A Comprehensive Fabric for Threat Detection and Response

Securonix XDR. What is it?

Why would the leader in modern, cloud based SIEM solutions also offer an XDR product?

Extended detection and response (XDR) is defined as an extension of endpoint detection and response (EDR), with the intention of expanding the sources of telemetry beyond the endpoint and streamlining response. The required XDR capabilities can be provided by a single vendor or as a hybrid solution composed of products from multiple vendors.

XDR is attractive because the endpoint has no visibility into threats in places such as cloud services, and it may not be possible to put an agent on all endpoints of the organization (or with access to the organization’s data). The addition of other data sources can also provide more context to findings from EDR, improving the triage and investigation of alerts. Bundled capability packages reduce the cost of and time required for integration and deployment. Finally, there is also content developed and tuned to leverage the expanded universe of data available. All of this translates into ease of use and reduced operational costs.

But the first wave of XDR solutions leave a couple of important things behind. First, they were designed as closed, proprietary packages. Some vendors present their XDR product as the definitive threat detection solution. However, there are no vendors out there who can offer all the necessary pieces you need for end-to-end effective detection and response. Some will have endpoint and cloud, others endpoint and network, but if you investigate the complete needs of most organizations, there will be missing pieces in that puzzle. Buying into one of those proprietary solutions will also bring the dreaded vendor lock-in situation. What if you are happy with the built-in cloud monitoring solution, but want better EDR capabilities? Even if you can live without the best of breed for all pieces, what would you do with the pieces you already have paid for and integrated into your other systems? The displacement cost is not negligible and will make CIOs cringe.

Second, many offerings take the approach of delivering “extended EDR” instead of “extended detection and response”. Sure, EDR has been a blessing to threat detection and response needs; a lot of threat activity happens on endpoints and visibility there is crucial. But at the same time, technology environments have been evolving in a way that managed endpoints, capable of running EDR, are becoming less relevant. Many cloud threats, for example, may not involve an “endpoint”. User credentials can be stolen and abused in cloud apps without touching a managed endpoint. The world, these days, is hybrid. Attacks unfold gradually and across technology and control boundaries, not just on endpoints at a point in time. XDR solutions built over EDR struggle with these types of threats, as the endpoint is still the main entity used to correlate and tie together all the events related to threat activity.

Securonix XDR is built to address these issues.

The core of our solution is the modern, cloud native SIEM engine used by our next-generation SIEM. At first, putting SIEM technology as the core of an XDR solution may seem counterintuitive. SIEM deployments are usually seen as projects that take months of data integration and use case development. That’s not the case here, and I’ll tell you why.

The complexity often associated with SIEM deployments comes from two points. The first is related to older SIEM technology, where you would take months to deploy and maintain a huge infrastructure footprint, only to get a sluggish system hard to maintain and operate. Our next-generation SIEM solves those issues through its cloud native platform, which eliminates infrastructure maintenance and operation overhead.

The second reason is that, for pure threat management use cases, a full-blown SIEM might be overkill. They are very often deployed to collect and retain data from the entire environment (usually for compliance reasons) and used to meet requirements related to compliance reporting, access management, threat detection, and threat hunting. That’s a lot! Doing this for a mid-sized organization will indeed take months and requires lots of effort. But what if your SIEM deployment scope is solely aimed at solving the threat detection and response problem? In that case you only need to collect the data required by those use cases. No need to spend time and effort collecting and storing every log entry generated in your organization, having to write custom parsers, and creating compliance report definitions along the way. All the content required for your use cases, from parsers to playbooks, is available out of the box.

A modern platform with pre-built detection and response playbooks for a targeted and well-defined scope. Easy and fast to deploy. That’s what all the XDR players are promising, right?

Yes, but we can go even further.

Our platform was born as a UEBA platform, with innovative analytics at its core. Forrester has recently compared the major SIEM (they call it “Security Analytics Platforms”) platforms in their famous wave report, and Securonix obtained the top mark in Analytics. Using this analytics engine as the core of our XDR solution gives us unprecedented detection capabilities.

Our analytics supports tracking events based on identities and other entities (such as the endpoint). The events from a compromised account being used across multiple systems, in the cloud and on-premises, can be tied together and identified as a single threat, something that would be very hard to do by trying to tie things together based only on the endpoint. For example, this is a threat chain that was detected by our platform:

 

 

There was no endpoint event generated during this attack. The account was compromised in Office 365, and the user may have been accessing her mailbox from a personal device, without a corporate EDR agent.

Our platform also provides strong event enrichment capabilities. This is not only about adding some user details from Active Directory. We can go above and beyond by adding data from threat intelligence sources, identity and access management (IAM) solutions, HR systems, CMDBs, and even vulnerability assessment tools. We can correlate events based on enriched data, combining together related events that are usually not seen by other XDR products as part of the same threat.

With robust UEBA capabilities and strong enrichment we are able to detect threats like no other XDR can. But to be truly XDR, we need to provide response capabilities too. Securonix SOAR capabilities are part of our next-generation SIEM. It’s not simply adding a SOAR product on top of a SIEM product, but having the combination built in a truly integrated fashion. Pre-built response playbooks provide the ability to automatically contain aggressive threats such as ransomware.

Finally, Securonix XDR provides a clear evolution path for your security operations architecture. You may not need a SIEM now, but as your organization grows and security maturity increases, expanding log collection and retention, as well as implementing more complex use cases, will eventually become necessary. Instead of going through a traumatic rip and replace project or adding complexity by adding a completely separate SIEM on top of your XDR, with Securonix you can turn your XDR implementation into a next-generation SIEM simply via a license update.

Deploy future-proof advanced threat detection capabilities, avoid vendor lock-in, and leverage best-of-breed threat detection solutions in your security architecture with Securonix XDR.

The Ghost in the Machine: Tracking Stealthy Fileless Malware in the Windows...
5 Cyber Threats Facing the Financial Service Sector in 2024
What are Insider Threats?
What is the MITRE ATT&CK Framework?