The increasing sophistication of threat actors has made it increasingly difficult to reliably protect an IT environment with traditional cybersecurity solutions. Extended detection and response (XDR) platforms enhance cybersecurity by working in conjunction with legacy security tools to detect emerging threats that might otherwise be missed.
The effectiveness of XDR solutions depends on the breadth and quality of the telemetry made available to the platform. The complexity of modern IT environments requires the broad collection of diverse telemetry from all areas of the infrastructure.
What is Telemetry?
In the context of XDR, telemetry is the data collected by an IT environment’s multiple security solutions. The available information goes far beyond traditional system logs and provides XDR with more extensive and detailed data about the environment. This information includes items such as DNS queries, network connections opened, and processes started.
The security tools provide different types of activity data that are consolidated by the XDR platform as it hunts for unknown threats. XDR then employs data analysis to identify and generate high-priority alerts to streamline the work of cybersecurity personnel.
An XDR platform depends on reliable and diverse telemetry to identify potential threats to the environment. The analytical artificial intelligence (AI) and machine learning (ML) components of the platform need data to work on, and telemetry is that data; without it, no XDR implementation can succeed.
One of the key features of an effective XDR platform is its ability to combine weak signals from different sources throughout the environment to detect threats. This capability has become increasingly important as threat actors become more adept at leaving smaller footprints and remaining undetected by traditional cybersecurity solutions. Collecting telemetry from more sources provides XDR with the information it needs to identify threats such as lateral movement through the infrastructure that may indicate the presence of an intruder.
What Are the Sources of Telemetry?
Telemetry can be collected from a wide variety of sources throughout an IT environment. The objective data available from an IT infrastructure can be used for purposes such as performance and availability monitoring. It also provides the necessary raw materials to power XDR.
It’s important to note that XDR does not need to ingest every event the environment produces. The platform can selectively ingest the telemetry that is sufficient for detection, then gather the additional detail needed to describe a detected threat, rather than collecting all telemetry all the time.
Different types of telemetry can be gathered from the following sources and made available to an XDR solution.
Network components
Network components expose telemetry on both security-relevant activity and performance, and both need to be monitored. Aspects of the network that should be watched include:
- DNS queries;
- Network connection details such as source, destination, and port number;
- Application usage to identify potential performance issues;
- Port activity that may indicate a breach or a performance delay;
- Data retrieval speed and storage usage.
Servers
Important data is available from the servers that make up an IT environment. Information that can be used by XDR includes:
- Process creation to identify when threat actors attempt to execute malicious code;
- Authentication logs to identify successful and failed access attempts;
- Processor usage which can identify abnormal patterns or requests that may indicate a threat;
- Server statistics that show historical changes in server usage and anomalous user requests.
Email security solutions
Security solutions put in place to safeguard email communication can offer useful telemetry to an XDR platform. The information available from email security tools includes:
- Attempts to deliver malware through malicious links;
- Indications of increased phishing attacks which may be in preparation for a targeted cyberattack;
- New correspondence patterns which may indicate compromised email accounts are being used for nefarious purposes.
Endpoints
Endpoints are a primary target for threat actors intent on gaining a foothold in an organization’s IT environment. Telemetry that can be gathered from endpoints and used by XDR includes:
- Network connections that are established or attempted;
- Files created and accessed;
- Commands executed on specific machines;
- Modification to the registry or system settings.
Cloud resources
A majority of organizations make use of cloud resources in their IT environment. These resources offer additional telemetry that needs to be incorporated into an XDR solution including:
- Authentication logs;
- Changes to access control parameters;
- Provisioning of new cloud resources;
- Resource utilization and consumption;
- Network performance including dropped connections and latency.
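The sections above list the feeds and make the point that XDR detects threats by combining weak signals from several of them. The following is an added example, not code from this page or from Samurai XDR, that shows that idea on constructed telemetry: a network logon from a server's authentication log, a shell spawned by a service from endpoint process-creation data, and new SMB/RDP connections from network telemetry are each routine on their own, but scored together within a short window on one host they surface a lateral-movement chain. The event schema, the hostnames and timestamps, the signal weights, the five-minute window and the threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional, Tuple


class Event(NamedTuple):
    """One normalized telemetry record, whatever tool produced it."""
    ts: datetime   # when the activity happened
    source: str    # which feed it came from: auth, endpoint, network, dns
    host: str      # host the activity is attributed to
    kind: str      # normalized event kind within that feed
    data: dict     # feed-specific fields


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry: hostnames, users and times are invented for
# this example and do not come from any real environment or product log format.
SAMPLE = [
    Event(ts("2024-09-10T09:00:05"), "auth", "ws-12", "logon",
          {"user": "jsmith", "type": "interactive", "src": "ws-12"}),
    Event(ts("2024-09-10T09:01:10"), "dns", "ws-12", "query", {"name": "srv-files.corp.local"}),
    Event(ts("2024-09-10T09:01:12"), "network", "ws-12", "connect", {"dst": "srv-files", "port": 445}),
    # Chain on srv-files: network logon from ws-12, a shell spawned by a
    # service, then admin-protocol connections fanning out to two more servers.
    Event(ts("2024-09-10T09:02:00"), "auth", "srv-files", "logon",
          {"user": "jsmith", "type": "network", "src": "ws-12"}),
    Event(ts("2024-09-10T09:02:20"), "endpoint", "srv-files", "process",
          {"parent": "services.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"}),
    Event(ts("2024-09-10T09:03:05"), "network", "srv-files", "connect", {"dst": "srv-db", "port": 445}),
    Event(ts("2024-09-10T09:03:06"), "network", "srv-files", "connect", {"dst": "srv-hr", "port": 3389}),
    # A lone network logon by a backup account: routine, must not alert by itself.
    Event(ts("2024-09-10T09:10:00"), "auth", "srv-web", "logon",
          {"user": "svc-backup", "type": "network", "src": "srv-backup"}),
]

ADMIN_PORTS = {445, 3389, 5985}  # SMB, RDP, WinRM


def weak_signal(ev: Event) -> Optional[Tuple[int, str]]:
    """Score one event as a weak indicator, or return None if it is noise.

    Every signal here is normal activity on its own; the weights are
    illustrative assumptions, not tuned values.
    """
    if ev.source == "auth" and ev.kind == "logon" and ev.data.get("type") == "network":
        return 1, f"network logon by {ev.data['user']} from {ev.data['src']}"
    if (ev.source == "endpoint" and ev.kind == "process"
            and ev.data.get("parent") == "services.exe"
            and ev.data.get("image") in {"cmd.exe", "powershell.exe"}):
        return 2, f"{ev.data['image']} spawned by services.exe"
    if ev.source == "network" and ev.kind == "connect" and ev.data.get("port") in ADMIN_PORTS:
        return 1, f"connection to {ev.data['dst']}:{ev.data['port']}"
    return None


def correlate(events, window=timedelta(minutes=5), threshold=4, min_sources=2):
    """Group weak signals per host in a sliding time window and raise one alert
    when the combined score crosses the threshold AND at least min_sources
    distinct feeds contributed, so no single feed can trigger it alone."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        sig = weak_signal(ev)
        if sig is not None:            # events that match no rule are not retained
            by_host[ev.host].append((ev, sig))

    alerts = []
    for host, sigs in by_host.items():
        start = 0
        for end in range(len(sigs)):
            # advance the window start so that sigs[start:end+1] spans at most `window`
            while sigs[end][0].ts - sigs[start][0].ts > window:
                start += 1
            win = sigs[start:end + 1]
            score = sum(weight for _ev, (weight, _reason) in win)
            sources = sorted({ev.source for ev, _sig in win})
            if score >= threshold and len(sources) >= min_sources:
                alerts.append({
                    "host": host,
                    "first_seen": win[0][0].ts.isoformat(),
                    "last_seen": win[-1][0].ts.isoformat(),
                    "score": score,
                    "sources": sources,
                    "reasons": [reason for _ev, (_weight, reason) in win],
                })
                break  # one alert per host for this chain is enough for triage
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE):
        print(f"{a['host']}: score {a['score']} from {a['sources']}")
        for r in a["reasons"]:
            print("  -", r)
```

Run as a script it prints one alert, for srv-files, built from the authentication, endpoint and network feeds; ws-12 and srv-web each produce only a single low-weight signal and stay quiet. The `min_sources` requirement is the point of the exercise: dropping any one feed leaves the same activity below the bar, which is the practical argument for ingesting telemetry from more than one layer.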
Why is Comprehensive Telemetry Required for Effective XDR?
Comprehensive telemetry is required due to the multiple attack vectors that exist in a typical IT environment. One of the rationales for the development of XDR platforms was to bolster the ability to identify threats to endpoints as IT environments increased their use of devices housed in remote locations.
Sophisticated advanced persistent threats (APTs) can be especially hard to identify and effectively mitigate. Threat actors attempt to gain access to any component of a targeted IT environment that enables them to subvert security. Once they have gained a foothold in the infrastructure, they attempt to remain hidden while moving laterally through the environment.
They may be in search of high-value targets for data exfiltration or be performing long-term surveillance to address their specific agenda. In any case, XDR can more effectively detect the presence of APTs with comprehensive and wide-ranging telemetry.
Recent events have made it clear that focusing solely on endpoint protection leaves critical infrastructure components vulnerable to threat actors. Let’s take a look at an illustrative example of how a sophisticated advanced persistent threat (APT) group attacks infrastructure components.
The case of Chinese APT group UNC3886
A suspected China-nexus hacking group tracked as UNC3886 appears to be behind attacks on unpatched FortiGate firewall devices. The multi-faceted threats posed by these attacks include:
- Utilizing a zero-day exploit to write files without authorization to firewall disks;
- Maintaining Super Administrator privileges within the firewall;
- Redirecting traffic to enable connections to persistent backdoors;
- Establishing persistence on the devices through a custom API endpoint;
- Modifying firmware boot files to disable OpenSSL 1.1.0 digital signature verification of system files.
A theory put forward by some cybersecurity experts is that the group has chosen to attack firewalls, an integral component of traditional cybersecurity defenses, due to the increased effectiveness of endpoint security solutions. This highlights the fact that providing robust cybersecurity must involve telemetry from endpoints and traditional infrastructure components. A one-dimensional approach is insufficient to address today’s sophisticated threat actors.
XDR helps address the need to analyze additional data by the consolidation and prioritization of collected telemetry. This enhances the productivity of SecOps teams by eliminating the need to monitor multiple cybersecurity solutions.
How Samurai XDR leverages Comprehensive Telemetry
Samurai XDR ensures the ability to use comprehensive telemetry by incorporating integrations that provide a more complete picture of the threat environment. Supported integrations are available to seamlessly ingest telemetry from a wide range of industry-leading sources such as Cisco, Fortinet, and Microsoft. This also means that all security alerting is brought together in one location, removing the need for “swivel-chair management” of multiple alert views.
Samurai XDR also enables additional telemetry to be collected and ingested into its data lake as generic log sources that can be used for threat hunting via the platform’s advanced query feature. The advanced AI and ML capabilities of Samurai XDR make productive use of all available sources of telemetry to detect threats to the IT environment.
Get in touch with the security experts at Samurai and learn how you can enhance your organization’s cybersecurity with the addition of this valuable XDR solution.