By Samuel Jones, VP of Product Management at Stellar Cyber
A few years ago, a shift occurred in security where it became less about assessing and protecting locality and more about seeing the big picture. Like science, journalism, judicial consideration, and even witness credibility, effective security depends on your point of view. Point of view skews or informs a full and accurate understanding of what is happening, why, and whether it is significant.
Witnesses to an accident are affected by where they are at the time and how their perceptions are colored. Internal biases and past experiences play a role in the way one sees and assesses an incident, and even the bystander effect may color one’s perception by the way others respond. Memory and cognitive bias play a role. Even GPS technology requires multiple data points to determine a location accurately.
Security is highly susceptible to point-of-view factors such as depth and breadth of data, source bias, and overall context as well as historical perspective. The old individual tool approach lacks breadth and depth of data and has the inherent bias of looking at a part of infrastructure or attack surface rather than the whole. EDR, for instance, focuses on the endpoint—not the complete attack surface—even if it does try to pull in network-related data. The question of what is actually happening and where the attack is heading has a limited horizon.
As attacks are examined in hindsight and as they are viewed in updated kill chain diagrams, it is clear that most attacks today are progressive: they have a starting point, but the objective is often something else entirely. A limited perspective will not only undermine accuracy but also relevance. The result may be a never-ending wild goose chase with excessive false positives. It may be that something crucial is missed that could otherwise have provided an early indication of an attack to enable swift mitigation. In contrast, seeing the whole over the individual parts is essential to discovering today’s attacks. Uncovering east-west activities is important to establishing a context and achieving accuracy and fidelity.
The advent of Open XDR came following a realization that the old, siloed approach to security with individual tools was no longer adequate to meet modern-day attack challenges. Strategies and procedures revolved around the new approach to enable security teams to see the forest for the trees and have a far greater chance of finding an in-progress attack in its early stages. It paralleled the realization that security teams are overworked and understaffed, and that there is a growing shortage of security professionals. At the same time, security teams were asked to take on more responsibilities, including becoming enablers of digital business initiatives and partnering more closely with risk teams and risk considerations. Teams needed to be more efficient and effective.
Open XDR started with the notion that existing security tools were valuable; they only needed to share data to be centrally integrated, correlated, and examined using machine learning-based behavioral analytics. All sources of intelligence should be included without artificial limits caused by vendors that “can’t play nicely with others.” Lightweight sensors should be able to fill any gaps. The entire attack surface and infrastructure should be covered.
Today, organizations are using Open XDR to move from a model of analysts responding to individual alerts from individual tools to one of producing incidents showing proper context and having actionable information. With this approach, teams can prioritize higher-risk incidents and gain far greater ability to find and stop attacks early.
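The shift described above, from individual alerts to correlated incidents, can be illustrated with a small correlation routine. The following is an added example and is not code from the article or from Stellar Cyber; the three tool feeds (EDR, network sensor, identity provider), the field names, the 30-minute window and the risk formula are all assumptions made for the illustration. Alerts that share a host or a user within the window are stitched into one incident, and an incident seen by more independent sources is ranked higher, which is the "multiple points of view" argument expressed as a scoring rule.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample alerts from three hypothetical feeds. Field names,
# severities (1-5) and detection names are assumptions for this example.
SAMPLE_ALERTS = [
    {"source": "edr", "time": "2024-05-01T09:00:05Z", "host": "ws-042",
     "user": "alice", "severity": 4, "name": "encoded_powershell_command"},
    {"source": "ndr", "time": "2024-05-01T09:03:40Z", "host": "ws-042",
     "user": None, "severity": 3, "name": "internal_smb_scan"},
    {"source": "idp", "time": "2024-05-01T09:07:12Z", "host": None,
     "user": "alice", "severity": 2, "name": "login_from_new_device"},
    {"source": "edr", "time": "2024-05-01T13:00:00Z", "host": "ws-099",
     "user": "bob", "severity": 2, "name": "unsigned_binary_execution"},
]

# Assumed correlation window: alerts on a shared entity this close in time
# are treated as one incident rather than separate tickets.
WINDOW = timedelta(minutes=30)


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Incident:
    alerts: list = field(default_factory=list)
    hosts: set = field(default_factory=set)
    users: set = field(default_factory=set)
    last_seen: Optional[datetime] = None

    def touches(self, alert: dict) -> bool:
        # An alert joins this incident if it names a host or user already
        # in it; None values never match because they are never stored.
        return alert["host"] in self.hosts or alert["user"] in self.users

    def add(self, alert: dict) -> None:
        self.alerts.append(alert)
        if alert["host"]:
            self.hosts.add(alert["host"])
        if alert["user"]:
            self.users.add(alert["user"])
        self.last_seen = parse_time(alert["time"])

    @property
    def sources(self) -> list:
        return sorted({a["source"] for a in self.alerts})

    @property
    def risk(self) -> int:
        # Assumed scoring: the worst single severity, plus two points for
        # every additional independent source that saw the same activity.
        max_sev = max(a["severity"] for a in self.alerts)
        return min(10, max_sev + 2 * (len(self.sources) - 1))


def correlate(alerts: list, window: timedelta = WINDOW) -> list:
    """Group alerts into incidents by shared host/user within the window,
    returning incidents ordered from highest to lowest risk."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: parse_time(a["time"])):
        t = parse_time(alert["time"])
        for inc in incidents:
            if inc.touches(alert) and t - inc.last_seen <= window:
                inc.add(alert)
                break
        else:
            inc = Incident()
            inc.add(alert)
            incidents.append(inc)
    return sorted(incidents, key=lambda i: i.risk, reverse=True)


if __name__ == "__main__":
    for n, inc in enumerate(correlate(SAMPLE_ALERTS), start=1):
        print(f"incident {n}: risk={inc.risk} sources={inc.sources} "
              f"hosts={sorted(inc.hosts)} users={sorted(inc.users)}")
        for a in inc.alerts:
            print(f"    {a['time']} [{a['source']}] {a['name']}")
```

Run on the constructed input, the first three alerts chain together through the shared host (EDR to network sensor) and then the shared user (to the identity feed), producing one high-risk incident with three sources, while the unrelated afternoon alert becomes a separate low-risk incident. The chaining through two different entities is the part a single-tool view cannot do, since no one feed carries both the host and the user.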
Successful security requires multiple points of view to reveal what is really happening. Multiple inputs provide greater resolution and a more comprehensive understanding. Speed and accuracy are vital. Today, security really does depend on your point of view.
Samuel Jones is the VP of Product Management at Stellar Cyber. Sam is an experienced product development leader with a track record of building AI and security products that customers love. He has a strong background in AI/ML, data infrastructure, security, SaaS, product design, and defense. Sam has held product and engineering positions at companies including Palantir Technologies and Shield AI, and worked for the US Air Force on cyber defense strategy. Sam earned his Bachelor’s degrees in Electrical and Computer Engineering from Cornell University.