Why the Cybersecurity Industry Is Moving From EDR to XDR: Cynet360

Helping companies detect and remediate cybersecurity threats and vulnerabilities in real-time before they escalate into cybersecurity incidents that cause downtime, financial loss, and brand reputation damage.

Real-time cybersecurity solutions designed for your budget to help you build a cybersecurity culture and protect your assets. ChatFortress helps companies to detect and respond to cybersecurity threats in real-time by providing managed security solutions to protect, detect, and respond to cyber threats.

Providing Cybersecurity external vulnerability assessments, email security services, and endpoint monitoring solutions, cyber threat hunting, threat remediation, and security consulting services.

https://chatfortress.com/lp/threatfortress/ - Detect and Respond to cyber threats faster with our Autonomous End-point Breach Protection. Let our team monitor and detect cybersecurity threats against your network, users, files and hosts 24/7 via our ThreatFortress Cynet360 XDR and Response Automation platform.

https://chatfortress.com/lp/s-lp-10awareclaim/ - Claim $300 worth of Cybersecurity Awareness Training videos for FREE!

https://chatfortress.com/ for more information about ChatFortress

ChatFortress Email Guardian is the world's first automated phishing prevention, detection and response platform, combining humans and machine intelligence with machine learning to automatically analyze, detect and remove malicious emails before and after they land in the inbox, using a multi-layered and automated approach.


Alright, so everyone, I'm here with the amazing Roy. And we're going to be talking about the problem in today's market with the whole conversation around EDR versus XDR. We're gonna talk about what the hell XDR is, and why companies need to be thinking about moving into the next evolution of technology and adapting these ABA security frameworks. Because in today's market, there's a whole lot of problems. And I'm talking about today's market, which is COVID related work from home, distributed workforce. There's a massive issue that has been created because of this movement. So Roy, can you explain real quick and tell everyone who you are and why I have the privilege of talking to you.

My name is Roy, I'm the head of channel sales for Cynet, and the privilege is mine. And thanks for joining. Um, basically, that's a great question, Ben, because XDR is an extended EDR. Like every other solution in the industry, especially in security, information security, it's a chase, a never ending story of a chase. Basically, we as vendors always need to adapt ourselves to new methods of attack, to new threats, and mainly new, new ways that the bad guys, the attackers, are today managing to bypass all those security postures and layers that we're adding to the network. And since the industry is advancing all the time, EDRs, which are great solutions today, do not cut it anymore. It's easy to learn them. A medium or even basic-to-advanced hacker has knowledge today of what the basic remediations are, what the automation is and how it works, and how to bypass that and even avoid all the traps that are being set by simple EDR. Still, EDR is good. It's one of the components that is contained in an XDR, but my phone is much more.

Can I ask a quick question about what you said in today's market. So you're talking about the EDR market. How does it compare now to the work at home environment? So let's see if we can touch on that real quick. Because there's a lot of people who've just rushed into work from home and the distributed workforce, how some of the old EDR, or the older EDR technology, has not adapted to this change.

So I think the main thing that was not adapted was that the perimeter is extending to the home. We're all first, unfortunately, through this pandemic, working from home. And this requires us to work remotely on resources off the corporate network, and the network can be SaaS based, cloud based, whatever, or even on prem in your organization. And to reach those, we're using some remote VPN methods. And those have those vulnerabilities and exploits that the attackers are basically using now. And it's easier.

In addition to that, one of the biggest or easiest leakages on a network is the end user, the unaware user, his behaviors, the way he operates today. And an additional challenge: not all corporates do provide a managed device to their employees today, some of them are using personal ones. So the security posture and layers on those devices are much different than what they are on a corporate device or on a network. And of course, it's not covered with the perimeter and gateways that each organization has in its security stacks: firewalls, email gateways, proxies, threat intelligence, and many more that are highly important to him. So by doing so they do have the ability to exploit.

In addition to that, on our personal devices, we have our personal Gmail account, your accounts, whatever, we have other devices that are a little bit more open, social media, Facebook, Instagram, maybe DM messages, and by using them as well to exploit and penetrate end user devices. Once that end user is connected to the network, and still there is an attack or an exploit on that device, basically the user, by accessing a VPN or opening a network tunnel, opens the entire network door to an attacker that is already existing on a personal device by that user.

