XDR can be an effective tool for financial services organisations to reverse the attacker advantage and thus avoid any serious damage. Yossi Naar, Co-founder and Chief Visionary Officer, Cybereason, discusses how leading XDR solutions provide an operation-centric approach to detecting and remediating attacks by automatically hunting for specific and anomalous behaviours that other solutions miss.
Financial institutions are under a constant barrage of targeted cyberattacks from nation states, other threat groups and individual criminals. As targets, they offer the most in terms of risk, reputation and value.
But at the same time, they also represent the most heavily fortified targets out there. The financial sector, as a whole, has made significant investments into cybersecurity. Organisations in the sector are usually early adopters when it comes to the best, most effective technologies and vendors. They have been among the first to adopt endpoint detection and response (EDR), ensuring full visibility and quick response. For a hacker, taking on a financial institution is a long, serious challenge. That’s why there are very few stories about massive hacks in this industry, making it a great role model for other verticals.
Now, financial institutions are turning their attention to extended detection and response (XDR) as they look to not only secure critical customer data, but their own employees and business reputation, in an industry where trust is essential.
Dealing with the endpoint data deluge and alert fatigue
Many existing endpoint protection (EPP) tools are simply not equipped to manage today’s threat landscape. If threats emerged as single, isolated attacks on a single company device, then financial institutions would have defences in place to mitigate the attacks. Unfortunately, attacks are not being carried out in this manner. They are coordinated across user identities, devices and endpoints. As such, financial organisations need solutions that can roll with the punches, enable real-time response and, better yet, anticipate the adversary’s next move in order to prevent it.
Even if a company is using a solution designed to provide endpoint and extended network visibility, the security team is likely flooded with low-context alerts, instead of insight into important incidents.
Security tools that collect reams of endpoint data from a bank’s hundreds of thousands of servers and computers, but do not provide root cause analysis or cross-machine correlations, just create more work for security teams, not less. They simply do not provide security analysts with any context on root cause, attack scope and what to do about the alert, triggering a time-consuming process of manually querying across datasets to answer foundational questions. Alert fatigue leads to human errors and delayed responses, making it harder to spot a stealthy threat that is impersonating legitimate user or machine behaviours.
Organisations need a new approach to threat detection and response. The approach needs to understand and adapt to the modern enterprise: this includes devices, identities, network and SaaS. Enter XDR.
XDR solutions should provide security teams with not only visibility into potentially malicious activity on endpoints and throughout the network, but also deliver the most salient details on malicious activity that are correlated across all platforms, devices and users that are monitored by the solution.
The advent of XDR means security teams are not bound to protecting organisations using Indicators of Compromise (IOCs) alone. They can turn to what’s known as Indicators of Behaviour (IOBs): the more subtle chains of malicious behaviour that can reveal an attack at its earliest stages. Because IOBs describe how an attack progresses rather than a single artefact such as a file hash or IP address, they are powerful in detecting advanced campaigns, such as the recent SolarWinds attacks.
Leading XDR solutions provide an operation-centric approach to detecting and remediating attacks by automatically hunting for specific and anomalous behaviours that other solutions miss. By looking at IOBs, it’s possible not only to gain actionable visibility into an active attack chain, but also to use that same progression of threat behaviours to protect organisations against similar attacks in the future.
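To make the IOC-versus-IOB contrast concrete, here is a small added example of behaviour-chain correlation. It is illustrative code written for this article, not Cybereason’s product logic or any vendor’s API. The event schema, the behaviour labels, the chain definition and the four-hour window are all assumptions, and the events themselves are constructed: one attack progression spread across three hosts under a single identity, plus benign noise, with no known-bad hash anywhere. IOC matching finds nothing, while correlating the ordered chain of behaviours by user identity surfaces the whole operation, its root cause and the hosts it touched.

```python
"""Behaviour-chain (IOB) correlation over constructed endpoint events.

Added example for illustration only; not Cybereason code and not any
XDR product's detection logic. Schema, labels and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The j.doe events form one operation that moves
# from a workstation to a file server to a database host; a.roe is noise.
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "host": "wks-17", "user": "j.doe", "behaviour": "office_spawns_script_host"},
    {"ts": "2024-01-10T09:03:00", "host": "wks-17", "user": "j.doe", "behaviour": "credential_dump_attempt"},
    {"ts": "2024-01-10T09:40:00", "host": "fs-02",  "user": "j.doe", "behaviour": "remote_service_created"},
    {"ts": "2024-01-10T10:15:00", "host": "db-01",  "user": "j.doe", "behaviour": "scheduled_task_created"},
    {"ts": "2024-01-10T09:05:00", "host": "wks-22", "user": "a.roe", "behaviour": "office_spawns_script_host"},
    {"ts": "2024-01-10T11:00:00", "host": "wks-22", "user": "a.roe", "behaviour": "scheduled_task_created"},
]

# Placeholder IOC list (constructed value, not a real malware hash).
KNOWN_BAD_SHA256 = {"0" * 64}

# Ordered chain of behaviours that together describe one malicious operation.
# Each step is noisy on its own; the sequence, tied to one identity across
# hosts, is the Indicator of Behaviour. (Assumed chain, not a vendor rule.)
CHAIN = [
    "office_spawns_script_host",
    "credential_dump_attempt",
    "remote_service_created",
    "scheduled_task_created",
]
WINDOW = timedelta(hours=4)  # assumed: the whole chain must complete within 4h


def parse(ts):
    return datetime.fromisoformat(ts)


def ioc_hits(events, known_bad=KNOWN_BAD_SHA256):
    """Classic IOC matching: flag only events carrying a known-bad hash."""
    return [e for e in events if e.get("sha256") in known_bad]


def correlate_by_identity(events, chain=CHAIN, window=WINDOW):
    """Group events by user identity and scan each group for the chain.

    Returns one 'operation' per identity whose events contain every chain
    step in order within the window, with the root-cause event, the hosts
    touched and the matched steps, so an analyst gets scope and root cause
    in one result instead of four unrelated alerts.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    operations = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse(e["ts"]))
        matched, step = [], 0
        for e in evs:
            if step < len(chain) and e["behaviour"] == chain[step]:
                # A matching step outside the window breaks the chain.
                if matched and parse(e["ts"]) - parse(matched[0]["ts"]) > window:
                    break
                matched.append(e)
                step += 1
        if step == len(chain):
            operations.append({
                "user": user,
                "root_cause": matched[0],
                "hosts": sorted({e["host"] for e in matched}),
                "steps": [e["behaviour"] for e in matched],
            })
    return operations


if __name__ == "__main__":
    print("IOC hits:", ioc_hits(EVENTS))
    for op in correlate_by_identity(EVENTS):
        print(f"operation by {op['user']}: root cause on {op['root_cause']['host']}, "
              f"hosts {op['hosts']}, steps {op['steps']}")
```

Two points worth noting. The correlation key is the identity, not the host, which is what lets a chain that hops from `wks-17` to `fs-02` to `db-01` come out as a single operation. And the chain definition does the heavy lifting: shortening it to just the first and last behaviours would also flag `a.roe`, whose scheduled task is ordinary admin activity, so the precision of an IOB depends on how fully the progression is described.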
Conclusion
XDR is the key to eliminating obstacles for effective threat detection and response, including log management and data collection tasks, agent deployment and maintenance cycles, and complex, never-ending query building for data extraction and behavioural detections. XDR breaks through data silos and unifies device and identity context in a single, visual investigation experience.
XDR can be an effective tool for financial services organisations to reverse the attacker advantage by extending detection and response capabilities across the broader IT ecosystem that makes up modern enterprise environments. XDR allows defenders to pinpoint, understand and end malicious operations across the entire IT stack whether on premises, mobile or in the cloud.
It’s a game of cat and mouse with threat actors, with organisations always needing to stay one step ahead of threats. XDR offers an opportunity to find the needle in the haystack — the threat that could do material damage to a financial institution.