tools to gather necessary telemetry from across all endpoints, workspace and identity, network, and cloud assets, Cybereason AI-driven XDR ingests and correlates all of this data using the MalOp detection engine to identify malicious behaviors with extremely high confidence levels.

Based on the collected data, along with analysis and correlation by the MalOp detection engine, Cybereason XDR generates Evidence and Suspicions that build to reveal a MalOp.

These detections vary in severity level. Evidence is the least likely to be malicious; it is meant to alert you to a certain behavior or activity (benign or malicious) occurring in your environment. For example, when a Process Element connects to an RDP port, the MalOp engine generates the Connected to RDP Port evidence.

By contrast, suspicions are more likely to be malicious and therefore warrant your attention, but do not represent a repeated chain of behavior encapsulated by a MalOp. The detection engine generates a suspicion when an individual activity is potentially malicious, or when several pieces of evidence, taken together, might represent malicious activity. In general, the threshold for evidence to become a suspicion is deliberately low to minimize any chance of a missed detection.

A MalOp is a collection of related suspicious activities that are highly likely to be part of a security incident. Every MalOp has a number of related suspicions and evidence, which are listed in the MalOp details. When evidence and/or suspicions reflect a confirmed pattern of malicious behavior, the Cybereason platform deems the activity a MalOp.

Cybereason XDR investigates each and every event across the entire network (every computer, server, mobile device, and cloud workload). Behavioral analytics interrogate these events (up to 80 million per second, more than any other XDR or EDR platform on the market) in real time:

  • Was the activity identified as malicious in the past?
  • Is it a common activity for the organization, user, application and system?
  • Who executed the process?
  • What privileges did they have?

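To make the three tiers concrete, here is a small correlation engine written for this article. It is an added example, not Cybereason's code, and every rule name, threshold, baseline count and sample event in it is constructed for illustration. It applies the four questions above as cheap, high-recall evidence rules, promotes single strong observations or combinations of evidence to suspicions, and then links suspicious processes across hosts by parent/child relationship and by user identity so that a linked group carrying several distinct suspicions is reported as one incident with its evidence and suspicions listed.

```python
"""Toy three-tier correlation: events -> evidence -> suspicions -> incident (MalOp-style).
Added illustration of the layered model; NOT Cybereason's detection logic.
All rule names, thresholds, baselines and sample events are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    pid: str        # constructed process id, unique per host
    parent: str     # parent pid on the same host, "" for a root process
    user: str
    image: str
    elevated: bool
    dest_port: int = 0  # 0 = no network connection in this event


# Constructed org baseline: how often each image has been observed before.
ORG_BASELINE = Counter({"explorer.exe": 5000, "outlook.exe": 4800,
                        "chrome.exe": 9000, "mstsc.exe": 300})
KNOWN_BAD_IMAGES = {"dropper.bin"}  # placeholder "seen malicious before" list
RARE_THRESHOLD = 5                  # constructed cut-off for "common for this org"


def evidence_for(ev):
    """Tier 1: high-recall observations. Benign activity triggers these too."""
    found = set()
    if ev.dest_port == 3389:
        found.add("connected_to_rdp_port")
    if ev.image in KNOWN_BAD_IMAGES:          # "identified as malicious in the past?"
        found.add("known_malicious_image")
    if ORG_BASELINE[ev.image] < RARE_THRESHOLD:  # "common for the organization?"
        found.add("rare_image_for_org")
    if ev.elevated:                            # "what privileges did they have?"
        found.add("elevated_privileges")
    return found


# Tier 2: one strong observation, or a combination of evidence, becomes a suspicion.
SUSPICION_RULES = {
    "known_malicious_process": [{"known_malicious_image"}],
    "rdp_from_unusual_process": [{"rare_image_for_org", "connected_to_rdp_port"}],
    "rare_elevated_process": [{"rare_image_for_org", "elevated_privileges"}],
}


def suspicions_for(evidence):
    return {name for name, combos in SUSPICION_RULES.items()
            if any(combo <= evidence for combo in combos)}


def correlate(events, min_suspicions=2):
    """Tier 3: link processes by parent/child and by user identity (across hosts);
    a linked group with at least `min_suspicions` distinct suspicions is an incident."""
    parent_of = {}

    def find(x):  # union-find with path halving
        while parent_of.setdefault(x, x) != x:
            parent_of[x] = parent_of[parent_of[x]]
            x = parent_of[x]
        return x

    def union(a, b):
        parent_of[find(a)] = find(b)

    details, by_user = {}, defaultdict(list)
    for ev in events:
        key = f"{ev.host}:{ev.pid}"
        evid = evidence_for(ev)
        details[key] = (ev, evid, suspicions_for(evid))
        if ev.parent:
            union(key, f"{ev.host}:{ev.parent}")
        by_user[ev.user].append(key)
    for keys in by_user.values():             # same identity links assets together
        for k in keys[1:]:
            union(keys[0], k)

    groups = defaultdict(list)
    for key in details:
        groups[find(key)].append(key)
    incidents = []
    for members in groups.values():
        susp = set().union(*(details[k][2] for k in members))
        if len(susp) >= min_suspicions:
            incidents.append({
                "hosts": sorted({details[k][0].host for k in members}),
                "users": sorted({details[k][0].user for k in members}),
                "suspicions": sorted(susp),
                "evidence": sorted(set().union(*(details[k][1] for k in members))),
                "processes": sorted(k for k in members if details[k][2]),
            })
    return incidents


# Constructed telemetry: a routine RDP session (alice), browsing (bob), and a
# suspicious chain under carol's identity that spans two hosts.
SAMPLE_EVENTS = [
    ProcessEvent("hostA", "1", "", "alice", "explorer.exe", False),
    ProcessEvent("hostA", "2", "1", "alice", "mstsc.exe", False, 3389),
    ProcessEvent("hostB", "5", "", "bob", "chrome.exe", False, 443),
    ProcessEvent("hostC", "10", "", "carol", "outlook.exe", False),
    ProcessEvent("hostC", "11", "10", "carol", "updater.tmp", True),
    ProcessEvent("hostC", "12", "11", "carol", "dropper.bin", False),
    ProcessEvent("hostD", "20", "", "carol", "svc_tool.exe", False, 3389),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc)
```

Alice's RDP session produces Connected to RDP Port evidence but no suspicion, because `mstsc.exe` is common in the baseline; carol's chain yields three distinct suspicions that are linked by process ancestry on hostC and by her identity to hostD, so they surface as a single incident rather than four separate alerts. The thresholds are the knob the post warns about: raising `RARE_THRESHOLD` or `min_suspicions` trades fewer alerts for more missed detections.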
It is this AI-driven contextualization that gives Cybereason XDR its predictive capability to help analysts understand the full attack story and know what the attacker is likely to do next—all while ensuring they are focused on only the most important things taking place on their network.

Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason AI-driven XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Dan Verton

Dan Verton is Director of Content Marketing at Cybereason. Dan has 30 years of experience as a former intelligence officer and journalist. He is the 2003 first-place recipient of the Jesse H. Neal National Business Journalism Award for Best News Reporting – the nation’s highest award for tech trade journalism and is the author of the groundbreaking work, Black Ice: The Invisible Threat of Cyber-Terrorism (McGraw-Hill, 2003). He most recently served as an intelligence advisor and co-author of a nationwide TSA anti-terrorism awareness training program.
