Everything about XDR is around Correlations, not Hype


In the last several months the term XDR has been used by almost every security product manufacturer. It is one thing to say that you have it, but the hard work that goes into building the detections takes years. It is not enough to say that you have a big data platform that you can dump things into and search; you need actionable detections that lead to meaningful correlations. Here are two key things to consider as you look at XDR.

Data Normalization – To get full visibility, the first thing you need to consider is the data itself. Every security product has a different way of presenting its logs and alerts. Network solutions, endpoint security tools, firewalls, identity tools, cloud security tools and many others all have their own alert formats and frequency. Any big data platform can store logs from these devices – that’s the easy part.


The problem is that creating complex, multi-dimensional rules that keep up with the current pace of attacks is nearly impossible. For example, an IDS can generate upwards of one million alerts per day. Suricata rules matched against known vulnerabilities may bring that down to 200,000, but from there you would normally have to create a series of rules based on your knowledge of the customer’s environment.


This is an area where leveraging machine learning (ML) across the IDS data can reduce that number to a manageable handful of alerts. Instead of writing rules to detect specific things, you can use ML to baseline what normal behavior looks like on that network. When does the customer normally log in? Where do they log in from? How long do they normally stay logged in? Instead of 200,000 alerts, ML detections can reduce that to a handful. Seeing this information correlated across all ..
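The three baseline questions above (when, from where, and for how long a user logs in) can be answered with a per-user profile and a deviation score. The following is an added example, not code from the original post or from any XDR vendor: it builds that profile from a handful of constructed, already-normalised identity events and reports why a new event looks abnormal, using a plain z-score as a stand-in for the ML baselining the post describes.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of normalised identity events: (user, login, logout, source country).
BASELINE_EVENTS = [
    ("alice", "2024-03-01T08:55:00", "2024-03-01T17:10:00", "DE"),
    ("alice", "2024-03-04T09:05:00", "2024-03-04T17:30:00", "DE"),
    ("alice", "2024-03-05T08:50:00", "2024-03-05T16:45:00", "DE"),
    ("alice", "2024-03-06T09:12:00", "2024-03-06T17:05:00", "DE"),
    ("alice", "2024-03-07T09:00:00", "2024-03-07T17:20:00", "DE"),
]

def _features(start, end):
    """Login hour (fractional) and session length in hours for one event."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return s.hour + s.minute / 60, (e - s).total_seconds() / 3600

def build_baseline(events):
    """Per-user profile of 'normal': login-hour and duration stats plus the countries seen."""
    raw = defaultdict(lambda: {"hours": [], "durs": [], "countries": set()})
    for user, start, end, country in events:
        hour, dur = _features(start, end)
        raw[user]["hours"].append(hour)
        raw[user]["durs"].append(dur)
        raw[user]["countries"].add(country)
    return {u: {"hour": (mean(p["hours"]), pstdev(p["hours"])),
                "dur": (mean(p["durs"]), pstdev(p["durs"])),
                "countries": p["countries"]} for u, p in raw.items()}

def _zscore(x, mu, sd):
    """Distance from the mean in standard deviations; zero spread makes any change extreme."""
    if sd == 0:
        return 0.0 if x == mu else float("inf")
    return abs(x - mu) / sd

def score_event(baseline, event, z_threshold=3.0):
    """Return the reasons an event deviates from its user's baseline; empty list means normal."""
    user, start, end, country = event
    if user not in baseline:
        return ["no baseline for user"]
    b, (hour, dur), reasons = baseline[user], _features(start, end), []
    if _zscore(hour, *b["hour"]) > z_threshold:
        reasons.append(f"unusual login hour {hour:.1f}")
    if _zscore(dur, *b["dur"]) > z_threshold:
        reasons.append(f"unusual session length {dur:.1f}h")
    if country not in b["countries"]:
        reasons.append(f"never-seen source country {country}")
    return reasons
```

A 03:00 login from a never-seen country that lasts twenty minutes trips all three checks, while a 09:03 login from the usual country returns an empty list; the reasons are what a correlation layer would attach to the alert rather than a bare rule hit.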
