For years, security operations have relied on monolithic architectures built around centralized collectors, rigid forwarding chains, and a single “system of record” where all data must land before action can be taken. On paper, that design promised simplicity and control. In practice, it delivered brittle systems, runaway ingest costs, and teams stuck maintaining plumbing instead..
The global telecommunications ecosystem has entered its most dangerous cyber era.As 5G, O RAN, cloud workloads, and massive IoT ecosystems expand, telecom networks have become the number one target for nation-state APTs. Attacks like Salt Typhoon, labeled the worst telecom breach in U.S. history, prove one reality: Traditional enterprise security tools cannot defend networks operating
In today’s fast-evolving digital world, organizations increasingly rely on hybrid workforces, cloud-first strategies, and distributed infrastructures to gain agility and scalability. This transformation has expanded the network into a complex ecosystem spanning on-premises, cloud, and remote endpoints, vastly increasing the attack surface. Cyber adversaries exploit this complexity using stealth techniques like encrypted tunnels, credential misuse,
Our colleagues from the AI expertise center recently developed a machine-learning model that detects DLL-hijacking attacks. We then integrated this model into the Kaspersky Unified Monitoring and Analysis Platform SIEM system. In a separate article, our colleagues shared how the model had been created and what success they had achieved in lab environments. Here, we focus on how it operates within Kaspersky SIEM, the preparation steps taken before its release, and some real-world incidents it has already helped us uncover.
How the model works in Kaspersky SIEM
The model’s operation generally boils down to a step-by-step check of all DLL libraries loaded by processes in the system, followed by validation in the Kaspersky Security Network (KSN) cloud. This approach allows local attributes (path, process name, and file hashes) to be combined with a global knowledge base and behavioral indicators, which significantly improves detection quality and reduces the probability of false positives.
The model can run in one of two modes: on a correlator or on a collector. A correlator is a SIEM component that performs event analysis and correlation based on predefined rules or algorithms. If detection is configured on a correlator, the model checks events that have already triggered a rule. This reduces the volume of KSN queries and the model’s response time.
This is how it looks:
A collector is a software or hardware component of a SIEM platform that collects and normalizes events from various sources, and then delivers these events to the platform’s core. If detection is configured on a collector, the model processes all events associated with various processes loading libraries, provided these events meet the following conditions:
The path to the process file is known.
The path to the library is known.
The hashes of the file and the library are available.
This method consumes more resources, and the model’s response takes longer than it does on a correlator. However, it can be useful for retrospective threat hunting because it allows you to check all events logged by Kaspersky SIEM. The model’s workflow on a collector looks like this:
It is important to note that the model is not limited to a binary “malicious/non-malicious” assessment; it ranks its responses by confidence level. This allows it to be used as a flexible tool in SOC practice. Examples of possible verdicts:
0: data is being processed.
1: maliciousness not confirmed. This means the model currently does not consider the library malicious.
2: suspicious library.
3: maliciousness confirmed.
A Kaspersky SIEM rule for detecting DLL hijacking would look like this:
N.KL_AI_DLLHijackingCheckResult > 1
Embedding the model into the Kaspersky SIEM correlator automates the process of finding DLL-hijacking attacks, making it possible to detect them at scale without having to manually analyze hundreds or thousands of loaded libraries. Furthermore, when combined with correlation rules and telemetry sources, the model can be used not just as a standalone module but as part of a comprehensive defense against infrastructure attacks.
Incidents detected during the pilot testing of the model in the MDR service
Before being released, the model (as part of the Kaspersky SIEM platform) was tested in the MDR service, where it was trained to identify attacks on large datasets supplied by our telemetry. This step was necessary to ensure that detection works not only in lab settings but also in real client infrastructures.
During the pilot testing, we verified the model’s resilience to false positives and its ability to correctly classify behavior even in non-typical DLL-loading scenarios. As a result, several real-world incidents were successfully detected where attackers used one type of DLL hijacking — the DLL Sideloading technique — to gain persistence and execute their code in the system.
Let us take a closer look at the three most interesting of these.
Incident 1. ToddyCat trying to launch Cobalt Strike disguised as a system library
In one incident, the attackers successfully leveraged the vulnerability CVE-2021-27076 to exploit a SharePoint service that used IIS as a web server. They ran the following command:
After the exploitation, the IIS process created files that were later used to run malicious code via the DLL sideloading technique (T1574.001 Hijack Execution Flow: DLL):
SystemSettings.dll is the name of a library associated with the Windows Settings application (SystemSettings.exe). The original library contains code and data that the Settings application uses to manage and configure various system parameters. However, the library created by the attackers has malicious functionality and is only pretending to be a system library.
Later, to establish persistence in the system and launch a DLL sideloading attack, a scheduled task was created, disguised as a Microsoft Edge browser update. It launches a SystemSettings.exe file, which is located in the same directory as the malicious library:
When the SystemSettings.exe process is launched, it loads the malicious DLL. As this happened, the process and library data were sent to our model for analysis and detection of a potential attack.
Example of a SystemSettings.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM
The resulting data helped our analysts highlight a suspicious DLL and analyze it in detail. The library was found to be a Cobalt Strike implant. After loading it, the SystemSettings.exe process attempted to connect to the attackers’ command-and-control server.
