Cybersecurity vendors and analysts have touted the benefits of extended detection and response in recent years, even as there’s little agreement on a definition of what XDR encompasses.
Some definitions of XDR focus on a single-vendor suite of products, with the various tools bundled tightly together. Others in the cybersecurity community suggest a single vendor isn’t the best approach; instead, best-of-breed NDR, EDR, SOAR, identity and other tools from top cybersecurity vendors are the best way to achieve XDR-like protection.
While those in the single-vendor camp argue that a tightly bundled package of tools can work well together, a single vendor may not have the best tool for every piece of the XDR puzzle. Through their long-term and expanding partnership, ExtraHop and CrowdStrike give customers award-winning NDR and EDR platforms, two major pieces of XDR, with the tightly integrated functionality touted by the single-vendor crowd.
ExtraHop recently detailed how it will integrate the world-class CrowdStrike Falcon® Intelligence service into its Reveal(x) NDR platform as an out-of-the-box service for all Reveal(x) customers. At the same time, CrowdStrike announced it is deploying Reveal(x) as part of its Services offering, and making Reveal(x) available in its newly launched CrowdStrike Marketplace, a one-stop destination for top security products.
Previously, ExtraHop integrated CrowdStrike Falcon LogScale, a SIEM and log management tool, with Reveal(x) to allow customers to join their NDR telemetry with their XDR data. This enhanced functionality allows joint customers to send network logs from ExtraHop for long-term storage and analysis in Falcon LogScale and achieve deeper visibility when identifying and responding to threats.
Customers can deploy Reveal(x) and Falcon as seamless and fully integrated platforms for real-time incident detection, instant response, and continuous endpoint and network visibility. The integration of the two platforms includes Reveal(x) access to CrowdStrike Falcon Threat Graph, which stores endpoint user activity and data gathered from agents deployed throughout the customer environment.
This marriage of Reveal(x) NDR with the CrowdStrike Falcon EDR, Threat Intelligence service, and LogScale tool gives joint customers a unified cybersecurity platform, forming the foundation for XDR. This combination of cybersecurity tools can give users full coverage of every endpoint, workload, and network activity in hybrid and multi-cloud environments. Falcon and Reveal(x) can be delivered as SaaS to provide immediate value and ease management burdens.
Mapping to MITRE ATT&CK
These three tools, working together, help uncover several attacker tactics described in the MITRE ATT&CK framework, including:
- Setting up command and control attacks;
- Setting up data staging mechanisms;
- Engaging in domain escalation;
- Moving laterally across the network;
- Enumerating targets;
- Executing malware;
- Encrypting on-host data;
- Spawning processes to trigger other processes.
Using ExtraHop and CrowdStrike together simplified the security efforts of one joint customer. Previously, the company had multiple points of security information that lacked context, an IT engineer there said.
“With this partnership, we’re able to unify our network and endpoint data into one single view to swiftly qualify or disqualify a security event, and confidently move forward,” the customer said.