“Uncoordinated telemetry in the market just creates more noise.”
— Jeetu Patel, Executive VP & GM of Security and Collaboration at Cisco, in the “Threat Response Needs New Thinking. Don’t Ignore This Key Resource” keynote at RSAC 2023
Noise is a concept commonly associated with the growing number and complexity of security tools in the industry today: too much data generated by too many systems results in thousands of alerts, requiring energy and attention to manage and to decide what is a priority and what is not.
In the Monday RSAC 2023 keynote opening delivered by Patel, he emphasized the need for a set of security defenses that are completely coordinated and synchronized. One major era-defining breakthrough he touched on was the approach of a cross-domain, native set of correlated telemetry that will fundamentally change how we respond to threats. He also mentioned artificial intelligence.
These breakthroughs will change three key things – the experience we have with security, the efficacy of security, and the practitioner’s efficiency with how they can make their entire security platform more effective.
The problem with isolated defenses is that it’s too hard to spot modern-day attacks that are only subtly differentiated from the way typical legitimate users act and look. A totally integrated platform that centralizes all of the information across your environment to give you insight into every action is necessary – and that’s the notion of XDR (extended detection and response).
Cisco’s Tom Gillis, Sr. VP & GM of the Security Business Group, highlighted the fact that it’s increasingly clear that attackers are getting good at emulating both user and application behavior. That means if you’re only looking at one domain (an email stream or an endpoint), you’re missing more than half the picture.
He used PowerShell as an example – it’s a utility used by sysadmins to update and patch a Windows machine. Cisco found that 80% of ransomware attacks came from an unknown process spawned out of PowerShell. This is commonly known as a ‘living off the land’ technique: attackers hide their actions and evade detection by leveraging legitimate tools commonly found in an organization’s environment.
However, you can’t just block PowerShell. You need high-fidelity data to identify suspicious behavior related to the PowerShell activity: a way to monitor and track that process as it makes a connection to the network, starts moving server to server looking for a customer database, and then looks for customer credit card numbers. This is an example of cross-domain telemetry.
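As an added illustration of the cross-domain idea above (example code written for this post, not Cisco’s or Blumira’s), this Python snippet joins constructed endpoint process-creation events with constructed network-connection events: it flags a child process of PowerShell that is not on an assumed allowlist, then raises the severity when that same process opens connections on lateral-movement ports. The allowlist, port list and sample events are assumptions to tune per environment.

```python
import json
from collections import defaultdict

# Constructed sample telemetry (not real data). Both streams carry host and
# pid so an endpoint process can be joined to the connections it made.
ENDPOINT_EVENTS = [
    {"host": "ws-17", "pid": 4120, "image": "powershell.exe", "parent": "explorer.exe"},
    {"host": "ws-17", "pid": 4188, "image": "updater_x.exe", "parent": "powershell.exe"},
    {"host": "ws-17", "pid": 4190, "image": "wuauclt.exe", "parent": "powershell.exe"},
    {"host": "ws-22", "pid": 5200, "image": "svc_helper.exe", "parent": "powershell.exe"},
]
NETWORK_EVENTS = [
    {"host": "ws-17", "pid": 4188, "dst": "10.0.5.21", "dport": 445},
    {"host": "ws-17", "pid": 4188, "dst": "10.0.5.40", "dport": 1433},
    {"host": "ws-17", "pid": 4188, "dst": "203.0.113.9", "dport": 443},
    {"host": "ws-22", "pid": 5200, "dst": "203.0.113.9", "dport": 443},
]

# Assumed allowlist of children PowerShell legitimately spawns during patching.
KNOWN_CHILDREN = {"wuauclt.exe", "msiexec.exe", "conhost.exe"}
# Assumed ports that indicate server-to-server movement inside the network.
LATERAL_PORTS = {445: "SMB", 1433: "MSSQL", 3389: "RDP", 5985: "WinRM"}


def find_unknown_powershell_children(endpoint_events):
    """Endpoint domain: processes spawned by PowerShell that are not allowlisted."""
    return [e for e in endpoint_events
            if e["parent"].lower() == "powershell.exe"
            and e["image"].lower() not in KNOWN_CHILDREN]


def correlate(endpoint_events, network_events):
    """Join the endpoint finding with the network domain to score it."""
    conns = defaultdict(list)
    for n in network_events:
        conns[(n["host"], n["pid"])].append(n)
    findings = []
    for proc in find_unknown_powershell_children(endpoint_events):
        lateral = [c for c in conns[(proc["host"], proc["pid"])]
                   if c["dport"] in LATERAL_PORTS]
        findings.append({
            "host": proc["host"], "pid": proc["pid"], "image": proc["image"],
            # Unknown child alone is worth a look; unknown child that is also
            # reaching SMB/SQL hosts is the ransomware pattern described above.
            "severity": "critical" if lateral else "medium",
            "lateral_targets": sorted({f"{c['dst']}:{LATERAL_PORTS[c['dport']]}"
                                       for c in lateral}),
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(correlate(ENDPOINT_EVENTS, NETWORK_EVENTS), indent=2))
```

The allowlisted wuauclt.exe child produces no finding, the external-only child on ws-22 is scored medium, and the child reaching SMB and MSSQL servers on ws-17 is scored critical.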
What exactly is a platform? It’s a term used often throughout the history of security, and it can mean pretty much anything. Cisco defines it as a plug-and-play system with individual components that can gather telemetry from email, web, endpoint and the network; put it together in a coherent way to identify and stop threats; and orchestrate an intelligent response.
An XDR platform pulls in that data from different sources, extending your reach beyond just the endpoint to include data from your entire hybrid environment.
Blumira’s open platform gives you broad visibility, leveraging the capabilities of:
- Cloud SIEM – Easy to deploy, centralizes and retains your logs for one year; comes with out-of-the-box managed detections and response playbooks
- Endpoint Visibility – Blumira Agent is frictionless and lightweight, giving you visibility into remote Windows endpoints and the ability to contain endpoint threats
- Automated Response – Teams can immediately block traffic from known malicious sources and automatically isolate hosts associated with critical priority threats