Technical Approach To Universal EDR
For security vendors and those in the XDR market specifically, there is an architectural axis of build vs. integrate. On one end, you have “Build / Acquire Everything” – vendors that are vertically integrated and want to be an enterprise’s entire security stack. On the other end, you have “Integrate with Everything” – vendors that build a single component or API meant to be pieced into a larger architecture. There are pros and cons for both approaches. The “Build / Acquire Everything” camp can tightly wire all components together to create a cohesive security experience, but they do so at the expense of being focused and likely won’t be best-of-breed. The “Integrate with Everything” camp revels in their afforded focus and can build a fantastic product with minimal scope, but require a certain buyer to layer them into their broader security portfolio.
At Stellar Cyber, we take the approach of being somewhere in the middle of this architectural axis – a balance between built-in capabilities (notably NDR, SIEM, TIP, and the XDR AI engine) and capabilities that we integrate with. One of the most important product classes we integrate with is EDR. We recently announced the Industry’s First Universal EDR, which is the ability to bring any EDR or EDRs to our platform, and we not only support them, but we make them better while ensuring a level of fidelity regardless of the EDR choice. In other words, it enables users to get the best of the built-in and integrate approaches – it offers an Universal EDR integration where the product being integrated is so tightly integrated that it behaves as if it was a native part of the platform, yet the platform remains open.
One of the biggest technical challenges we encountered when developing this capability was how to consistently generate high-fidelity alerts regardless of the EDR vendor. We describe our technical approach as “Alert Pathways” or the processing techniques required to go from source EDR data to a high-fidelity alert in Stellar Cyber. Every EDR is different, which was the basis for needing to develop a framework to handle each EDR effectively.
The framework and Alert Pathways described below are readily available backend features in the Stellar Cyber Open XDR Platform.
Alert Pathway 1 – “Passthrough Enrichment”
The “Passthrough Enrichment” technique takes alerts from source EDR systems, then enriches those alerts with additional threat intelligence and aligns them to MITRE ATT&CK. In a sense this is like adding some additional context after re-reporting the news, but can be highly effective if some particular alerts in the source EDR are of the highest fidelity. However, in our research, this approach is at best only partially applicable for any given EDR.
Alert Pathway 2 – “Deduplication”
The “Deduplication” technique applies Machine Learning to identify source EDR alerts that are duplicative and likely part of the same activity, and generates a single alert within Stellar Cyber to improve automation and analyst performance.
Alert Pathway 3 – “Machine Learning Event-Based”
The “Machine Learning Event-Based” technique is the most technically challenging because all source EDR events and alerts are processed via different ML alert models that generate new novel alerts within Stellar Cyber. This requires significant data study and a robust normalization process to pull off across EDR vendors.
Our Approach to Universal EDR
Our guiding principle for designing this framework is the security outcome for the end-user. Since no EDR is the same, this means that we apply different Alert Pathways to different subsets of alerts and events across different EDR products. For example, EDR 1 might have 10% Passthrough, 50% Deduplication, and 40% Machine Learning Event-Based, while for EDR 2 those ratios could be 0%, 80%, and 20% respectively.
For a company that doesn’t build an in-house EDR, we find ourselves at the bleeding edge of endpoint-based security research. This is internally exciting for the frontier itself, but most importantly because of what it means for our customers. There is so much more work to be done, and if you are interested in joining our talented security or engineering team, please check out our job openings.