Written by Yossi Naar, Chief Visionary Officer, and Cofounder, Cybereason

Extended Detection and Response (XDR) is everywhere today, and it seems that every company is rolling out a strategy and products to meet the growing demand. According to the industry analyst firm Gartner, XDR is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”

Notwithstanding XDR’s tremendous growth in adoption, more than a few misconceptions about XDR remain, so let’s debunk three of those myths here:

Myth 1: XDR is all about Endpoint Security
No, that’s what Endpoint Detection and Response (EDR) does, which is just one aspect of what XDR delivers. EDR solutions focus solely on the endpoint, and they don’t correlate intelligence from the cloud and other parts of an organization’s infrastructure.

In fact, most EDR platforms are not even capable of ingesting all of the relevant endpoint telemetry and are forced to “filter out” intelligence without even knowing if that information is critical to making a detection because the solutions cannot handle the volumes of data generated.

Indeed, there are vendors that simply cannot ingest all available telemetry for EDR, yet they profess to be able to deliver an XDR solution that ingests endpoint data plus an array of telemetry from numerous other sources on the network and in the cloud.

Data filtering negatively impacts the ability to proactively thwart attacks because it omits telemetry that could allow for earlier detection of malicious activity. When broadened to include non-endpoint sources, data filtering can further distort an organization’s visibility into the threats confronting them.

XDR does not suffer from these limitations. It extends continuous threat detection and monitoring as well as an automated response to endpoints, applications, cloud workloads, and the network…all without data filtering. This helps to ensure the high fidelity of a threat detection yielded by XDR.

Myth 2: XDR Should be Augmented by a SIEM
It’s true that XDR delivers some of the same functionality as SIEM (Security Information and Event Management) tools. Chief among their similarities is the ability to aggregate and correlate data from a variety of sources spread across an organization’s infrastructure, thereby providing the required visibility for threat detection, investigation and response.

But there are several key factors that hold SIEMs back: SIEMs are nothing without the data lake structure and cloud analytics they need to centralize security events. Those resources vary in the types and quality of data to which they have access, a reality that affects the value and effectiveness of a SIEM.

There are also the costs, time, and other resources involved with building, tuning, and maintaining a SIEM. Tuning is an especially common pain point with SIEMs. Indeed, these tools frequently generate false positives and an overwhelming volume of alerts.

Such noise contributes to “alert fatigue” in the organization, motivating infosec personnel to overlook the deluge of alerts coming in and miss opportunities to launch investigations at the earliest signs of an incursion. Simultaneously, SIEMs don’t do much to help security teams with executing a response beyond generating a lot of alerts that need to be manually triaged.

XDR, by contrast, doesn’t require any data lake structure. It correlates alerts across disparate network assets to deliver actionable intelligence that works to reduce alert fatigue. What’s more, XDR enables security teams to build automated playbooks using the platform itself, thereby streamlining response.

Myth 3: All XDR Platforms Are Created Equal
No. Consider the fact that there’s hybrid/open vs. native XDR. The latter only offers integrations to other security tools developed by the same vendor. This can lock customers into an agreement with a vendor that might not offer the security capabilities they need to protect their systems and data. It also means existing investments in solutions from other vendors cannot be fully realized.

In contrast, Open (or hybrid) XDR takes a collective approach that leverages multiple security tools, vendors, and telemetry types to meet organizations’ needs from within a single detection and response platform. There’s no vendor lock-in here. Security teams are free to choose the vendors and tools they want, allowing them to get the most out of their XDR platform, and the DevOps and API integrations enable personnel to bring these tools and telemetry sources together.

There’s also an argument to be made about what defines a truly mature XDR offering versus pseudo-XDR solutions that are basically nothing more than an EDR tool with cloud integration. All XDR platforms integrate with threat intelligence to spot known Indicators of Compromise (IOCs), but only an advanced XDR solution can detect them based on Indicators of Behavior (IOBs).

IOBs are the more subtle signs of an attack in progress which include otherwise benign activity one would expect to see occurring on a network. When these “legitimate” behaviors are chained in certain sequences, they produce conditions that are either exceedingly rare or represent a distinct advantage for an attacker.

This is where the context-rich correlations across endpoints, the cloud, application suites, and user identities that a mature XDR solution delivers are critical for detecting malicious activity at the earliest stages of an attack. Take ransomware attacks for example – most security solutions are focused on detecting the exploit and blocking the ransomware payload, or rolling back the encryption after the attack was successful. But the detonation of the ransomware executable is the tail end of what is actually a much longer attack sequence, with weeks or even months of detectable activity from initial ingress, to lateral movement, to credential abuse and privilege escalation, to name a few.

