Correlating Data across Multiple Security Systems and Tools with XDR
By Syed Kaptan
Gartner defines XDR as solutions that “automatically collect and correlate data from multiple security products to improve threat detection and provide an incident response capability.” This is a much simpler definition than what we have seen from vendors trying to compete in the XDR market space by fitting a square peg in a round hole. It stresses the importance of correlating data across multiple security systems and tools for the ultimate goal of providing better detection and response. Let’s explore the importance of correlation further by diving into the different components of XDR.
Every organization uses a different stack of security technologies, including endpoint detection and response (EDR) agents, network firewalls, web gateways, intrusion prevention systems (IPS), and security information and event management (SIEM) tools, to name a few, making its set of technologies somewhat unique. Not to mention, each of these technologies can be sourced from a different vendor. This is one of the biggest reasons why finding one XDR platform that can integrate with all security technologies across multiple vendors is a challenge.
According to a recent CyberRisk Alliance (CRA) survey of 300 IT and cybersecurity professionals, only 17% said that they were very satisfied with their ability to correlate data across all products and services. Therefore, a more effective XDR tool must have a framework that allows integrations to scale easily and quickly with both existing and new technologies, extracting data into one unifying view where it can be correlated and prioritized for detection and response.
Extended detection is an important part of XDR, as security teams must be able to detect a threat first before they can respond to it in a timely manner. According to a new report by Blumira and IBM, it can take organizations up to 212 days to detect a breach and 75 days to contain it. This clearly shows that organizations are far behind on detection, which is the prerequisite for response. If a security analyst is continuously monitoring individual alerts for possible threats from multiple security tools without any context or correlation, then it is like finding a needle in a haystack. Consequently, an XDR tool must automatically prioritize alerts for the analyst by correlating data from different security tools, helping that needle bubble up out of the haystack.
Furthermore, having a mature threat intelligence management program is at the heart of detecting threats faster. Typically, organizations behave very reactively when they wait for an alert to come through before collecting investigative data to triage that alert. To detect faster, organizations need to become more proactive in collecting data from both external feeds and internal tools, and use it to pre-emptively drive threat hunts. According to the latest Gartner Market Guide for XDR, supporting frameworks like the MITRE ATT&CK framework can also help address a variety of XDR use cases, including threat hunting.
When it comes to conducting an extended response, having the ability to take multiple remediation actions can be useful. For example, suppose a malicious file that exploits a known vulnerability has been downloaded onto an endpoint, has been detected, and is trying to communicate with its command and control (C2) server for further instructions to execute. There are steps your security team should take: quarantine that malicious file on the endpoint, block the C2 server's IP address in your gateway firewalls, and patch all other endpoints on your organization's network that can be exploited using the same vulnerability. Moreover, to close the feedback loop, the malicious file hash and the C2 server's IP address should be provided to your organization's SIEM for future sightings. An effective XDR tool should allow you to accomplish all of these responses simultaneously and automatically. Gartner further validates this by saying, "…XDR can become a command and control center for other products it supports to act like a security operations platform."
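As an added example (not ThreatQuotient's code or any product's API), the following script shows the correlation and prioritization described above and then derives the response steps from the correlated incident. It runs over constructed alerts from three tools, and the correlation window, tool weights and action names are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three tools. Host ws-17 is the article's
# scenario: a malicious file on an endpoint, then outbound attempts to a C2 address.
ALERTS = [
    {"tool": "edr", "ts": "2024-01-10T09:00:05", "host": "ws-17",
     "sha256": "ab" * 32, "event": "malicious_file"},
    {"tool": "firewall", "ts": "2024-01-10T09:00:40", "host": "ws-17",
     "dst_ip": "203.0.113.9", "event": "outbound_denied"},
    {"tool": "web_gateway", "ts": "2024-01-10T09:01:10", "host": "ws-17",
     "dst_ip": "203.0.113.9", "event": "uncategorized_domain"},
    {"tool": "edr", "ts": "2024-01-10T15:30:00", "host": "ws-42",
     "event": "suspicious_script"},
]
WINDOW = timedelta(minutes=10)                              # assumed window
TOOL_WEIGHT = {"edr": 3, "firewall": 2, "web_gateway": 1}   # assumed weights

def correlate(alerts, window=WINDOW):
    """Group alerts per host into incidents separated by `window`, then score
    each incident: more distinct tools agreeing raises priority, and a file
    hash plus a C2 address together (detection + beaconing) raises it further."""
    incidents = defaultdict(list)          # host -> list of alert groups
    for a in sorted(alerts, key=lambda a: a["ts"]):
        t = datetime.fromisoformat(a["ts"])
        groups = incidents[a["host"]]
        if groups and t - datetime.fromisoformat(groups[-1][-1]["ts"]) <= window:
            groups[-1].append(a)           # same host, within window: same incident
        else:
            groups.append([a])             # otherwise start a new incident
    result = []
    for host, groups in incidents.items():
        for g in groups:
            tools = {a["tool"] for a in g}
            hashes = {a["sha256"] for a in g if "sha256" in a}
            ips = {a["dst_ip"] for a in g if "dst_ip" in a}
            score = sum(TOOL_WEIGHT[t] for t in tools) + (4 if hashes and ips else 0)
            result.append({"host": host, "tools": sorted(tools), "hashes": hashes,
                           "c2_ips": ips, "score": score})
    return sorted(result, key=lambda i: i["score"], reverse=True)

def response_plan(incident):
    """The article's response steps, derived from one correlated incident."""
    actions = [("quarantine_file", incident["host"], h) for h in sorted(incident["hashes"])]
    actions += [("block_ip_on_gateway_firewall", ip) for ip in sorted(incident["c2_ips"])]
    actions += [("send_ioc_to_siem", ioc)
                for ioc in sorted(incident["hashes"] | incident["c2_ips"])]
    return actions
```

With these inputs the ws-17 incident, seen by all three tools, scores 10 and is listed first, while the single EDR alert on ws-42 scores 3; the patching step from the article is omitted here because the sample telemetry carries no vulnerability identifier.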
To learn more about the ThreatQuotient XDR Solution and the ThreatQ Platform, please visit: https://www.threatq.com/xdr-solution/