October 20, 2021 | 3 minute read
Robust telemetry is essential to any threat detection and response strategy. Organizations need the ability to collect threat information from across their IT infrastructure so that they can see what’s going on in their environments and correlate the intelligence across devices, personas, application suites, and the cloud so that it’s actionable.
This broad set of available data sources goes well beyond endpoint and server visibility alone. It extends to every affected device and user whether on premises or in the cloud, as attack chains can involve different parts of the network at once.
Gathering data for threat detection and response can quickly get messy for organizations with traditional security solutions. The problem is that not every solution provider has the capability to collect and process all the telemetry that’s coming from an organization’s infrastructure.
Those vendors commonly resort to "data filtering," discarding telemetry before the collected data is sent to the cloud for analysis. The discarded data could be exactly what is needed for a timely detection, so leaving it out yields only an incomplete snapshot of an organization's security posture and cannot answer the question, "are we under attack?"
Even with data filtering, however, some traditional solutions’ alerting practices can still complicate security teams’ work. These tools are prone to generate large volumes of alerts and false positives, some of which might not have anything to do with a legitimate security issue. As those alerts lack context, security teams have no choice but to investigate how alerts might be related to each other.
Such examinations might help teams to string together the different pieces of an attack manually, but they might also force security professionals to dig into false alerts, taking them away from other projects that could play a bigger role in improving their employer's security posture.
These manual investigations are also prone to human error, a reality which gives attackers the opportunity to establish a foothold in an organization’s network, pivot to other assets, and exfiltrate sensitive information.
Having a lot of data is only one part of the equation for effective threat detection and response. It’s also important for organizations to have additional context that helps to put data into perspective. They need data quality as well as data quantity. They need fully contextualized and correlated attack stories in real-time without complex queries and protracted investigations.
Towards that end, organizations need to embrace an operation-centric approach to security. This type of method emphasizes the importance of visualizing the entirety of a malicious operation (MalOp™). That means using Extended Detection and Response (XDR) to gain visibility into every affected endpoint, every unauthorized configuration change, and every suspicious flow of outbound traffic.
It’s crucial that organizations can automatically gather and process all this information in real time. Doing so will allow their security teams to close the gap between their detection and response actions, thereby limiting attackers’ dwell time in their employer’s systems. It will also improve the operational efficiency of the security program by breaking down threat intelligence silos as well as freeing up both time and resources for other initiatives.
Cybereason can help organizations embrace an operation-centric approach to security. How? It recognizes that organizations can’t defend themselves against threats using Indicators of Compromise (IOCs) alone. Indeed, relying on IOCs assumes that someone has already seen an attack chain. That’s not always the case.
Attackers are constantly innovating new techniques and launching new campaigns. At some point, someone will be the first to experience them. No organization wants to admit that it could be them, but it’s a reality that applies all the same.
IOCs aren’t useless. But Cybereason understands that they’re at their best when they’re combined with Indicators of Behavior (IOBs). Organizations can use these subtle signs of compromise to defend themselves against threats—even if someone has never seen them before. The key is to get all the necessary data over to security teams. As discussed above, other solutions limit critical data collected because they can’t process or store it, but Cybereason collects and analyzes 100% of event data in real-time.
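To make the IOC-versus-IOB distinction concrete, here is an added example (not Cybereason's code or platform logic) that runs both approaches over a constructed batch of endpoint events. The IOC check matches file hashes against a known-bad list; the behavior check correlates, per host, an office application spawning a shell that then opens an outbound connection. All hosts, hashes, PIDs and addresses are placeholders, and the rule itself is an illustrative simplification of what a real detection engine would evaluate.

```python
"""Added example: IOC hash matching vs. behavior-based correlation over
constructed endpoint telemetry. Not code from the original post."""
from collections import defaultdict

# Constructed sample telemetry: two hosts, a few process and network events.
# Hashes are placeholders ("aa" * 32 etc.), not real file hashes.
EVENTS = [
    {"host": "ws-01", "type": "process", "pid": 100, "ppid": 1,
     "image": "winword.exe", "sha256": "aa" * 32, "t": 1},
    {"host": "ws-01", "type": "process", "pid": 101, "ppid": 100,
     "image": "powershell.exe", "sha256": "bb" * 32, "t": 2},
    {"host": "ws-01", "type": "network", "pid": 101,
     "dst": "198.51.100.7", "port": 443, "t": 3},
    {"host": "ws-02", "type": "process", "pid": 200, "ppid": 1,
     "image": "explorer.exe", "sha256": "cc" * 32, "t": 1},
    {"host": "ws-02", "type": "process", "pid": 201, "ppid": 200,
     "image": "powershell.exe", "sha256": "bb" * 32, "t": 2},
]

# Constructed IOC list: a hash nobody in this batch matches, which is the
# "first victim" situation the post describes.
KNOWN_BAD_HASHES = {"dd" * 32}

# Assumed behavior rule: office app -> shell child -> outbound connection.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def ioc_hits(events, iocs):
    """IOC approach: flag any event whose file hash is on the known-bad list."""
    return [e for e in events if e.get("sha256") in iocs]


def behavior_stories(events):
    """IOB approach: correlate events per host into an attack story when an
    office application spawns a shell and that shell then talks outbound."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    stories = []
    for host, evs in by_host.items():
        procs = {e["pid"]: e for e in evs if e["type"] == "process"}
        for child in procs.values():
            parent = procs.get(child["ppid"])
            if not parent:
                continue
            if parent["image"] in OFFICE_APPS and child["image"] in SHELLS:
                # Only connections made by the suspicious child, after it started.
                conns = [e for e in evs
                         if e["type"] == "network"
                         and e["pid"] == child["pid"]
                         and e["t"] >= child["t"]]
                stories.append({
                    "host": host,
                    "chain": [parent["image"], child["image"]],
                    "outbound": [c["dst"] for c in conns],
                })
    return stories


if __name__ == "__main__":
    print("IOC hits:", ioc_hits(EVENTS, KNOWN_BAD_HASHES))
    print("Behavior stories:", behavior_stories(EVENTS))
```

On this batch the IOC check returns nothing, because no hash is on the list, while the behavior correlation produces one story for ws-01 (winword.exe spawning powershell.exe, which then connects to 198.51.100.7) and correctly ignores ws-02, where the shell's parent is explorer.exe. The point is that the second approach needs the parent/child and network events together; if either had been filtered out before analysis, the story could not be assembled.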
Cybereason doesn’t stop there. Its platform also provides vastly increased efficiency through a 1:200,000 analyst-to-endpoint ratio and automated or guided single-click remediations. This helps customers to improve their detection and response intervals by 93%.
The Cybereason XDR Platform comes with dozens of out-of-the-box integrations. It is designed to provide the visibility organizations require to be confident in their security posture across all network assets, and it delivers the automated responses needed to halt attack progressions, eliminating the need for both SIEM and SOAR solutions. Organizations can enjoy these benefits whether they drop their SIEM and SOAR entirely or augment them with Cybereason XDR.
Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across enterprise, to everywhere the battle is taking place. Learn more about Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.