How Open XDR Can Prevent Cyberattacks
Analytics seems to be the answer for almost anything, and security is no exception. Most professionals agree that analytics could hold the key to uncovering early actions from attackers with the goal of minimizing or eliminating damage and theft. Behavioral analytics has the ability to find abnormal behaviors—if it can achieve an acceptable level of fidelity without drowning security teams in a flood of alerts and false positives. The gulf between behavioral analytics’ potential and the current reality is wide. Like most compute applications, behavioral analytics are limited by what information they have and how it is used. It’s the garbage in, garbage out principle.
The GI/GO Problem
The problem of “garbage” data plaguing security behavioral analytics solutions is different than what you might imagine. The most fundamental shortcoming of such data stems from the siloed nature of security systems. To truly identify an attack in progress, data must come from a broad array of sources. An attack may originate at a certain point, but then it progresses step-by-step to achieve its purpose. It is the identification of these steps that influences the ability to accurately pinpoint an attack and curtail it. It seems somewhat ironic that, to zero in on a specific attack, organizations need to broadly ingest data from a wide variety of sources, monitor the full attack surface and all infrastructure.
Endpoints, servers, cloud resources, networks, user activity and applications must all be considered in piecing together an accurate picture of attack activity. For example, a user may take an action on an endpoint that then triggers an action on the network—whether the network is a traditional on-premises one or not—which then involves a server or data center. Actions are connected, just like the cartoonish depiction of human anatomy in the children’s game, Operation. “The knee bone is connected to the…” Actions may happen simultaneously or progressive, playing out and cascading in a sequential fashion, but they can best be understood and evaluated when considered all together.
Establishing Context for XDR
Analyzing data broadly establishes context, which is crucial for identifying an attack. It also has the ability to amplify a weak signal or data point that might otherwise be overlooked—but which actually represented the smoking gun of an attack. Conversely, taking in data from multiple sources enables a significant reduction in false positives or ones that don’t meet a threshold of significance.
Integrating all data sources, monitoring the gaps and correlating the information is crucial to truly uncover and preempt an attack. The traditional security model that involves layers of security and multiple systems, likely from different vendors, is still a good one. This model needs to be leveraged to take advantage of each tool and system’s specializations and broad deployments, so that data can be combined to produce true intelligence. The combination has a exponential effect that otherwise would not be possible. In fact, combining data from multiple systems renews the value of each system and makes the investment worthwhile.
XDR Benefits
Open extended detection and response (Open XDR) systems were developed to integrate, correlate and analyze all these disparate systems and leverage their data for accuracy, speed and efficiency. The advent of XDR was a significant departure from the traditional approach siloed systems. Open XDR is not about replacing systems or trying to “own it all,” but establishing a cooperative that finally gives organizations new means of finding and stopping attacks early.
Analytics are making a tremendous impact across enterprises and organizations to bring new levels of understanding and intelligence and enabling better, more precise operations in areas ranging from customer service to finance, sales and marketing. Analytics introduced a new level of excellence, efficiency and effectiveness to many corporate functions. Within security, analytics has proven value, but the garbage effect of too little data or too-narrow sourcing have limited success. Pulling data broadly from all security systems, as well as from other sources, gives analytics what they need to identify and prevent attacks.
