Why are leading market research firms so excited about XDR?
Q&A with CEO and Co-Founder Changming Liu
Ans: SIEMs have been the foundation of security operations for decades, and we should acknowledge that. However, SIEMs have made a lot of great promises, and to this day, have not fulfilled many of them, in particular, the vision of automatic correlation of detections holistically. This is the key problem we work to address at Stellar Cyber with our Open XDR platform.
SIEMs – EMPTY PROMISES?
Q. Let’s clarify that claim. When you say correlation of detections, what do you mean and why can’t SIEMs do it?
Ans: A detection is an event that looks anomalous or malicious. And the issue today in a modern security operations center (SOC) is that detections can bubble up from many siloed tools. For example, you have firewall and network detection and response (NDR) for your network protection, Endpoint Detection and Response (EDR) for your endpoints’ protection, and Cloud Application Security Broker (CASB) for your SaaS applications. Correlating those detections to paint a bigger picture is the issue, since hackers are now using more complex techniques to access your applications and data with increased attack surfaces. Your team is either claiming false positives or an inability to see through these detections and get a sense of what is critical vs. noise. The main purpose of SIEMs is to collect and aggregate data such as logs from different tools and applications for activity visibility and incident investigation.
That said, there are still a lot of manual tasks needed, like transforming the data, including the data fusion to create context for the data, i.e., enrichment with threat intelligence, location, asset and/or user information.
Q. So let’s get back to the headline, why is this so key for security professionals?
Ans: Let’s take the analyst firm Gartner as an example. For their Security Summit, their number 2 trend, out of the Top 7 Security and Risk Trends for 2020, is a renewed interest in implementing or maturing SOCs with a focus on threat detection and response. They further note, “In response to the growing security skills gap and attacker trends, extended detection and response (XDR) tools, machine learning (ML), and automation capability are emerging to improve security operations productivity and detection accuracy.”
Q. That is telling, but let’s take a step back and say more about why XDR is new, and not just a wrapper on an existing tool.
Ans: XDR is a cohesive security operations platform with tight integration of many security applications on a single platform. SIEM is one of many such natively supported applications and works with the others, including User and Entity Behavior Analysis (UBA & EBA), Network Traffic Analysis (NTA) and Firewall Traffic Analysis (FTA), threat intelligence, etc. At Stellar Cyber, we define Open XDR as focusing on automatic threat detection and incident response use cases by correlating security events from many security tools. These are the primary challenges with SIEM-only products, which make them primarily a tool for log management and compliance.
Q. What about architecture? How important is that to the buyer?
Ans: Open XDR is developed using a new cloud-native architecture and services, including a micro-services-based architecture with containers and clustering. It is very flexible in terms of deployment and scalable in performance, coupled with a Lucene-based search engine to make the query of information super fast – in seconds instead of hours or days as seen in many SIEM-only products. The same software can be deployed on-premises with hardened physical appliances, virtual machines, or private or public cloud, with horizontal scalability and high availability capability key to big data analytics running on an open data lake. These characteristics are also critical for the ever-increasing data volumes and the compliance requirement of zero data loss.
Q. What are other analysts saying?
Ans: Forrester, ESG, IDC and Omdia all say there are silos and gaps in today’s SOC. Tools need to look at detections across network, cloud, endpoints and users. All analysts talk about the idea of correlations across these areas as a true indicator of XDR capability. As an example, your SIEM sees a log telling you a user has accessed SQL at a time of day that is not typical, your NTA tool tells you that the user is sending the traffic outside your country, and your UBA tool tells you that, additionally, the user has not typically used this app at those times or at those data rates. This paints a picture of a complex attack, yet siloed tools need manual intervention to draw the conclusion. Today XDR systems can paint this picture automatically through AI/ML.
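The scenario just described (a SIEM login log, an NTA egress alert and a UBA baseline deviation for the same user) and the enrichment step mentioned earlier can be illustrated in a few dozen lines. The following is an added example written for this page; it is not Stellar Cyber code and does not model the Open XDR platform. Every tool name, field name, user and detection record in it is constructed for illustration, and the scoring rule is an arbitrary assumption chosen to show the mechanics: detections from siloed tools are mapped onto one schema, enriched with user context, then grouped per user inside a time window so that three independent low-signal detections surface as one higher-fidelity incident.

```python
"""Cross-tool detection correlation (added illustration, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed user directory used for enrichment (hypothetical, not real data).
USER_DIRECTORY = {
    "jdoe": {"department": "finance", "home_country": "US"},
    "asmith": {"department": "engineering", "home_country": "US"},
}

# Constructed detections as each siloed tool might emit them; note that the
# user field is named differently by every tool.
RAW_DETECTIONS = [
    {"tool": "siem", "username": "jdoe", "time": "2020-06-01T02:14:00",
     "message": "login to sql-prod outside business hours"},
    {"tool": "nta", "src_user": "jdoe", "time": "2020-06-01T02:20:00",
     "message": "outbound 1.2 GB to 203.0.113.10", "dest_country": "DE"},
    {"tool": "uba", "entity": "jdoe", "time": "2020-06-01T02:22:00",
     "message": "app usage deviates from time-of-day and volume baseline"},
    {"tool": "siem", "username": "asmith", "time": "2020-06-01T09:05:00",
     "message": "login to sql-prod"},
]

# Per-tool mapping of the user field onto the shared schema (normalization).
USER_FIELD = {"siem": "username", "nta": "src_user", "uba": "entity"}


def normalize(raw):
    """Map a tool-specific record onto a common schema."""
    return {
        "source": raw["tool"],
        "user": raw[USER_FIELD[raw["tool"]]],
        "ts": datetime.fromisoformat(raw["time"]),
        "message": raw["message"],
        "dest_country": raw.get("dest_country"),
    }


def enrich(event, directory=USER_DIRECTORY):
    """Attach user context and derive a cross-border flag from it."""
    info = directory.get(event["user"], {})
    event["department"] = info.get("department", "unknown")
    home = info.get("home_country")
    event["cross_border"] = bool(
        event["dest_country"] and home and event["dest_country"] != home
    )
    return event


def build_incident(user, evs):
    """Collapse one user's time-clustered events into a scored incident.
    Scoring rule is an assumption: one point per distinct tool, plus one
    for each cross-border transfer; three or more points is 'high'."""
    sources = sorted({e["source"] for e in evs})
    score = len(sources) + sum(1 for e in evs if e["cross_border"])
    return {
        "user": user,
        "sources": sources,
        "score": score,
        "severity": "high" if score >= 3 else "low",
        "timeline": [f'{e["ts"].isoformat()} [{e["source"]}] {e["message"]}'
                     for e in evs],
    }


def correlate(events, window=timedelta(minutes=30)):
    """Group enriched events by user; consecutive events closer than
    `window` belong to the same incident, a gap starts a new one."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    incidents = []
    for user, evs in by_user.items():
        current = [evs[0]]
        for e in evs[1:]:
            if e["ts"] - current[-1]["ts"] <= window:
                current.append(e)
            else:
                incidents.append(build_incident(user, current))
                current = [e]
        incidents.append(build_incident(user, current))
    return incidents


def run(raw=RAW_DETECTIONS):
    """Full pipeline: normalize, enrich, correlate."""
    return correlate([enrich(normalize(r)) for r in raw])


if __name__ == "__main__":
    for inc in run():
        print(inc["user"], inc["severity"], inc["sources"])
        for line in inc["timeline"]:
            print("   ", line)
```

Run as-is, the three jdoe detections, each unremarkable on its own, land in one high-severity incident with a three-tool timeline, while asmith's lone business-hours login stays low. The point a practitioner should take from it is that the correlation key (here the user, plus a time window) and the enrichment lookup are what turn a pile of per-tool alerts into something an analyst can triage; in a real deployment the schema mapping, the directory lookup and the scoring would be far richer, but the shape of the pipeline is the same.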
Q. How would you help those learning about XDR to shortlist companies and make the right decisions?
Ans: This is key, and we think there are five primary foundational requirements of XDR:
- Centralization of normalized and enriched data from a variety of data sources including logs, network traffic, applications, cloud, Threat Intelligence, etc.
- Automatic detection of security events from the data collected with advanced analytics such as NTA, UBA and EBA.
- Correlation of individual security events into a high-level view.
- Centralized response capability that interacts with individual security products.
- Cloud-native micro-services architecture for deployment flexibility, scalability and high availability.
And additionally for Stellar Cyber, the idea of Open XDR means we have an open ecosystem to ensure you leverage your existing security tools and best practices. We believe we reduce risk without disruption, and improve the fidelity of all your existing tools.
So, rather than being just one tool like a SIEM, Stellar Cyber’s Open XDR correlates inputs from many different tools, including its own integrated toolset and existing ones already in place, to produce higher-fidelity alerts, reduce false positives, and supercharge analyst productivity.