DNS query: connect-microsoft[.]com
DNS query type: AAAA
DNS response: ::ffff:8.219.1[.]155;
8.219.1[.]155:8443
After establishing a connection, the attackers began host reconnaissance to gather various data to develop their attack.
C:\ProgramData\SystemSettings.exe
whoami /priv
hostname
reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid
powershell -c $psversiontable
dotnet --version
systeminfo
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Drivers"
cmdkey /list
REG query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
netsh wlan show profiles
netsh wlan show interfaces
set
net localgroup administrators
net user
net user administrator
ipconfig /all
net config workstation
net view
arp -a
route print
netstat -ano
tasklist
schtasks /query /fo LIST /v
net start
net share
net use
netsh firewall show config
netsh firewall show state
net view /domain
net time /domain
net group "domain admins" /domain
net localgroup administrators /domain
net group "domain controllers" /domain
net accounts /domain
nltest / domain_trusts
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
reg query HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Based on the attackers’ TTPs, such as loading Cobalt Strike as a DLL, using the DLL sideloading technique (1, 2), and exploiting SharePoint, we can say with a high degree of confidence that the ToddyCat APT group was behind the attack. Thanks to the prompt response of our model, we were able to respond in time and block this activity, preventing the attackers from causing damage to the organization.
Incident 2. Infostealer masquerading as a policy manager
Another example was discovered by the model after a client was connected to MDR monitoring: a legitimate system file located in an application folder attempted to load a suspicious library that was stored next to it.
The SettingSyncHost.exe file is a system host process for synchronizing settings between one user’s different devices. Its 32-bit and 64-bit versions are usually located in C:\Windows\System32\ and C:\Windows\SysWOW64\, respectively. In this incident, the file location differed from the normal one.
Example of a policymanager.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM
Analysis of the library file loaded by this process showed that it was malware designed to steal information from browsers.
Graph of policymanager.dll activity in a sandbox
The file directly accesses browser files that contain user data.
C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Local State
The library file is on the list of files used for DLL hijacking, as published in the HijackLibs project. The project contains a list of common processes and libraries employed in DLL-hijacking attacks, which can be used to detect these attacks.
Incident 3. Malicious loader posing as a security solution
Another incident discovered by our model occurred when a user connected a removable USB drive:
Example of a Kaspersky SIEM event where a wsc.dll library was loaded from a USB drive, with a DLL Hijacking module verdict
The connected drive’s directory contained hidden folders with an identically named shortcut for each of them. The shortcuts had icons typically used for folders. Since file extensions were not shown by default on the drive, the user might have mistaken the shortcut for a folder and launched it. In turn, the shortcut opened the corresponding hidden folder and ran an executable file using the following command:
CEFHelper.exe is a legitimate Avast Antivirus executable that, through DLL sideloading, loaded the wsc.dll library, which is a malicious loader.
Code snippet from the malicious file
The loader opens a file named AvastAuth.dat, which contains an encrypted backdoor. The library reads the data from the file into memory, decrypts it, and executes it. After this, the backdoor attempts to connect to a remote command-and-control server.
The library file, which contains the malicious loader, is on the list of known libraries used for DLL sideloading, as presented on the HijackLibs project website.
Conclusion
Integrating the model into the product provided the means of early and accurate detection of DLL-hijacking attempts which previously might have gone unnoticed. Even during the pilot testing, the model proved its effectiveness by identifying several incidents using this technique. Going forward, its accuracy will only increase as data accumulates and algorithms are updated in KSN, making this mechanism a reliable element of proactive protection for corporate systems.
IoC
Legitimate files used for DLL hijacking E0E092D4EFC15F25FD9C0923C52C33D6 loads SystemSettings.dll
09CD396C8F4B4989A83ED7A1F33F5503 loads policymanager.dll
A72036F635CECF0DCB1E9C6F49A8FA5B loads wsc.dll
By Gary Miliefsky, Publisher With more than 80% of breaches involving stolen or misused credentials, identity is the control point that matters most. Koushik Anand helps enterprises secure digital identities...
This morning, SentinelOne entered an agreement to acquire Observo AI—a deal that we believe will prove to be a major accelerator for our strategy and a key step forward in realizing our vision.
Data pipelines are key to any enterprise IT transformation. Data pipelines, On-premise, and cloud-native are the modern-day router for how all information technology runs. This is especially pronounced today with the need to make accessible highly sanitized, critically contextualized data into LLM-based systems, to truly unlock an agentic AI future. At the same time, enterprises need to critically move data from legacy systems, and into scaleable, ideally real-time-enabling technologies. A robust data pipeline that can move data from any source to any destination is a critical need to successfully modernize any IT environment, and on all clouds, including Microsoft Azure, AWS, and GCP, and even move data between them. All in a completely secure way. Modern data pipelines don’t stop at just routing data, they filter it, transform it and enrich it, inline, and in real time—an imperative for data efficiency and cost optimization.
Simply put, moving data freely between systems is a huge technological advantage for any enterprise, especially right now.
This is why we acquired Observo.AI, the market leader in real-time data pipelines. It’s a deal that we believe will have huge benefits for customers and partners alike.
