According to a Mandiant survey of 1,350 global business and IT leaders, when trying to secure their networks against cyber threats, nearly all respondents (96%) believe it’s important to understand the threat actors targeting their organizations. That’s hardly a surprise.
But then there’s this finding: 79% of respondents say that most of the time, they make decisions about cyberattacks without insights into who could be targeting their organization.
And this: 98% of respondents are satisfied with the quality of their threat intelligence – but nearly half (47%) said applying threat intelligence effectively was among their greatest challenges.
For anyone outside of the security industry, those stats sound incongruous. Not to cyber professionals, especially security operations center (SOC) teams. They face a daily barrage of incomplete and inaccurate alerts that lack vital contextual information, many of them false positives. In fact, the typical SOC receives an estimated 11,000 alerts per day, or 450 alerts per hour (Forrester Consulting: The 2020 State of Security Operations). About 30% of these are never addressed and 45% are false positives.
Alert overload may sound like the culprit, but it’s just a symptom. The root cause is that threat detection and response is unnecessarily difficult. To date, it has required too many complex point solutions that aren’t cut out to protect a growing attack surface. To investigate a single threat, a typical SOC analyst may rely on tools including endpoint detection and response (EDR); security information and event management (SIEM); security orchestration, automation and response (SOAR); user and entity behavior analytics (UEBA); a threat intelligence platform (TIP) and security analytics. Each of these products is useful, but without integration, analysts must learn and then toggle between multiple systems, often losing valuable context along the way.
As a result, SOC analysts know little about their adversaries, miss critical threats, and take too long to investigate and respond to them. Instead of devoting their time to detecting and addressing true threats, they’re jumping from tool to tool and alert to alert, digging for information and trying to connect the dots.
No wonder the Mandiant survey also found that 84% of respondents are very concerned their organization might be missing real threats and incidents because of the number of alerts and data they face.
Enter eXtended Detection and Response solutions, or XDR.
What is XDR – and how do traditional XDRs fall short?
XDR emerged in 2018 to address the many weaknesses in existing cybersecurity tools and approaches. As a sort of floor wax and dessert topping (remember the old “Saturday Night Live” skit?), it promises to consolidate siloed products and improve SOC efficiency by accelerating threat detection and incident response.
Unfortunately, to date XDR solutions haven’t lived up to this promise – not the X nor the D nor the R:
- The “extended” has been limited – they don’t touch operational technology (OT), IoT, Internet of Medical Things (IoMT) and other unmanaged devices that can’t have an agent installed on them for various reasons.
- The “detection” has been OK in some cases but inadequate in others, continuing to generate too many low-fidelity alerts and false positives.
- The “response” options, again, don’t reach all connected devices, leaving significant business risk.
Furthermore, XDR solutions haven’t done anything to reduce the risk of an attack in the first place.
Forescout is addressing these limitations with the launch of Forescout® XDR, which converts telemetry and logs into high-fidelity, SOC-actionable probable threats. The SaaS solution automates the detection, investigation, hunt for and response to advanced threats across all connected assets – IT, OT, IoT and IoMT – from campus to cloud to data center to edge. It combines essential SOC technologies and functions into a unified, cloud-native platform, viewable and actionable from a single console.
Integration with other Forescout solutions reduces the attack surface – and the risk of a compromised or non-compliant device connecting to your network in the first place. And, it enables you to automate responses across the extended enterprise.
Let’s compare Forescout XDR to traditional XDR approaches in these three areas.
X is for “extended,” but not far enough
The “X” in XDR stands for extending detection and response across the entire digital enterprise. But for EDR vendors, from which many XDR vendors evolved, it’s largely an extension from monitoring endpoints to encompassing the network, servers and cloud as well. Forrester describes the evolution like this:
EDR shifted from being “flight recorders” satisfied with collecting system activity to incorporating analyst workflows into the offering a few years later. The move to XDR allows EDR vendors to apply the workflow-focused approach to more tools, potentially outpacing security analytics platforms in the process.
True extensibility protects all connected devices across the entire enterprise, including cloud, campus, remote and data center environments. Whereas closed (or native) XDR solutions may require that vendor’s tech stack (including EDR, network and cloud), open systems can leverage telemetry across the entire attack surface, picked up from multi-vendor security tools.
Forescout XDR is an open XDR that works with the security solutions you’ve already invested in to increase their value. It can ingest data from any managed or unmanaged connected device and supports more than 170 vendor data sources and 12 EDR solutions (including those from CrowdStrike, VMware Carbon Black, SentinelOne, Microsoft and Trend Micro), along with other leading security, infrastructure, enrichment, application and cloud sources, as well as Forescout solutions.
D is for “detection,” but still too many low-confidence alerts and false positives
Threat detection is almost entirely data- and rules-driven. More data doesn’t necessarily mean better detection. But better data and data science most certainly do. The breadth of data – from the device types that characterize your extended enterprise – and the way these sources are processed and managed determine the breadth of threats that can be detected and the mean time to investigate and respond to them.
Most XDRs normalize data to enable analysis but stop there. Forescout XDR enforces a common information model (CIM) to normalize ingested data, but that’s just the starting point. That normalized data is then auto-enriched at line speed with user info, IP attribution, geolocation, critical asset information and more. This significantly enhances the value of the data for correlation, detection, investigation and threat hunting purposes. Next, our two-stage threat detection engine uses a blend of five techniques – cyber intel, signatures and TTPs, UEBA, statistics and outliers, and context-aware AI/ML – to weed out false positives and generate high-fidelity, high-confidence threats that warrant deeper investigation.
Rule breadth and depth are equally important. Forescout XDR includes more than 1,500 verified, out-of-the-box detection rules and models for those data sources. These rules are regularly updated, and you can also create custom rules based on your environment. The rules applied in the first stage of the engine create “indicators” that are associated with a user, device or bucket (in the case of cloud). Indicators suggest a threat but need more correlation.
During stage 2, the engine looks for patterns or sequences of the indicators generated in stage 1 that, taken together, are more probably a true threat. It’s this output from the “machine brain” that analysts (humans) then need to investigate.
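To make the normalize → enrich → stage 1 → stage 2 flow concrete, here is an added example of a miniature pipeline in that shape. It is illustration written for this page, not Forescout’s code, and everything in it is constructed: the two log formats, the asset inventory, the three stage-1 rules, the 15-minute window and the “two distinct indicators on one entity” promotion rule are all assumptions. Stage 1 turns single normalized events into indicators tied to a device; stage 2 promotes an entity to a probable threat only when several different indicators cluster on it, so a lone noisy indicator (an admin running an encoded PowerShell script) never reaches the analyst.

```python
"""Two-stage indicator correlation (added example, not Forescout code).
All sources, field names, rules and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw events from two hypothetical sources: an EDR agent and a firewall.
RAW_EVENTS = [
    ("edr", {"ts": "2023-03-01T10:00:05", "host": "ws-042", "user": "alice",
             "proc": "powershell.exe", "cmdline": "powershell -enc SQBFAFgA..."}),
    ("fw",  {"ts": "2023-03-01T10:00:40", "src": "10.1.5.42", "dst": "203.0.113.9",
             "dport": 4444, "action": "allow"}),
    ("edr", {"ts": "2023-03-01T10:01:10", "host": "ws-042", "user": "alice",
             "proc": "cmd.exe", "cmdline": "whoami /all"}),
    # Lone encoded-PowerShell run on another host: one indicator, never a threat.
    ("edr", {"ts": "2023-03-01T11:30:00", "host": "ws-099", "user": "bob",
             "proc": "powershell.exe", "cmdline": "powershell -enc UwB0AGEAcgB0..."}),
    # Ordinary HTTPS from a critical server: no indicator at all.
    ("fw",  {"ts": "2023-03-01T14:00:00", "src": "10.1.5.77", "dst": "203.0.113.9",
             "dport": 443, "action": "allow"}),
]

# Constructed asset inventory used for IP attribution and criticality enrichment.
ASSETS = {
    "10.1.5.42": {"device": "ws-042", "critical": False},
    "10.1.5.77": {"device": "srv-db-01", "critical": True},
}

def normalize(source, raw):
    """Map vendor-specific fields onto a small common information model (CIM)."""
    ts = datetime.fromisoformat(raw["ts"])
    if source == "edr":
        return {"ts": ts, "device": raw["host"], "user": raw["user"],
                "process": raw["proc"], "cmdline": raw["cmdline"]}
    if source == "fw":
        return {"ts": ts, "src_ip": raw["src"], "dst_ip": raw["dst"],
                "dst_port": raw["dport"], "action": raw["action"]}
    raise ValueError(f"unknown source {source!r}")

def enrich(event):
    """Attach device name and criticality from the inventory (IP attribution)."""
    asset = ASSETS.get(event.get("src_ip", ""))
    if asset:
        event["device"] = asset["device"]
        event["critical"] = asset["critical"]
    event.setdefault("critical", False)
    return event

# Stage-1 rules: each looks at ONE event and names the indicator it produces.
STAGE1_RULES = [
    ("encoded_powershell", lambda e: e.get("process") == "powershell.exe"
                                     and " -enc" in e.get("cmdline", "").lower()),
    ("recon_command", lambda e: e.get("cmdline", "").lower().startswith("whoami")),
    ("uncommon_outbound_port", lambda e: e.get("action") == "allow"
                                         and e.get("dst_port") not in (53, 80, 443)),
]

def stage1(events):
    """Emit indicators: a rule hit bound to an entity (the device) and a timestamp."""
    indicators = []
    for e in events:
        for name, hit in STAGE1_RULES:
            if hit(e):
                indicators.append({"ts": e["ts"], "entity": e.get("device", "unknown"),
                                   "indicator": name, "critical": e["critical"]})
    return indicators

WINDOW = timedelta(minutes=15)   # assumed correlation window

def stage2(indicators, window=WINDOW, min_distinct=2):
    """Promote an entity to a probable threat when >= min_distinct DIFFERENT
    indicators land on it inside one window. Repeats of one indicator don't count."""
    by_entity = defaultdict(list)
    for ind in indicators:
        by_entity[ind["entity"]].append(ind)
    threats = []
    for entity, inds in by_entity.items():
        inds.sort(key=lambda i: i["ts"])
        for i, first in enumerate(inds):
            cluster = [x for x in inds[i:] if x["ts"] - first["ts"] <= window]
            names = sorted({x["indicator"] for x in cluster})
            if len(names) >= min_distinct:
                threats.append({"entity": entity, "start": first["ts"], "indicators": names,
                                "priority": "high" if any(x["critical"] for x in cluster) else "medium"})
                break   # one probable threat per entity is enough for triage
    return threats

def run_pipeline(raw_events=RAW_EVENTS):
    """Full flow: normalize -> enrich -> stage 1 -> stage 2. Returns (indicators, threats)."""
    events = [enrich(normalize(src, raw)) for src, raw in raw_events]
    indicators = stage1(events)
    return indicators, stage2(indicators)

if __name__ == "__main__":
    inds, threats = run_pipeline()
    print(f"{len(inds)} indicators -> {len(threats)} probable threat(s)")
    for t in threats:
        print(t)
```

On the constructed input, stage 1 produces four indicators but stage 2 hands the analyst exactly one item: ws-042, where an encoded PowerShell run, an outbound connection on port 4444 and a `whoami /all` occur within a minute of each other. The firewall event only reaches the same entity because enrichment attributed the source IP to the device, which is the practical reason the post puts enrichment before detection rather than after it.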
The upshot? For every 50 million logs ingested per hour, Forescout XDR typically generates one high-fidelity detection (probable threat) that warrants analyst investigation.*
* Based on aggregate Forescout client data averaged over a one-year period (Dec 2021-2022) across 30 enterprises, representing a range of company sizes and industries.
Per the Mandiant survey findings, there’s no shortage of threat intelligence out there. The game changer is enabling SOC teams to apply that threat intelligence at will, so they know who is targeting their organization and how. Forescout XDR has powerful threat intelligence capabilities built into it, leveraging IOC data from 70 global sources of threat intel. That intel is correlated into a searchable graph model database of “known bad” domains, URLs and IPv4 and IPv6 addresses. Each IOC is dynamically assigned a confidence score based on an assessment of the quality of the source. This confidence-scored IOC intel is then leveraged by the threat detection engine, and by customer SOC teams, to accelerate and improve the threat detection and investigation process.
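The paragraph above describes IOCs scored by the quality of the source that reported them, and a detection engine that consumes those scores. Here is an added example of one way to build such a store; it is written for this page and is not Forescout’s implementation or scoring model. The source catalogue and its quality weights, the 30-day half-life, the noisy-OR combination of sources and the 0.6 match threshold are all assumptions, and every indicator in it is constructed (documentation ranges only). The point it shows is that the same IOC lookup gives very different answers depending on who reported it and how long ago, so an event matching a stale, single-source indicator does not by itself produce an indicator for the engine.

```python
"""Confidence-scored IOC store (added example, not Forescout code).
Source weights, half-life, scoring formula and all indicators are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2023, 3, 1)          # fixed reference time so results are deterministic
HALF_LIFE = timedelta(days=30)      # assumed: a sighting's weight halves every 30 days

# Constructed source catalogue: assumed quality weight per feed (0..1).
SOURCES = {"vendor_feed_a": 0.9, "community_feed": 0.5, "paste_scraper": 0.2}

class IocStore:
    """Two-way index (indicator -> sightings, source -> indicators), i.e. a tiny graph."""
    def __init__(self):
        self.sightings = defaultdict(list)   # (kind, value) -> [(source, first_seen)]
        self.by_source = defaultdict(set)    # source -> {(kind, value)}

    @staticmethod
    def canonical(kind, value):
        """Normalize so lookups hit regardless of case, trailing dot or IPv6 spelling."""
        if kind == "domain":
            return ("domain", value.strip().lower().rstrip("."))
        if kind == "url":
            return ("url", value.strip())
        if kind == "ip":   # ip_address() accepts v4 and v6 and yields the compressed form
            return ("ip", str(ipaddress.ip_address(value.strip())))
        raise ValueError(f"unsupported IOC kind {kind!r}")

    def add(self, kind, value, source, first_seen):
        key = self.canonical(kind, value)
        self.sightings[key].append((source, first_seen))
        self.by_source[source].add(key)

    def confidence(self, kind, value, now=NOW):
        """Noisy-OR over sources: P(bad) = 1 - prod(1 - w_i), with each source's
        weight decayed by the age of its sighting. Unknown sources get a low default."""
        key = self.canonical(kind, value)
        if key not in self.sightings:
            return 0.0
        p_clean = 1.0
        for source, seen in self.sightings[key]:
            decay = 0.5 ** ((now - seen) / HALF_LIFE)
            p_clean *= 1.0 - SOURCES.get(source, 0.1) * decay
        return round(1.0 - p_clean, 3)

def build_store():
    """Constructed sightings (documentation ranges / reserved names only)."""
    s = IocStore()
    s.add("ip", "203.0.113.9", "vendor_feed_a", datetime(2023, 2, 25))   # two sources, recent
    s.add("ip", "203.0.113.9", "community_feed", datetime(2023, 2, 20))
    s.add("domain", "evil.example", "paste_scraper", datetime(2023, 2, 28))  # one weak source
    s.add("ip", "2001:db8::1", "vendor_feed_a", datetime(2022, 9, 1))     # strong but stale
    return s

def match_event(store, event, threshold=0.6):
    """What the detection engine would call: return (field, value, confidence) for
    every event field that matches a known-bad IOC at or above the threshold."""
    hits = []
    for field, kind in (("dst_ip", "ip"), ("src_ip", "ip"), ("domain", "domain"), ("url", "url")):
        if field in event:
            c = store.confidence(kind, event[field])
            if c >= threshold:
                hits.append((field, event[field], c))
    return hits

if __name__ == "__main__":
    store = build_store()
    for kind, value in (("ip", "203.0.113.9"), ("domain", "Evil.Example."),
                        ("ip", "2001:DB8:0:0:0:0:0:1"), ("ip", "198.51.100.1")):
        print(kind, value, "->", store.confidence(kind, value))
    print(match_event(store, {"dst_ip": "203.0.113.9", "domain": "evil.example"}))
```

Run as written, the two-source recent IP scores close to 0.9 and becomes a match, while the paste-site domain scores around 0.2 and the six-month-old IPv6 address decays to almost nothing, even though it came from the strongest feed. The `by_source` side of the index is what lets an analyst pivot the other way during investigation (“what else did this feed report?”), which is the kind of question a flat blocklist cannot answer.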
R is for “response,” but still too many gaps (cloud, OT, IoMT)
Similar to asset remediation, incident response requires tight orchestration across multi-vendor products. Closed XDRs typically can’t effectively automate and orchestrate the right response workflows across all connected assets and settings. Forescout XDR is integrated with and leverages Forescout® eyeSight and Forescout® eyeControl to automate responses that can touch every managed and unmanaged connected device across your enterprise. Based on the NIST Incident Response Life Cycle, Forescout XDR also supports integrations with common case management systems including ServiceNow and Jira Software. And finally, true threats identified by Forescout XDR can also be fed to an existing SIEM for centralized orchestration and incident response.
Better detection and response of true threats
Why is Forescout entering the XDR market? To better serve the growing risk and compliance needs of our enterprise customers. Complete visibility is the core challenge – to see the status of all connected devices across your enterprise, not just traditional IT devices. This is the foundation of everything Forescout does. With the acquisition of Cysiv last year, we have enhanced our capabilities with cloud-native data analytics and a world-class threat detection engine to provide closed-loop threat detection and response across managed and unmanaged assets.
The emergence of XDR as a category was a big step in the right direction for SOC efficiency, but not the huge leap that SOC analysts, in particular, deserve. Forescout’s entry into this market continues the evolution. XDR may be rooted in EDR, but visibility takes the category to a whole new level.
Got 30 minutes?
Learn more about Forescout XDR in this brief conversation with the people who engineered it: CTO Justin Foster and Director of Data Science Virendra Bisht. If you like what you hear, request a personal demo tailored to your organization’s needs.