Category Archives: XDR

The Sky Has Already Fallen (you just haven’t seen the alert yet)

Of course, the much-touted “Cybersecurity Skills Shortage” isn’t news to anyone, or it shouldn’t be. For seven or more years, journalists, industry analysts and practitioners have been opining about it one way or another. Analyses and opinions vary on how we have reached this impasse, my own being that this is a largely self-inflicted crisis caused by proscriptive hiring practices and unreasonable job requirements, but the outcome remains the same. We have too few people doing too much work, with too many tools and too few meaningful resources.

The typical SOC of today is drowning in a volume of alerts. In the financial world for example 60% of banks routinely deal with 100,000+ alerts every day, with 17% of them reporting 300,000+ security alerts, according to research carried out by Ovum, and this pattern is repeated across industry verticals.

There is no way that the typical Security Operations Center is staffed to the levels required to be able to triage these alerts, meaning that a large proportion of them are simply never actioned (read ignored). Of those that do eventually see a pair of eyes, it hardly seems worth the effort. An EMA report all the way back in 2017 found that analysts were spending around half an hour investigating each incident with much of the time being spent either downgrading alerts marked as critical (46%) or otherwise reprioritizing (52%) and identifying false positives (31%).

This deluge of information, coupled with a focus on small, repetitive and often manual tasks are critical components contributing to fatigue, boredom, and a feeling of powerlessness in the workplace. A recent survey carried out by Trend Micro revealed that IT teams are under significant pressure, with some of the challenges cited including prioritizing emerging threats (47%) and keeping track of a fractured security environment (43%). The survey showed that they are feeling the weight of this responsibility, with many (34%) stating that the burden they are under has led their job satisfaction to decrease over the past 12 months. It’s not just the SOC analysts either. In that same survey one third of IT executives told us that they felt completely isolated in their role.

Workplace pressure at these levels is simply not sustainable, fatigue leads to neglect, neglect to mistakes, and mistakes lead to burnout, further reducing the available talent pool and dissuading others from ever entering into the industry, it’s a vicious circle.

This security event flood is exacerbated by the fact that the majority of organizations rely on large numbers of specialized and disconnected tools. Many of the alerts that analysts are dealing with are often different views of the same object, or duplicate notifications from discrete security tools. The Ovum report I mentioned above notes that almost half their respondents (47%) told them that only one in five events is actually related to a unique security event.

In fact, Security Operations Centers are drowning in threat data, all the while thirsting for meaningful threat intelligence.

Water, water everywhere and all the boards did shrink,

Water, water everywhere nor any drop to drink.

A recent blog post by my friend and colleague Greg Young laid out his reasoning on “Why XDR is a big deal and is different from SIEM and Platforms.” And a truly mature XDR technology, with feature rich APIs, collecting, correlating, triaging, reporting and perhaps even remediating (to a certain level) must represent the direction of travel for the SOC of the near future.

We are not going to solve the skills shortage within a decade; arguably, we are not going to solve it at all, particularly if we continue to focus on filling the gap with human brains. The problem is not in the potential recruitment pipeline, it is in the actual data pipeline and that is where technology must play the lead role. An AI driven Tier I SOC platform able to scale with the continually increasing volume of data, automating and accelerating initial analysis, the creation of incident context, chasing down patient zero through an automated root cause analysis. Such a system would present the human Escalation Analysts with aggregated data in a logical attack-centric progression automating the Monitor, Prevent, Detect and Investigate roles and providing the SOC analyst with actionable threat intelligence for real Response and Remediation.

The post The Sky Has Already Fallen (you just haven’t seen the alert yet) appeared first on .

XDR Is The Best Remedy As Attackers Increasingly Seek To Evade EDR

Real enterprises are messy places. One messy reality is that enterprises don’t manage all their endpoints. A smart colleague turned me onto using the % of endpoints and servers managed as a prime security metric.

On one end of the spectrum are places like universities that maybe manage 10% of the endpoints on their network. On the other end are places like some large banking and R&D companies that can manage about 98 or 99%. A financial services company that was spending millions of dollars on getting from 96% to achieving 98%, using the very good reasoning that they were “cutting their biggest security problem in half” rather than “2%, meh.” So even the very best enterprises can have unmanaged endpoints that can be more easily exploited than ones with a security agent deployed on them. A lot of the advanced security we’ve been delivering on the last few years has been focused on this problem.

EDR is an example of how stealthy or evasive attackers can be better uncovered than with traditional endpoint protection. EDR is great for endpoints they are on. Ian Lee of NTUC gives a killer example of uncovering stealthy attacks using EDR and MDR here.

But most of EDR’s capabilities are for endpoints they are on: ones they manage. Sure there’s some herd-immunity with EDR that the greater number of managed endpoints the harder it is for an attacker to move laterally or deeper. But more capable, patient, and stealthy attackers are getting better at being evasive, knowing that EDR may be or is deployed. Mark Nunnikhoven does a great job in this post talking about lateral movement.