We want to make it clear that we pledge to continue offering Observo’s data pipeline to all enterprises, whether they’re SentinelOne Singularity customers or not. We support complete freedom and control to help all customers to be able to own, secure, and route their data anywhere they want.
For security data specifically, data pipelines are the heart that pumps the blood. Unifying enterprise security data from all possible sources, end products and controls, security event aggregators, data lakes, and any custom source on premise or cloud based. As I mentioned above, the data pipeline juncture is a critical one for the migration of data.
The best security comes from the most visibility.Observo.AI will give SentinelOne the ability to bring data instantly into our real time data lake—allowing for unprecedented outcomes for customers, and marking a huge leap forward towards, unified, real time, AI-driven security, and one step closer to supervised autonomous security operations.
Data pipelines and the state of security operations
Today’s security operations teams don’t suffer from a lack of data. They suffer from a lack of usable data, latency, and relevant content.
The major culprit? Legacy data pipelines that weren’t built for modern, AI-enabled SOCs and today’s ever expanding attack surface. The result is increased cost, complexity, and delay—forcing compromises that reduce visibility, limit protection and slow response.
Enter Observo AI—a modern, AI-native data pipeline platform that gives enterprises full control over their data flows in real time.
With the acquisition of Observo AI, SentinelOne will address customers’ most critical security data challenges head-on.
Observo AI delivers a real-time data pipeline that ingests, enriches, summarizes, and routes data across the enterprise—before it ever reaches a SIEM or data lake. This empowers customers to dramatically reduce costs, improve detection, and act faster across any environment. As a result, we can create significant new customer and partner value by allowing for fast and seamless data routing into our AI SIEM, or any other destination.
It’s an acquisition and decision many months in the making—the result of an exhaustive technical evaluation, deep customer engagement, and a clear conviction grounded in the same disciplined approach we apply to all of our M&A activities. When you are thorough and do the hard work to identify the best possible technology, you can shorten the time to market and improve customer outcomes. And, in this case, the conclusion was clear: Observo AI is the best real time data pipeline platform on the market, by far.
Growing data, growing complexity and growing attack surface
As data volumes grow across endpoints, identity, cloud, GenAI apps, intelligent agents, and infrastructure, the core challenge is no longer about collection. It’s about control. Security teams need to act faster—across an ever expanding attack surface—with greater context and lower overhead. But today’s data pipelines are bottlenecks—built for batch processing, limited in visibility, static, and too rigid for modern environments.
To move security toward real autonomy, we need more than detection and response. We need a streaming data layer that can ingest, optimize, enrich, correlate and route data intelligently and at scale.
By joining forces with Observo AI, SentinelOne can deliver a modern, AI-native data platform that gives enterprises full control over their data flows in real time—allowing for fast and seamless data routing into our SIEM, or any other destination.
It also strengthens the value we’re already delivering with Singularity and introduces a new model for reducing data costs and improving threat detection, across any SIEM or data lake—helping customers lower data overhead, improve signal quality, and extract more value from the data they already have, no matter where it lives.
Legacy data pipelines give way to the next generation
Yesterday’s security data pipelines weren’t designed for autonomous systems and operations. They were built for manual triage, static rules, and post-ingestion filtering. As organizations move toward AI-enabled SOCs, that model breaks down.
Data today is:
Duplicated and noisy
Delayed in enrichment and normalization
Inconsistent across environments
Expensive to ingest and store
Dynamic in nature while solutions are rigid
The result is that too many security operations teams are forced to compromise— compromise for cost, for speed, for complexity, for innovation, and worse of all—compromise on the right visibility at the right time.
Observo AI is defining the next generation of data pipelines that change that by acting as an AI-driven streaming control plane for data. It operates upstream of SIEMs, data lakes, and AI engines—applying real-time enrichment, filtering, routing, summarizing, and masking before the data reaches storage or analysis. All this is achieved utilizing powerful AI models that continuously learn from the data.
It doesn’t just process more data. It delivers better data, faster, and with lower operational overhead.
The result is that teams can now harness the full benefit of all data in the SOC without compromise.
Observo AI’s real-time data pipeline advantage
Observo AI ingests data from any source—on-prem, edge, or cloud—and routes data to any destination, including SIEMs, object stores, analytics engines, and AI systems like Purple AI.
Key capabilities include:
Open integration – Supports industry standards and formats like OCSF, OpenTelemetry, JSON, and Parquet—ensuring compatibility across diverse ecosystems.
ML-based summarization and reduction – Uses machine learning to reduce data volume by up to 80%, without losing critical signal.
Streaming anomaly detection – Detects outliers and abnormal data in flight, not after the fact.
Contextual enrichment – Adds GeoIP, threat intelligence, asset metadata, and scoring in real time.
Field-level optimization – Dynamically identifies and drops redundant or unused fields based on usage patterns.
Automated PII redaction – Detects and masks sensitive data across structured and semi-structured formats while streaming.
Policy-based routing – Supports conditional logic to forward specific subsets of data—such as failures, high-risk activity, or enriched logs—to targeted destinations.
Agentic pipeline interface – Enables teams to generate and modify pipelines through natural language, not just static configuration files.
