Security analytics is at the core of XDR, to address the challenge of the many diverse telemetry feeds that come from different protocols, different products, and different security layers. XDR typically includes activity data coming from many different vectors – email, endpoints, servers, cloud workloads, and networks in particular.
A security analytics engine then processes that data and triggers an alert based on defined filters, rules, or models. Analytics are what ties the information coming into the XDR platform together to identify security events and their severity.
XDR uses the analytical technique, or combination of techniques, best suited to making a given detection – whether that is machine learning, data stacking, or other big data analysis. XDR analytics examine activity data and look for behavioral patterns across security layers to identify complex, multi-step attacks.
XDR security analytics correlate low-confidence events, behaviors, and actions both within and across the different security layers.
Instead of a security analyst seeing isolated fragments of suspicious activity, XDR can correlate a series of events and identify the series as malicious. Without correlation there might be one alert for a suspicious phishing email and a separate, isolated alert for access to a suspicious web domain. XDR can instead see the suspected phishing email as related to the rare web domain access on an endpoint, followed by a script being run and then a file being downloaded. Taken together, these steps produce a high-fidelity XDR detection of malicious activity to investigate.
XDR takes individual detected events and other activity data, cross-correlates the information, and then applies cloud analytics in order to issue a more sophisticated and successful detection. XDR focuses on behavior that individual products can’t see alone.
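The cross-layer correlation described above, reduced to its core logic as an added example (not code from the original article or any XDR product): events from the email, network and endpoint layers are joined on the user identity, and an alert is raised only when the full phishing-to-download chain occurs in order within a time window. The window length, the signal names and the telemetry are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    layer: str   # security layer the telemetry came from: email, network, endpoint
    kind: str    # normalised low-confidence signal type (assumed names)
    user: str    # identity used to join events across layers
    detail: str

# Multi-step chain from the text, in the order it must occur.
PATTERN = ["suspicious_email", "rare_domain_access", "script_exec", "file_download"]
WINDOW = timedelta(hours=2)  # assumed: all steps must fall within two hours

def correlate(events, pattern=PATTERN, window=WINDOW):
    """Emit one high-fidelity detection per user whose events match
    `pattern` in order within `window`; isolated fragments raise nothing."""
    per_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        per_user.setdefault(ev.user, []).append(ev)
    detections = []
    for user, evs in per_user.items():
        chain = []
        for ev in evs:
            # Window expired: drop the partial chain and start over.
            if chain and ev.ts - chain[0].ts > window:
                chain = []
            if ev.kind == pattern[len(chain)]:
                chain.append(ev)
            if len(chain) == len(pattern):
                detections.append({
                    "user": user,
                    "layers": sorted({e.layer for e in chain}),
                    "steps": [e.kind for e in chain],
                    "start": chain[0].ts,
                    "end": chain[-1].ts,
                })
                chain = []
    return detections

T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [  # constructed telemetry, not real data
    Event(T0, "email", "suspicious_email", "alice", "link to look-alike domain"),
    Event(T0 + timedelta(minutes=7), "network", "rare_domain_access", "alice", "first-seen domain"),
    Event(T0 + timedelta(minutes=8), "endpoint", "script_exec", "alice", "script spawned by browser"),
    Event(T0 + timedelta(minutes=9), "endpoint", "file_download", "alice", "executable written to temp"),
    Event(T0, "email", "suspicious_email", "bob", "newsletter flagged by filter"),   # isolated fragment
    Event(T0 + timedelta(hours=5), "endpoint", "file_download", "bob", "installer"),  # outside window
]
```

Run `correlate(SAMPLE_EVENTS)`: alice's four low-confidence signals become a single detection spanning three layers, while bob's two unrelated fragments produce no alert.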
When it comes to XDR analytics, the more rules, sources, and layers available, the better. But the quality of the data matters too: if the findings produced from the collected data are not insightful, the data collection itself adds little value.
Detection rules and techniques: By leveraging cloud infrastructure, new or enhanced threat detection rules and models are pushed out regularly to look for suspicious series of activities. With more use, machine learning detection techniques can continuously refine rules to improve detection effectiveness and reduce false positives.
Sources: Threat research and threat intelligence allow new detection models to keep pace with a changing threat landscape. Detection models should integrate internal and external threat information, such as the MITRE ATT&CK™ tactics and techniques.
Layers: The more security layers added, the greater the cross-layer analytical capabilities of the platform, and thus exponentially greater value for the user.