With a focus on understanding identity in cloud environments, one cybersecurity vendor says its new solution can find cyberattacks wherever they start.
Cybereason XDR (Extended Detection and Response) aims to expand on the promise of XDR, which helps security operations teams detect and respond to advanced threats by correlating data across endpoints, servers, cloud workloads, networks and email. The solution, which sees Cybereason venturing out of its endpoint detection and response (EDR) comfort zone, adds identity to the mix—something that Cybereason Director Eric Sun says is an important key to understanding more about impending threats.
“We’re seeing attacks not only start and end on the endpoint, but stealing identities and compromising credentials,” Sun said. “It’s about being able to find an attack wherever it starts, whether it’s a credential or a device. It’s about getting visibility into user behavior and anomalous activity on any account.”
Combining identity and cloud data with endpoint data helps security teams investigate and stop attacks, especially those that use lateral movement to reach more valuable cloud resources. This could fill a gap for organizations struggling to gain visibility into their cloud workloads for critical applications, said Dave Gruber, a senior cybersecurity analyst at ESG Global.
Understanding identity has to focus not only on devices and endpoints, but also on the identities being used across cloud services, Sun said. To do that, Cybereason XDR integrates with cloud services to understand authenticated privileged actions. “Basically, whenever users sign into these cloud consoles, we can now take that data and mesh it with what we know about the devices to stop advanced cyberattacks,” he said.
To improve visibility, Cybereason XDR combines cloud, endpoint, network and log data with a data processing engine to expose malicious operations. A searchable in-memory graph gathers endpoint, identity and user behavior. Once detected, every activity can be tracked, analyzed and remediated.
Instead of “chasing alerts,” the solution focuses on enabling users to intercept malicious operations, stopping them in their tracks. It does this by exposing important information about attacks, including the root cause, where it started, affected users and assets, tools the attacker is using, relevant outgoing communications and recommended remediation actions.
Cybereason XDR also provides detailed correlations across both indicators of compromise (IOCs) and indicators of behavior (IOBs). It recognizes the most subtle signs of compromise from across the whole of an organization’s network, the company said.
While extended detection and response is still fairly new and somewhat amorphous, Cybereason, as an EDR vendor, is in a good position to deliver a robust feature set like this out of the gate, Gruber said.
“The heavy lift for Cybereason and other endpoint players is their ability to rapidly build and ingest more types of security data beyond the endpoint,” he said. “I’m happy to see Cybereason focus on cloud and identity, given the accelerated investments by so many companies in their digital transformation initiatives moving core applications to the cloud.”
Gruber said he expects to see other endpoint vendors follow this lead as XDR gains momentum and buyers begin to question EDR investments versus XDR. While Cybereason isn’t first with its extended detection and response offering, its strong analytics platform sets the company up to offer a competitive solution as it ingests more types of security data over time.