Welcome to Part 4 of our multi-part XDR (eXtended Detection and Response) blog series. If you haven’t read the earlier posts in this series yet, we recommend checking out the following:
- Part 1 discusses why organizations need to extend protection beyond the endpoint to stay ahead of adversaries
- Part 2 discusses why Endpoint Detection and Response (EDR) is a foundation and a cornerstone for any XDR strategy.
- Part 3 discusses why identity security is a cornerstone of an XDR strategy
In this post, we discuss the importance and value of security data for detection and investigation.
Challenges With Security Data Visibility
In today’s landscape of increasingly sophisticated cyber threats, organizations must be able to effectively operationalize the data housed in their cybersecurity tools to maintain visibility across their networks.
However, many organizations struggle with this because of cybersecurity tool sprawl and point products that do not integrate well, leading to inefficiencies in visibility, detection, investigation, and hunting. An ESG study found that 66% of customers surveyed admit that “if you keep your data in multiple silos, you’re guaranteed to lack visibility and miss critical detections.”
As a result, many organizations lack the visibility they need to defend against cyber attacks. Cross-stack visibility of security data is a cornerstone of any effective cyber defense strategy, and organizations that can’t achieve it are at a disadvantage. To address this issue, organizations must focus on consolidating their tools and integrating their data, enabling teams to operationalize their tools more effectively and gain the visibility they need to protect their information assets.
Why Legacy Tools Have Failed
SIEMs have been on the market for over a decade now, and they are still failing to meet the needs of organizations when it comes to detection and response. The problem is that SIEMs are designed to be reactive, not proactive. They rely on SOC teams to manually sift through data and look for patterns of malicious activity – a time-consuming and error-prone process that often leads to false positives or late detections. Additionally, SIEMs have very little automation, so they cannot keep up with the rapidly changing landscape of cybersecurity threats.
The security information and event management (SIEM) model aims to be the one-stop-shop universal answer to reducing mean time to detect and respond. However, SIEM, with its reliance on indexed architectures and on-premises infrastructure, is not a panacea.
Indexed architectures, while suitable for performing simple queries, struggle to keep up with the increasing volume and complexity of security logs. As a result, they often require lengthy search times and may not provide complete coverage of log types. On-premises infrastructure also brings with it concerns regarding scalability, as well as the need for physical space and maintenance resources.
The limitations of these traditional models have led many organizations to embrace modern cloud-native logging solutions. These options offer increased flexibility and scalability, allowing for rapid expansion during times of growth or additional monitoring needs. They also eliminate the need for physical hardware and maintenance costs, resulting in cost savings for the organization.
A major issue plaguing SIEMs is that they simply ingest alerts without any context among the atomic data points. For example, a single alert or threat may comprise thousands of pieces of telemetry. When looking only at alerts, analysts can be blind to additional activity and indicators that may be linked to a larger scope of malicious activity. While this approach may be suitable for high-level monitoring or compliance, telemetry is far better at enabling security teams to threat hunt and perform analytics effectively.
Telemetry includes data such as raw network flows, endpoint, and cloud activity that can provide context to the alerts being generated and give analysts the ability to quickly determine whether an alert warrants further investigation. Additionally, analysts can use this extra data to detect sophisticated attacks that may appear benign in isolation. However, feeding this essential security data into a SIEM for analytics can be prohibitively expensive, particularly for small and medium-sized businesses.
For SIEM deployments, time to value can often be a struggle. The implementation process may involve collecting and normalizing data from multiple sources, setting up alerts and dashboards, and fine-tuning configurations. This can stretch the deployment timeline and delay the realization of benefits such as improved visibility into network activity and threat detection.
According to the Panther.io State of SIEM 2021, over 18 percent of the IT security professionals surveyed indicated that the time it took to receive high-value alerts — from deployment to implementation — was 12 months or longer. Additionally, over 40 percent said their organization was overpaying for their SIEM relative to the system’s capabilities.
Unifying Security Data with XDR
To create human-understandable context among the alerts and logs flowing into a traditional SIEM, most organizations build rules, dashboards, and playbooks on top of alert data. However, this approach lacks visibility into the underlying endpoint devices or cloud workloads. Looking only at summary-level data in a SIEM can make it difficult to centralize triage and investigation, making it more likely that threats will go undetected.
Collecting and storing this data is only half the battle – the real challenge lies in making sense of it all. EDR vendors have recognized this problem and are increasingly offering powerful cloud-native logging and analytics tools to ingest and analyze security and IT telemetry. This is where correlation comes in.
By looking at how different data sets relate to one another, analysts can uncover patterns and trends that would otherwise be hidden. For example, by correlating network traffic data with employee login records, it may be possible to detect unusual activity that could indicate a security breach. By simplifying access to relevant data sets like logs and indicators of compromise from other tools, security teams can gain a complete view of their organization’s security posture.
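As an added illustration of the correlation described above (example code written for this post, not SentinelOne's code or an implementation of Storyline): it links constructed login records and network flows into per-session stories, each with a unique story id, and flags a session with unusually large egress or network activity on a host with no login session. The session window, egress threshold, and all telemetry values are assumed sample inputs.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): endpoint login records and network flows.
LOGINS = [
    {"ts": "2023-03-01T08:00:00", "host": "ws-12", "user": "alice"},
    {"ts": "2023-03-01T09:00:00", "host": "ws-34", "user": "bob"},
]
FLOWS = [
    {"ts": "2023-03-01T08:10:00", "host": "ws-12", "dst": "10.0.9.5", "bytes_out": 12_000},
    {"ts": "2023-03-01T09:20:00", "host": "ws-34", "dst": "203.0.113.9", "bytes_out": 900_000_000},
    {"ts": "2023-03-01T09:25:00", "host": "ws-34", "dst": "203.0.113.9", "bytes_out": 700_000_000},
    {"ts": "2023-03-01T23:00:00", "host": "ws-56", "dst": "198.51.100.4", "bytes_out": 5_000},
]

def _t(s):
    return datetime.fromisoformat(s)

def build_stories(logins, flows, session_window=timedelta(hours=8)):
    """Attach each flow to the login session active on its host; each session gets a story id.
    Flows on a host with no login inside the window land in an 'unattributed' story for that host."""
    stories = {}
    for flow in flows:
        ft = _t(flow["ts"])
        candidates = [l for l in logins if l["host"] == flow["host"]
                      and timedelta(0) <= ft - _t(l["ts"]) <= session_window]
        if candidates:
            login = max(candidates, key=lambda l: l["ts"])  # most recent login on that host
            sid = f'{flow["host"]}|{login["user"]}|{login["ts"]}'
            story = stories.setdefault(sid, {"user": login["user"], "host": flow["host"],
                                             "events": [login], "bytes_out": 0})
        else:
            sid = f'{flow["host"]}|unattributed'
            story = stories.setdefault(sid, {"user": None, "host": flow["host"],
                                             "events": [], "bytes_out": 0})
        story["events"].append(flow)
        story["bytes_out"] += flow["bytes_out"]
    return stories

def flag_stories(stories, egress_threshold=1_000_000_000):
    """Return {story_id: reason} for stories that warrant an analyst's attention (assumed threshold)."""
    flagged = {}
    for sid, story in stories.items():
        if story["user"] is None:
            flagged[sid] = "network activity with no login session on host"
        elif story["bytes_out"] > egress_threshold:
            flagged[sid] = f'{story["bytes_out"]} bytes egress in one session'
    return flagged
```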
As the amount of data generated by enterprise infrastructure continues to grow, many security vendors are turning to artificial intelligence (AI) to help make sense of it. AI can be used to detect suspicious and malicious behaviors, and it can also help to identify anomalous activity that might otherwise go unnoticed.
Endpoint Detection and Response (EDR) vendors have expertise in developing behavioral AI models and performing large-scale analytics on telemetry sourced from native endpoint agents. It’s only natural that Extended Detection and Response (XDR) is an evolution of EDR that brings the same visibility, analytics, and response to any attack surface.
XDR solutions extend the core EDR platform, providing visibility into native endpoint, cloud, network, and identity telemetry and making it easier to detect and respond to threats in real time. This approach is more economical and can provide better visibility into potential threats because security teams can operationalize consolidated telemetry in a single console without needing to export the data to a SIEM for analysis.
XDR platforms powered by machine learning, like SentinelOne Singularity, produce correlated alerts that provide the precise context analysts need to make informed decisions, saving valuable time during endpoint triage and response. AI and automation, such as Singularity Storyline, remove the heavy lifting of data analysis and bring high-fidelity signals through the noise.
SentinelOne’s patented Storyline technology provides real-time, automated, machine-built context and correlation across the enterprise security stack, transforming disconnected data into rich stories that let security analysts understand what happened in their environment. Storyline automatically links all related events and activities together in a storyline with a unique identifier. High-fidelity alerts allow security teams to see the full context of what occurred within seconds rather than spending hours, days, or weeks correlating logs and linking events manually.
Singularity XDR provides a single, unified platform for extended threat detection, investigation, response, and hunting with:
- Single source of prioritized alerts that ingests and contextualizes massive quantities of data across multiple native EDR data sources.
- Direct integration with other best-of-breed platforms like Zscaler, Okta, and Mimecast for the purpose of automatically enriching alerts.
- Single consolidated view to quickly understand the progression of attacks across security layers.
- Single platform to rapidly respond and proactively hunt for threats.
If you want to improve your organization’s current XDR strategy, you should focus on utilizing your organization’s security data. By doing so, you can more accurately detect and respond to threats. A modern XDR solution will integrate this data to give you a comprehensive view of your organization’s security posture. Request a demo today to see how our platform can help you implement an effective XDR strategy.