Search
Close this search box.

Leveraging Active XDR to Change the Game on Your Adversaries

Fidelis’ flagship product and core competency is its strong network detection and response (NDR) capabilities built out over 15 years of research and development in network traffic analysis to detect threats, understand vulnerabilities, and stop data loss in real time. This market-proven capability has been built to run in different implementations to meet our many different customer needs including on-premises, in private clouds, in public cloud deployments, as SaaS, and even in special purpose SOC-in-a-box type shippable units.

Today, Fidelis Security continue to be a market leader in NDR tools, while expanding our capabilities beyond network security. Recognizing that security silos only benefit the adversary, we developed a platform strategy long before Extended detection and response became the term in industry to describe this platform approach to creating an enterprise-wide view of adversarial movements on the network.

After NDR, we, at Fidelis, recognized that the deep visibility Endpoint Detection and Response solutions provide into adversarial actions were an essential piece to constructing the full scope of attack campaigns. We not only acquired a great endpoint detection and response product that is favored by incident investigators, but also integrated the EDR product with our NDR product to be able to correlate what you see on the network with endpoint and vice versa.

While we, at Fidelis Security, believe there is much value to using our native endpoint with our NDR solution, we recognize in many cases the best use case for our customers is to integrate their existing EDR solution into our XDR platform. To that end, we offer native integrations as well as integrations with other EDR vendors – giving our customers the choice of leveraging an existing EDR investment into our XDR platform. The Fidelis Elevate XDR solution was recognized at RSA 2021 with best XDR Award.

Not willing to rest on our laurels, we recently announced the acquisition of CloudPassage. The reasons for adding cloud security to our XDR platform are obvious: most of our customers have cloud assets or are migrating to the cloud, and many of our CISOs lack the visibility into what’s running in the cloud, an understanding of the attack surface of cloud assets, and which threats may be exploiting their cloud workloads.

CloudPassage has built out a platform that provides asset discovery, vulnerability management, GRC, and cloud detection and response. Once we have fully integrated CloudPassage capabilities into our XDR platform, SOC operators will have full visibility of enterprise assets and threats from endpoint to cloud.

To Change the Outcome, You Need to Change the Game.

Better visibility across the enterprise, better understanding of adversarial movements, correlating alerts and mapping them to attack campaigns and automating playbooks are all essential to detecting and responding to attacks before they cause business harm. But reacting to attacks continually means your adversary retains the advantage of when to attack and also possibly to slip by your defenses.

To change this dynamic, you need to change the game. That’s why Fidelis integrated Deception technologies into our XDR platform to give the advantage back to the defender through active defense strategies. Adding deception provides an XDR platform purpose-built for Active Defense – or Active XDR.

Active defense is terminology that came out of the US military and is now being more broadly adopted by commercial firms to articulate how organizations can regain the advantage over the adversary. More formally, active defense is a set of doctrine, strategies, operations, workflows and technologies that focus on engaging the adversary earlier in the attack lifecycle, deceiving them by reshaping the network attack surface, and using deception technologies to lure them away from critical assets to prevent them wreaking havoc on IT assets. Given Fidelis Security’s US DoD heritage, it should be no surprise we are leading the innovation here.

We are not alone. MITRE has launched its Shield initiative to encourage companies to incorporate active defense techniques into their frameworks. Within MITRE Shield, active defense ranges from basic cyber defensive capabilities to cyber deception and adversary engagement operations. The combination of these defenses allows an organization to not only counter current attacks but also to learn more about that adversary and better prepare for new attacks in the future.

Unifying deception in a single platform – Fidelis Elevate XDR – helps organizations change the game to their advantage. Integrated deception technology add cost and complexity to the attacker making it more difficult and more costly to accomplish their mission, while making it easier for our customers to detect, respond and neutralize attacks. Our customers can seamlessly create clones of their network that are populated with fake user accounts, directories, and even lay down breadcrumbs for anyone who is trying to discover the network, while leaving proverbial canaries in the coal mine to warn when an adversary is on the network.

Importantly, Fidelis Elevate platform is aligned with both the MITRE Shield and MITRE ATT&CK frameworks, meaning all alerts are mapped to widely used knowledge bases of cyber adversary tactics, techniques, and procedures (TTPs). This helps security teams understand exactly what stage of attack they are likely experiencing. As a reminder:

MITRE ATT&CK framework presents a map of known attacker tactics and techniques. This framework is developed from the viewpoint of the attacker and outlines the major steps required to accomplish their goal.
MITRE Shield framework lists applicable use cases from the defender’s perspective. It outlines how defenders can take an active defense approach, where the security team becomes more proactive by engaging the attacker early to respond faster.
Our Active XDR approach helps make SOC teams more efficient and effective.

Our Journey to Active XDR

It is important to note that for many organizations, XDR (and Active XDR) is a journey with different entry points.

Some start with an NDR or EDR solution, then tie in a data lake (or SIEM) and analytics to understand what they are seeing. If the solution is aligned with the MITRE frameworks, it can help operationalize threat detection. Similarly, analytics are critical to threat hunting, forensics investigations, alert correlation to classify incidents, and adversarial campaign analysis.

More advanced XDR capabilities combine network and endpoint alerts into a unified screen to help better understand an attack scope and block attacks enterprise wide. Increasingly, that single interface view must include cloud assets as well as endpoint and network because an XDR platform that fails to monitor cloud assets is missing any enterprise assets that have moved to the cloud as part of digital transformation efforts. The single interface makes it easier for your teams to manage enterprise security, just as seamlessly as adversaries find it to move between different silos.

Fidelis CloudPassage Halo offers a single platform from which to discover, interrogate and understand your cloud security posture, as well as monitor servers, containers and micro-services in cloud/multi-cloud environments. When our CloudPassage integration is complete, the Fidelis Elevate XDR platform will provide full visibility across endpoint, network and cloud offerings in a single interface, while reducing the cost and burden of maintaining lots of separate silo’d tools.

With a single XDR solution for endpoint, network and cloud, layering in deception is straight forward and you have now tipped the game in your favor by creating cost and complexity for the adversary while also have full visibility across the enterprise.

About Author

Rami Mizrahi
Rami Mizrahi

Rami Mizrahi is the Vice President of Research and Development for Deception at Fidelis Security. He has been leading the Deception R&D team for over six year, since the inception of TopSpin Security and through the acquisition by Fidelis Security. Prior to that, he led the WAF development team at Breach Security. Rami has over 20 years of experience in software development, specializing in enterprise security.

Share this post

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.