What We Learned from Evaluation and Customers
Prior to today’s announcement, we conducted a hands-on technical evaluation of the broader data pipeline landscape. We started with nine vendors and down-selected to four based on architecture, maturity, and extensibility.
To evaluate potential technology OEM partners, we conducted a structured scoring process across 11 technical dimensions, each representing a critical capability for scalable, secure, and high-performance data ingestion and transformation.
The evaluation criteria included:
Scalable data ingestion
On-prem and cloud collection support
Monitoring and UX
Speed of integrationBreadth of pre-built security integrations
OCSF mapping and normalization
Data transformations and enrichment capabilities
Filtering and streaming support
Sensitive data detection (PII)
Anomaly detection
Vendor lock-in mitigation (e.g., open formats, agnostic routing)
Meets Expectations – functionally sufficient, may require optimization or future roadmap improvements
Does Not Meet Expectations – unsupported or significantly limited
Final vendor scores were calculated by normalizing across all 11 categories, enabling a comparative ranking based on technical depth, deployment readiness, and extensibility. Based on this methodology, Observo emerged as the clear front-runner, outperforming all other solutions in performance, UX, protocol support, and time-to-value.
Observo AI emerged as the clear leader—scoring highest across nearly every category. It wasn’t close.
We also conducted dozens of SentinelOne customer interviews across industries—ranging from high-scale technology firms to Fortune 500 enterprises. These organizations often operate at ingest volumes in the tens of terabytes per day, with clear plans to scale past 100+ TB/day.
Across those conversations, one theme was consistent: Observo AI was the best—the only next-generation, highly scalable data pipeline solution that was in serious consideration.
Other solutions were seen as either too rigid, too complex to manage, or lacking in automation and scale. Some were viewed as solid first-generation attempts—good for basic log shipping, but not built for real-time, AI-enabled operations.
Observo AI stood out for its ease of deployment, intuitive interface, rapid time to ROI, and overall maturity across cost optimization, AI support, and customer experience. As Lucas Moody, CISO of Alteryx, put it: “Observo AI solves our data sprawl issue so we can focus our time, attention, energy, and love on things that are going to matter downstream.”
In summary
Legacy data pipelines built for another era are forcing compromises that reduce visibility, limit protection and slow response for security operations teams managing today’s SOC
Observo AI is the defining AI-native, real-time data pipeline that ingests, enriches, summarizes, and routes data across the enterprise—before it ever reaches a SIEM or data lake
With Observo AI we will help customers dramatically reduce costs, improve detection, and act faster across any environment
This will be an accelerant to our AI SIEM strategy and our data solutions—creating significant new customer and partner value and bringing the autonomous SOC one step closer to reality
We’re excited to welcome the Observo AI team to SentinelOne, and even more excited about what this unlocks for our customers—a data pipeline built for the age of AI and autonomous security operations.
For any customer looking to route, ingest or optimize any type of enterprise data, with its vast integration ecosystem, and ML driven pipelines, Observo.AI is the best technology in the market, and the fastest to deploy, to start seeing real outcomes—now.
Organizations around the globe are rapidly adopting AI and embracing accelerated creativity and output, but with this vast opportunity come enormous challenges: visibility, compliance, security, control. From the growth of AI tool usage outside IT and infosec to the emergence of autonomous AI agents and agentic workflows, the undeniable benefits of AI often open the door to novel cyber threats and data privacy concerns, but even more often, to misuse and leakage of sensitive information.
SentinelOne pioneered AI Cybersecurity beginning at the endpoint and this strategy has rapidly evolved to the cloud, AI SIEM, and generative and agentic AI to protect every aspect of enterprise security. Now, we’re taking that strategy a step further, signing a definitive agreement to acquire Prompt Security – a rapidly growing company empowering and enabling organizations to use AI and AI agents securely – today. The immediate visibility and control Prompt Security delivers to all employee use of GenAI applications in the work environment is unparalleled.
Embrace AI without compromising visibility, security, or control
Prompt Security CEO Itamar Golan and his team were early champions of AI as a force for productivity, innovation, and transformation. As a cybersecurity veteran of Orca and Checkpoint, Golan was quick to realize that security risks would be the single biggest blocker to widespread AI adoption. This need is what has driven Prompt Security’s approach from the start – providing companies with the ability to encourage and deploy employee AI usage without compromise.
Prompt Security’s technology helps organizations by integrating across browsers, desktop applications, and API’s. This includes real-time visibility into how AI tools are accessed, what data is being stored, and automated enforcement to prevent prompt injections, sensitive data leakage, and misuse.
This design and approach is highly complementary to SentinelOne’s AI strategy and the Singularity Platform; creating a unique, integrated layer for securing AI in the enterprise – protecting tools where and how they are used, and creating customer value in a way no other solution in the market can match.
The Prompt Security Difference
Prompt Security enables organizations and users to confidently leverage tools like ChatGPT, Gemini, Claude, Cursor, and other custom LLMs by providing IT and security teams visibility, security, and real-time control – even over unmanaged AI use.
