Pratum Blog

Man in front of XDR platform overlaid with Managed XDR

Extended detection and response (XDR) has become one of the hottest cybersecurity trends. XDR platforms offer impressive capabilities out of the box with their combination of SIEM, endpoint protection and other tools. But managed XDR services are critical to helping these tools reach their full potential.

XDR platforms offer three key advantages:

1. Active monitoring of your entire technology stack (including the cloud).
2. Real-time threat hunting and mitigation.
3. A well-integrated security stack built on a single vendor’s tools (Microsoft, in Pratum’s case).

XDR also gets a lot of attention as the next evolution in managed endpoint protection based on its ability to improve continually through machine learning. But XDR typically reaches its full potential only in a managed XDR setting. XDR needs Security Operations Center (SOC) professionals tuning the SIEM, endpoint protection and other tools in response to ever-changing environments, emerging best practices and the latest threat-defense strategies. You could think of XDR like a race car. It’s fast with anyone at the wheel, but it takes a professional driver to truly tap into the car’s capabilities. In this post, we look at how managed XDR constantly improves threat hunting on its own and how analysts tune the solutions for specific environments.

(Read this blog for an overview of XDR’s key components and advantages.)

Learning in Real Time

As XDR’s threat detection monitors all corners of your data environment with SIEM, endpoint protection, etc., it continually builds profiles of the attack vectors you face. In other words, every attack on your system literally makes it stronger as the XDR solution builds a database of actions designed to see and stop similar attacks in the future. While some of these profiles come built into the solution, a managed XDR provider can tune and create custom learning models specific to your business, data and network.

But your XDR solution’s ongoing education isn’t confined to what’s happening in your environment alone. Top managed XDR providers continually analyze security events worldwide and incorporate the insights into your system’s performance. For example, Microsoft reports that it analyzed 1 trillion security events in 2020, up from 300 billion in 2019. Every one of those events rolls up into the XDR’s machine learning, giving it something like the institutional wisdom of an intelligence agent who can personally watch and learn from every crime scene worldwide for years on end. SOC analysts can also build on this intelligence by correlating threat actors that are performing suspicious activity and reconnaissance against your organization’s systems and employees.

A managed XDR provider like Pratum also strengthens your XDR system based on situations we’ve seen throughout our client base and through our years of customizing rules for SIEM situations. We leverage every lesson learned across all the systems we manage, giving each client a best-in-class XDR installation, regardless of their organization’s size.

Tuned by Human Experts

Many XDR vendors promote their solution’s productivity right out of the box. At Pratum, we agree that XDR can immediately provide a marked step up from a traditional security stack as it extends threat detection and automated response into every area of your technology system and helps tools such as your SIEM and endpoint protection talk to each other. But a lot of XDR marketing understates the significant advantages you can gain from human experts tuning the solution. Pratum’s SOC analysts sit between the automated alerts and the customer, reviewing and responding to incidents. A SOC analyst provides a determination and recommendation for each alert, and they can answer client questions or provide additional context when needed.

It doesn’t matter how sophisticated the technology is if you aren’t monitoring the correct devices or logging the necessary event data. Pratum’s managed services help clients ensure that their system is monitoring the right devices and delivering the right data so that machine learning and artificial intelligence can effectively do their jobs.

Pratum clients consistently find that retaining a cybersecurity firm for their managed XDR platform easily pays for itself in increased efficiency and security. Remember that it costs just as much to license a poorly tuned XDR as a finely tuned system. So it makes sense to invest an incremental amount on management to significantly increase your platform’s effectiveness.

Start With Proper Provisioning

Managed XDR pays off on Day One of provisioning as your organization decides what data to capture. If your configurations send the wrong event information to the system, even the best rules for reviewing login attempts, for example, never get to do their job. Mediocre provisioning is like hiring a 24/7 security team but installing security cameras that can’t see anything at night.

Without the support of a managed XDR provider, many IT teams get only halfway there with XDR provisioning. For example, our analysts frequently see systems configured to report only the traffic that gets through the firewall. If the firewall blocked an activity, you don’t need to worry about it, right? But XDR systems also need to see failed activity in order to get the full story and identify unsuccessful attempts.

Similarly, we’ve seen IT teams set up monitoring only for failed login attempts. Successful attempts must be legitimate and above review, right? But even successful, legitimate login attempts educate your XDR as it builds a picture of the baseline information that typifies a legitimate login. XDR systems can learn, but only if you’re giving them the necessary data. Think about your own daily routine during the week. You leave home at roughly the same time, take the same route to work, etc. Even if someone was able to steal your car, go to your house and use your garage door opener, they would still be tripping several alarms in XDR’s world by coming home at an unusual time of day, etc.

Get The Rules Right

With XDR, as with any automated system, humans must continually recalibrate the automatic responses. On the outside, attackers continually devise new tricks. On the inside, an IT team constantly adds and removes devices, services, users and more. Software and firmware get upgrades. As all of those elements change your system, a SOC team ensures that your XDR adjusts properly.

For example, an off-the-shelf XDR system might spot someone trying to log in with an employee’s credentials from a new geographic location. If XDR deems the login suspicious and shuts it down, it may be locking out an employee trying to check in from the road. Once analysts know the situation, they could create a specific rule that lets the employee log in from that location going forward. But how would you write such rules for hundreds of employees who don’t notify IT every time they take a trip? Realistically, most IT departments would just start ignoring those alerts after a few of them turn out to be traveling employees. Alert fatigue has done its work.

Managed XDR analysts can do better. They could program rules that ask questions such as: How often has this employee logged in from different locations in the last six months? How many of those logins came from outside the U.S.? Is this attempt using that user’s normal web browser? Instant answers to those questions can help the system decide whether to shut down the attempt. Most XDR systems have these capabilities, but it takes a managed XDR provider watching industry-wide trends to truly tune the tools effectively.
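The questions above, turned into a baseline-aware login rule, as an added Python example that also illustrates the provisioning point made earlier: the baseline is built from successful logins, so a system that logs only failures has nothing to compare against. This is illustrative code written for this post, not Pratum’s or Microsoft’s rule logic; the user names, login history, look-back window, scoring weights and thresholds are all constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample history of SUCCESSFUL logins as
# (user, timestamp, country, city, browser). Successes define a user's
# normal pattern, which is why logging only failures starves the baseline.
HISTORY = [
    ("alice", "2020-06-01T09:02:00", "US", "Omaha", "Edge"),  # outside window
    ("alice", "2021-01-04T08:55:00", "US", "Des Moines", "Edge"),
    ("alice", "2021-01-11T07:40:00", "US", "Chicago", "Edge"),
    ("alice", "2021-01-19T12:15:00", "US", "Denver", "Edge"),
    ("alice", "2021-01-27T08:50:00", "US", "Des Moines", "Edge"),
    ("alice", "2021-02-03T16:05:00", "US", "Dallas", "Edge"),
    ("bob", "2021-01-05T08:58:00", "US", "Des Moines", "Chrome"),
    ("bob", "2021-01-12T09:01:00", "US", "Des Moines", "Chrome"),
    ("bob", "2021-02-02T08:57:00", "US", "Des Moines", "Chrome"),
]
NOW = datetime.fromisoformat("2021-02-15T10:00:00")  # constructed "current time"


def user_baseline(history, user, now=NOW, window_days=180):
    """Summarise a user's successful logins over the look-back window."""
    cutoff = now - timedelta(days=window_days)
    recent = [e for e in history
              if e[0] == user and datetime.fromisoformat(e[1]) >= cutoff]
    return {
        "total": len(recent),
        "locations": Counter((e[2], e[3]) for e in recent),
        "countries": Counter(e[2] for e in recent),
        "browsers": Counter(e[4] for e in recent),
    }


def evaluate_login(history, attempt, now=NOW, home_country="US"):
    """Score a login attempt against the user's baseline.

    Returns (decision, reasons) with decision in {"allow", "review", "block"}.
    Weights and thresholds are illustrative; a SOC tunes them per environment.
    """
    user, _ts, country, city, browser = attempt
    base = user_baseline(history, user, now)
    if base["total"] == 0:
        return "review", ["no baseline for this user in the window"]
    score, reasons = 0, []
    if base["locations"][(country, city)] == 0:
        # A new city is expected for a frequent traveller, odd for a homebody.
        if len(base["locations"]) >= 4:
            score += 1
            reasons.append("new location, but user travels often")
        else:
            score += 2
            reasons.append("new location for a user who rarely travels")
    if country != home_country and base["countries"][country] == 0:
        score += 2
        reasons.append(f"first login from outside {home_country} ({country})")
    if base["browsers"][browser] == 0:
        score += 2
        reasons.append(f"unfamiliar browser: {browser}")
    decision = "block" if score >= 4 else "review" if score >= 2 else "allow"
    return decision, reasons
```

Calling `evaluate_login(HISTORY, ("bob", "2021-02-15T03:12:00", "RO", "Bucharest", "Firefox"))` returns a block decision with three reasons, while the same new-city check on a frequent traveller such as alice only adds one point and is allowed.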

Leveraging Data for Constant Improvement

Managed XDR also constantly measures how well your security stack is functioning. For example, Pratum’s device assessments typically find that the antivirus software on many endpoint devices hasn’t been updated since it was installed or that security tools are misconfigured. XDR can provide visibility to the business based on these security layers and report back how vulnerable the devices are and how much exposure the organization faces as a result. Similarly, XDR can look at how many attempts your firewall is blocking every day, confirming whether it’s doing its job. When aggregated, these metrics provide the business accurate information about its top risks and ways to improve.

That kind of insight becomes especially powerful when combined with a consultant’s expertise. Working together, XDR and a consultant provide a full picture of the people, processes and technology (the PPT fundamentals of information security) that make up your organization’s security. While the consultant is assessing the people and processes, managed XDR reviews the technology. With consultants and your SOC working hand-in-hand, you can eliminate gaps that commonly sabotage security stacks.

We’re ready to help you review how managed XDR could make your security stack more efficient. Contact us for a free consultation.

XDR: Extended Detection and Response text over mesh background

One of this year’s biggest cybersecurity trends promises help for IT professionals drowning in messages pouring in from every corner of their technology stack. If that sounds familiar, it’s worth taking a few minutes to learn what Extended Detection and Response (XDR) solutions can do. These platforms recognize that gathering more data isn’t the solution. The real challenge is collecting the right data from every corner of your technology ecosystem and coordinating an effective response in real time.

XDR expands on the capabilities of traditional Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) tools. While those resources undoubtedly made organizations more secure, they can leave a lot of gaps, especially in settings without dedicated security experts managing the tools. With all the diverse layers in most security stacks and the dramatic rise in employees working from home, it’s time for a leap forward. That has driven the development of XDR, which encompasses SIEM, next-generation endpoint protection and threat hunting.

Three computer screens with various XDR dashboards

XDR solutions provide a more complete view of activities across your entire data estate and take proactive action against hackers. XDR can:

  • Monitor and protect data across endpoints and core infrastructure
  • Extend protection into the cloud
  • Provide a single monitoring environment
  • Consolidate log/event management
  • Constantly incorporate cybersecurity best practices from incidents happening around the globe

XDR systems automate much of the monitoring and response, thanks to artificial intelligence and machine learning. With a cybersecurity consultant fine-tuning the system, XDR solutions continually spot emerging threats unique to your environment and stop them in their tracks. In this blog, we’ll summarize how XDR platforms work. And in the next post, we’ll share examples of how a well-tuned XDR system gets more effective every week thanks to customized provisioning, playbooks and more.

Why Your Security Stack Could Be Better

You’re probably wrestling with a security stack that consists of multiple tools for endpoint protection, SIEM, antivirus and more. Those tools most likely come from a variety of vendors and stretch across on-prem, cloud, and remote work environments. With alerts popping up each day on multiple dashboards, your security stack tends to feel less like a well-oiled defensive machine than a loose coalition of militias spread across your frontier. It’s hard to tell when two alerts coming from different corners of your environment are actually part of a single, larger event. All that distraction from false positives and alert fatigue leaves bad guys a lot of defensive gaps to sneak through and a lot of network chatter to hide in.

Larger cybersecurity trends only amplified the challenge in 2020 as most organizations saw their workforce scatter across a wide range of personal devices and unknown networks. In most organizations, it’s time for a solution that pulls all of it together.

How XDR Improves Endpoint Protection

XDR’s basic value proposition is monitoring the full extent of your technology ecosystem, turning daily noise into a meaningful signal and into actions that actively stop threats. In a simple example, XDR will notice a correlation between something happening on one of your firewalls, something happening on one of your endpoints and an activity in the cloud. Before XDR, those may have simply shown up as multiple alerts on multiple dashboards. XDR connects the dots and surfaces a meaningful alert. In one recent test, for example, Microsoft’s XDR solution used its machine learning tools to reduce 1,000 alerts down to 40 high-priority incidents. Default rules associated with traditional SIEM solutions typically don’t provide enough customization or sophistication to protect businesses like that. Several factors can cause this, but the problem usually involves too many alerts that turn into false positives and lead to alert fatigue.

An XDR solution offers not only advanced threat detection, but the ability to stop threats, even if it’s an attack no one has ever seen. With a traditional SIEM/SOC setup that lacks properly tuned automation rules, alerts travel to an incident responder, who must determine whether the activity represents a threat. If they decide it’s a bona fide security event, they then must identify the action to take and then manually deploy the proper remediation. In an XDR environment, all of that happens automatically, sometimes within milliseconds.

Screenshot of Malicious Activity Group YTTRIUM

An XDR solution typically consists of the following elements:

  • Endpoint detection and response (EDR)
  • SIEM
  • Security Orchestration, Automation and Response (SOAR) capabilities
  • Threat-hunting capabilities
  • Playbooks
  • Human analysts (whether on-prem or contracted)

XDR actively monitors traditional devices such as servers, routers, firewalls, endpoints, mobile devices and IoT devices. But it also extends to cloud computing and storage services, as well as SaaS tools such as Microsoft 365, Dropbox and more.

Threat Vulnerability Management Dashboard

When you open the XDR dashboard, you’ll see how a threat entered your system, the damage it’s trying to do and how it’s attempting to pivot among different devices. And thanks to XDR’s threat hunting and response features, it can close off attack vectors long before you review the alert or report.

As you consider the best way to protect your organization in a cost-effective way, we recommend exploring the advantages of moving to Managed XDR.

Check out this video for an overview of the Microsoft Defender platform that Pratum uses:


New Rules to Protect Critical Infrastructure text overlaid on voltage tower

Executive orders are having a moment as President Biden launched his term with a flurry of signings, many of which reversed orders signed by President Trump. Among the orders caught up in the transition is one affecting the nation’s power grid cybersecurity.

In May 2020, Trump issued Executive Order 13920 with the intent of reducing U.S. reliance on foreign components for critical infrastructure, specifically in the Bulk Power System (BPS). Details on its implementation came out in December 2020, and then Biden suspended Trump’s order in February 2021, pending further review.

Regardless of how it all shakes out, the public utility world and its supply chain should take note. The electrical supply chain will see changes from the executive orders and a recent compliance update that strengthens security requirements throughout the electrical supply chain.

This blog provides an overview of where things stand.

Threats to the Power Grid

The power grid plays an obvious role in national security. In its document summarizing Trump’s executive order, the Department of Energy (DOE) reports that “in 2018 alone, cyberattacks on supply chains increased by 78%, which is the most likely vector for adversaries targeting the grid.”

Multiple government organizations have been sounding the alarm for some time about the threat foreign adversaries pose to the United States through highly advanced cyber programs. (The Office of the Director of National Intelligence and the National Computer Security Center are among those who have voiced their concerns.) In late 2020, revelations that Russia had widely compromised United States government systems provided shocking confirmation of the threat’s reality.

Trump’s executive order addressed the fact that importing foreign components into our BPS could open a backdoor to substations, control rooms, and power generating facilities. Hackers may, for example, insert malware directly into electronic devices. They could get control of that system and potentially find a pathway into the larger grid that goes unnoticed until the damage is done. In a report explaining Trump’s executive order, the DOE points to a 2015 attack in which hackers broke into the control systems for 30 Ukrainian substations.

Implications for Power Industry Organizations

The real-world impact of Trump’s executive order became more clear in December 2020 when the Secretary of Energy (who was given authority to implement EO 13920) issued a “Prohibition Order Securing Critical Defense Facilities,” effective January 16, 2021. Biden’s suspension of the order puts many aspects of the implementation—and the future of Trump’s order as a whole—in doubt.

As of this writing in mid-February 2021, here’s what we know about the implications for anyone working within the BPS:

  • The original executive order cited potential adversaries including China, Russia, North Korea, Venezuela, Cuba and Iran. However, the Secretary of Energy’s prohibition order involved only China. In the short term, this limits the scope of components that BPS companies will have to replace or procure from other sources.
  • Biden’s suspension of EO 13920 for 90 days (that order is tucked into this larger order on climate change) means Trump’s order may never be implemented as written. But during the suspension, the DOE is asking companies to exercise caution via this language, “The Department expects that, during this 90-day review period, Responsible Utilities will refrain from installation of bulk-power system electric equipment or programmable components specified in Attachment 1 of the Prohibition Order that is subject to foreign adversaries’ ownership, control, or influence, and that Responsible Utilities will continue to work with the Department on identifying and mitigating supply chain vulnerabilities.”
  • If the DOE implements Trump’s executive order, it will probably use a phased approach in order to minimize supply chain disruptions and make compliance easier. For now, the prohibition order affects only the nation’s most essential utilities—those that supply critical defense facilities (CDF). This means that those who service CDFs with voltage of 69kV or above are banned from acquiring, importing, transferring, or installing BPS electric equipment made in China. It includes the “point of electrical interconnection with the CDF up to and including the next ‘upstream’ transmission substation.” In the months to come, companies can expect to see additional phases rolled out and a greater impact on the overall BPS.
  • Even with the limited scope described in the prohibition order, there will surely be cost increases and procurement delays this year as companies adjust to the order.
  • The Secretary of Energy will create a “prequalified” list of vendors that are authorized as safe for future transactions.
  • The DOE and other agencies will collaborate to monitor any vendor and/or equipment that has posed risks to U.S. national security and will take the appropriate actions (such as replacement) to eliminate any threats.
  • The Secretary of Energy will establish a task force that coordinates the Federal Government with private entities in the power and energy infrastructure to manage risk and implementation of the order.

As you determine how these actions impact your business, Pratum can help. Contact us to learn about how we can identify the risks in your supply chain and manage the costs of additional security measures.
