
What is XDR Security and Why Do I Need It?

XDR – What, why, where, and how extended detection and response improves SecOps efficiency. Find answers to frequently asked questions here!

What does XDR mean? What does it do?

Extended Detection and Response (XDR) solutions integrate a set of products, unifying control points, security data, analytics and operations into a single enterprise solution. An XDR should pull in telemetry from multiple sources, such as endpoint, network, and cloud sensors, and correlate across them to find attacks that span more than one sensor.

XDR promises to provide technology integration between data sources and security operations to accelerate detection and response, while reducing the integration engineering that teams would otherwise have to do themselves.

What is XDR at FireEye Mandiant?

XDR is not one-size-fits-all. At FireEye Mandiant, we empower security teams of all sizes to use the most relevant breach intelligence and expertise in a scalable and consistent manner, so they can prioritize their security focus, operate an effective and efficient detection and response function, and measure and improve both the cost and the posture of their IT security.

Our customers can build an XDR leveraging the integrated FireEye product suite or build an XDR solution with their choice of security controls and data repositories.

What is Mandiant Advantage?

Mandiant Advantage is a SaaS platform that offers a control-agnostic suite of products to help organizations understand their external and internal risks, and provides the automation to act on that understanding effectively and efficiently.

The Mandiant Advantage Platform uniquely shifts the value of Extended Detection and Response (XDR) from capabilities derived through single-vendor security controls to what matters – relevant intelligence and expertise delivered in a scalable, easy to access way such that teams of all sizes can better defend their enterprise.

What is Mandiant Automated Defense?

Mandiant Automated Defense is the software-based analytics engine within the Mandiant Advantage Platform that combines human reasoning with machine power to make complex decisions consistently. It is an XDR engine that provides analytics and automated decision-making for a wider XDR ecosystem of security controls, data repositories, and threat intelligence. Automated Defense includes:

  • Built-in security expertise collected from Mandiant incident responders
  • Mandiant’s latest and client-specific threat intelligence
  • The ability to process millions of alerts in real-time
  • Enterprise-scale at machine speed
  • 100% consistency without human bias or fatigue
  • Continuous learning and adaptability

Automated Defense automatically monitors your cybersecurity alerts 24x7 and analyzes, reasons, and makes decisions about whether alerts are malicious and actionable. Scalable to any environment, Automated Defense applies consistent, in-depth analysis (often reviewing 60+ facts) without bias or fatigue when making decisions on escalating incidents for remediation.

How is Automated Defense different from other security solutions?

Automated Defense is different from other security operations products in three primary ways:

Intelligent

Takes Mandiant's threat intelligence delivered through the Mandiant Intel Grid and applies data science models to find real incidents at machine speed. In addition, it retains tribal knowledge to make better decisions going forward while learning collectively across our entire customer base.

Simple

Deploys in hours in a highly scalable cloud environment and learns continuously without tuning, coding, or content writing. Plus, you have access to FireEye incident responders when you need them (or, if you're resource-constrained, upgrade to Managed Defense in the near future and let Mandiant experts manage detection and response for you).

Open

Utilizes best-of-breed, vendor-agnostic security controls, data repositories, and threat intelligence to escalate malicious and actionable incidents. Many XDR solutions require you to purchase tools from a single vendor, which means you may be locked into solutions that are not optimized for your environment. Automated Defense gives you freedom of choice and future-proofs your solution without requiring a rip-and-replace at purchase.

How is Automated Defense different from a SIEM?

SIEMs use rules to reduce the number of security events that security teams analyze – in other words, reducing the volume of data to a capacity that a team can manage. Automated Defense analyzes all available data to make better security decisions faster. Automated Defense uses pre-built decision models, ready to work on day one – no training or rule writing required.

Output from SIEMs can be unreliable and inconsistent. One reason is that SIEM rules are based on boolean, deterministic logic that is too simplistic to isolate and analyze a real attack and decide whether an alert is a true or a false positive. Additionally, SIEM rules vary in quality, which can result in an inaccurate or incomplete analysis. Automated Defense collects and analyzes data directly from security sensors and, instead of additional rule logic, applies built-in intelligence and data science models to find the incidents behind complex threats and attacks.

We have implemented SOAR – how does Mandiant Automated Defense fit?

Security engineering teams can program SOAR platforms to automate analyst tasks, such as data collection, correlation, enrichment, and assisting in responding to low-level, repetitive security events. Automated Defense is pre-built software that automates the analysis, investigation, and triage 'at the front line' of security decision-making, vetting all events before the SOAR needs to take action. Automated Defense is ready to work on day one, with no programming required, and frees security teams to focus on remediation and response. Automated Defense integrates with the leading SOAR systems, sending incidents and supporting evidence to the SOAR for automated remediation.

What’s the difference between a security "event" and an "investigation"?

In our terminology, a security event is a single occurrence that may indicate suspicious activity. Sensors such as firewalls, web proxy monitors, endpoint detection and response, and endpoint protection solutions generate thousands to millions of individual events daily, each of which may or may not indicate a threat. Automated Defense considers all available security events, analyzing, investigating, and correlating them into security investigations that are scoped and prioritized for security teams to act on. Automated Defense only escalates vetted security investigations, and it updates the scope of an escalation as additional related security data becomes available.
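The correlation step described above, and the contrast with a single boolean SIEM-style rule from the previous answer, as a constructed Python example added here. It is not Mandiant code and does not reproduce any vendor's model; the sensor events, evidence weights, escalation thresholds and asset priorities are all assumptions made up for illustration. Each event is attributed to a source host, events from different sensors accumulate into one investigation per host, the investigation escalates only when the combined evidence crosses a threshold and at least two sensor types corroborate it, and a later lateral-movement event widens the scope of the existing escalation instead of opening a new alert.

```python
"""Constructed example (not Mandiant code): correlating raw sensor events into a
scoped investigation, beside a single boolean SIEM-style rule.

Every event, weight, threshold and asset priority below is made up for
illustration; no real telemetry or vendor model is reproduced here."""
from dataclasses import dataclass, field

# Assumed evidence weight per event kind (illustrative values).
EVENT_WEIGHT = {
    "office_spawned_powershell": 3,    # EDR: winword/excel launched powershell
    "dns_newly_registered_domain": 2,  # proxy: lookup of a days-old domain
    "outbound_to_uncommon_port": 2,    # firewall: egress to a non-web port
    "lateral_smb_logon": 3,            # EDR: SMB logon to another host
}
ESCALATE_SCORE = 6        # assumed total weight needed before escalation
MIN_DISTINCT_SENSORS = 2  # and corroboration from at least two sensor types

# Assumed company context: which hosts matter most, used for prioritisation.
ASSET_PRIORITY = {"srv-01": 3, "ws-042": 2, "ws-117": 1}

# Constructed sample events from proxy, EDR and firewall sensors, in time order.
SAMPLE_EVENTS = [
    {"ts": 1, "sensor": "proxy",    "host": "ws-042", "kind": "dns_newly_registered_domain"},
    {"ts": 2, "sensor": "edr",      "host": "ws-042", "kind": "office_spawned_powershell"},
    {"ts": 3, "sensor": "firewall", "host": "ws-042", "kind": "outbound_to_uncommon_port"},
    {"ts": 4, "sensor": "edr",      "host": "ws-117", "kind": "office_spawned_powershell"},
    {"ts": 5, "sensor": "edr",      "host": "ws-042", "kind": "lateral_smb_logon", "target": "srv-01"},
]


def siem_rule(event):
    """Boolean SIEM-style rule: fires on every Office->PowerShell event in isolation."""
    return event["sensor"] == "edr" and event["kind"] == "office_spawned_powershell"


@dataclass
class Investigation:
    """All events attributed to one source host, plus every host they have reached."""
    host: str
    events: list = field(default_factory=list)
    scope: set = field(default_factory=set)

    def add(self, event):
        self.events.append(event)
        self.scope.add(event["host"])
        if "target" in event:  # lateral movement widens the scope of the same case
            self.scope.add(event["target"])

    @property
    def score(self):
        return sum(EVENT_WEIGHT.get(e["kind"], 0) for e in self.events)

    @property
    def sensors(self):
        return {e["sensor"] for e in self.events}

    @property
    def escalated(self):
        return self.score >= ESCALATE_SCORE and len(self.sensors) >= MIN_DISTINCT_SENSORS

    @property
    def priority(self):
        return max(ASSET_PRIORITY.get(h, 0) for h in self.scope)


def correlate(events):
    """Stream events into per-host investigations and return them with a timeline.

    The timeline records each point at which an escalated investigation changed,
    so a downstream SIEM/SOAR sees one case whose scope grows, not separate alerts."""
    investigations = {}
    timeline = []
    for event in sorted(events, key=lambda e: e["ts"]):
        inv = investigations.setdefault(event["host"], Investigation(event["host"]))
        inv.add(event)
        if inv.escalated:
            timeline.append((event["ts"], inv.host, inv.score, inv.priority, sorted(inv.scope)))
    return investigations, timeline


def summarize(events):
    """Compare what the boolean rule alerts on with what correlation escalates."""
    rule_hits = [e["host"] for e in events if siem_rule(e)]
    investigations, timeline = correlate(events)
    escalated = sorted(h for h, inv in investigations.items() if inv.escalated)
    return {"rule_alerts": rule_hits, "escalated": escalated, "timeline": timeline}


if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    print("boolean rule alerted on:", result["rule_alerts"])  # both hosts, no context
    print("escalated investigations:", result["escalated"])   # only ws-042
    for ts, host, score, prio, scope in result["timeline"]:
        print(f"t={ts} {host}: score={score} priority={prio} scope={scope}")
```

Running it, the boolean rule alerts on both ws-042 and ws-117 with nothing to tell them apart, while correlation escalates only ws-042 once the proxy, EDR and firewall evidence lines up at t=3, then raises its priority and extends its scope to srv-01 when the SMB logon arrives at t=5. A production version would add a time window per investigation, deduplication of repeated events, and feedback from the analyst, none of which is shown here.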

We use an MSSP for frontline monitoring and triage. How is Mandiant Automated Defense different?

MSSPs face the same ‘people in front of a console’ constraint as any internal SOC. MSSPs narrow down the data their teams analyze using rules and sensor filters; in a 2021 survey, IDC found that 45% of security data is not analyzed because of sensor tuning. Furthermore, MSSPs escalate individual events that seem suspicious. Using Automated Defense with the same number of team members you have today, you improve your coverage and capacity and spend time only on vetted security incidents that have the data to back them up.

Where does Automated Defense fit in a SOC architecture?

Automated Defense is a SaaS offering delivered via cloud-based infrastructure. It reviews streaming data from network, endpoint and web filtering sensors to determine whether events and alerts are part of a broader security incident. The alert and event information is correlated with company context data and passed through data science models hosted in the cloud, with the added context of the latest relevant Mandiant threat intelligence. Over time, the incident is scoped with any significant new events and passed to your security analyst, who can provide feedback. If the organization uses a SIEM or SOAR solution, the incident can be passed to it and presented there for remediation.

For more information, download the Mandiant Automated Defense Architecture Paper. If you’d like to see how Automated Defense will fit into your SOC, reach out to schedule a demo.
