Deciphering weak telemetry signals by using AI to analyze behaviors and detect threats in real time is the future of extended detection and response (XDR).
VentureBeat continues to see CISOs and their security teams migrate from Endpoint Detection and Response (EDR) to XDR for greater consolidation savings and a more unified view of all attack surfaces and potential threats.
XDR is riding a strong wave of support due to its ability to consolidate functions while limiting data movement, two high priorities for CISOs today. Those benefits are especially important in an era when security budgets are scrutinized more closely than before. Add to that the ability to bring in more telemetry data, including behaviorally based sources that can be used to identify anomalous behavior such as insider threats, and AI’s potential to keep improving XDR is clear.
XDR platforms vary in their unique approaches to AI and machine learning. Yet, all share the common phases of ingesting data, detecting threats attackers attempt to cloak in legitimate code, and automating investigation and response. Source: What is XDR? CrowdStrike blog, April 18, 2023.
This year (2024) is turning into the year of security tech stack consolidation. Gartner predicts that by year-end 2027, XDR will be used by up to 40% of enterprises to reduce the number of security vendors they have in place, up from less than 5% today. The majority of CISOs, 96%, plan to consolidate their security platforms, with 63% saying XDR is their top solution choice.
Leading XDR providers are doubling down on AI, generative AI and machine learning (ML) on their roadmaps to deliver more consolidation in less time. CrowdStrike’s move to use AI as a consolidation strategy in its XDR launch at Fal.Con 2022, followed by Palo Alto Networks and Zscaler, shows that selling consolidation pays. Every one of these vendors’ earnings calls now reports consolidated revenue stats, a sure sign the strategy is paying off.
Nikesh Arora, Palo Alto Networks chairman and CEO, said, “We collect the most amount of endpoint data in the industry from our XDR. We collect almost 200 megabytes per endpoint, which is, in many cases, 10 to 20 times more than most of the industry participants.” Leading XDR vendors with AI-based products released or in development include Broadcom, Cisco, CrowdStrike, Fortinet, Microsoft, Palo Alto Networks, SentinelOne, Sophos, TEHTRIS, Trend Micro and VMware.
XDR platforms’ real-time availability of access, endpoint, email, network and web-based app telemetry data is helping improve prediction accuracy. Those data sets are also used for continually training large language models (LLMs). The leading XDR vendors have been using endpoint data to train LLMs and further strengthen endpoint security.
Michael Sentonas, president of CrowdStrike, told VentureBeat in an interview, “If you look at CrowdStrike’s conception in 2011, one of the things that George talked about was that we couldn’t solve the security problem unless we used AI. In the lead-up to going public as a company, he also talked about AI, and since we’ve gone public, every quarter when we talk to Wall Street, we talk about AI. We’ve been using AI as part of our efficacy models, our prevention models, and we leverage AI when we do threat hunting. It’s a big core part of what we do.”
Closing the growing gaps between identities and endpoint security is one of the challenging problems XDR providers are attempting to solve. AI and machine learning (ML) are proving critically important in identifying anomalous behavioral and system use patterns that could signal an attack. Attackers are cashing in on the proliferation of new identities assigned to endpoints and the resulting unchecked agent sprawl.
XDR platforms need AI/ML technologies to identify malware-free breach attempts while also looking for signals of attackers relying on legitimate system tools and living-off-the-land (LOTL) techniques to breach endpoints undetected. Attackers use stolen identities over 62% of the time to gain access, and 60% of enterprises are aware of less than 75% of the endpoint devices on their network. It’s also common to find organizations that aren’t tracking up to 40% of their endpoints.
VentureBeat spoke with several CEOs at RSAC 2023 to learn how each perceives the value of AI in their product strategies today and in the future. Connie Stack, CEO of NextDLP, told VentureBeat, “AI and machine learning can significantly enhance data loss prevention by adding intelligence and automation to detecting and preventing data loss. AI and machine learning algorithms can analyze patterns in data and detect anomalies that may indicate a security breach or unauthorized access to sensitive information well before any policy violation occurs.”
Ten areas where AI has the greatest potential to strengthen XDR
XDR providers tell VentureBeat that the challenge of parsing an exponential increase in telemetry data, performing telemetry enrichment and mapping data to schema are the immediate architectural requirements they have. There’s also the need for real-time cross-collaboration, analytics and alert prioritization. XDR’s current and future ecosystem is dependent on AI’s continued growth.
Here are ten areas where AI has the greatest potential to strengthen XDR:
Real-time Threat Detection and Response. Look for XDR providers to double down on AI/ML in this area, as the amount of telemetry data is growing rapidly. VentureBeat is seeing significant interest on the part of organizations adopting XDR for more real-time monitoring support and better accuracy when it comes to threat detection and response.
Behavioral Analysis and Anomaly Detection. AI/ML is proving effective in detecting deviations in patterns of baseline behaviors for users, devices, and applications. Using AI/ML in this use case also helps to identify potential insider threats.
Reduction of False Positives. By relying on historical data and user feedback to improve their accuracy, AI/ML models are proving effective in reducing false positives and allowing security teams to focus on actual threats. XDR vendors prioritize this as a design goal, as SOC analysts often ask for improvements in this area.
Automated Threat Response. Another high-priority design goal for XDR systems, all major XDR platform providers either are shipping this feature or have announced it. AI-powered XDR platforms can automate initial responses to threats, such as isolating compromised endpoints or blocking suspicious network traffic, speeding up incident response times.
More Accurate Threat Hunting. AI/ML models are proving effective in identifying signs of compromise that legacy systems would have missed. The area where AI/ML is paying off the most is real-time breach identification, along with a significant reduction in false positives and negatives.
Adaptive Learning. XDR platforms that have AI/ML models designed into them are continuously learning and devising approaches to protect against new attack techniques. Leading XDR vendors, including CrowdStrike, are using endpoint data to train their LLMs, which is a state-of-the-art use case illustrating adaptive learning.
Enhanced Real-Time Visibility and Correlation. Aggregating and correlating data from a broad base of telemetry data are now table stakes for any XDR platform because it’s needed to improve real-time visibility and event correlation.
Automating Manual Workloads on the SOC. SOC Analysts face the challenging tasks of documenting significant alerts and keeping up with reporting. Using AI to automate reporting that’s needed for compliance immediately frees them up to work on more complex – and interesting – tasks.
More Precise Predictive Analytics. An area of competitive intensity between XDR platform providers, predictive analytics continues to become more intuitive and real-time. Every XDR platform relies on them to forecast future attack trends and vulnerabilities. AI/ML is bringing greater predictive accuracy and insight to this area.
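As an added example that is not code from the article or from any XDR vendor, the Python sketch below shows, in miniature, the steps several of the items above describe: normalising two constructed telemetry feeds (identity logins and endpoint process events) into one schema, learning a per-user behavioural baseline, and correlating an off-baseline login with a never-before-seen process on the same host so that two weak signals become one alert. All field names, hostnames, user names and sample values are constructed for the example.

```python
# Added example, not from the article or any XDR vendor. Sample telemetry below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

IDENTITY_LOG = [  # constructed identity-provider feed
    {"ts": "2024-03-01T09:00:00", "user": "alice", "src_host": "WS-ALICE", "result": "success"},
    {"ts": "2024-03-02T09:05:00", "user": "alice", "src_host": "WS-ALICE", "result": "success"},
    {"ts": "2024-03-03T02:11:00", "user": "alice", "src_host": "SRV-FILE01", "result": "success"},
]
ENDPOINT_LOG = [  # constructed EDR process feed; note the different field names
    {"@timestamp": "2024-03-01T09:10:00", "account": "alice", "hostname": "WS-ALICE", "image": "outlook.exe"},
    {"@timestamp": "2024-03-02T09:12:00", "account": "alice", "hostname": "WS-ALICE", "image": "excel.exe"},
    {"@timestamp": "2024-03-03T02:14:00", "account": "alice", "hostname": "SRV-FILE01", "image": "certutil.exe"},
]
BASELINE_CUTOFF = datetime(2024, 3, 3)  # events before this train the baseline; later ones are scored

def normalise(identity_log, endpoint_log):
    """Map both feeds onto one schema: (time, user, host, kind, detail), time-ordered."""
    events = [(datetime.fromisoformat(e["ts"]), e["user"], e["src_host"], "login", e["result"])
              for e in identity_log]
    events += [(datetime.fromisoformat(e["@timestamp"]), e["account"], e["hostname"], "process", e["image"])
               for e in endpoint_log]
    return sorted(events)

def build_baseline(events, cutoff):
    """Per-user sets of hosts and process images observed before `cutoff`."""
    base = defaultdict(lambda: {"hosts": set(), "images": set()})
    for t, user, host, kind, detail in events:
        if t < cutoff:
            base[user]["hosts"].add(host)
            if kind == "process":
                base[user]["images"].add(detail)
    return base

def detect(events, baseline, window=timedelta(minutes=10)):
    """Alert on a login from a host outside the user's baseline followed, on that host and within
    `window`, by a process image the user has never run: two weak signals that matter together."""
    alerts, new_host_logins = [], {}
    for t, user, host, kind, detail in events:
        prof = baseline.get(user)
        if prof is None:  # no baseline yet; a real system would queue the user for learning
            continue
        if kind == "login" and detail == "success" and host not in prof["hosts"]:
            new_host_logins[(user, host)] = t
        elif kind == "process" and detail not in prof["images"]:
            t0 = new_host_logins.get((user, host))
            if t0 is not None and t - t0 <= window:
                alerts.append({"user": user, "host": host, "image": detail, "login_at": t0.isoformat()})
    return alerts

if __name__ == "__main__":
    evs = normalise(IDENTITY_LOG, ENDPOINT_LOG)
    print(detect(evs, build_baseline(evs, BASELINE_CUTOFF)))  # one correlated alert for alice on SRV-FILE01
```

The first two days of data train the baseline and raise nothing; only the third day's off-hours login from an unfamiliar host plus an unseen utility on that host within ten minutes produces an alert.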
Consolidation is just the beginning
AI’s financial impact on XDR platforms is delivering short-term relief to the budgetary pains CISOs have regarding the pressure to consolidate their spending. All leading XDR vendors want to cash in on the consolidation push CISOs, CIOs and boards want to see in cybersecurity spending.
The long-term effect will be that XDR platforms become exponentially better at predicting intrusions and identifying breaches. Aggregating endpoint and all other forms of telemetry data to train LLMs is the future. From that perspective, AI/ML is just getting started when it comes to XDR technology maturity.