Two major threat intelligence companies made big moves this week to augment or bolster the capabilities of their extended detection and response systems. It’s the latest sign of the growing maturity of the XDR market as businesses look for solutions that can translate the mountains of telemetry and threat data they produce into actionable, real-time detection.
Cybereason, founded in 2012 and based in Boston, announced June 20 that it had acquired empow, a cybersecurity startup located in Tel Aviv, Israel. Empow spent six years developing a patented machine learning-based correlation and prediction engine and executives at Cybereason have plans to fold the underlying algorithm into their XDR system to improve its automation and behavior detection capabilities.
Less than two days later, Sophos announced it has purchased another startup, Braintrace, which sells proprietary network detection and response technology that is also based in part on machine learning. Braintrace and its workforce of data scientists, developers and security analysts will be used to support both Sophos’ rapid response teams and their XDR customers by serving “as a launchpad to collect and forward event data from firewalls, proxies, virtual private networks and other sources,” Sophos said.
“You can’t protect what you don’t know is there, and businesses of all sizes often miscalculate their assets and attack surface, both on-premises and in the cloud,” said Joe Levy, chief technology officer at Sophos, in a statement. “Defenders benefit from an ‘air traffic control system’ that sees all network activity, reveals unknown and unprotected assets, and exposes evasive malware more reliably than Intrusion Protection Systems.”
Empow’s engine also comes with “out of the box” integration for 70 other IT and security vendors. As Forrester has noted, a big part of the promise of XDR lies in its ability to take in many different types of security data, and security teams often gravitate towards tooling that can easily integrate with other third-party systems.
That same rationale was also cited by Sophos, a full-service cybersecurity company that sells a variety of systems, tools and other products, when purchasing Braintrace. By buying the firm and incorporating NDR technology into Sophos’ Adaptive Cybersecurity Ecosystem, they’re essentially adding new analytical capabilities across their entire suite of software, hardware and services.
“We built Braintrace’s NDR technology from the ground up for detection and now, with Sophos, it will fit into a complete system to provide cross-product detection and response across a multi-vendor ecosystem,” said Bret Laughlin, CEO and co-founder of Braintrace.
Lior Div, CEO and co-founder of Cybereason, told SC Media that two factors are creating pressure on threat intelligence companies to augment or improve their XDR systems. The first is a post-COVID business world that has embraced a mobile workforce, pushing many endpoints outside the boundary of the traditional network perimeter. This has led to companies where “everything is distributed, everybody is scattered all over and the perimeter is your PC at home, the cloud, login where you can connect from anywhere.”
Secondly, the increasingly aggressive posture of nation state and criminal hacking operations, as seen in incidents like the SolarWinds hack, Hafnium’s campaign exploiting Microsoft Exchange servers and the Colonial Pipeline and JBS ransomware attacks, is creating a greater urgency for real-time threat detection and response capabilities.
That created a need not just for greater visibility over an organization’s endpoints, but also for the ability to correlate and connect that visibility with other data sources quickly and reliably.
Cybereason currently uses its own algorithm to make those kinds of connections, but Div said it simply doesn’t compare to the correlation capabilities offered by empow’s engine. He pointed to two “unique” aspects of empow’s technology: it’s very good at extracting data from different types of logs, and it can quickly take data crumbs from one part of a possible attack, map them to known past attacks and then search for other known signatures associated with that malware or the behaviors of the group behind it.
Together, the two acquisitions highlight the ongoing maturity of the XDR market, which seeks to combine the telemetry taken from endpoint devices with other data collected from the network, email and cloud assets to provide more holistic detection of threat activity or behaviors.
While interest in XDR has increased in the past few years, the reality is many executives are still learning what it is and what it does. It is still a nascent and emerging technology, one that struggles to find an easy way to process and correlate massive volumes of telemetry data, leverage automation and reduce the burden on SOCs to manage and sift through that data to connect the dots.
According to Enterprise Strategy Group, in 2019 the vast majority of security professionals believed threat detection and response was harder than it had been two years earlier, largely because of the sheer volume of threat data they must sift through and a lack of easy automation. Reducing that burden is ultimately what XDR is designed to do, and what these acquisitions are meant to facilitate.
“Organizations must deal with the volume and sophistication of cyber-threats, an increasing cybersecurity workload, and a growing attack surface,” wrote senior principal analyst John Oltsik last year. “Infosec pros also bemoan the fact that they still rely on manual processes and an army of point tools for threat detection and response.”