So that's a really important understanding that I don't think a lot of people affected in it, like yeah, you might be using a VPN to protect yourself and you think you're safe, but the employees are using their own personal hardware, or an employee is no longer an employee. Because of the COVID conditions, they're an independent contractor, and independent contractors or third parties don't get company hardware. So I'm accessing the corporate network through a VPN. But I'm accessing it from a machine that may have no antivirus, may have malware, I may download movies that are packed with malware or adware. I may have Chrome plugins that are doing something. I think if people actually step back for a second and understand that behavior issue of how users are using it in a totally different way. And that you cannot assume that just because they're bringing their own hardware means they're bringing protected hardware into your network. Am I understanding that correctly?

That is exactly correct. And by the way, one of the webinars we conducted, two of them this year, really shows this, and even shows exactly the ways that COVID expanded worldwide, with the attacks and threat words that we have. Part of our offering contains an MDR, 24/7 proactive MDR in SOC. And we detected various new methods of attack, and we were much busier. We saw at the beginning, at the end of February and March, a lot of attacks on Italy, Spain, and that is the exact time where COVID was really on the highest peak in Europe.

We did see at the end of April and May the highest peak in the United States, same methods of attack, most of them attacking, and even those VPNs had some vulnerabilities and exploits and not all of them were hardened. And by doing so, those attackers were using those security gaps to penetrate even VPN. And by using those, end users that are working from a personal or remote device from their home.

Yeah, and the solutions we're talking about aren't just a large company problem. Even if this is a small company, 20 employees, 50 employees, this is a problem that's applicable to absolutely everybody because of how all companies are now working and evolving with their technologies. 

So what would be one of the other use cases for the need to change or upgrade the EDR to the XDR solution. So what would be one of the other use cases you've noticed?

One of the other use cases would be the way that attackers are operating today, and even the flow of the attack, the flow of the attack has an entire flow. So there's great engines that most of the vendors contain, can be a next gen AV, which is awesome, but it's signature based and today to learn and bypass such an AV doesn't require an advanced attacker. Can be an EDR, as mentioned before, which are also great, we have our MDR, next gen AV as well. But to bypass that, a little bit more advanced attacker can learn how the EDR operates, automatically has those remediations according to some cases, and learning about a vendor, it's very easy for an attacker, they can implement or reach out.

In addition to that, we're seeing today that a lot of the AI, UBA or UEBA, user behavior analysis or user entity behavior analysis, is becoming much more of a challenge. So also out of the ordinary behaviors can be by an end user, for example, accessing on a Sunday morning, or trying to access from a given location that is not part of the company's policy, or even all those are out of the ordinary behavior.

Even Ben is reaching an application on a cloud environment that he didn't reach in the last three or four months. This is something suspicious, a little bit. That can be, in some cases, an attacker in disguise. Entity behavior analysis, now this is a much bigger challenge. Because entities usually can be an application or a source, a process that is running through the network, between different segments or VLANs, trying to reach out of an IP and a firewall that is not configured, and all those out of the ordinary, in 90, 95% of the cases, this really indicates an attacker that is behaving.

In addition to that, all methods and all attacks today never stop at files or hosts, which most EDRs cover. They're expanding to the user level, and especially the network level, those methods: lateral movement, DNS tunneling, which consists of port scanning, and many more. So the attack needs to be detected on the network level as well.

In addition to the user, or files, or the host, which most next gen AV and EDR do cover today and do it very well. So to stay under the radar on network traffic really requires a very advanced or sophisticated attacker. And in addition to that, you'll see XDR today providing some capabilities to deceive, those honeypot technologies. One of the main challenges in the industry, still before COVID and especially through COVID, is those ransomware and advanced malware, those types of methods that operate very fast and do create damage, can encrypt files or resources on the network. Those traps, those decoys, basically are a great method to avoid them, basically putting someone on a honeypot, and enabling, of course, us to reach them.

So one of the things you're saying is that most people need to be aware that these attacks are evolving, and the attacks are becoming fluid and adaptive. They're not static. So if I'm just thinking, hey, I've got a security staff, I've got a firewall and I might have antivirus and I've got some type of maybe basic endpoint, it doesn't mean you're actually protected from today's real world threats, because the attackers are learning, and they've learnt all throughout COVID. Is that correct? Is that what you're saying?


