
The XDR Perspective: RSA’s View on Extended Detection and Response

Oct 28, 2020 | by Brian Robertson |

The security industry has seen a series of evolutionary eras. Since the appearance of the Morris worm, it’s been a game of cat and mouse to protect our increasingly critical digital infrastructure.

First there were signature-based antivirus solutions, evolving to perimeter-based “defense in depth” approaches. Security Information and Event Management (SIEM) solutions arrived to help organizations make sense of a cascade of alerts from disparate systems, followed by network deep packet inspection solutions that watched traffic in real time for anomalous activity. Endpoint detection and response (EDR) solutions added protection at the computer layer, and Internet of Things (IoT) monitoring systems addressed the explosion of IP-connected devices in organizations. More recently, User and Entity Behavior Analytics (UEBA) and Security Orchestration, Automation and Response (SOAR) tools added an additional layer on top to increase the effectiveness of the whole security stack.

All these innovations gave rise to the “Evolved SIEM” era of cybersecurity. This term describes a system that handles all types of information and adds Threat Detection and Response tools. As the leader in delivering evolved SIEM technology, RSA NetWitness® Platform defends against today’s most sophisticated threats and continues to adapt to emerging challenges.

Now, our industry is entering a new evolutionary era – “Extended Detection and Response,” or XDR. The basic principle of XDR is that it consolidates multiple security products into a cohesive security incident detection and response platform. So when RSA NetWitness Platform customers and prospects ask, “What is RSA’s perspective on XDR?”, the simple answer is that we know it well – we’ve been providing it for years.

How Does XDR Compare to Evolved SIEM?

As noted, XDR consolidates many security functions into a single, cohesive platform. Industry analysts list XDR’s primary requirements as:

- Centralizing normalized data
- Correlating security data and alerts into incidents
- Providing a centralized incident response capability as part of incident response procedures and security policies

RSA NetWitness Platform has been delivering on this vision for years. Evolved SIEM provides functionality that goes well beyond log-centric SIEMs, which typically have a narrow compliance focus. Traditionally, log-centric SIEMs were used as the system of record for security organizations. XDR, however, is focused on the activity of detection and response. When comparing log-centric SIEMs, XDR, and evolved SIEM, it becomes apparent that evolved SIEM brings together the best of log-centric SIEMs and XDR. The following chart shows how evolved SIEM encompasses XDR’s critical capabilities and, like log-centric SIEMs, functions as the system of record.

RSA NetWitness Platform as an XDR Solution

RSA NetWitness Platform for XDR extends detection and response capabilities to identify threats that have bypassed preventative controls, leveraging data from across the network and deep on endpoints. Real-time visibility into all internal (east-west) and internet-bound (north-south) network traffic, virtual infrastructure and cloud computing environments, and deep, process-level endpoint visibility enables RSA NetWitness Platform for XDR to detect intrusions as they are happening. This data is enhanced with UEBA that detects behavioral anomalies across the network, machines, users, and applications. Once incidents are detected, RSA NetWitness Platform for XDR uses automated response systems to prioritize and streamline how incidents are addressed and resolved, speeding investigation and avoiding impact.

The RSA NetWitness Platform technology stack illustrates a clear delineation of the ways in which it can meet requirements for XDR. RSA NetWitness Platform for XDR collects and normalizes network traffic data, endpoint data, and user-based logs. That harmonized data set is then leveraged by orchestration and automation capabilities and multifaceted analytics to quickly identify risks, detail incidents, and take immediate action before those potential risks can cause harm.

Adding Identity for Cyber Resiliency

Adding an identity service powered by RSA SecurID Suite takes an organization’s threat detection and response beyond XDR by combining the benefits of both solutions. With this leveraged approach, organizations can mitigate identity risk and maintain compliance without impeding user productivity. It ensures users have appropriate access and confirms they are who they say they are with a modern, convenient user experience. RSA NetWitness Platform can also leverage RSA SecurID data to bring deeper user visibility into threat detection and response activities.

Combining RSA NetWitness Platform and RSA SecurID Suite delivers extensive preventative controls, which are critical in addressing cybersecurity challenges in the digital era. This multi-dimensional approach allows organizations to control access to complex environments to keep cybercriminals at bay. If, by chance, they do find their way through the perimeter defense, this security posture provides organizations with the visibility they need to detect and evaluate intruders’ every move and stop them in their path.
