In an attempt to fashion a resilient protection solution against cybercrime, security companies have tried many an approach. The approaches run the gamut from real-time data monitoring to predictive remediation. One solution stands out in its effectiveness at discovering and defusing threats: extended detection and response, also called XDR. A relatively new approach, XDR aims to deliver cohesive security across the tech stack.
To understand XDR better and study it more intimately, we met with Justin Foster, CTO of Forescout, a company that has an XDR solution of its own. Forescout XDR provides actionable information and alerts for security operations centers. Its capabilities include powerful threat detection, alert filtration and continuous compliance.
After their last Tech Field Day presentation in 2019, it was time to get up to speed with their latest innovations.
“We’re helping our current customer base with the threat issue – which is still largely unresolved – whether they’re using SIEMs or ticketing solutions. It’s a very noisy challenge,” said Foster.
A Perfect Storm
The security operations center (SOC) is the nerve center of an organization, from where miscellaneous security technologies and processes are coordinated. During a regular workday, specialists manning the center go through alerts coming in from toolchains made up of heterogeneous technologies and triage threats, an aspect of their job that is as wearying as it is complex.
Executives had hoped that adding more alert-centric tools to the stack would make the job easier. Instead, it has put the teams operating them in a pickle. The rich set of SOC tools amplifies the volume of notifications the analysts receive almost without limit.
Imagine a system that pushes out notifications every few minutes. Now imagine being in a room full of such systems that are each generating warning messages of equal priority at the same regularity.
The amount of noise heterogeneous toolchains create is rivaled only by the complexity they contribute. A Forrester survey states that SOCs get an average of 450 alerts per hour. This is compounded by the fact that three-quarters of those alerts are false positives.
Operators not only face an impossible number of notifications, but each one brings an inconceivable amount of analytic work, leading eventually to analysis paralysis.
Not Another Brick in the Wall
Working on the automation side of things, Forescout helps organizations improve their threat identification and response capabilities. Its XDR platform handles both detection and action, giving companies a way to discover and expel inbound threats using one solution. In the process, Forescout aims to relieve teams of the burnout caused by constant alerts.
So instead of building an XDR solution that is more of the same, Forescout designed a platform focused on the enablement of SOCs. Its key capability is to cut through the noise, enabling operators to hear more clearly.
Forescout XDR whittles down the number of notifications the SOC receives over the course of a day, bringing it down from 450 to one or fewer high-confidence alerts per hour. The goal is to provide an actionable and humanly manageable set of detections, instead of just producing relentless distractions, says Foster.
Foster, who is now the Chief Technology Officer of Forescout, was the co-founder of a cybersecurity company named Cysiv, which Forescout acquired in 2022. Cysiv was a small outfit with 160 employees that offered an advanced SOC-as-a-service solution.
Before absorbing the solution into the portfolio, Forescout unlinked the service from the software. Currently, the SOC-as-a-service is available as an add-on under the name Assist for Forescout XDR, offering 24/7 monitoring and management services. Optionally, for companies interested in doing triage in-house, Forescout offers the cloud-only, SaaS-delivered XDR platform that comes with built-in threat detection and response capabilities.
High Fidelity Notification
Foster highlights that Forescout is vendor-agnostic and works with a broad ecosystem of vendors and solutions. “We work with all the 13 different EDR (endpoint detection and response) solutions, all firewall vendors, productivity solutions and cloud vendors,” he said.
The multi-vendor approach contributes heavily to its accurate detection capabilities. Crafted with years of knowledge and understanding of threats and attack techniques, the platform works by ingesting data in massive volumes from a wide variety of tools in the environment. It then picks out the datasets most suitable for inspection and analyzes them, yielding accurate detections.
This brings the manual work and the number of alerts down to a minimum. It also contributes to Forescout’s low false-positive rate. While studying data from multiple sources and comparing and correlating them, it picks only the highest-fidelity detections to issue notifications. “If you do the data science program, you have much less requirement for the human side of things,” Foster said.
When asked what Forescout does with the data it gathers from client sources, Foster explained that the company holds rights to use the data for product improvements. The information is used to fine-tune the data used to train the ML models working behind the scenes. However, Forescout anonymizes all data before using it, to protect private and identifiable information.
Forescout supports a total of 180 vendors. Data from each vendor is normalized using a common information model. Foster notes that while most SIEMs do not support rule sharing, Forescout allows one rule to be used across tools.
Forescout has a set of shared rules in place to apply to the data. “We have 1500 rules across ML, signature, behavioral, threat intelligence correlation, UEBA (user and entity behavior analytics). We cover the gamut with those rules,” he says.
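As an added illustration (not Forescout’s code, schema or rules), the Python sketch below shows the two ideas just described: mapping heterogeneous vendor events into one common information model, then running a single correlation rule across both sources so that only corroborated, high-confidence detections surface while single-source noise is held back. The event formats, field names and 300-second window are constructed assumptions.

```python
"""Normalize events from two constructed vendor formats into a common
information model, then apply one correlation rule across both sources.
Illustrative only; the schema and rule are assumptions, not a vendor's."""
import json
from collections import defaultdict

# Constructed sample telemetry: EDR alerts as JSON, firewall logs as key=value lines.
EDR_ALERTS = [
    '{"hostname": "ws-17", "severity": "medium", "event": "suspicious_process", "ts": 1700000100}',
    '{"hostname": "ws-42", "severity": "low", "event": "suspicious_process", "ts": 1700000200}',
]
FIREWALL_LOGS = [
    "ts=1700000160 src=ws-17 action=deny dst=203.0.113.9 category=c2",
    "ts=1700000400 src=ws-08 action=deny dst=203.0.113.9 category=c2",
]
WINDOW = 300  # seconds; constructed correlation window

def normalize_edr(line):
    """Map an EDR alert into the common model: device, source, category, ts."""
    rec = json.loads(line)
    return {"device": rec["hostname"], "source": "edr",
            "category": rec["event"], "ts": int(rec["ts"])}

def normalize_firewall(line):
    """Map a key=value firewall line into the same common model."""
    kv = dict(field.split("=", 1) for field in line.split())
    return {"device": kv["src"], "source": "firewall",
            "category": kv.get("category", kv["action"]), "ts": int(kv["ts"])}

def correlate(events, window=WINDOW):
    """One rule written once against the common model, so it applies to every
    vendor feed: a device with an EDR detection and a firewall C2 block within
    `window` seconds yields a single high-confidence alert. Events seen from only
    one source are treated as low-confidence noise and not surfaced."""
    by_device = defaultdict(list)
    for event in events:
        by_device[event["device"]].append(event)
    alerts = []
    for device, evs in by_device.items():
        edr = [e for e in evs if e["source"] == "edr"]
        fw = [e for e in evs if e["source"] == "firewall" and e["category"] == "c2"]
        if any(abs(a["ts"] - b["ts"]) <= window for a in edr for b in fw):
            alerts.append({"device": device, "confidence": "high",
                           "sources": sorted({e["source"] for e in evs})})
    return alerts

def run():
    """Normalize both feeds and return (raw events, correlated alerts)."""
    events = [normalize_edr(l) for l in EDR_ALERTS] + [normalize_firewall(l) for l in FIREWALL_LOGS]
    return events, correlate(events)
```

Four raw events from two tools collapse to one alert, for the only device both sources agree on.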
Forescout handles the onboarding for its clients. And anytime a customer reaches out with an unlisted commercial solution, Forescout adds it to the list free of cost. Besides doing the client a favor, this benefits the solution by enhancing the scope of telemetry, its fuel for better detection.
Forescout controls the network layer and can isolate a threat instantly, whether it’s a managed or unmanaged device.
Forescout is in the process of expanding the team that is behind the XDR offering. The company recently merged its data science team with the research department. “The synergies are amazing, and the cool part is, we have 27 people now just focused on data and threats in this area. So we’re adding things like OT vulnerabilities, the latest and greatest attacks, and so on,” said Foster.
As noted, the platform offers compliance in the cloud. The framework for cloud compliance varies greatly from country to country causing anxiety among enterprises. “We’ve SOC2 ISO 27001 compliance, but critically we have regional ingestion, storage and encryption that alleviates a lot of the concerns,” Foster said.
Moreover, Forescout is working towards FedRAMP certification to cater to federal customers.
Security operations face a numbing number of alerts owing to the ongoing tool sprawl. The key to cutting through the noise is to reduce the alert count to a minimum. Forescout XDR helps beat alert fatigue by filtering out the noise and leaving only actionable notifications for the SOC. This cuts down the work of chasing false leads and, at the same time, ensures that no threats are missed. The platform’s robust ability to ingest, correlate, refine and respond does the bulk of the work, helping security staff skip the mad dash and improve efficiency.