Real-Time AI Visibility
Prompt Security’s lightweight agent and browser extensions automatically discover both sanctioned GenAI apps and unsanctioned Shadow AI wherever employees work. This includes browsers, desktop IDEs, terminal-based assistants, APIs, and custom workflows. The platform maintains a live inventory of usage across thousands of AI tools and assistants. Every prompt and response is captured with full context, giving security teams searchable logs for audit and compliance. This is a great complement to our existing presence on the endpoint, and will enable us to accelerate our GenAI DLP capabilities.
Policy-Based Controls
Granular, policy-driven rules let teams redact or tokenize sensitive data on the fly, block high-risk prompts, and deliver inline coaching that helps users learn safe AI practices without losing productivity.
AI Attack Prevention
The platform inspects every interaction in real time to stop prompt injection, jailbreak attempts, malicious output manipulation, and prompt leaks. It is designed to maintain low latency so users experience no disruption.
Model Agnostic Coverage
Safeguards apply uniformly across all major LLM providers including OpenAI, Anthropic, and Google, as well as self-hosted or on-prem models. The fully provider-independent architecture fits into any stack, whether SaaS or self-hosted.
MCP Gateway Security
Prompt Security’s MCP Gateway sits between AI applications and more than 13,000 known MCP servers, intercepting every call, prompt template, and response. Each server receives a dynamic risk score, and the system enforces allow, block, filter, or redact actions.
The Future of AI Security
AI is the most transformative force in the world today, but without security, it becomes a liability. SentinelOne has long set the standard on how AI can transform cybersecurity. This acquisition unlocks a new frontier of platform expansion for SentinelOne and represents a step forward in our AI strategy – from AI for security to security for AI. It cements SentinelOne’s leadership in securing the modern AI-powered enterprise, and it also puts in the center the main thing that acquisitions are about- solving real customer problems, improving security, and creating tangible value for security teams- allowing them to lead their business safely and responsibly to the AI age.
Protecting the usage of AI tools without compromising safety or inhibiting productivity is critical to their continued adoption and together, SentinelOne and Prompt Security provide the tools and confidence to make that a reality.
The ink may still be drying but the next chapter of SentinelOne’s growth story has officially begun. On behalf of all Sentinels, our partners, and our customers, I couldn’t be happier to welcome the Prompt Security team to SentinelOne!
Forward Looking Statements
This blog post contains forward-looking statements. The achievement or success of the matters covered by such forward-looking statements involve risks, uncertainties and assumptions. If any such risks or uncertainties materialize or if any of the assumptions prove incorrect, our results could differ materially from the results expressed or implied by the forward-looking statements. Please refer to the documents we file from time to time with the U.S. Securities and Exchange Commission, in particular, our Annual Report on Form 10-K and our Quarterly Reports on Form 10-Q. These documents contain and identify important risk factors and other information that may cause our actual results to differ materially from those contained in our forward-looking statements. Any unreleased products, services or solutions referenced in this or other press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase SentinelOne products, services and solutions should make their purchase decisions based upon offerings that are currently available.
In der Cybersicherheitsbranche gibt es eine Fülle von Jargon, Abkürzungen und Akronymen. Da immer mehr ausgeklügelte Angriffsvektoren zur Verfügung stehen, von Endpunkten über Netzwerke bis hin zur Cloud, wenden sich viele Unternehmen einem neuen Ansatz zu, um fortschrittlichen Bedrohungen zu begegnen: Extended Detection and Response (Erweitertes Erkennen und Reagieren), was zu einem weiteren Akronym führt: XDR. Und obwohl XDR in diesem Jahr von Branchenführern und Analysten viel Aufmerksamkeit erhalten hat, handelt es sich dabei immer noch um ein sich entwickelndes Konzept, und als solches herrscht Verwirrung rund um das Thema.
Was ist XDR?
Wie unterscheidet sich XDR von EDR?
Ist es dasselbe wie SIEM & SOAR?
Als führendes Unternehmen auf dem EDR-Markt und Pionier derder aufkommenden XDR-Technologie , werden wir oft gefragt, was diese Technologie bedeutet und wie sie letztendlich zu besseren Kundenergebnissen beitragen kann. Dieser Post soll einige häufig auftretenden Fragen rund um XDR und die Unterschiede zu EDR, SIEM und SOAR klären.
Was ist EDR?
EDR bietet einem Unternehmen die Möglichkeit, Endpunkte auf verdächtiges Verhalten zu überwachen und jede einzelne Aktivität und jedes Ereignis aufzuzeichnen. Dann setzt es Informationen in Beziehung, um wichtigen Kontext für die Erkennung von hochentwickelten Bedrohungen zu liefern. Schließlich führt es automatisierte Reaktionsmaßnahmen durch, wie die Isolierung eines infizierten Endpunkts vom Netzwerk in nahezu Echtzeit.
Was ist XDR?
XDR ist die Weiterwentwicklung von EDR, Endpoint Detection and Response. Anders als EDR, das Aktivitäten über mehrere Endpunkte hinweg sammelt und korreliert, erweitert XDR den Erkennungsbereich über die Endpunkte hinaus und bietet Erkennung, Analyse und Reaktion über Endpunkte, Netzwerke, Server, Cloud-Workloads, SIEM und vieles mehr.