An AI-driven XDR solution can make the necessary correlations to detect that activity long before the ransomware payload is delivered, reducing a potentially devastating attack to the level of an intrusion attempt or similar. Additionally, the ability to leverage AI/ML to correlate telemetry from across an organization’s infrastructure is a key aspect of a mature XDR solution. The application of AI/ML allows Defenders to move from a detect and respond mode to a more proactive “predictive response” posture where the next steps an attack can and would take are instantly anticipated and blocked, eliminating the opportunity to progress the attack to the next stage.

This predictive capability is the key to the future of security, enabling organizations to “defend forward” by understanding attacks from an operation-centric approach, where analysts are freed from chasing alerts that point to individual elements of an attack in favor of a holistic view of the entire attack story from root cause to every affected device, system and user. And only an AI-driven XDR solution can deliver this “predictive response” capability that will shorten detection and remediation periods from days or weeks down to minutes.

The AI-Driven XDR Advantage
An AI-driven XDR solution enables organizations to embrace an operation-centric approach to security that delivers the visibility organizations require to be confident in their security posture across all network assets, and the automated responses to halt attack progressions at the earliest stages. This approach also provides defenders with the ability to predict, detect and respond to cyberattacks across the entire enterprise, including endpoints, networks, identities, cloud, application workspaces, and more.

Written by Sundaram Lakshmanan, CTO of SASE products at Lookout

There’s a great scene in the 1997 film “Contact” where the protagonist Dr. Eleanor Arroway, played by Jodie Foster, is informed that her lab’s funding has just been revoked. Arroway’s lab partner explained that the government lost faith in the project due to concerns about her engaging in questionable activities, such as watching static on TV for hours. To this, she responds angrily: “I was looking for patterns in the chaos, come on!”

This is a great analogy to what User and Entity Behaviour Analytics (UEBA) does automatically for you, so you don’t have to. While Arroway may have been looking for signs of life on different planets, spotting abnormal or malicious patterns in user and entity behaviour can be just as difficult with the bare eye.

On any given day, your employees will log into the cloud or on-premises applications, download, and upload files and respond to authentication requests. Tracking these behaviours can be data-intensive, especially when considering all the different devices and apps your employees use to stay productive, what their location is and what times they typically interact with apps.

This is where UEBA comes in. Instead of relying on static security checks or staring continuously at the static, you can use automated security to look at user behaviours to detect both insider and external threats, and prevent data leakage or ransomware attacks.

How UEBA works
To put it simply, UEBA is a cybersecurity process that monitors normal user behaviour and flags deviations from established patterns. While a perpetrator can easily steal an employee’s username and password, it’s much harder to imitate that person’s normal behaviour on the network connecting to apps and data. UEBA also helps detect unintentional or intentional insider threats, where an authorized user does something that is harmful to your organization.

In many ways, UEBA is like a credit card fraud detection engine. UEBA uses machine learning and data analytics to determine when there is anomalous behaviour that could result in a potential security threat. For example, if I normally only download megabytes of files every day but suddenly download gigabytes of files, a UEBA system would detect this anomaly and alert the enterprise security team to respond.

Geo-anomalies are also tell-tale signs for anomalous or malicious behaviour: if someone signs into a work account from Dubai, but minutes later an account login is observed across the world in the San Francisco, the UEBA system would automatically detect this anomaly and enable an automated response to protect data available to the account.

I remember an incident with one of our customers where UEBA ended up detecting and halting a ransomware attack. This customer gave their partners access to their Box cloud content management system. Having UEBA in place, their security team received an automated detection of a large volume of files that were deleted and replaced by encrypted files, which were quickly uploaded and renamed. Due to early detection, the security team was able to quarantine the account and restore the files.

UEBA vs. Security Information and Event Management (SIEM)
SIEMs enable security teams to aggregate large volumes of disparate data sets, security alerts and events from multiple sources into a single console for processing and analysis. They have workflows and rule engines that make sense from the processed datasets that further enable administrators to prioritize and manage incidents and alerts better.

With powerful searches, queries, dashboards and rule-based engines, most SIEMs give a full 360° view of the enterprise systems and enable admins to manage incidents in a timely manner. In some cases, they also do spot trends and create correlation rules to trigger appropriate mitigation steps.

Although at first glance, UEBA and SIEM may appear to do the same thing, there are a few key differences. Unlike a SIEM, UEBA does not track security events or monitor devices. Instead, UEBA tracks the behaviours of users and entities within your environment — such as devices, applications and data — for anomalies that may indicate a threat. While UEBA also analyzes a lot of data, it uses machine intelligence to automate and scale its analysis of patterns instead of just relying on human intelligence.