COVID the logic works. And basically, the bad guys do try to exploit any vulnerabilities they can. And in addition to that, we see that even their attack methods are expanding by using various tools altogether, combined by the attacker, and not only one method, or combining a couple of them, trying basically to confuse those security posture layers that there are on the network or on the endpoint. So the attacker becomes more sophisticated, we need to be more sophisticated than he is.

So does the XDR solution that we're talking about, which is Cynet obviously, help understand the attack timeline? Because with a lot of these attack timelines, they're just not like a today attack happening today, right? Like, there could have been activity or domain activity over a month, or an extended period of time, over multiple devices. Does XDR help understand the full context, because it's starting at the antivirus level?

Yeah, so of course, XDR contains an antivirus level as well. But that is a great question, Ben. Because if you look today, I mentioned all those layers: next gen AV, EDR, UEBA, network traffic analytics, deception. The differentiator of a true XDR, and what we do at Cynet, is that all those engines in real time sync, correlate or talk to each other. So of course, it's not only one layer after another added by steps, detecting or trying to understand what exactly is going on by the attacker's method or activity. It is basically real time SIEM capabilities of correlation from what the agent detects, those file activities, process activities, memory activities, network activities, user activities, processes, but all those engines in real time have the ability to define. So the real power is over time.

Yeah, so the real power is coming from, you know, not duct taping multiple independent solutions together, but actually starting to bring them together in a seamless solution, where the data can be understood, and understood how it's connected, rather than missing these vulnerabilities in a system. Is that correct?

That is exactly correct. And even taking a very simple example for that, take for example PowerShell, which a PowerShell can be a legitimate good operation, or PowerShell can be a bad one or manipulation of an attacker. How do you define exactly if a PowerShell is a legitimate good one or not? Those AI and UEBA capabilities, basically understanding who, what, where, when and how. And by syncing all those engines together, you really understand if that activity is the jet engine network, or is it a real, true legitimate event or threat on the network, okay. And that is, today we're hearing a lot of EDRs having those various false positives due to the lack of source, AI and UEBA capabilities and really understanding what is going on.

So it's the contextual relevance of the data that the XDR provides that actually makes it even more powerful than just having all these duct taped solutions together, which don't talk to each other and that creates sometimes bigger problems. So,

yeah, that is correct. But in addition to that, what we are doing at Cynet is adding to that one of the most valuable offerings, a 24/7 proactive MDR service. So with all due respect, and we are highly proud of a lot of automation that is built in, and you must have automation because today ransomware, or Transformers, do operate very fast and won't give you the time of day to verify, check it and then remediate or create any action. You need to be even faster than the attacker and have that automation, but still human intervention is required in some cases.

Therefore, having SOC and proactive MDR with 24/7 eyes on the glass is something that is highly important for any organization, especially, not only, if that activity can be done by an employee that is working from home now due to COVID. So he does operate and there are challenges, we all have marriage, kids, whatever, or with our family and through home. Sometimes we do adjust different hours and we need to be a little bit different. So therefore 24/7, around the sun, around the clock, there is a human intervention and something that assists.

One of the values is gone. bitzer isn't event automatically the system will create any remediation. But still, there will be an intervention by our experts, who include malware researchers, reverse engineers, ethical hackers, incident response security experts that will guide, assist, and basically won't leave you. And this is the main offering that ChatFortress and Cynet together are providing to their clients.

So really providing the client with that full end to end support, 24 hour protection. So it's not just another system that's giving you an alert storm, alert after alert, often where you then have to investigate. But you actually get the summary of, hey, this alert happened. But here is how it was investigated. And here's the next step recommendations of what you need to do to prevent this in future, protect yourself. And so you're not spending hours or just wasting time and resources trying to work out what the hell is this alert? Because what we're seeing is a lot of companies are like, yes, they have these systems, but nobody's monitoring, they literally give up on the alert processing. And therefore it gets to the point that if the system's not remediating the threat, kind of what's the point of popping the alert in the first place?

Yes, and in addition to that, not all organizations today do have the expertise and the update, day to day, hour to hour, minute to minute, on all those new factors and threats of attacks. This is our business, this is what we do, we're focused on it. So that assistance can be even adding to what you mentioned, in some cases, there is a requirement for a full IR report or a full attack report, which is part of the services provided by us as well.