Dies ermöglicht eine einheitliche Sicht über mehrere Tools und Angriffsvektoren hinweg. Diese verbesserte Sichtbarkeit bietet eine Kontextualisierung dieser Bedrohungen, um die Triage, Untersuchung und schnelle Abhilfemaßnahmen zu unterstützen.
XDR sammelt und verknüpft automatisch Daten über mehrere Sicherheitsvektoren hinweg und ermöglicht so eine schnellere Erkennung von Bedrohungen. Somit können Sicherheitsanalysten schnell reagieren, bevor sich die Bedrohung ausweitet. Sofort einsatzbereite Integrationen und vordefinierte Erkennungsmechanismen für verschiedene Produkte und Plattformen verbessern die Produktivität, Bedrohungserkennung und Forensik.
Kurz gesagt, XDR erweitert über den Endpunkt hinaus, um Entscheidungen auf der Grundlage von Daten aus mehreren Produkten zu treffen, und kann Maßnahmen in ihrem gesamten Stack ergreifen, indem es auf E-Mail, Netzwerk, Identität und darüber hinaus reagiert.
Wie unterscheidet sich XDR von SIEM?
Wenn wir von XDR sprechen, denken manche Anwender, dass wir ein SIEM-Tool (Security Information & Event Management) auf eine andere Art und Weise beschreiben. Aber XDR und SIEM sind zwei verschiedene Dinge.
SIEM sammelt, aggregiert, analysiert und speichert große Mengen von Protokolldaten aus dem gesamten Unternehmen. SIEM begann seine Entwicklung mit einem sehr breit gefächerten Ansatz: dem Sammeln von verfügbaren Protokoll- und Ereignisdaten aus nahezu jeder Quelle im Unternehmen, um sie für verschiedene Anwendungsfälle zu speichern. Dazu gehören Governance und Compliance, regelbasierter Musterabgleich, heuristische/verhaltensbasierte Bedrohungserkennung wie UEBA und die Suche nach IOCs oder atomaren Indikatoren in Telemetriequellen.
SIEM-Tools erfordern jedoch viel Feinabstimmung und Aufwand bei der Implementierung. Sicherheitsteams können auch von der schieren Anzahl der Warnmeldungen, die von einem SIEM kommen, überfordert werden, was dazu führt, dass das SOC kritische Warnmeldungen ignoriert. Darüber hinaus ist ein SIEM, auch wenn es Daten aus Dutzenden von Quellen und Sensoren erfasst, immer noch ein passives Analysetool, das Warnmeldungen ausgibt.
Die XDR-Plattform zielt darauf ab, die Herausforderungen des SIEM-Tools für eine effektive Erkennung und Reaktion auf gezielte Angriffe zu lösen und umfasst Verhaltensanalyse, Bedrohungsdaten, Verhaltensanalysen und Analysen.
Wie unterscheidet sich XDR von SOAR?
SOAR-Plattformen (Security Orchestration & Automated Response) werden von ausgereiften Sicherheitsteams verwendet, um mehrstufige Playbooks zu erstellen und auszuführen, die Aktionen über ein API-verbundenes Ökosystem von Sicherheitslösungen automatisieren. Im Gegensatz dazu wird XDR die Integration von Ökosystemen überMarketplace ermöglichen und Mechanismen zur Automatisierung einfacher Aktionen gegen Sicherheitskontrollen von Drittanbietern bereitstellen.
SOAR ist komplex, kostspielig und erfordert ein sehr ausgereiftes SOC zur Implementierung und Pflege von Partnerintegrationen und Playbooks. XDR ist als „SOAR-lite“ gedacht: eine einfache, intuitive Zero-Code-Lösung, die von der XDR-Plattform aus mit angeschlossenen Sicherheitstools agieren kann.
Was ist MXDR?
Managed Extended Detection and Response (MXDR) erweitert die MDR-Dienste auf das gesamte Unternehmen, um eine vollständig verwaltete Lösung zu erhalten, die Sicherheitsanalysen und -abläufe, fortschrittliche Bedrohungssuche, Erkennung und schnelle Reaktion in Endpunkt-, Netzwerk- und Cloud-Umgebungen umfasst.
Ein MXDR-Dienst erweitert die XDR-Funktionen des Kunden um MDR-Dienste für zusätzliche Überwachungs-, Untersuchungs-, Bedrohungsjagd- und Reaktionsmöglichkeiten.
Warum gewinnt XDR an Attraktivität und sorgt für Aufsehen?
XDR ersetzt isolierte Sicherheitslösungen und hilft Unternehmen, die Herausforderungen der Cybersicherheit von einem einheitlichen Standpunkt aus anzugehen. Mit einem einzigen Pool von Rohdaten, der Informationen aus dem gesamten Ökosystem umfasst, ermöglicht XDR eine schnellere, tiefgreifendere und effektivere Erkennung von und Reaktion auf Bedrohungen als EDR, da Daten aus einer größeren Anzahl von Quellen gesammelt und zusammengestellt werden.
XDR sorgt für mehr Transparenz und Kontext bei Bedrohungen. Vorfälle, die sonst nicht erkannt worden wären, tauchen auf einer höheren Bewusstseinsebene auf, so dass Sicherheitsteams Abhilfemaßnahmen ergreifen und weitere Auswirkungen reduzieren sowie das Ausmaß des Angriffs minimieren können.
