How AI-powered XDR can secure the hybrid workforce


A year ago, NOV Inc. was in the middle of evaluating a new security product to help with securing its globally distributed workforce, spread across more than 60 countries. The oilfield equipment maker was considering deploying an extended detection and response (XDR) solution from SentinelOne — and as part of the evaluation, NOV deployed the XDR platform across a company it had recently acquired.

“Immediately” after deployment, SentinelOne’s Singularity XDR detected and halted a cyberattack in progress against the acquired company, said NOV chief information security officer John McLeod — and then remediated the attack, as well.

“This was all done during the pandemic lockdown, in a country on the other side of the globe, where we didn’t speak the same language,” McLeod said in an email.

Perhaps unsurprisingly, NOV ended up becoming a customer. And the artificial intelligence (AI) and machine learning (ML) capabilities at the heart of the Singularity XDR solution have continued to prove the value of the product for protecting the company and its distributed workers, McLeod said.

How behavioral AI stops threats

SentinelOne’s XDR platform ingests and correlates data from numerous sources, with the help of distributed AI models that run on every endpoint and cloud workload in the customer’s environment, according to chief product officer Raj Rajamani. The platform uses “behavioral AI” technology that monitors and links behaviors — then autonomously shuts down activities that are deemed a threat, Rajamani said. 

The AI/ML capabilities bring a clear advantage for the XDR platform over endpoint protection platform (EPP) and endpoint detection and response (EDR) tools — including by making cybersecurity a more-autonomous operation than it’s been previously, McLeod said. 

“Their behavioral AI/ML approach was far superior to our legacy EPP, and the native integration of XDR allowed us to eliminate a separate EDR agent,” he said. “It’s much more effective to secure a remote workforce with technology requiring very little administrative interaction versus our legacy human-powered solutions with inherent delays.”

Ultimately, “having technology that can act in real time, without human intervention, is a big step forward in cybersecurity,” McLeod said.

While still a relatively nascent category within security, XDR has found its chance to shine during the pandemic — at a time when cyberattacks such as ransomware and data theft have skyrocketed. Ransomware attacks spiked 62% in 2020, then surged 105% in 2021, according to SonicWall. Meanwhile, data leaks related to ransomware jumped 82% last year, CrowdStrike reports.


While capabilities can vary across vendors in XDR, the overall concept is to integrate and correlate data from numerous security tools — and from across varying environments — in order to help customers prioritize the biggest threats. 

In the process, XDR is capable of addressing several of the biggest challenges facing security teams at once: security tool sprawl, alert fatigue and a shortage of cybersecurity personnel to make sense of all the data flooding in from their systems.

While this may sound a lot like what security information and event management (SIEM) was supposed to provide, XDR actually delivers in a way that SIEM was never able to, according to Alex Burinskiy, chief product security officer for the Americas at access solutions firm Assa Abloy.

The bottom line, said Burinskiy — a customer of SentinelOne both at his previous company, edtech firm Cengage, and in his current role — is that XDR is “accomplishing what SIEM promised to do.”

One key reason for this, experts told VentureBeat, is the use of advanced AI and ML technologies in XDR platforms.

Many XDR solutions excel at using ML for detection of anomalies that indicate a new, previously unknown threat, said Forrester analyst Allie Mellen. For instance, ML-driven XDR can reveal malicious behavior by correlating a string of actions that aren’t typical for a user, Mellen said.

While SIEM can also use AI/ML, XDR uses the technologies in “more discrete, targeted ways,” she said — such as by correlating data prior to an analyst starting an investigation, or orchestrating response actions.


Importantly, many XDR platforms go beyond EDR by bringing in telemetry from more than just endpoints. And the ability to correlate data across all those areas — including email, applications and cloud environments — is how XDR can provide enhanced visibility into malicious activity, Mellen said.

That, of course, is exactly what businesses with remote workers are looking for from their security tooling.

“That’s where things start to get really interesting — because you get a lot more context about what’s happening in the environment than you can get with just the endpoint alone,” Mellen said.

At this point, EDR is table stakes in cybersecurity. And the complexity of the tools landscape — paired with the challenges of securing a distributed workforce — suggests that it’s worth considering XDR in order to leverage detection and response that can go beyond the endpoint, experts said.

While less than 5% of organizations are using XDR today, that’s expected to climb to 40% by 2027, according to a recent report from Gartner. 

“When you look at your cybersecurity strategy, you need to protect the applications, network, data, email, endpoints, identities — including identities of devices — and of course the cloud,” said Patrick Hevesi, a vice president and analyst at Gartner. “And so XDR — as it plugs into more and more of these different types of assets as part of delivering that detection and response — is going to definitely help any cybersecurity strategy.”

AI engine

And AI/ML algorithms are pivotal to how XDR platforms make it all happen. Ultimately, XDR is powered by AI/ML as its “engine” and core technology, said Aimei Wei, founder and CTO at Stellar Cyber. 

The company’s XDR platform uses AI/ML throughout the threat detection process, from normalizing and correlating data that it ingests from different security tools, to analyzing time series and peer groups (using unsupervised ML), to pinpointing attack patterns with supervised ML. The Stellar Cyber XDR platform also uses advanced Graph ML to generate context for security teams around the highest-priority threats.

“If we can automatically add context and piece things together for the security analyst, it makes their work much more efficient,” Wei said. And this is even more essential when many workers are remote, she said.

“What we can do is achieve full [security] coverage, regardless of what the customer’s environment is,” Wei said. “It covers the whole attack surface.”

One customer that has come to rely on XDR as part of its remote workforce security strategy is EBSCO Industries, a provider of discovery services and databases to libraries. The shift of workers into the home meant the company needed to change the way it looked at external access and devise a better method for securing its devices, said Ryan Loy, chief information officer at EBSCO.

“We suspected we had blind spots and areas of our environment where we did not have complete visibility,” Loy said in an email. 

Native vs. open XDR

EBSCO ended up selecting Stellar Cyber as its XDR vendor, in part because the company offers an “open” XDR platform that can ingest data feeds from other vendors’ security tools. 

Open XDR — sometimes referred to as “hybrid” XDR — is one of the two major varieties of extended detection and response available today. The other is “native” XDR, which relies solely on data feeds from an XDR vendor’s own tools and capabilities.

With open XDR, businesses that already use a significant number of cybersecurity tools in their environment can leverage many or all of those. For EBSCO, using Stellar Cyber’s “open” XDR meant the platform “worked with our existing investments,” Loy said. “We did not want to disrupt our toolsets just to do something new.”

Customers can then use an open XDR platform to ingest and correlate all of their security data, and prioritize the threats that are uncovered across their current toolset. XDR serves to provide a view of the big picture in terms of security, Loy said. 

“Each tool’s output is like looking at an individual tree in the forest. But by combining inputs from all of our tools with XDR, we see the entire forest,” he said. 

When it comes to the artificial intelligence capabilities of Stellar Cyber’s XDR platform, “their AI/ML is baked into the user interface. And my team is presented with ‘look here’ types of correlated indications when something is awry,” Loy said. “That is how AI should work.”

While EBSCO’s security team still has to perform some analysis on the correlated information, he said, “alert-chasing” and manual correlation tasks “are now history.”

AI-powered analysis

XDR approaches vary by vendor, not only in terms of whether they are open/hybrid or native, but also when it comes to who they partner with to augment their data analysis. At Cybereason, for instance, the company’s XDR platform is “powered” by the Google Chronicle cloud security analytics service. Among the advantages is that, “unlike other solutions,” the XDR platform is cloud-native, said Eric Sun, director of product marketing at Cybereason.

This means that the XDR platform “is built to support diverse, cloud-first remote workforces” and can integrate with key collaboration and identity management solutions such as Microsoft 365, Google Workspace and Okta, Sun said in an email. 

Key AI/ML capabilities include Cybereason’s MalOp detection engine, which identifies malicious behaviors using conditional probability tables and Markov chain algorithms, in order to predict potential cause-and-effect cyberattack relationships and “stitch together logs that match these predictions,” Sun said.
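The cross-source correlation described by Mellen above and the log-stitching on conditional transition probabilities that Sun attributes to the MalOp engine, as an added illustration that is not code from Cybereason, SentinelOne, Stellar Cyber or the article: it links constructed email, endpoint and identity events per user within a time window and scores each chain against hypothetical benign transition probabilities. The event names, the 30-minute window and the probability values are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry from three sources, normalised to
# (timestamp, source, user, event); not real data.
EVENTS = [
    ("2022-03-01T09:00:05", "email", "alice", "attachment_delivered"),
    ("2022-03-01T09:02:10", "endpoint", "alice", "office_spawns_shell"),
    ("2022-03-01T09:02:40", "endpoint", "alice", "outbound_to_new_domain"),
    ("2022-03-01T09:05:00", "identity", "alice", "login_new_country"),
    ("2022-03-01T11:30:00", "endpoint", "bob", "office_spawns_shell"),
]
# Hypothetical P(next | previous) under benign baseline activity; a real
# engine would learn these from history rather than hard-code them.
BENIGN_P = {
    ("attachment_delivered", "office_spawns_shell"): 0.02,
    ("office_spawns_shell", "outbound_to_new_domain"): 0.05,
    ("outbound_to_new_domain", "login_new_country"): 0.10,
}
WINDOW = timedelta(minutes=30)  # max gap between two linked events

def build_chains(events):
    """Stitch events into per-user chains; a gap over WINDOW starts a new chain."""
    chains, current = [], {}  # current: user -> index of their open chain
    for ts, src, user, ev in sorted(events):
        t = datetime.fromisoformat(ts)
        idx = current.get(user)
        if idx is None or t - chains[idx]["events"][-1][0] > WINDOW:
            chains.append({"user": user, "events": []})
            idx = current[user] = len(chains) - 1
        chains[idx]["events"].append((t, src, ev))
    return chains

def surprise(chain):
    """1 - benign likelihood of the observed transitions (0 for a lone event)."""
    p = 1.0
    evs = chain["events"]
    for (_, _, a), (_, _, b) in zip(evs, evs[1:]):
        p *= BENIGN_P.get((a, b), 0.5)  # unseen transition treated as neutral
    return round(1 - p, 4)

def incidents(events, threshold=0.9):
    """Chains spanning 2+ sources with surprise >= threshold, highest first."""
    out = []
    for chain in build_chains(events):
        sources = sorted({src for _, src, _ in chain["events"]})
        score = surprise(chain)
        if len(sources) >= 2 and score >= threshold:
            out.append((chain["user"], score, sources, [e for _, _, e in chain["events"]]))
    return sorted(out, key=lambda inc: -inc[1])
```

Bob's lone `office_spawns_shell` never becomes an incident because it touches one source and has no transitions, while Alice's four events from three tools are stitched into a single prioritised chain.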

Other AI-driven approaches to XDR include CrowdStrike’s ExPRT.AI model, used in the company’s Falcon XDR platform. ExPRT.AI identifies vulnerabilities that pose the highest risk to an organization and prioritizes them for remediation, said Amol Kulkarni, chief product and engineering officer at CrowdStrike, in an email.

Crucially, ExPRT.AI analyzes the evolving threat landscape and produces a daily risk rating for each vulnerability — Critical, High, Medium or Low, Kulkarni said.

The platform’s AI/ML models are trained on massive datasets that enable the CrowdStrike Falcon XDR to “identify attack trends that a human couldn’t unearth,” he said. “This level of comprehensive insight is essential with today’s rapidly evolving remote work environment — as attackers are continually advancing their attack methodologies.”

Originally appeared on: TheSpuzz