So and one of the things, like I was just talking to a company, they're a law firm, and their written protocol for if somebody clicks on a malicious email link, their written protocol is to shut down the computer and then to call the IT guy to literally come and remediate that threat. And I said, so how often does this happen? Well, most employees don't like to actually shut down and lose hours of productivity. So we've found that they aren't doing it as much as they should be. Because we all know we all get phished, we will click on an email, this is what this stuff gets designed for. And when I showed them how our system can actually be protecting them 24/7, so even if they clicked on that link, the system will kick in and start to protect them before the bad stuff happens. Because we know users are going to get manipulated.

These criminals are manipulating users. Can you talk to people a little bit more about the competitive advantage of some of the user intelligence and maybe some of the case studies that you have available for these use cases?

Yeah, there's many of them. And one of the things that we have to solve, we have three main features that are highly important to solve those. And I'll touch base on that and give some examples. So you mentioned even law firms, which is great. They're using a lot of files, sometimes they contain a lot of sensitive data. So even the next year, some must have some file monitoring capabilities. For example, defining a policy on a file that every access now to this file, trying to edit it, delete it, move it, change its content, if it's not an authorized and authenticated user, we need to operate very fast, can be killing a process, blocking it, modifying it, alerting on it, and many others.

So most clients have that already defined with the rules that you mentioned, that they do internally by Active Directory or other third party tools. But to be honest, they don't maintain it, because at the end of the day, it does shut down operation and efficiency of the employees.

Therefore, such solutions and capabilities are highly important. It provides the ability not only to have that monitored and enforced. But in addition to that, if there is a requirement of tools, we added the ability to customize and create a playbook according to a different need or scenario. And each client, let's be honest, is different from the other in their business ways or aspects or needs or requirements, the ways your users operate, and especially how the users are now operating remotely as well. So we do need to adjust that. Yeah, that configuration in less than 30 seconds is something extremely valuable.

And it's really that unique fluidity to be able to evolve a system to keep up with today's changing market. Because let's face it, a lot of businesses are adapting and changing quickly. So I read a new study just the other day that most companies have now 16 more cloud based systems than they had when they started pre COVID. So it's kind of changed the way we're operating, and so our security protocols need to adapt and move with this. So what would be one of the other main use cases you'd see for people who have HIPAA compliance? If we talk about compliance standards and compliance requirements, because there's a lot of people worried about the HIPAA side, what would you suggest or recommend?

So first of all, an XDR, one of the major advantages is having those best practices already predefined that are compliant, can be to HIPAA, PCI, GDPR, and many more that we're facing today. And it has to be we'll have it in addition to that, you do have, you must have an easy ability to customize and change that accordingly, or if not protected in an automation way.

For example, for such cases, we have a full incident view, which is an autonomous responder. Basically, this is a full automation of the system that, if you even configured the compliance or not, does understand with all the engines how a process running on the network is legitimate or not, and where it's expanding. And can even not only check if this threat is now existing on one device, but really scans the entire network, as you mentioned, cloud environments, virtual private clouds today, data centers, or even on prem or home, as well. And we need automatically to cover that for an organization today that their employees are working from home, to have a scan and know exactly on each employee's home personal device if this same threat that I detected in one place exists in the other. It is a challenge that is time consuming, and basically can create a shutdown on the network until you really define, to have pure forensics, understanding an activity and what's going on.

So a lot of companies haven't realized or haven't really come to the full grasp yet that their distributed workers have created multiple new security environments, because you might be unaware that somebody in their house has a server plugged in. So for example, one of your employees may be a tech hobbyist. So they've got some servers, they got some interesting stuff that other employees don't, right, because everyone's got family members, and most people are into technology. And these environments can be all different. And as you just mentioned, how you scan everybody's home environment to see if somebody may be bringing in more threats than the others. And this is where our solution can help assist with that, right?

Not only that, that is it. That is exactly correct. But I'll take even myself as an example, that I have my two kids, but we're all on the same Wi-Fi network, the same company today as the same family. And my kids, let's be honest, on their devices not really secured, accessing some websites that I do believe are easily targeted by attackers, so they can penetrate through using more open social media. And we are zero less aware. We have those devices, those Alexa or Apple Play and many more that are open. So by connecting our entire home network to our corporate network, due to the fact that we were the first workforce working from home, opens another threat that we need to address, understand, and of course, protect.

