When running a SIEM, you need a large team: Level 1, Level 2 and Level 3 analysts, plus escalations to lateral teams (sometimes to take actions such as isolating endpoints or servers, or gathering or deleting suspicious files). Even simple actions, like creating an alert, take a huge amount of labor and up to several weeks.
Here is an example:
1. Identify and design a previously unknown use case (it is difficult to forecast what the attacker is going to do).
2. Identify the log sources for that use case. (XDR has access to raw logs from agents, whereas a SIEM traditionally only receives alerts.)
3. Test the correlation rules and move them to pre-production for several days or weeks.
4. Activate the correlation rules in production to create just one alert, with no other related information. This means your alert will not contain much useful information such as context, the origin of the alert, or the other assets and actors involved. So you still have no clue whether it is related to other events, users or artifacts across your infrastructure.
At this point, after engaging dozens of people for weeks, you do not even have an incident, just an isolated alert. Now you need to put your analysts to work to investigate where this single event comes from and how it relates to other events. Incident-wise, you are still blind.
This is where your investigation day 0 begins: you need to figure out whether you really have an incident and search for other events that might be related to the first detected alert. Then you try to build an incident with more context: artifacts, related users and endpoints, hashes, and so on.
The attack was not blocked, so you are working reactively, trying to figure out all the damage done by the attacker over weeks, months or even years before you realized something was wrong. Optimistically, with a traditional SIEM the average time to detect a breach is about 280 days (almost a year!). By then your intellectual property has already been exfiltrated, your reputation may be damaged, and the losses can extend to production systems, financial loss and loss of compliance certifications.
With Cortex XDR, you just log in to the console and, out of the box, the attacks have already been blocked proactively. You have all the incidents assembled and fully populated with the many alerts (each with its corresponding criticality) that belong to the same incident, enriched with meaningful context from different events, the users involved in the alerts and incidents, assets, artifacts, endpoints and other network assets, firewalls included. You can start a live terminal to the endpoints under investigation, with or without notifying the user, perform forensics on the affected endpoints, set up correlation rules automatically from an XQL query, and a lot more. It is day 0 and Cortex XDR has already blocked the attack before the malicious actors succeeded, and has given you tons of actionable information to investigate and respond further with just a few clicks, without intervention from or escalation to lateral teams.
This is possible thanks to our intensive use of machine learning to profile malicious behavior. After a training period, a baseline is established and from there we can identify abnormal behavior.
On top of that, Cortex XDR has been designed and built entirely as cloud native, able to stitch together your cloud logs, on-premises logs, third-party logs and endpoint logs.
Example: investigate the causality chain by asking XDR for the parent and child processes of the CGO (Causality Group Owner), the process that originated the alert. The verdicts (malicious, benign) are already there at your disposal, together with the MITRE ATT&CK techniques and tactics mapped to the incident.
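To make the two ideas above concrete (an isolated alert with no context versus alerts stitched into one incident around a causality chain), here is an added Python illustration. It is not Cortex XDR code and does not use any Cortex API: it builds a process tree from constructed endpoint process events, walks each alert up to its causality group owner (CGO) using an assumed heuristic (the first process whose parent is a desktop or service launcher such as explorer.exe starts a new group), and then groups alerts that share a CGO into a single incident enriched with users, hosts, hashes and ATT&CK technique ids. The event records, alert ids, hashes and the boundary rule are all constructed for the example.

```python
"""Added example: process causality chain and alert-to-incident stitching.

Not Cortex XDR code. The CGO heuristic, events and alerts below are
assumptions constructed for illustration only.
"""
from collections import defaultdict

# Constructed process-start events (pid, parent pid, image, user, host).
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "user": "alice",  "host": "WS01"},
    {"pid": 200, "ppid": 100, "image": "winword.exe",    "user": "alice",  "host": "WS01"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",        "user": "alice",  "host": "WS01"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "user": "alice",  "host": "WS01"},
    {"pid": 500, "ppid": 400, "image": "rundll32.exe",   "user": "alice",  "host": "WS01"},
    {"pid": 900, "ppid": 1,   "image": "svchost.exe",    "user": "SYSTEM", "host": "WS01"},
]

# Constructed alerts, each raised on one process. Technique ids are real
# MITRE ATT&CK ids used illustratively; hashes are placeholders.
ALERTS = [
    {"id": "A1", "pid": 400, "severity": "medium", "technique": "T1059.001", "sha256": "<placeholder-hash-1>"},
    {"id": "A2", "pid": 500, "severity": "high",   "technique": "T1218.011", "sha256": "<placeholder-hash-2>"},
    {"id": "A3", "pid": 900, "severity": "low",    "technique": "T1543.003", "sha256": "<placeholder-hash-3>"},
]

# Assumed heuristic: a process launched by one of these images starts a
# new causality group and is therefore the CGO of everything below it.
GROUP_BOUNDARY_IMAGES = {"explorer.exe", "services.exe", "init"}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def build_tree(events):
    """Index events by pid and collect the direct children of every pid."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def find_cgo(pid, by_pid):
    """Walk up the parent chain until the parent is a boundary image or unknown."""
    current = pid
    while True:
        parent = by_pid.get(by_pid[current]["ppid"])
        if parent is None or parent["image"] in GROUP_BOUNDARY_IMAGES:
            return current
        current = parent["pid"]


def causality_chain(pid, by_pid):
    """Image names from the CGO down to the alerting process, in launch order."""
    cgo = find_cgo(pid, by_pid)
    chain, current = [], pid
    while True:
        chain.append(by_pid[current]["image"])
        if current == cgo:
            break
        current = by_pid[current]["ppid"]
    return list(reversed(chain))


def build_incidents(alerts, events):
    """Group alerts by CGO into incidents carrying merged context."""
    by_pid, _children = build_tree(events)
    incidents = {}
    for alert in alerts:
        cgo = find_cgo(alert["pid"], by_pid)
        inc = incidents.setdefault(cgo, {
            "cgo": by_pid[cgo]["image"], "alerts": [], "severity": "low",
            "users": set(), "hosts": set(), "techniques": set(),
            "hashes": set(), "chains": [],
        })
        proc = by_pid[alert["pid"]]
        inc["alerts"].append(alert["id"])
        inc["users"].add(proc["user"])
        inc["hosts"].add(proc["host"])
        inc["techniques"].add(alert["technique"])
        inc["hashes"].add(alert["sha256"])
        inc["chains"].append(causality_chain(alert["pid"], by_pid))
        # Incident severity is the highest severity among its alerts.
        if SEVERITY_RANK[alert["severity"]] > SEVERITY_RANK[inc["severity"]]:
            inc["severity"] = alert["severity"]
    return incidents


if __name__ == "__main__":
    for cgo_pid, inc in build_incidents(ALERTS, PROCESS_EVENTS).items():
        print(f"Incident CGO={inc['cgo']} (pid {cgo_pid}) severity={inc['severity']}")
        print(f"  alerts={inc['alerts']} techniques={sorted(inc['techniques'])}")
        for chain in inc["chains"]:
            print("  chain: " + " -> ".join(chain))
```

Run as-is and the three alerts collapse into two incidents: A1 and A2 share the winword.exe causality group, so they become one high-severity incident with the full winword.exe -> cmd.exe -> powershell.exe -> rundll32.exe chain, while A3 stands alone under svchost.exe. The same grouping key (CGO) is what lets an analyst pivot from a single alert to every related process, user and artifact instead of starting from an isolated event.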
And on top of that, you can gather suspicious files, erase or quarantine them, isolate endpoints or groups of endpoints, block execution at certain paths, inspect hashes, and access a myriad of other information and reports. As previously mentioned, all of this is available out of the box and fully automated.
With Cortex XDR, you no longer need to waste your time, labor and budget looking for the needle in the haystack.
As an example, please see the following screenshots (images not reproduced here):
[Screenshot: Single Incident View]
[Screenshot: Alerts & Insights]
[Screenshot: Causality Chain showing the CGO, its parent and children]