An XDR (Extended Threat Detection and Response) solution

Detection and response is the most essential issue at the security level. However, current detection and response still has pain points and difficulties that need to be solved, and the response operations level still faces challenges of its own.

Security protection devices of all kinds generate a large number of security alarms every day, so security analysts spend most of their time and energy on alarm information. As a result, high-value alarms are often buried in the mass of alarms and cannot be discovered and blocked immediately; because more attack context cannot be obtained, high-value alarms are ignored and the best window for defense is missed.

Alarms that are discovered also face the problem of difficult attack traceability: the complete attack chain cannot be seen clearly, and a full threat perspective is lacking. How the attacker got in, which vulnerability was used, which host was compromised first, what was done on that host, how lateral movement was carried out, the extent of the impact and the losses caused are all difficulties in tracing the source of an attack.

Massive alarms also bring operational pressure. Because of the data silos between the various security protection products, analysis requires switching back and forth between different platforms; the path for analysis and evidence collection is long and time-consuming, and there is a lack of automated means for analysis, judgment and handling. All of this makes security operations and disposal inefficient.

Facing the security challenges of the new situation, security operations need to "shift left" further: they need the ability to discover potential risks and block threats in advance, and they need fine-grained, effective security measurement capabilities and methods.

At the detection level, organizations also have blind spots in risk perception and threat detection. Vulnerabilities, for example, are common, yet there are blind spots in quantifying the relationships between vulnerabilities and risks, vulnerabilities and assets, and vulnerabilities and threats. Shadow assets are also widespread: employees who use private services find it difficult to comply with the organization's security regulations, which creates a blind spot in the detection of shadow assets. And although organizations have collected large volumes of security logs, more than 60% of them do not use the data, or do not use it effectively, and fail to generate security value from it.

Organizations also lack full-perspective detection of some threats. NDR threat detection based on full traffic, for example, cannot see endpoint files, processes, registry and other behaviors, so it lacks the endpoint perspective; endpoint-based threat detection lacks network visibility, since its behavioral data has no traffic-side data, and the result is data silos. Attackers also bring threats and challenges by bypassing the various detection technologies, and threats are constantly evolving. The shortage of high-level network security talent within organizations is the norm, and threat detection work is highly dependent on network security protection products.

XDR (extended threat detection and response) is not only a technology but also a solution.

"X", extensibility, refers to the multi-dimensional expansion attribute, emphasizing the overall shift from isolated threat detection to comprehensive threat detection.

"D", detection and analysis, refers to the collection, processing and analysis of data, emphasizing faster and more accurate detection of network attack activity than the original systems, with detection and analysis of security incidents from dimensions such as root cause analysis, correlation analysis and event analysis.

"R", response and handling, is closely tied to automation, emphasizing the use of out-of-the-box automated operations to respond quickly to the many tedious and repetitive security tasks.

XDR improves the speed and accuracy of threat detection and response through technical means such as multi-source alarm fusion, rule-based rapid detection, dynamic management and control of all assets, and event-based analysis and disposal, and thereby effectively improves the overall security solution.

The XDR extended threat detection and response solution is driven by "TDIR" (threat detection, investigation and response) and pays more attention to actual security application effects:

In terms of threat detection, it covers threat detection and response on both the endpoint and traffic sides. A single platform realizes cross-dimensional security protection, which effectively helps enhance threat detection and protection capabilities and eliminates blind spots in threat detection.

In terms of investigation, combining rich telemetry for complete attack source tracing effectively helps organizations improve the comprehensiveness of threat investigations, increases the detection effectiveness of the security operations team 100-fold, and lets security operations focus on a small number of high-value attack events.

In terms of response, rapid cross-endpoint and cross-network analysis and response processing effectively helps organizations improve threat response efficiency, increases security operations efficiency 8-fold, and achieves minute-level alarm response speeds.

In the XDR extended threat detection and response solution, "threat discovery" across the three stages is the fundamental need and basic capability, and achieving an operable security state is the key capability.

In the face of massive alarms, the solution achieves a secure and operable state: it can mine high-value scenarios, keeps security analysis focused, and neither analyzes blindly nor selectively gives up because of the volume of alarms. It can trace attacks, collect evidence and turn them into events, so the ins and outs of an attack can be seen clearly and a complete attack chain built from intrusion to lateral movement. It has automated orchestration and response capabilities, using SOAR automated orchestration technology to orchestrate security operations into executable workflows, effectively releasing the effectiveness of security operations and focusing them on high-value attack scenarios.
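As an added illustration of the multi-source alarm fusion and attack-chain construction described above (not code from the original post or from any XDR product), the following toy correlates constructed EDR and NDR alerts by host and time window into incidents, scores incidents corroborated by both sources higher, and orders each incident into a time-ordered attack chain; the alert format, type names, hosts, IPs and weights are all assumptions.

```python
"""Toy multi-source alert fusion (constructed example, not vendor code):
correlate EDR and NDR alerts by host and time window into incidents,
order each into an attack chain, and rank incidents by score."""
from datetime import datetime, timedelta

# Constructed sample alerts; hosts, IPs and alert types are made up.
ALERTS = [
    {"src": "ndr", "ts": "2023-08-10T09:00:05", "host": "ws-17", "type": "exploit_attempt", "peer": "203.0.113.9"},
    {"src": "edr", "ts": "2023-08-10T09:00:40", "host": "ws-17", "type": "suspicious_process"},
    {"src": "edr", "ts": "2023-08-10T09:03:10", "host": "ws-17", "type": "credential_dump"},
    {"src": "ndr", "ts": "2023-08-10T09:05:00", "host": "ws-17", "type": "lateral_smb", "peer": "srv-02"},
    {"src": "edr", "ts": "2023-08-10T09:05:30", "host": "srv-02", "type": "suspicious_process"},
    {"src": "ndr", "ts": "2023-08-10T14:20:00", "host": "ws-42", "type": "port_scan", "peer": "10.0.0.5"},
]
# Assumed severity weights: an isolated low-weight alert is noise, while a
# chain corroborated by both sources becomes a high-value incident.
WEIGHTS = {"exploit_attempt": 3, "suspicious_process": 2, "credential_dump": 5, "lateral_smb": 4, "port_scan": 1}
WINDOW = timedelta(minutes=10)

def fuse(alerts, window=WINDOW):
    """Group alerts into incidents: an alert joins an incident when it falls
    within `window` of that incident's last alert and its host is already in
    the incident; a lateral-movement alert adds its peer host so the next
    alerts from the victim are chained to the same incident."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(alert["ts"])
        for inc in incidents:
            if ts - inc["last"] <= window and alert["host"] in inc["hosts"]:
                inc["alerts"].append(alert)
                inc["last"] = ts
                if alert["type"].startswith("lateral"):
                    inc["hosts"].add(alert["peer"])
                break
        else:  # nothing matched: start a new incident
            incidents.append({"hosts": {alert["host"]}, "alerts": [alert], "last": ts})
    return incidents

def score(inc):
    """Weight sum times the number of distinct sources corroborating the incident."""
    sources = {a["src"] for a in inc["alerts"]}
    return sum(WEIGHTS[a["type"]] for a in inc["alerts"]) * len(sources)

def attack_chain(inc):
    """Time-ordered 'HH:MM:SS host type' entries, from intrusion to lateral movement."""
    return [f'{a["ts"][11:]} {a["host"]} {a["type"]}' for a in inc["alerts"]]

def triage(alerts):
    """Incidents ranked highest score first, so the chain surfaces above the noise."""
    return sorted(fuse(alerts), key=score, reverse=True)
```

With the constructed input, the five alerts on ws-17 and srv-02 fuse into one cross-source incident that outranks the lone port scan on ws-42.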


Origin: blog.csdn.net/Arvin_FH/article/details/132275261