Exactly, exactly. So were there some parts of the system you wanted to demo and show to people, as some of the real insight, and now it's going to be a deep dive. So if people want a deep dive, they can use one of the links below to schedule a time with us. And we'll actually walk them through why this solution can give them a competitive advantage. But I know Roy was going to do a quick overview on some of the features to explain why this solution has been selected. Because it was one of the top EDRs by godda. Recently, there's some wonderful reviews on the system and awards being allocated, but I just wanted to break down why this EDR wasn't created, oh, this XDR wasn't created in the last 12 months, right? The company's been around for what, seven plus years, is it?

We're six years on the road nearly? Yeah, we're a company that was spun out of the company that is called BugSec, the biggest defensive security company coming out of Israel. And by the way, another company in the group, highly known in the US market, is Cymulate, which is a breach and attack simulation platform. All three companies are by the same co-founder and owner. And of course on the same floor here, each management and development team. One of the biggest advantages we have is all three companies' threat intelligence is embedded in each of everyone's endpoints. And each company does have its own malware research department and dark web, which gives us a huge advantage over all of our competition, in addition to our own threat intelligence, as well. So now we're nearly six years on the road running.

I think it may be that it may be the first time people are actually hearing about this company or this product, but there's actually a massive backing behind these products, massive threat research, and there's some really amazing talent, and that's what's giving the Cynet product suite a competitive advantage in the market, and it's really making a lot of MSPs extremely happy with how we're reducing their workload. Because if you look at our web offering, the solution to MSPs, we're reducing your back end workload. So you can grow your business and scale your business without getting stuck managing client endpoints, dealing with a lot of the stuff that prevents growth of your business. So, Roy, I'll let you share the screen and tell us some stories with some of the exciting stuff.

Great, will do. So basically, what we're seeing here, domain radar, is the main dashboard screen. One of the main differentiators that we're providing is building a fully multi-tenancy environment. So even for partners, as you mentioned, or clients have that, in some cases we do have a need for clients that are larger, distributed, to have that multi tenancy and different policies, environments, or management and privilege rights to regions, departments as well. And the radar, as you can see over here, really indicates that we're scanning the clients that work 24/7, divided by our four fundamental pillars, which is another differentiator that we didn't even have the time to touch base on. EDRs today are great for files and hosts. But we cover the file pillar, the user pillar, the host and the network, which is extremely valuable, and today is a must, especially looking at how the methods of attackers are today in 2020. And of course, 2021 will be more challenging, and we're already done and ready to address them as well.

You'll see that we provide a score to everything and make the end user life very simple. Basically attaching a score to a color that will define the type and severity of the alert. And everything in our system is clickable. So when you click on an alert, you can be easily navigated to it. 

In addition to this dashboard, there's a lot to cover. And as you mentioned, we'll be more than happy to drill down to a deeper demo. And feel free to reach out to Ben with the links below. We even created that as a fully multi tenancy platform designed from day one for our service providers and our clients as well. With the ability to see all clients' alerts in real time in a single dashboard, with zero alerts and emergency access by the recent to the latest, providing each client's name over here as well as the ability to have a pop up window without the need to navigate.

From this dashboard, with all the details about what happened on the alerts, easily clickable and getting more and more and more details. Even the automation of creating a hash as our signature for future reference, if there is now something new we detected, fully automated with us, the ability from each alert to have various options of remediation: whitelisting, analysis, sending to sandbox, engaging with our SOC, verifying files, built in remediation actions, very rich, enabling them for file, for user, for host, which we are the most advanced in the industry providing various options of remediation. But without even the ability of fully configured automation with us, Cynet will still provide us the ability to have a built in auto playbook in a click of a button, performed by you, which is already predefined, can be for ransomware, installation, command, persistence, USB and many, many more.

As mentioned before, it's the ability to create, in less than 250 seconds, your own tailor made playbook, as easily done on each alert. So you can even define that specifically to that alert. And of course, having the ability to go on a full automation, and that is the best value, by having a full incident view. An incident view is something very simple, really giving you a full understanding, even if you're not a high techie or an IR guy, of exactly what the attack is, the flow of what was performed, but you have a full coverage of automation. And the incident view really shows us a full description of what happened, the impact to the network, root cause, if there are further actions needed, a summary, remediation, as well as the autonomous responder, which is something highly valuable, containing three automatic steps: investigation steps, a finding step and remediation.