EDR can only go so far on its own to help spot attacks that are exceptionally low and slow, and/or using unmanaged endpoints. Endpoint security needs to step outside the endpoint silo to keep step with advanced attackers. An attack using many hops could see movement between managed endpoints, IoT, email, network components, containers and cloud-based servers over the course of many months. The delivery and reconnaissance could involve multiple protocols, emails, payloads, files, and credentials. Pulling together the tenuous and ephemeral threads of such an intentional attack needs more modern tools, rather than hoping we stumble on a supply of highly advanced threat hunters.

Pulling together deep security information from across your enterprise is what is needed to face off against such advanced and intentionally evasive attacks. XDR is intended to be that security data lake of deeper enterprise infrastructure and security information than we’ve previously gathered in a single addressable pool and designed to be useful for threat hunters and analysts. In these posts here and here we talk about what XDR is and how it brings in more sources, such as network data.

In the game of measure-countermeasure that is cybersecurity today and tomorrow, XDR is the next evolutionary step in dealing with more evasive threats.

The post XDR Is The Best Remedy As Attackers Increasingly Seek To Evade EDR appeared first on .

Cyberattack Lateral Movement Explained

[Lightly edited transcript of the video above]

Hi there, Mark Nunnikhoven from Trend Micro Research, I want to talk to you about the concept of lateral movement.

And the reason why I want to tackle this today is because I’ve had some conversations in the last few days that have really kind of hit that idea bulb that people don’t truly understand how cybercriminals get away with their crimes in the organization. Specifically how they launch their attacks.

Now don’t get me wrong, this isn’t to blame on defenders. This isn’t to blame of the general public. I’m going to go with Hollywood’s to blame a little bit here, because we’re watching movies in Hollywood inevitably…you know the hackers in their dark hat and with no lighting, underground, Lord knows where they find these places to hack from and they are attacking directly through.

You see a bunch of text go across the screen and they penetrate through the first firewall, through the second firewall in into the data. That’s not how it works at all.

That’s ridiculous. It’s absurd.


It makes for interesting cinema, just like the red code/green code in CSI Cyber, but it’s not a reflection of reality and that’s a real challenge. Because a lot of people don’t have the experience of working with cybersecurity, working in cybersecurity, so their only perception is what they see either through media—you know TV, movies, books—or if they happen to run into somebody at in the industry. So there is an overwhelming amount of sort of information or misinformation.

Not even misinformation, just storytelling that tries to make it far more dramatic than it is. The reality is that cybercriminals are out for profit.

We know this time and time again—yes a bunch of nation-state stuff does happen but the vast majority of you are unaffected by it same with there’s

a massive amount of script-kiddie just sort of scanning random people with random tools that are just seeing what they can get away with that and

if you have solid, automated defenses that doesn’t really impact you.

What does impact you is the vast majority of organized cybercriminals who are out to make a profit. Trend Micro had a great  series and continues to have a great series on the Underground, the Digital Underground that shows just how deep these profit motivations go.

This is very much a dark industry. And with that in mind we come back to the concept of lateral movement.


If an attacker breaches into your systems, whether they come in like a fourth of all attacks do via email whether they come in directly through a server compromise, which is about half of all breaches according to the Verizon data breach investigation report or one of the other methods that is commonly used…then they start to move around within your network.

That’s lateral movement.

We talk about north/south traffic with the network, which is basically inside the network to outside of the network, so out to the the internet and back. East/west is within the network itself. Most defenses, traditional defenses worry about that north/south traffic.

Not enough worry about the east/west and it’s breaking down finally. We are getting rid of this hard perimeter. “It’s mine, I defend everything inside” …and realizing that this is actually how cybercriminals work. Once they’re inside they move around. So we need to defend in-depth and have really great monitoring and protection tools within our networks because of this challenge of lateral movement.


Let me give you a little easier to digest analogy. Most of us in a home have a grocery list and maybe once a week—maybe twice–we head to the grocery store and we try to get everything we want off the list and then we come back. That just makes sense.

That’s how we do it. Right? You would never think of going, “Okay. Number one of the list is ketchup. I’m going to drive to the store to get ketchup. I’m going to buy it and I’m going to come back home.

I’m going to look at item number two. I need a loaf of bread. I’m going to drive back to the store. I’m going to buy a loaf of bread and I’m going to come back and we can go to item 3, and I’m going to go and I’m going to come back. I’m going to…” That’s just ridiculous, right? That’s absolutely absurd and cybercrimals agree.

Once they’ve driven to the store. They’re going to buy everything that they need and everything that they see as an opportunity, right? They are really susceptible to those end caps and impulse buys… and then they’re going to leave.

This is how they attack our organizations.

We know that, because of the average time to detect a breach is around 197 days right now and that stat has fluctuated maybe plus or minus 15 days for the last decade.

We also know that it takes almost three…it takes two and a half to three months actually contain a breach once you discover it and the reason for all of this is lateral movement.

Once you’re in as a cybercriminal, once you’ve made headway, once you gained a beachhead or a foothold within that network you’re going to do everything you can to expand it because it’s going to make you the most amount of money.


What do you think? Let us know in the comments below, hit us up on social @TrendMicro or you can reach me directly @marknca.

How are you handling lateral movement? How are you trying to reduce it? How are you looking for visibility across all of your systems?

Let’s continue this conversation because when we talk we all get better and more secure online.

The post Cyberattack Lateral Movement Explained appeared first on .