7 Hot New XDR Security Offerings At RSA 2021
Here’s a look at seven XDR security tools released at RSA 2021 that help customers address compliance needs, reduce the endpoint attack surface, and automate threat detection and response functions.
Seeing The Bigger Picture
Vendors attending RSA 2021 have invested heavily in making it easier for customers and partners to obtain insights from multiple sources across the enterprise, get visibility into and reduce the endpoint attack surface, and mitigate incidents in near real-time through automated threat detection and response capabilities that execute directly on the endpoint.
Extended detection and response (XDR) centralizes security data by combining security information and event management (SIEM); security orchestration, automation, and response (SOAR); network traffic analysis (NTA); and endpoint detection and response (EDR). Obtaining visibility across networks, cloud, and endpoints and correlating threat intelligence across security products boosts detection and response.
XDR offerings can integrate with everything from the endpoint and firewall to analytics and threat intelligence feeds to server and email security tools. Here’s a look at how seven vendors attending RSA Conference 2021 are leveraging XDR to meet the threat detection, incident response, and compliance management needs of customers.
Exabeam Fusion XDR
Exabeam Fusion XDR addresses threat detection, investigation, and response without disrupting an organization’s existing technology stack. The product combines behavioral analytics, automation, and pre-built integrations with hundreds of third-party security and productivity tools to overcome weak signals from multiple products and find complex threats missed by other tools.
Customers using Exabeam Fusion XDR can easily identify and respond to critical security issues, intrusions, and attacks from a single, centralized control plane, substantially increasing analyst productivity and reducing response times. The offering differentiates normal behavior from abnormal activity, applies risk scoring to identify notable issues, and automatically reconstructs security incidents.
The product contains prescriptive workflows guided by pre-packaged, use-case-specific context to enable security analysts to defend against common and evolving threats such as external, compromised insider, and malicious insider attacks. Exabeam Fusion SIEM, meanwhile, includes all Fusion XDR features and capabilities plus access to centralized log storage, powerful search, and compliance reporting.
Sophos XDR
Sophos XDR synchronizes endpoint, server, firewall and email security to provide a holistic view of an organization’s environment with deep analysis for threat detection, investigation, and response. The platform offers two types of data retention, including up to 90 days of on-device data as well as 30 days of cross-product data in the cloud-based data lake.
Blending on-device and data lake forensics provides contextualized insights that can be leveraged by security analysts through Sophos Central and via open APIs for ingestion into SIEM, SOAR, PSA and RMM systems. The data lake hosts critical information from Sophos’ endpoint, network, email, cloud, and mobile products, and will feed into the company’s data repository later this year, according to Sophos.
Security and IT teams can easily access this data to run cross-product threat hunts and investigations as well as to drill into granular details of past and present attacker activity. The availability of offline access to historical data further protects against lost or impacted devices, according to Sophos.
McAfee MVision XDR
McAfee expanded its MVision XDR offering through correlations with the company’s endpoint security product, SASE platform, and threat intelligence tool to protect against the most advanced threats while simplifying security operations. MVision XDR is now enriched with actionable threat insights from McAfee’s SASE tool, which detects cloud threats that occur within web and SaaS environments.
This improves situational awareness, drives better and faster decisions, and elevates the SOC to a new level of efficiency and effectiveness, according to McAfee. MVision XDR now automatically correlates attack telemetry from multiple data sources and fuses it with active threat campaigns to reveal the full picture of an adversary’s work across the entire attack lifecycle.
By combining the latest machine learning techniques with human analysis, MVision XDR simplifies analyst workflows across complex threat campaigns to accelerate investigation and move rapidly to resolution. Plus, the integration of MVision Insights with MVision Cloud Security Advisor delivers actionable intelligence to security teams through correlated security posture scoring across all vectors.
Fortinet FortiEDR
Fortinet’s FortiEDR offering has been enhanced with MITRE ATT&CK tags for system activity, new MDR service options, and the recently announced extended detection and response capability. FortiEDR can now help secure workers’ computers on and off the network, providing visibility into and reducing the endpoint attack surface with a lightweight agent whose operation is transparent to users.
Not only does FortiEDR prevent attacks pre- and post-execution by integrating endpoint protection with EDR, but it also detects threats that bypass the prevention layer and quickly responds to minimize business impact. FortiEDR also delivers around-the-clock threat monitoring, alert triage, remote response, and environment tuning for additional expertise and insight, according to the company.
FortiEDR delivers patented ransomware protection without any dependency on shadow copies that the more sophisticated cyberattacks disable. The offering also provides durable behavior-based protection and ongoing analysis and automatable response that can roll back malicious changes without taking machines offline to re-image.
BlackBerry Optics 3.0
BlackBerry Optics 3.0 offers a cloud-native architecture and advanced query capabilities that are integral to the company’s XDR strategy. With Optics 3.0, BlackBerry said Edge AI threat detection and automated response capabilities execute directly on the endpoint device so an incident can be mitigated in near real-time.
The resulting telemetry, alert, and forensic data gets stored in the cloud data lake along with non-endpoint related telemetry data, according to BlackBerry. Security professionals can then query and analyze the multiple sources of telemetry data to gain greater visibility and context into an organization’s security environment, BlackBerry said.
As part of BlackBerry’s XDR roadmap, the company said it will continue to add new products and additional sources of security telemetry – like user behavior, identity, network, data, application, and cloud – to the Optics 3.0 cloud data lake. This will enable data correlation, automated workflows, and automated threat hunting to enable more efficient and effective detection and response.
Cisco SecureX
Cisco SecureX continues to help customers simplify the move from EDR to XDR with more than 30 pre-built workflows, 40 turnkey integrations, and new orchestration capabilities. It delivers valuable insights from multiple sources across the enterprise, including device managers, endpoint detection and response, and anti-virus, to consolidate, discover, normalize, and work with the actual device inventory.
In addition, Cisco Secure Client enables faster XDR adoption by providing a single agent across user, cloud, and endpoint protection. Consolidating multiple endpoint agents onto a single, unified endpoint platform reduces agent fatigue as well as the overall cost of deploying, maintaining, and managing them, helping to secure a customer’s entire IT ecosystem.
Cisco Secure Endpoint’s advanced search technology bolsters XDR value with more than 200 endpoint queries out of the box to get real-time answers to support investigations, threat hunting, and IT operations use cases such as tracking artifacts about endpoints. It doubles the number of built-in queries that can run from within the product to speed up and simplify threat hunting, Cisco said.
AT&T Threat Detection And Response For Government
AT&T Threat Detection and Response for Government combines threat detection, incident response, and compliance management to meet the security needs of federal, state, and local government agencies. It is fast to deploy and easy to use, leverages rich automation and orchestration capabilities, and is highly effective at detecting and responding to threats.
The offering can be integrated with other IT and security tools and allows a single pane of glass view for visibility across the IT environment both on-premises and in Microsoft Azure Government, AWS GovCloud U.S., and Google Cloud Platform environments. It is fueled with continuous threat intelligence to help protect against advanced threats including malware and ransomware, according to AT&T.
AT&T Cybersecurity Consulting offers professional services, including security expertise as needed, to help agencies optimize their implementation of AT&T Threat Detection and Response for Government. The product can help customers meet regulatory reporting requirements and reduce cyber risks, and is available now.