So for example, what we're showing over here is that an end user got a Chrome update pop up and double clicked on it. And of course, we easily defined, by the combination of all engines, that it's not a real Chrome update, a living off the land binary. All the flow below is automatically performed by us, checking exactly if this malware executed, if there is any network activity and traffic, if any type of method was exploited. And once we detected that, we automatically scan the entire client's network, doesn't matter if it's on prem, data center, cloud, to see if it exists on additional servers, hosts or endpoints, and easily detect and define where they are, and can navigate in a click of a button to each and every one of them.

A summary of the findings, fully automated, and of course once we define that, fully automated remediation. For example, in this case, termination and deletion of those tasks and processes, not only on the first device detected 205. And all this process over here was fully revealed, resolved, and remediated, in this case in one minute and six seconds, which is extremely fast for this flow.

In addition to that, we provide a lot of deep forensics understanding. Seeing exactly, for example, on the demo we showed over here of the Chrome executable, a full timeline of the flow of the attack from the moment we detected it until now, everything clickable, seeing the file, users, network segments that were part of it, seeing the exploited host that was now under any security threat, understanding which files are connected to it, because it can all be related users, and can be remote ones working from home as well, as mentioned, networks. But most important, having all our engines together, syncing, correlating in real time, to define the types, the severity level, attach a score, and by that it can be fully automated.

In addition to that, one of the main differentiators we're bringing to the market is all those decoys. And a simple example for that is when you're looking at your network, and having for example a domain controller, what we did and added is also small decoys, adding more and more fake traps of domain controllers. Or as you can see below, those fakes and traps of hosts, files, users, networks, for example, can be a file that is named password, or an Excel file that is called a credit card list.

A username CFO, many of those that are really for ransomware and attackers are those traps that enable, and you mentioned the ability or the request to have those predefined playbooks, or to adjust according to each of our requests. For example, the law firm you mentioned, so easily you can look at a playbook that is already configured, for example for ransomware, and see that Cynet provides the first step as a quarantine, after that isolating, showing isolated status, and then disabling the user. Not enough and need more to tailor made according to that client's need or request? It's as simple as dragging and dropping everything. But you mentioned even the need today to work on remote resources, applications, or having users working from home, with other network connections. You can even define and get alerts on Windows patches, or define those black and white lists of applications allowed to be used by the user. And there's various of them built in already in the system, just click on them. And choose, as easy as that, just double click, choose and save, and have those white and blacklists, even define an application patch validation, see that you're really updated and no security vulnerabilities or threats on all versions already existing in your network are being an opening for an attacker to access, or define the agent validation as well. And many baselines in addition to that.

It's highly important to provide a report from the system, having vulnerability assessment reports, threat reports and inventory reports. And many more that can always automatically be delivered by email, showing you and your company security team and executives exactly what is happening on the system in real time. And of course, there is by far much more and more. And I would highly recommend you reaching out or clicking on the link below that Ben just configured for monitoring, understanding events, creating remediation, detection abilities, and much more.

So this is really, we're not talking about just a basic solution. This is a do it yourself solution that we are providing you, a fully monitored solution that's fully responsive, you're never going to be held alone or worried about what to do next, because you've got multiple teams here supporting you to be successful in your cybersecurity practices. So I'd highly recommend, if you want more information, click on the links below. Come find out more, and come in and find out how we can provide you with up to a $10,000 cybersecurity business grant to get access to this technology and help you grow your MSP unlike anyone else in the market.

So if you're really interested, click the link below. But thanks to Roy for taking a few minutes to answer a few questions that we found a lot of people are talking about in the industry today. And I think if people were really paying attention, they would have got some great value from this session. And I'm sure there's going to be a lot more in the future. But thanks, Roy,

Thank you very much, it was a pleasure. Thank you Ben. Bye bye.


ChatFortress LLC

Contact Us:

Call USA: +1-307-999-7755

Call Canada: +1-778-400-7727

Call AUS: +02-8007-5410

[email protected]

