Part 3: The First Pillar of XDR: Causal

Abhijit Ghosh

In part 2, we explained “The Six Pillars of XDR for Cloud Workloads”. It’s time to explore the first pillar, Causal, in greater depth.

Modern cyberthreats are multi-staged attacks that span across multiple assets and get executed over long periods. Today’s attackers know that the best way to reach their goal is by blending in among normal activities, slowly inching towards a target. The fact that we are seeing a rapid adoption of the MITRE ATT&CK framework to identify the kill chain confirms how security programs globally are scrambling to update/upgrade their defenses.

The ‘Cyber Kill Chain’ is a well understood concept and the tactics and techniques defined by the MITRE framework capture the essence of attacker activities. The most challenging (and often overlooked) piece? The sequence of such activities, and the random nature of such sequences. The entire security industry is banking on tools and human resources to piece together the jigsaw puzzle of sequencing attackers movements by merely identifying the techniques used, and correlating data from all possible sources. But the fact remains that the attackers are ahead in this cat-and-mouse game, and that the current set of tools and methods are inadequate to track the movements of an attacker through the kill chain, across the infrastructure, and over extended periods.

This is where ‘causality’ comes into play. If we take a step back to think about lateral movements of an attacker over time, we will soon conclude  that there must be a cause and effect relationship between activity across infrastructure. We just haven’t built  security visibility from the events in our infrastructure to reflect movements (connects, accepts, handoffs, etc.) in a deterministic and meaningful way. Instead, we search for the needle in a haystack, relying on  correlation engines to piece together a disconnected set of activities. Causality is of paramount importance, when it comes to understanding the full attack context, i.e., the sequence, and an  XDR must be able to continuously and causally sequence all events to precisely understand attack activity progressions, in real-time. This is the only way we eliminate guesswork and put defenders in pole position. Correlation gives attackers a significant advantage keeping them ahead.

An XDR built on ‘Causality’ as its foundation not only allows for tracking activities (good, bad, and ugly), but also brings an advantage that eliminates the issue of ‘false positives’, which every security program/team suffers from. No matter how comprehensive the detection capabilities of a tool is, there will always be the weak ones, amongst the strong ones, even with behavioral and ML based (signature-less) rules. It’s the weak ones that become noisy, and often turn into false positives. But if the activities are always causally connected, then what matters is the overall sequence, no matter how many weak detections encountered along the way.

Additionally, the causal sequencing provides an unprecedented advantage with the ability to track bad activities without time boundaries. You don’t want the data retention constraints impact your ability to track and understand long lasting attack campaigns. With causal sequencing, you can continuously track the malicious sequences, forever, starting from their origin, and keep discarding the activities that are benign. A classic example, where small data retention periods was a huge bottleneck towards identifying a long standing campaign, is the Marriott Data Breach, which lasted for years, according to the forensic reports.

Finally, an XDR built with ‘Causation’ moves us into the direction of self-directed security intelligence (truly autonomous) since it does not rely on an a priori knowledge of attack scenarios (often created as playbooks), instead builds up the campaign narratives as the attack progresses through and environment, irrespective of the kind of techniques and tactics used, or the order in which they get executed.

If you would like to see an XDR for Cloud Workloads built with ‘Causation’ in action, sign up for our demo.

Our next blog will focus on the second pillar of the XDR, i.e. Panoramic.