UEBA works best when paired with a holistic platform
While I hope this article has given you a good understanding of UEBA and why it’s important, I want to stress that this is just one piece of a modern cybersecurity architecture. There are two other major elements to consider: continuously monitoring the risk posture of endpoint devices and the sensitivity of the apps and data accessed by users and endpoints.

Whether you realize it or not, every one of your employees is using some form of personal devices to work from anywhere. This means you need to track the fluctuating risk posture of both the managed and unmanaged devices to protect your data at all times. By enforcing policies based on user behaviour, endpoint risk posture as well as data sensitivity, you can protect your data without hindering productivity.

With an ever growing number of smartphone users, the development of mobile applications has become a booming industry. Today there are millions of apps, helping users with almost every c of their everyday life – from entertainment to banking and billing. With this in mind, cybercriminals are working hard to develop their own apps and benefit from unsuspecting users.

Kaspersky researchers have observed fraudsters actively spreading Trojans, which secretly subscribe users to paid services, disguised as various different mobile apps, including popular games, healthcare apps and photo editors. Most of these Trojans request access to the user’s notifications and messages, so that the fraudsters can then intercept messages containing confirmation codes.

Users aren’t knowingly subscribing to these services but are, rather, falling victim to carelessness. For instance, a user fails to read the fine print and, before they know it, they’re paying for a horoscope app. These victims often don’t realize these subscriptions exist until their mobile phone account runs dry earlier than expected.

According to Kaspersky researchers, the most widely spread Trojans that sign users up to unwanted subscriptions are:

Jocker
Trojans from the Trojan.AndroidOS.Jocker family can intercept codes sent in text messages and bypass anti-fraud solutions. They’re usually spread on Google Play, where scammers download a legitimate app from the store, add malicious code to it and then re-upload it under a different name. In most cases, these trojanized apps fulfill their purpose and the user never suspects that they’re a source of threat.

So far in 2022, Jocker has most frequently attacked users in Saudi Arabia (21.20%), Poland, (8.98%) and Germany (6.01%).

MobOk
MobOk is considered the most active of the subscription Trojans with more than 70% of mobile users encountering these threats. MobOk Trojan is particularly notable for an additional capability that, in addition to reading the codes from messages, enables it to bypass CAPTCHA. MobOK does this by automatically sending the image to a service designed to decipher the code shown .

Since the beginning of the year, MobOk Trojan has most frequently attacked users in Russia (31.01%), India (11.17%) and Indonesia (11.02%).

Vesub
Vesub Trojan is spread through unofficial sources and imitates popular games and apps, such as GameBeyond, Tubemate, Minecraft, GTA5 and Vidmate. This malware opens an invisible window, requests a subscription and then enters the code it intercepts from the victim’s received text messages. After that the user is subscribed to a service without their knowledge or consent.

Most of these apps lack any legitimate functionality. They subscribe users as soon as they are launched while victims just see a loading window. However, there are some examples, such as a fake GameBeyond app, where the detected malware is actually accompanied by a random set of functional games.

Two out of five users who encountered Vesub were in Egypt (40.27%). This Trojan family has also been active in Thailand (25.88%) and Malaysia (15.85%).

GriftHorse.l
Unlike the Trojans mentioned above, this one does not subscribe victims to a third-party service – instead it uses its own. Users end up subscribing to one of these services by simply not reading the user agreement carefully. For example, there are apps that have recently spread intensively on Google Play, offering to tailor personal weight-loss plans for a token fee. Such apps contain small print mentioning a subscription fee with automatic billing. This means money will be deducted from the user’s bank account on a regular basis without needing any further confirmation from the user.

“Apps can help us stay connected, fit, entertained and generally make our lives easier. There are multiple mobile apps appearing every day, for every taste and purpose – unfortunately, cybercriminals are using this to their advantage. Some of the apps are designed to steal money by subscribing users to unwanted services. These threats are preventable, which is why it’s important to be aware of the signs that give away Trojanized apps. Even if you trust an app, you should avoid granting it too many permissions. Only allow access to notifications for apps that need it to perform their intended purposes, for example, to transfer notifications to wearable devices. Apps for something like themed wallpapers or photo editing don’t need access to your notifications,” explains Igor Golovin, security expert at Kaspersky.

Here’s what you need to do, to stay protected:

• Keeping your guard up when installing apps from Google Play. Read the reviews, research the developer, terms of use and payment details. For messaging, choose a well-known app with positive reviews.
• Checking the permissions of the apps you’re using and thinking carefully before granting additional permissions.
• Using a reliable security solution to help detect malicious apps and adware before they achieve their goals.
• Updating your operating system and any important apps as and when updates become available. Many safety issues can be solved by installing the updated versions of software.