Key Building Block for a Complete XDR Solution - Part 2: Detection

By Trellix · February 22, 2023
This story was written by Deepak Seth.

In part 2 of this blog series, I will cover the third key security pillar organizations must consider when choosing the right XDR solution for their environment: Detection. Previously I covered two other key security pillars: Visibility and Threat Intel.

Detection is very crucial because organizations can’t stop what they can’t detect in the first place. While evaluating an XDR solution, organizations should review the tools and techniques used to detect threats across various attack channels the moment they arise, so the SecOps team is able to respond to them in real time.

SecOps teams are stressed and under continuous pressure from management to prevent security breaches. Organizations are operating in the threat landscape where prevention is no longer possible to achieve. Even organizations that have implemented with best-of-breed point products are still being compromised and critical data being posted on the dark web. Breaches will continue to occur and stopping them will remain a very difficult challenge for the organization. However, organizations can adopt and invest in an XDR architecture/platform featuring well-defined tools and procedures for detecting and remediating threat actors present and hidden in the environment as quickly as possible.

Threat hunting and proactive detection of advanced threats are important SecOps activities an organization can’t ignore. With the help of threat hunting, potential malicious threat actors can be detected and security policies across various solutions can be updated. When organizations are evaluating XDR solutions, it is important to include well-defined and field-tested automated playbooks and procedures for the SecOps team.

Let’s get into more detail on how an XDR “Detection” security pillar can aid in the overall data protection strategy. An XDR solution should provide the following data protection capabilities:

• Data at Rest -- Detection of potential data leakage on various endpoints including desktops, laptop, servers, cloud assets, peripheral devices, or any BYOD.
• Data in Motion -- Detection of potential data leakage taking place over the network.
• Data in Use –- Detection of potential data leakage – intentional or unintentional – while data is being used.

An XDR solution should also quickly correlate potential data leakage occurring as a result of any advanced attack in progress or of the attacker laying the groundwork for a more sophisticated attack in the future. A true XDR solution makes this correlation possible by using a SecOps playbook to correlate a specific malware alert from the security sensor installed at endpoint, email, network, or cloud attack channel with the data protection solution. This provides the SecOps team immediate visibility to potential data leakage incidents caused through active intrusion. An XDR solution usually includes a dashboard providing this level of correlation to the SecOps team.

A MITRE ATT&CK technique commonly used by advanced attackers is moving laterally within the organization’s environment after the initial infection. The threat actor navigates the environment until locating and capturing critical business data. An XDR solution uses field-tested, automated rules, workflows, and policies that allow detection of such lateral movements. The XDR solution correlates information from multiple security solutions, giving the SecOps team visibility of threats during the lateral movement phase.

Let’s now understand how the detection security pillar of an XDR solution can help the organization in reducing the overall dwell time. As noted in the Mandiant M-Trends threat analyst report from 2022, the typical dwell time for detecting an intrusion is still around 21 days, which provides an attacker with ample time/window of opportunity to infiltrate the environment before the SOC team identifies a potential intrusion, triages the alert, extracts IOC’s, attempts to validate those IOC’s by leveraging threat intelligence data, and makes a determination if the alert is a true positive.

An XDR solution’s ability to link events together reduces dwell time. XDR correlation can detect low and slow intrusions that tell an analyst what happened during the breach. XDR should gather all events that may attribute to the alert, giving the analyst visibility on unique events that a vendor’s trigger may not yet identify. An analyst can visualize these patterns of correlated events and search for additional context that may have affected another system or credential. In order for XDR to correlate events, the organization also sets up a policy that triggers on a weak signal that combines additional weak signals and makes it a bigger alert. Or to put it simply: weak + weak + weak = Alert! An XDR solution leverages these multiple low-fidelity events to trigger an actionable alert from various solutions such as network, email, endpoint, data, cloud. Once this alert is triggered, organizations can reduce the 21 days of dwell time into a few minutes or days, especially if the attack is low and slow.

For these reasons, detection is considered one of the most crucial security pillars of an XDR solution. Without detection, SecOps team is challenged to create policies to prevent and respond to advance threats.

Stay tuned for the next blog in this series, in which I will explain the role and importance of response, the fourth key security pillar for evaluating an XDR solution.

Learn more about Trellix XDR platform.