Ein typischer Ransomware-Angriff durchquert das Netzwerk, landet in einem E-Mail-Posteingang und greift dann den Endpunkt an. Wenn man die einzelnen Sicherheitsaspekte unabhängig voneinander betrachtet, sind die Unternehmen im Nachteil. XDR integriert unterschiedliche Sicherheitskontrollen, um automatisierte oder Ein-Klick-Reaktionsmaßnahmen im gesamten Sicherheitsbereich des Unternehmens zu ermöglichen, wie z. B. die Sperrung des Benutzerzugriffs, die Erzwingung der Multi-Faktor-Authentifizierung bei vermuteter Kontokompromittierung, die Sperrung eingehender Domänen und Datei-Hashes und vieles mehr – alles übervom Benutzer geschriebene Regeln oder über die in die Prescriptive Response Engine integrierte Logik.
Mit einem einzigen Pool von Rohdaten, der Informationen aus dem gesamten Ökosystem umfasst, ermöglicht XDR eine schnellere, tiefgreifendere und effektivere Erkennung von und Reaktion auf Bedrohungen als EDR, da Daten aus einer größeren Anzahl von Quellen gesammelt und zusammengestellt werden.
Diese umfassende Sichtbarkeit bringt mehrere Vorteile mit sich, darunter:
Verkürzung der Mean Time to Detect (MTTD) durch Korrelation zwischen verschiedenen Datenquellen.
Verkürzung der mittleren Untersuchungszeit (MTTI) durch Beschleunigung der Triage und Verkürzung der Zeit für die Untersuchung und den Umfang.
Verkürzung der mittleren Reaktionszeit (MTTR) durch einfache, schnelle und relevante Automatisierung.
Verbesserung der Transparenz im gesamten Sicherheitsbereich.
Darüber hinaus trägt XDR dank KI und Automatisierung dazu bei, den manuellen Arbeitsaufwand von Sicherheitsanalysten zu verringern. Eine XDR-Lösung kann proaktiv und schnell hochentwickelte Bedrohungen aufspüren, die Produktivität des Sicherheits- oder SOC-Teams erhöhen und dem Unternehmen einen massiven ROI-Schub verschaffen.
SentinelOne Singularity XDR
Erfahren Sie, wie SentinelOne XDR eine durchgängige Unternehmenstransparenz, leistungsstarke Analysen und automatisierte Reaktionen über Ihr gesamtes Technologiepaket hinweg bietet.
Für viele Unternehmen ist es eine Herausforderung, sich in der Anbieterlandschaft zurechtzufinden, insbesondere wenn es um Erkennungs- und Reaktionslösungen geht. Oft besteht die größte Hürde darin zu verstehen, was die einzelnen Lösungen bieten, vor allem, wenn die Terminologie von Anbieter zu Anbieter unterschiedlich ist und verschiedene Dinge bedeuten kann.
Wie bei jeder neuen Technologie, die auf den Markt kommt, gibt es eine Menge Hype, und Käufer müssen vorsichtig sein. Tatsache ist, dass nicht alle XDR-Lösungen gleich sind. SentinelOne Singularity XDR vereinheitlicht und erweitert die Erkennungs- und Reaktionsfähigkeit über mehrere Sicherheitsebenen hinweg und bietet Sicherheitsteams eine zentralisierte End-to-End-Unternehmenstransparenz, leistungsstarke Analysen und automatisierte Reaktionen über den gesamten Technologiebereich hinweg.
With more than 15 years of experience in cyber security, Manuel Rodriguez is currently the Security Engineering Manager for the North of Latin America at Check Point Software Technologies, where he leads a team of high-level professionals whose objective is to help organizations and businesses meet their cyber security needs. Manuel joined Check Point in 2015 and initially worked as a Security Engineer, covering Central America, where he participated in the development of important projects for multiple clients in the region. He had previously served in leadership roles for various cyber security solution providers in Colombia.
In this insightful Cyber Talk interview, Check Point expert Manuel Rodriguez discusses “Platformization”, why cyber security consolidation matters, how platformization advances your security architecture and more. Don’t miss this!
The word “platformization” has been thrown around a lotrecently. Can you define the term for our readers?
Initially, a similar term was used in the Fintech industry. Ron Shevlin defined it as a plug and play business model that allows multiple participants to connect to it, interact with each other and exchange value.
Now, this model aligns with the needs of organizations in terms of having a cyber security platform that can offer the most comprehensive protection, with a consolidated operation and easy enablement of collaboration between different security controls in a plug and play model.
In summary, platformization can be defined as the moving from a product-based approach to a platform-based approach in cyber security.
How does platformization differ from the traditional way in which tech companies develop and sell products and services?
In 2001, in a Defense in Depth SANS whitepaper, Todd McGuiness said, “No single security measure can adequately protect a network; there are simply too many methods available to an attacker for this to work.”
This is still true and demonstrates the need to have multiple security solutions for proper protection of different attack vectors.
The problem with this approach is that companies ended up with several technologies from different vendors, all of which work in silos. Although it might seem that these protections are aligned with the security strategy of the company, it generates a very complex environment. It’s very difficult to operate and monitor when lacking collaboration and automation between the different controls.
