Visible XDR Technology: how to achieve extreme alarm and noise reduction?

2025-03-29 update, from SLTechnology News&Howtos (Shulou), IT Information


Shulou (Shulou.com) 11/24 Report

"During the nearly one-month test period, the Sangfor XDR platform generated a total of 1615875443 security logs, aggregated them into 278802 security alerts, and finally produced 94 security events, an alert reduction of 2965 times. Each security operator can handle at most 500 alerts per day. In the past, 10+ people spent 10+ days to deal with all security incidents; now one person can triage all security incidents with high quality in one day. Combined with threat characterization, the triage of non-virus and scanning alerts can also be completed."

When a security engineer is confident enough to report this set of data, the claim that "the Sangfor XDR platform brings real security results to users" is clearly not empty talk.

Moreover, compared with the number of alerts produced by the same situational-awareness platform on the same day, Sangfor XDR's alert reduction rate is close to 10x.

Clicking into any alert shows the large number of logs that were aggregated into it.

Just a month ago, the user was in deep trouble:

"We bought all the security equipment, but saw no effect."

Situational awareness and firewall deployments were fragmented and each device was operated separately. There were far too many alerts for viruses, Trojans and cryptomining, most of them false positives triggered by legitimate business traffic, so targeted attacks were hard to find quickly.

"Alert triage and analysis is difficult and inefficient."

The network contained security devices from many different vendors, and each product's alerts were scattered; analyzing each product's alerts on its own was a heavy workload and led to slow security response.

After the Sangfor XDR platform was deployed, its ability to aggregate and analyze telemetry from both the network and the endpoints significantly reduced the volume of alerts from EDR and situational awareness (including third-party products), fully reconstructed the attack storyline, and precisely located the attacker's entry point and scope of impact.

The security effect is intuitive and visible, and users can't help but wonder: how exactly does it do this?

First, the security event as Sangfor XDR defines it:

It collects multi-source telemetry, weaves together previously fragmented information, and forms security events that users should prioritize and that reflect the full picture of an attack.

It deeply understands the content of security logs and processes them intelligently at a finer granularity.

Along the path from telemetry data, security logs and security alerts to XDR-defined security events, a high-performance streaming analysis architecture over massive data combined with columnar storage is also the key difference between XDR and earlier SIEM products.

Architecturally, one or more security logs may pass through aggregation, de-duplication, reduction, filtering, fusion and other processing mechanisms to achieve alert noise reduction.

Next, let's look in detail at how Sangfor XDR achieves extreme noise reduction.

Triple noise reduction method, the effect is visible

The essence of noise reduction is compressing the effective information and providing rich contextual evidence built from the data that matters.

Sangfor XDR's noise reduction methods include network-side noise reduction, endpoint-side noise reduction and network-endpoint correlation noise reduction.

1. Network side noise reduction

Many-to-one noise reduction: when an attacker uses multiple source IPs to attack the same asset, regardless of how long it takes or whether it succeeds, Sangfor XDR presents only one event or alert to the user, and keeps updating the alert details after the first alert is generated.

One-to-many noise reduction: once an asset in the internal network is compromised, the attacker will scan multiple internal assets laterally. No matter how many assets are scanned or how many scanning methods are used, Sangfor XDR generates only a single lateral-scanning security event through timeline correlation.

One-to-one noise reduction: an attacker continuously attacking one asset may use several similar attacks, such as exploiting the same vulnerability to execute several different malicious commands. Sangfor XDR continuously aggregates the matched security logs into one alert.

Cross-stage correlation noise reduction: attacks at different stages, such as early dnslog probing, WebShell upload plus communication, and internal lateral movement, are linked together, and Sangfor XDR automatically aggregates them into one complete security event.
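The four network-side rules above, as an added example that is not Sangfor's code: a minimal three-stage funnel (logs to alerts, alerts to events, events to incidents) over a handful of constructed logs. The log field names, the aggregation keys, the scan window and the sample logs are all assumptions made for this example.

```python
"""Network-side alert aggregation: one-to-one, many-to-one, one-to-many and
cross-stage rules.  Added example, not Sangfor's code; the log field names,
the sample logs and the aggregation keys are constructed assumptions."""

# Constructed sample security logs (timestamps in seconds, addresses from
# documentation ranges, vulnerability id is a placeholder).
LOGS = [
    {"ts": 90,  "src": "203.0.113.5", "dst": "10.0.0.8",  "kind": "dnslog",  "domain": "probe.dnslog.example"},
    {"ts": 100, "src": "203.0.113.5", "dst": "10.0.0.8",  "kind": "exploit", "vuln": "VULN-PLACEHOLDER", "cmd": "whoami"},
    {"ts": 101, "src": "203.0.113.5", "dst": "10.0.0.8",  "kind": "exploit", "vuln": "VULN-PLACEHOLDER", "cmd": "id"},
    {"ts": 105, "src": "203.0.113.9", "dst": "10.0.0.8",  "kind": "exploit", "vuln": "VULN-PLACEHOLDER", "cmd": "uname -a"},
    {"ts": 110, "src": "10.0.0.8",    "dst": "10.0.0.21", "kind": "scan",    "method": "syn"},
    {"ts": 111, "src": "10.0.0.8",    "dst": "10.0.0.22", "kind": "scan",    "method": "syn"},
    {"ts": 112, "src": "10.0.0.8",    "dst": "10.0.0.23", "kind": "scan",    "method": "null"},
    {"ts": 130, "src": "10.0.0.8",    "dst": "10.0.0.24", "kind": "scan",    "method": "syn"},
]

def logs_to_alerts(logs):
    """One-to-one: exploit logs sharing (src, dst, vuln) collapse into one
    alert that accumulates the distinct commands; other kinds stay 1:1."""
    alerts = {}
    for log in sorted(logs, key=lambda l: l["ts"]):
        if log["kind"] == "exploit":
            key = ("exploit", log["src"], log["dst"], log["vuln"])
            detail = log["cmd"]
        else:
            key = (log["kind"], log["src"], log["dst"], log["ts"])
            detail = log.get("method") or log.get("domain")
        a = alerts.setdefault(key, {"kind": log["kind"], "src": log["src"], "dst": log["dst"],
                                    "vuln": log.get("vuln"), "first": log["ts"], "last": log["ts"],
                                    "details": set(), "logs": 0})
        a["last"] = log["ts"]
        a["logs"] += 1
        a["details"].add(detail)
    return list(alerts.values())

def alerts_to_events(alerts, scan_window=60):
    """Many-to-one: exploit alerts against the same (dst, vuln) from any number
    of sources become one event.  One-to-many: scan alerts from one source
    within scan_window seconds of each other become one lateral-scan event,
    whatever the target count or method.  Each event names the asset that ties
    it to other stages: the victim for inbound stages, the scanning host for
    lateral scanning."""
    events = []
    for a in sorted(alerts, key=lambda x: x["first"]):
        match = None
        for ev in events:
            if a["kind"] == "exploit" and ev["stage"] == "exploit" \
                    and ev["asset"] == a["dst"] and ev["vuln"] == a["vuln"]:
                match = ev
            elif a["kind"] == "scan" and ev["stage"] == "lateral-scan" \
                    and ev["asset"] == a["src"] and a["first"] - ev["last"] <= scan_window:
                match = ev
            if match:
                break
        if match is None:
            match = {"stage": "lateral-scan" if a["kind"] == "scan" else a["kind"],
                     "asset": a["src"] if a["kind"] == "scan" else a["dst"],
                     "vuln": a["vuln"], "peers": set(), "details": set(),
                     "first": a["first"], "last": a["last"], "alerts": 0, "logs": 0}
            events.append(match)
        match["peers"].add(a["dst"] if a["kind"] == "scan" else a["src"])
        match["details"] |= a["details"]
        match["last"] = max(match["last"], a["last"])
        match["alerts"] += 1
        match["logs"] += a["logs"]
    return events

def correlate_stages(events):
    """Cross-stage: every event touching the same asset (probed, exploited,
    then scanning outward) is chained into one incident, in time order."""
    incidents = {}
    for ev in sorted(events, key=lambda e: e["first"]):
        inc = incidents.setdefault(ev["asset"], {"asset": ev["asset"], "stages": [], "events": 0,
                                                 "logs": 0, "first": ev["first"], "last": ev["last"]})
        inc["stages"].append(ev["stage"])
        inc["events"] += 1
        inc["logs"] += ev["logs"]
        inc["last"] = max(inc["last"], ev["last"])
    return list(incidents.values())

def reduce_noise(logs):
    """Run the full funnel; returns the (logs, alerts, events, incidents) counts."""
    alerts = logs_to_alerts(logs)
    events = alerts_to_events(alerts)
    return len(logs), len(alerts), len(events), len(correlate_stages(events))

if __name__ == "__main__":
    for inc in correlate_stages(alerts_to_events(logs_to_alerts(LOGS))):
        print(inc)
    print(reduce_noise(LOGS))   # (8, 7, 3, 1)
```

On the sample data the eight logs become seven alerts, three events (one exploit event with two sources, one lateral-scan event with four targets, one dnslog event) and a single incident whose stage list reads dnslog, exploit, lateral-scan in time order, which is the storyline view the article describes. The scan window is the one tunable that decides whether a slow scan stays one event or splits.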

2. Endpoint side noise reduction

Traditional virus detection noise reduction: for traditional virus alerts, key factors such as the file path, the virus name and the file hash are extracted. Using two modes, hash uniqueness and category uniqueness, Sangfor XDR aggregates the alerts generated by the same virus into one security event.

Advanced threat noise reduction: for advanced threats such as fileless attacks, Sangfor XDR records everything that happens in the user's environment in chronological order, linking all telemetry into a graph. Based on this provenance graph, it correlates time, assets, network, intelligence and other factors, selects the threat-related entities and relationships as nodes and edges to form a small threat graph, and finally produces a visual attack story chain.

Traditional virus detection + advanced threat noise reduction: if, after a chain of advanced-threat actions, the attacker still drops a suspicious file that EDR detects, Sangfor XDR matches the antivirus alert into the process chain, so traditional virus detection and advanced-threat noise reduction are merged into one.
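The endpoint-side rules above (hash uniqueness, category uniqueness, and folding an antivirus alert into an existing process chain), as an added example that is not Sangfor's code. The process telemetry, the alert fields, the placeholder hashes and the family-prefix naming scheme used as the category key are all constructed assumptions for this example.

```python
"""Endpoint-side noise reduction: de-duplicate antivirus alerts by hash or
by category, then fold any alert that lands on a process inside an
advanced-threat process chain into that chain's event.  Added example, not
Sangfor's code; telemetry, alerts and field names are constructed."""
from collections import defaultdict

# Constructed process telemetry from one host (pid/ppid links build the tree).
PROCS = [
    {"host": "h1", "pid": 100, "ppid": 1,   "name": "winword.exe"},
    {"host": "h1", "pid": 200, "ppid": 100, "name": "powershell.exe"},
    {"host": "h1", "pid": 300, "ppid": 200, "name": "rundll32.exe"},
    {"host": "h1", "pid": 400, "ppid": 1,   "name": "explorer.exe"},
]

# Constructed antivirus alerts; the hashes are placeholders, not real samples.
AV_ALERTS = [
    {"host": "h1", "pid": 300,  "path": r"C:\Users\u\AppData\Local\Temp\a.dll", "name": "Trojan.Generic", "sha256": "hash-A"},
    {"host": "h1", "pid": 300,  "path": r"C:\Users\u\AppData\Local\Temp\b.dll", "name": "Trojan.Generic", "sha256": "hash-A"},
    {"host": "h2", "pid": None, "path": r"C:\ProgramData\c.exe",                "name": "Trojan.Generic", "sha256": "hash-B"},
    {"host": "h1", "pid": 400,  "path": r"C:\Users\u\Downloads\setup.exe",      "name": "Adware.Bundle",  "sha256": "hash-C"},
]

def category_of(virus_name):
    """Category-uniqueness key: the family prefix of the detection name
    (the 'Family.Variant' naming scheme is an assumption of this example)."""
    return virus_name.split(".", 1)[0]

def aggregate_av(alerts, mode="hash"):
    """Collapse alerts generated by the same virus into one security event,
    keyed by file hash (mode="hash") or detection category (mode="category")."""
    events = {}
    for a in alerts:
        key = a["sha256"] if mode == "hash" else category_of(a["name"])
        ev = events.setdefault(key, {"key": key, "mode": mode, "alerts": 0,
                                     "hosts": set(), "paths": set(), "pids": set()})
        ev["alerts"] += 1
        ev["hosts"].add(a["host"])
        ev["paths"].add(a["path"])
        if a["pid"] is not None:
            ev["pids"].add((a["host"], a["pid"]))
    return list(events.values())

def process_chain(procs, host, root_pid):
    """All (host, pid) pairs in the subtree rooted at root_pid, i.e. the
    process chain that an advanced-threat event is built from."""
    children = defaultdict(list)
    for p in procs:
        if p["host"] == host:
            children[p["ppid"]].append(p["pid"])
    chain, todo = set(), [root_pid]
    while todo:
        pid = todo.pop()
        chain.add((host, pid))
        todo.extend(children[pid])
    return chain

def merge_av_into_chain(chain, av_events):
    """Split AV events into those folded into the advanced-threat event
    (an alerting process lies inside the chain) and those left standalone."""
    attached, standalone = [], []
    for ev in av_events:
        (attached if ev["pids"] & chain else standalone).append(ev)
    return attached, standalone

if __name__ == "__main__":
    chain = process_chain(PROCS, "h1", 100)          # winword -> powershell -> rundll32
    for mode in ("hash", "category"):
        attached, standalone = merge_av_into_chain(chain, aggregate_av(AV_ALERTS, mode))
        print(mode, "events:", len(attached) + len(standalone),
              "folded into threat chain:", [e["key"] for e in attached])
```

Hash uniqueness turns the four alerts into three events and folds only the two alerts dropped by the rundll32.exe child into the document-spawned chain; category uniqueness turns them into two events, but the Trojan event it folds into the chain now also carries the unrelated h2 detection. That trade-off is exactly the article's point about correlation strength versus generalization: the looser key reduces more noise at the cost of precision.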

3. Network-endpoint correlation noise reduction

Based on how strongly "the same thing" observed on the network side and on the endpoint side are related, network-endpoint correlation is divided into strong correlation, logical correlation and weak correlation. The stronger the correlation, the weaker its ability to generalize.

Sangfor XDR's network-endpoint correlation engine automatically and efficiently connects multi-dimensional security information. This not only raises the detection rate of unknown threats and covert attacks, but also greatly improves the accuracy of security events through complete provenance evidence, helping the security team reach judgments, make them with confidence, and respond efficiently.

It is worth emphasizing that all this is done automatically.

Third-party data collection: an open platform that can also grow

The key point is that these noise reduction capabilities apply across different vendors' devices, and the Sangfor XDR platform can collect data sources from many third-party vendors.

Sangfor XDR combines a semantic recognition engine with a multi-level correlation analysis engine to automate the understanding of telemetry data and detection logs: "translate with the left hand, aggregate with the right". It continuously merges the multiple alerts that different devices generate for the same attack into one alert, and merges the multiple attempts launched at different stages of the same attack into one event.

Through built-in capabilities such as alert noise reduction, intelligent response and threat characterization, combined with continuous empowerment by Security GPT and other AI technologies, the Sangfor XDR platform improves the effectiveness and efficiency of threat confrontation, builds a new paradigm for security operations, and achieves the leap in efficiency and capability summarized as "second-level closed loop, 100x efficiency, 10-million cost reduction", helping every user stay "one step ahead in security".
