November 16, 2021 by Brian Dye
What is the XDR paradox? It’s the hottest term in security but there is no consensus yet on the right definition. Why is that? Many organizations have deployed EDR and are benefiting from it, but also looking to the gaps that EDR can’t address such as unmanaged / compromised devices or network-centric TTPs. Likewise, many vendors of EDR/SIEM products have realized they have the same general workflow (analyze data, present an alert, triage it, etc). As a result, different vendors are starting to cross-pollinate the EDR / NDR / SIEM markets, resulting in plenty of debate about what “XDR” really means and why.
Our view is simple: what matters here is the underlying data. That data dictates which TTPs can be found, which threat hunting workflows are possible and what security-adjacent use cases are supported. Among the “canonical” security data sources, network data is critical to support zero trust rollouts, threat hunting programs, SOC automation initiatives, or analytics work. Simply put, the endpoint is great for depth but needs the network for breadth: enabling cost effective visibility, broader MITRE analytics coverage and accelerating incident response for both known and unknown threats.
Our partnership with Microsoft’s new Defender for IoT offering is a proof point of both the XDR market dynamics and the power of the right data. The Defender platform already has a data lake, analytics team, and sophisticated incident response capabilities. They have extended that platform to embrace network-centric workflow and analytics. This included working with Corelight to ensure that our mutual customers can maximize the impact of the Defender platform - after all, the best data enables the best analytics!
Why Corelight then? We founded the company around Zeek®, which was already the de-facto standard for network traffic analytics. Unlike a rigid standard though, it is constantly growing and evolving - curated and used by the world’s elite defenders. Since those beginnings we invested to improve and extend the insight we provide using a combination of novel network data, behavioral analytics (ranging the spectrum from machine learning to heuristics to signatures), and integrated forensics support (such as Smart PCAP). Throughout, we have followed the design patterns of the sophisticated open source community and focused on enabling faster incident response, more successful threat hunting and broader MITRE tactic coverage.
Our focus is to ensure that defenders everywhere both have the best network INSIGHT available to help them and can ACCESS that insight in the best way possible for them. That accessibility is core to our OpenNDR strategy and our excitement about this Microsoft Defender for IoT partnership. Simply put, giving analysts access to great data in an existing platform / familiar UI results in less technology proliferation, more efficient analyst training and better automation leverage for security engineering teams. That could be through your SIEM, your MSSP or now Microsoft Defender for IoT. Because while the approach will vary, the need for great network insight is consistent - and there is no better source for that insight than Corelight.
It’s not about us … it’s about you. Happy (threat) hunting!
By Brian Dye, CEO of Corelight