SIEM and similar products arrived to try to solve the problem of centralized visibility, but in most cases, added a new operative burden because they needed a lot of configurations and lacked automation and intelligence.
The solution to this is a unified platform, where users can add different capabilities, controls and even services, according to their specific needs, making it easy to implement, operate and monitor in a consolidated and collaborative way and in a way that leverages intelligence and automation.
My prediction is that organizations will start to change from a best-of-breed approach to a platform approach, where the selection factors will be more focused on the consolidation, collaboration, and automation aspects of security controls, rather than the specific characteristics of each of the individual controls.
From a B2B consumer perspective, what are the potential benefits of platformization (ex. Easier integration, access to a wider range of services…)?
For consumers, the main benefits of a cyber security platform will be a higher security posture and reduced TCO for cyber security. By reducing complexity and adding automation and collaboration, organizations will increase their abilities to prevent, detect, contain, and respond to cyber security incidents.
The platform also gives flexibility by allowing admins to easily add new security protections that are automatically integrated in the environment.
Are there any potential drawbacks for B2B consumers when companies move towards platform models?
I have heard concerns from some CISOs about putting all or most of their trust in a single security vendor. They have in-mind the recent critical vulnerabilities that affected some of the important players in the industry.
This is why platforms should also be capable of integration through open APIs, permitting organizations to be flexible in their journey to consolidation.
How might platformization change the way that B2B consumers interact with tech companies and their products (ex. Self-service options, subscription models)? What will the impact be like?
Organizations are also looking for new consumption models that are simple and predictable and that will deliver cost-savings. They are looking to be able to pay for what they use and for flexibility if they need to include or change products/services according to specific needs.
What are some of main features of a cyber security platform?
Some of the main features are consolidation, being able to integrate security monitoring and management into a single central solution; automation based on APIs, playbooks and scripts according to best practices; threat prevention, being able to identify and block or automatically contain attacks before they pose a significant risk for an organization…
A key component of consolidation is the use of AI and machine learning, which can process the data, identify the threats and generate the appropriate responses.
In terms of collaboration, the platform should facilitate collaboration between different elements; for example sharing threat intelligence or triggering automatic responses in the different regions of the platform.
In looking at platformization from a cyber security perspective, how can Check Point’s Infinity Platform benefit B2B consumers through platformization principles (ex. Easier integration with existing tools, all tools under one umbrella…etc)?
The Check Point Infinity platform is a comprehensive, consolidated, and collaborative cyber security platform that provides enterprise-grade security across several vectors as data centers, networks, clouds, branch offices, and remote users with unified management.
It is AI-powered, offering a 99.8% catch rate for zero day attacks. It offers consolidated security operations; this means lowering the TCO and increasing security operational efficiency. It offers collaborative security that automatically responds to threats using AI-powered engines, real-time threat intelligence, anomaly detection, automated response and orchestration, and API-based third-party integration. Further, it permits organizations to scale cyber security according to their needs anywhere across hybrid networks, workforces, and clouds.
Consolidation will also improve the security posture through a consistent policy that’s aligned with zero trust principles. Finally, there is also a flexible and predictable ELA model that can simplify the procurement process.
How does the Check Point Infinity Platform integrate with existing security tools and platforms that CISOs might already be using?
Check Point offers a variety of APIs that make it easy to integrate in any orchestration and automation ecosystem. There are also several native integrations with different security products. For example, the XDR/XPR component can integrate with different products, such as firewalls or endpoint solutions from other vendors.
To what extent can CISOs customize and configure the Check Point Infinity Platform to meet their organization’s specific security posture and compliance requirements?
Given the modular plug and play model, CISOs can define what products and services make sense for their specific requirements. If these requirements change over time, then different products can easily be included. The ELA consumption model gives even more flexibility to CISOs, as they can add or remove products and services as needed.
How can platformization (whether through Infinity or other platforms) help businesses achieve long-term goals? Does it provide a competitive advantage in terms of agility, innovation and cost-efficiency?
A proper cyber security platform will improve the security posture of the business, increasing the ability to prevent, detect, contain and respond to cyber security incidents in an effective manner. This means lower TCO with increased protection. It will also allow businesses to quickly adapt to new needs, giving them agility to develop and release new products and services.
Is there anything else that you would like to share with Check Point’s thought leadership audience?
Collaboration between security products and proper intelligence sharing and analysis are fundamental in responding to cyber threats. We’ve seen several security integration projects through platforms, such as SIEMs or SOARs, fail because of the added complexity of generating and configuring the different use cases.
A security platform should solve this complexity problem. It is also important to note that a security platform does not mean buying all products from a single vendor. If it is not solving the consolidation, collaboration problem, it will generate the same siloed effect as previously described.
In one company my boss asked me: “hey, is it possible to check whether we are well protected against ransomware, and whether we are able to detect infected devices, so that we can isolate them from the network fairly quickly?”
When a manager asks you a question like that, you know the next month is going to be tough.
Login
Exceeds Expectations – mature, production-grade capability
Meets Expectations – functionally sufficient, may require optimization or future roadmap improvements
Does Not Meet Expectations – unsupported or significantly limited
