22 Jun Why There Are Silos And Gaps In SOCs… And What To Do About It
Stellar Cyber CEO and co-founder Changming Liu on XDR
– Contributed by Stellar Cyber
Santa Clara, Calif. – Jun. 20, 2020
Q. Why do you think people including CISOs and analysts are so excited by XDR?
A. SIEMs have been the foundation of security operations for decades, and we should acknowledge that. However, SIEMs have made a lot of great promises, and to this day, have not fulfilled many of them, in particular, the vision of automatic correlation of detections holistically. This is the key problem we work to address at Stellar Cyber with our Open XDR platform.
Q. Let’s clarify that claim. When you say correlation of detections, what do you mean and why can’t SIEMs do it?
A. Detections are an event that looks anomalous or malicious. And the issue today in a modern security operations center (SOC) is that detections can bubble up from many siloed tools. For example, you have firewall and network detection and response (NDR) for your network protection, Endpoint Detection and Response (EDR) for your endpoints’ protection and Cloud Application Security Broker (CASB) for your SaaS applications. Correlating those detections to paint a bigger picture is the issue, since hackers are now using more complex techniques to access your applications and data with increased attack surfaces. Your team is either claiming false positives or an inability to see through these detections and get a sense of what is critical vs. noise. The main purpose of SIEMs is to collect and aggregate data such as logs from different tools and applications for activity visibility and incident investigation.
That said there are still a lot of manual tasks needed, like transforming the data including the data fusion to create context for the data, i.e., enrichment with threat intelligence, location, asset and/or user information.
Cybercrime Radio: Meet Stellar Cyber and the Open XDR Security Platform
Protecting applications and data
Q. So let’s get back to the headline, why is this so key for security professionals?
A. Let’s take analyst firm, Gartner, as an example. For their Security Summit, their number 2 trend — out of Top 7 Security and Risk Trends for 2020 — is a renewed interest in implementing or maturing SOCs with a focus on threat detection and response. They further note, “In response to the growing security skills gap and attacker trends, extended detection and response (XDR) tools, machine learning (ML), and automation capability are emerging to improve security operations productivity and detection accuracy.”
Q. That is telling, but let’s take a step back and say more about why XDR is new, and not just a wrapper on an existing tool.
A. XDR is a cohesive security operations platform with tight integration of many security applications on a single platform. SIEM is one of many such natively supported applications and works with the others, including User and Entity Behavior Analysis (UBA & EBA), Network Traffic Analysis (NTA) and Firewall Traffic Analysis (FTA), threat intelligence, etc. At Stellar Cyber, we define Open XDR as focusing on automatic threat detection and incident response use cases by correlating security events from many security tools. These are the primary challenges with SIEM-only products, which make them the tool primary for log management and compliance.
Q. What about architecture? How important is that to the buyer?
A. Open XDR is developed using new cloud-native architecture and services including micro-services-based architecture with containers and clustering. It is very flexible in terms of deployment, scalable in performance coupled with a Lucene-based search engine to make the query of information super fast — in seconds instead of hours or days as seen in many SIEM-only products. The same software can be deployed on-premises with hardened physical appliances, virtual machines, private or public cloud with horizontal scalability and high availability capability key to big data analytics running on an open data lake. These characteristics are also critical for the ever-increasing data volumes and compliance requirement of zero data loss.
Q. What are other analysts saying?
A. Forrester, ESG, IDC and Omdia all say there are silos and gaps in today’s SOC. Tools need to look at detections across network, cloud, endpoints and users. All analysts talk about the idea of correlations across these areas as a true indicator of XDR capability. As an example, your SIEM sees a log telling you a user has accessed SQL at a time of day that is not typical, your NTA tool tells you that the user is sending the traffic outside your country, and your UBA tool tells you that additionally, the user has not typically used this app at those times or at those data rates. This paints a picture of a complex attack, yet siloed tools need manual intervention to draw the conclusion. Today XDR systems can paint this picture automatically through AI / ML.
Q. How would you help those learning about XDR to shortlist companies and make the right decisions?
A. This is key, and we think there are five primary foundational requirements of XDR:
1. Centralization of normalized and enriched data from a variety of data sources including logs, network traffic, applications, cloud, Threat Intelligence, etc.
3. Correlation of individual security events into a high-level view.
4. Centralized response capability that interacts with individual security products.
5. Cloud-native micro-services architecture for deployment flexibility, scalability and high availability.
And additionally for Stellar Cyber, the idea of Open XDR means we have an open ecosystem to ensure you leverage your existing security tools and best practices. We believe we reduce risk without disruption, and improve the fidelity of all your existing tools.
So, rather than being just one tool like a SIEM, Stellar Cyber’s Open XDR correlates inputs from many different tools, including its own integrated toolset and existing ones already in place, to produce higher-fidelity alerts, reduce false positives, and supercharge analyst productivity.
– Contributed by Stellar Cyber
Sponsored by Stellar Cyber
Stellar Cyber’s industry-leading security infrastructure data collection, analysis and automated anywhere detection and response (XDR) mechanisms improve productivity and empower security analysts to kill threats in minutes instead of days or weeks. By accepting data inputs from a variety of existing cybersecurity solutions, integrating them, and analyzing them under one intuitive interface. Stellar Cyber’s Open-XDR platform helps eliminate the tool fatigue and data overload often cited by security analysts.
Founded in 2015 by industry pioneers from leading companies including Aerohive, Netscreen, Fortinet, Vectra, Juniper, Cisco, VMware, Gigamon, and A10 Networks; Stellar Cyber is based in Silicon Valley, and venture backed by Valley Capital Partners, Big Basin Partners, SIG – Susqehanna and Northern Light Venture Capital.