The Benefits of Cybersecurity Analytics Powered by XDR
 

Not only do today’s companies face an ever-growing volume of increasingly sophisticated cyberattacks, from botnets and credential harvesting to malware and, of course, spam. They also must confront an expanding blast radius for data breaches and other incidents as IT and security teams manage more applications, devices, and data — all of them interconnected in the name of helping employees work more efficiently. 

In this threat environment, companies can’t afford to take a reactive approach to cybersecurity risk management. The stress of responding to one incident after another contributes to burnout in cybersecurity staff while making it nearly impossible to get a step ahead of attackers.

Enter cybersecurity analytics. Mimecast partner Splunk defines cybersecurity analytics as “a proactive approach to cybersecurity that uses data collection, aggregation, and analysis capabilities to perform vital security functions that detect, analyze, and mitigate cyberthreats.” Analytics solutions aggregate data from many sources — event logs, firewalls, threat intelligence, virus scanners, user and device behavior, and so on — so companies have a single data source to work with.^[1]

Applying robust analytics to this data helps companies prioritize alerts, identify abnormal user or device behavior, and investigate how systems were compromised in past incidents to ensure that history doesn’t repeat itself. Platforms such as the Mimecast X1 Platform with a purpose-built data analytics layer help to ensure that security teams receive actionable insights and better understand the threats they face.

XDR vs. SIEM vs. SOAR 

Before diving into how cybersecurity analytics works, it’s worth understanding the current landscape of tools that analyze and respond to security threats. There are three main types of software incorporating cybersecurity analytics on the market:

• Security Information and Event Management: SIEM software logs data about security incidents. Companies may use several SIEM tools to get better visibility across their overall threat landscape. 
• Security Orchestration and Response: SOAR software automates remediation of and response to security incidents; this includes triaging more complex threats for review by security professionals.
• Extended Detection and Response: XDR software focuses on threat detection, investigation, and response, pulling and analyzing data from disparate security monitoring systems and automatically responding to threats in real time.

XDR is the newest — and arguably the most comprehensive — of these tools. It bridges the gap between SIEM and SOAR without the need for complex and costly custom integration or security analytics add-ons. In fact, Forrester has gone so far as to suggest that XDR is “on a collision course” with SIEM and SOAR — and XDR’s approach to cybersecurity analytics is a big part of the reason why.[2]

Traditional Tools Limit the Effectiveness of Cybersecurity Analytics

XDR is gaining attention because companies are finding that traditional tools fall short. Among the companies surveyed in a recent report from 451 Research, fewer than 40% said their SIEM solution collects data from at least 75% of systems that produce a log of security activity. In addition, nearly 30% said they lack the resources to investigate more than half of the alerts they receive. Critically, more than half (56%) of companies using SIEM need multiple security employees to manage and monitor alerts because SIEM tools aren’t designed for incident response.[3] 

In theory, SOAR products are designed to step in and provide automated response to the data and insight produced by an SIEM system. In practice, though, integrating the two types of solutions has proven challenging. This limits an organization’s visibility into its cybersecurity threat risk and its ability to automate threat response — which in turn limits the value and effectiveness of cybersecurity analytics.

6 Benefits of Cybersecurity Analytics Powered by XDR

XDR addresses these shortcomings by incorporating data aggregation, automation, analytics, and intelligence in a single solution. Cybersecurity analytics powered by XDR provides six major benefits: 

• Improved scale of threat response: As 451 Research puts it, XDR is a “force multiplier” for security teams. Automating event triage makes it possible to respond to more events in less time, freeing up analysts to devote more time to proactive work such as cybersecurity policy development.
• Real-time scanning: Because XDR solutions aggregate data from security monitoring tools across the company, they’re capable of continuous analysis of cybersecurity threats. This helps security teams assess threats in real time, respond effectively, and isolate affected systems to prevent an attack from spreading further. The breadth and depth of data also gives security teams insight into the full scope of an incident — information that can be used to improve incident response in the future.
• Behavior data analysis: The ability to identify abnormal behavior from users or devices is another benefit of the aggregation of data from across the organization. Behavior data analysis helps to identify insider threats: A user downloading hundreds of files at once, an account attempting to access applications outside its approved credentials, a device being redirected to a less secure network, and so on.
• Zero Trust support: In the Zero Trust security model, the identity of any user or device must be verified and authenticated before access is granted to an application or network. XDR can help companies stand up Zero Trust architecture because it enables monitoring and analysis of cybersecurity data both at and within the corporate firewall. The combination of visibility into security activity and automated responses to suspicious activity gives organizations the tools they need to support Zero Trust. 
• Toolset integration: XDR solutions, by definition, integrate data and functionality from cybersecurity toolsets that have previously been siloed. Open XDR systems go a step further, leveraging open application programming interfaces (APIs) to integrate best-of-breed systems. Organizations such as the Open Cybersecurity Schema Framework (OCSF)[4] and the XDR Alliance (of which Mimecast is a member),[5] promote XDR data-sharing standards and define workflows and best practices to improve toolset integration. 
• Threat hunting: Proactively searching for threats that typically evade SIEM or intrusion detection solutions (such as lateral movement inside the corporate firewall) helps organizations prevent attacks and improve their cybersecurity posture. However, companies with limited security resources often de-prioritize threat hunting because of the time and resources involved. Leading XDR solutions take advantage of their stream of cybersecurity analytics and insight to automate threat hunting.

The Bottom Line

The powerful cybersecurity analytics enabled by XDR can position companies to proactively monitor and automatically respond to security threats, helping them stay a step ahead of attackers while strengthening their security postures. The most effective cybersecurity analytics strategies ingest and query data representing all points of vulnerability. Find out how the Mimecast X1 Platform takes in data from email and other forms of corporate communication — the source of the vast majority of a company’s data breaches — to give security teams greater context about the threats they face and how to address them.

[1] “What Is Cybersecurity Analytics?” Splunk

[2] “Adapt Or Die: XDR Is on a Collision Course with SIEM and SOAR,” Forrester

[3] “The Rise of Extended Detection and Response,” 451 Research

[4] “Welcome to OCSF,” Open Cybersecurity Schema Framework 

[5] “The XDR Alliance,” XDR Alliance