XDR encompasses security analytics at its core to address the challenge of the many diverse telemetry feeds that come from different protocols, different products, and different security layers. XDR typically includes activity data coming from many different vectors – endpoints, servers, cloud workloads, email and networks in particular. A security analytics engine then processes that data and triggers an alert based on defined filters, rules, or models. Analytics are what ties the information coming into the XDR platform together to identify security events. XDR uses the best analytical technique or combination of techniques to make a detection – whether that is machine learning, data stacking or other big data analysis. XDR analytics analyzes activity data and looks for different behavioral patterns across security layers to identify complex, multi-step attacks.
What differentiates an XDR platform is its analytical capabilities. Ultimately, the analytics are the foundation of the different XDR detection models. Their job is to correlate low-confidence events, behaviors, and/or actions within and across the different security layers.
Instead of a security analyst seeing isolated fragments of suspicious activity, XDR can correlate a series of events and identify them as malicious. For example, instead of raising one alert for a suspicious phishing email and perhaps another isolated alert for a suspicious web domain access, XDR can see the suspected phishing email as related to the rare web domain access on an endpoint, subsequently followed by a file download after a script was run. This then leads to a high-fidelity XDR detection of malicious activity to investigate.
XDR takes individual detected events and other activity data, cross-correlates them, and then applies cloud analytics to the correlated set to produce a more sophisticated and successful detection. XDR focuses on things the individual products can’t see on their own.
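As an added illustration of the cross-layer correlation described above (example code written for this page, not code from any XDR product or from the original author): a small correlator that joins email, web and endpoint events on a shared user identity, looks for the phishing-to-download chain in order inside a time window, and combines the per-layer confidences into one score. The layer names, event kinds, per-layer scores, chain definition and sample telemetry are all assumed or constructed.

```python
"""Cross-layer correlation of low-confidence events into one high-fidelity detection.

Illustrative code added to accompany the text; not taken from any XDR product.
Event fields, layer names, chain steps and confidence scores are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    layer: str      # security layer that produced the event: email, web, endpoint
    user: str       # identity shared across layers; this is the join key
    kind: str       # event type as labelled by that layer's own sensor
    detail: str
    score: int      # that layer's own confidence, 0..100


@dataclass
class Detection:
    user: str
    score: float            # combined confidence across the whole chain
    evidence: List[Event]   # the correlated low-confidence events, in order


# A chain is an ordered list of (layer, kind) steps; this one mirrors the
# phishing example in the text. Step names are hypothetical.
PHISHING_CHAIN: List[Tuple[str, str]] = [
    ("email", "suspicious_phish"),
    ("web", "rare_domain_access"),
    ("endpoint", "script_execution"),
    ("endpoint", "file_download"),
]

SINGLE_ALERT_THRESHOLD = 70  # what one event would need to alert by itself


def single_event_alerts(events: Sequence[Event]) -> List[Event]:
    """Per-product view: only events that clear the threshold on their own."""
    return [e for e in events if e.score >= SINGLE_ALERT_THRESHOLD]


def match_chain(events: Sequence[Event], chain: Sequence[Tuple[str, str]],
                window: timedelta) -> Optional[List[Event]]:
    """Return the earliest occurrence of every chain step, in order, with all
    steps inside `window` of the first one; None if the chain is incomplete."""
    ordered = sorted(events, key=lambda e: e.ts)
    for i, start in enumerate(ordered):
        if (start.layer, start.kind) != tuple(chain[0]):
            continue
        matched = [start]
        for e in ordered[i + 1:]:
            if e.ts - start.ts > window:
                break                      # window closed without a full chain
            if (e.layer, e.kind) == tuple(chain[len(matched)]):
                matched.append(e)
                if len(matched) == len(chain):
                    return matched
    return None


def combined_score(evidence: Sequence[Event]) -> float:
    """Treat per-layer confidences as independent: 100 * P(at least one is right)."""
    miss = 1.0
    for e in evidence:
        miss *= 1 - e.score / 100
    return 100 * (1 - miss)


def correlate(events: Sequence[Event], chain=PHISHING_CHAIN,
              window_minutes: int = 30) -> List[Detection]:
    """Group events by user, then search each group for the chain."""
    window = timedelta(minutes=window_minutes)
    detections: List[Detection] = []
    by_user = sorted(events, key=lambda e: e.user)
    for user, group in groupby(by_user, key=lambda e: e.user):
        evidence = match_chain(list(group), chain, window)
        if evidence:
            detections.append(Detection(user, combined_score(evidence), evidence))
    return detections


# Constructed sample telemetry: every event is below the single-alert threshold.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "email", "alice", "suspicious_phish", "attachment from unknown sender", 35),
    Event(T0 + timedelta(minutes=4), "web", "alice", "rare_domain_access", "first visit in org to example.invalid", 30),
    Event(T0 + timedelta(minutes=5), "endpoint", "alice", "script_execution", "script interpreter spawned by office app", 40),
    Event(T0 + timedelta(minutes=6), "endpoint", "alice", "file_download", "new executable written to temp dir", 25),
    # bob: similar fragments, but no email step and out of sequence -> no detection
    Event(T0 + timedelta(hours=1), "endpoint", "bob", "script_execution", "admin maintenance script", 40),
    Event(T0 + timedelta(hours=1, minutes=10), "web", "bob", "rare_domain_access", "new vendor portal", 30),
]

if __name__ == "__main__":
    print("per-product alerts:", single_event_alerts(SAMPLE_EVENTS))
    for d in correlate(SAMPLE_EVENTS):
        print(f"{d.user}: combined score {d.score:.1f}")
        for e in d.evidence:
            print(f"  {e.ts:%H:%M} [{e.layer}] {e.kind}: {e.detail}")
```

Run stand-alone, the per-product view produces no alerts at all, while the correlator emits a single detection for alice with the four chained events as evidence; bob's fragments stay quiet because the chain is incomplete. Shrinking the window to a few minutes (`correlate(SAMPLE_EVENTS, window_minutes=3)`) drops alice's detection too, which is the tuning trade-off an analyst adjusts between missed multi-step attacks and accidental joins of unrelated noise.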
When it comes to XDR analytics, the more, the merrier. More rules, more sources, more layers.
Detection rules and techniques: The beauty of XDR is that, by leveraging a cloud infrastructure, new or enhanced threat detection rules and models are pushed out regularly to look for different types of suspicious series of activities. With more and more use, machine learning detection techniques continuously learn and refine themselves to improve detection effectiveness and to reduce false positives.
Sources: Threat research and threat intelligence enable new detection models to evolve as the threat landscape evolves. Detection models should integrate internal and external threat information such as the MITRE ATT&CK™ tactics and techniques.
Layers: And of course, the more security layers added, the greater the cross-layer analytical capabilities of the platform, and thus exponential value for the customer.