Why Telemetry Correlations are Essential to XDR

Most organizations will be directing some of their security budget to incorporate an Extended Detection and Response (XDR) solution in 2022. As reported by TechTarget, 70% of organizations intend to allocate budget spend for XDR in this period, and it’s not difficult to understand why. 

The strengths and benefits of an AI-driven XDR solution are essential for today’s threat landscape. XDR takes the same concepts delivered by an Endpoint Detection and Response (EDR) solution—like continuous monitoring and threat detection coupled with automated response—and applies them beyond the endpoint to across an organization’s entire ecosystem. 

This includes application suites, cloud workloads and containers, user personas, and more. In doing so, XDR provides security teams with the visibility and contextual correlations they need to detect and stop entire malicious operations wherever the activity is taking place on an organization's network.

Where AI-Driven XDR Stands Out

Not all XDR solutions are created equal. For instance, an AI-driven XDR solution leverages artificial intelligence (AI) and machine learning (ML) to scale and bring efficiency to their detection and response efforts. These capabilities enable security teams to quickly understand the entire MalOp™ (malicious operation) from root cause across every affected device and user .

Even so, the central benefit that motivates organizations to embrace an AI-driven XDR solution is its ability to gather security telemetry from different parts of an organization’s infrastructure and correlate them to produce a complete picture of all related elements of an attack. 

This functionality enables an AI-driven XDR solution to deliver the deep context and correlations that security teams need to take meaningful actions about unfolding security incidents in real-time, as opposed to analysts spending their precious time triaging and investigating uncorrelated alerts and wading through false positives–none of which actually stops attacks.

XDR provides an operation-centric approach, where information silos are no longer a limiting factor for achieving comprehensive visibility. It combines telemetry from EDR, antivirus, firewalls, CWPP (cloud workload protection platforms), and other solutions together, and correlates the intelligence into one frame of reference with an emphasis on detecting the malicious behaviors that drive the attack campaign forward. 

Telemetry Correlation at Scale is Key

This advantage highlights the following lesson to keep in mind when performing detection and response: telemetry is the key to effective detection and response strategy, but when telemetry is incomplete, it can ruin those efforts. 

For instance, if the sources of telemetry are not properly tuned, the tools might generate alerts that are not actually indicative of a security incident. Those false positives end up wasting a security team’s time and effort. 

False positives can also contribute to a sense of alert fatigue, a sentiment which diminishes the overall effectiveness of infosec professionals. If security teams repeatedly determine that there’s no threat at the end of an investigation, they might be less inclined to respond to future alerts. This increases the likelihood of an organization suffering a digital attack. 

Processing the astronomical volumes of telemetry can quickly get messy for vendors whose solutions simply cannot handle the load. The so-called XDR solutions out there today do not have the capacity to collect, process, and correlate all the vast telemetry available on an organization’s infrastructure.

Those vendors are forced to resort to "data filtering" where they eliminate huge swaths of telemetry before they send the data to the cloud for analysis. This data could be useful for returning a timely detection or understanding the scope of an attack. But if this telemetry is never collected or analyzed, the solution will produce an incomplete snapshot of an organization’s security posture, and will not answer the question: “Are we under attack?”

Most of these vendors have simply taken an EDR solution with limited processing and analytics capabilities and tweaked it to ingest some telemetry from sources other than the endpoint. Yes, they can mimic some of the functionality that an AI-driven XDR solution delivers–maybe even enough to successfully get through a POC with a prospect–but they can’t actually deliver what they are selling in the marketing materials. They are incapable of handling the terabytes of data daily that are required to deliver true XDR. 

This is specifically relevant for endpoint data. Because of their alert volume and false positive rates, most EDRs can’t even provide a clear picture of what’s going on across an organization’s endpoints. Jamming even more data into tools that can’t actually correlate any of that information with non-endpoint telemetry is simply a fool's errand. As a result, infosec personnel are limited in their ability to visualize the complete attack chain so they can respond to the campaign in its entirety as opposed to alert-by-alert. 

The AI-Driven XDR Advantage

An AI-driven XDR solution enables organizations to embrace an operation-centric approach to security that delivers the visibility organizations require to be confident in their security posture across all network assets, and the automated responses to halt attack progressions at the earliest stages. 

In addition, an AI-driven XDR solution should provide Defenders with the ability to predict, detect and respond to cyberattacks across the entire enterprise, including endpoints, networks, identities, cloud, application workspaces and more.


Cybereason is dedicated to teaming with Defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about AI-driven Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.

All Posts by Anthony M. Freed