At Symantec, part of Broadcom Software, we know that if you work as a SOC analyst, you feel as if threat detection and response can be a never-ending race with a myriad of surprises around every corner.
That’s because there are too many alerts to follow and too much noise to cut through. Indeed, a recent survey estimated that the typical SOC sees more than 11,000 alerts per day. Even more challenging, most of these alerts must be processed manually by the SOC analysts.
With the recent need for employees to work from anywhere, SOC analysts need better visibility across their entire environment, from cloud applications, to the network, to the endpoint and beyond. At the same time, they need a way to understand today’s sophisticated threats, which too often unfold across different controls in the environment.
Ironically, detection is often complicated by the growing number of threat detection tools at the SOC’s disposal. There are now many sources for the SOC to track, and multiple consoles for the team to handle. Consequently, response to any threat alert can be delayed, and the early, critical steps to preventing or containing a breach can be hampered. As a result, SOC analysts face significant challenges: when they receive an alert from one product, they are forced to consult the consoles of multiple other control point security products to assess the alert’s validity.
Today, analysts have no other choice but to piece together alerts from multiple tools manually. To engineer more effective security, response times must be faster. Time is always of the essence. To buy that time, enterprises need a solution that extends visibility and correlates data from all the relevant sources – cloud and endpoint – that contain data about a cyber attack or ransomware threat.
The XDR solution
A new Symantec Endpoint Security (SES) Complete technology, Extended Detection and Response, or XDR, is the solution SOC analysts need. Although there is no single industry definition regarding XDR, Symantec Endpoint Security XDR correlates security data across control points and provides visibility and context into an incident from a single console.
Today, our SES Complete XDR ingests and analyzes threat data from Symantec’s CASB, CloudSOC, as well as from its Data Loss Prevention (DLP) and Secure Web Gateway (SWG) solutions. With these integrations, our XDR provides insight into data exfiltration, identity, network activity, unmanaged endpoints and user and entity behavior analytics (UEBA). This functionality allows SOC analysts to see the connecting points between threats and investigate those that appear suspicious. It significantly helps analysts cut through the noise and focus on the threats that could seriously impact the enterprise. In the future, our XDR will automatically prioritize alerts and extend automated response activities to other control points.
Extending the visibility SOC analysts need
Symantec XDR extends visibility into user activity on more than 40,000 cloud services. This visibility goes beyond EDR and covers user activities from managed and unmanaged endpoints and services – a capability that is critical to effective security in a post-Covid and work-from-home world.
Symantec XDR integrates EDR with multiple solutions across control points. Within a single console, telemetry from workstations, servers, mobile phones, tablets, email, web, network, and cloud is gathered, and analysts can view correlations and analysis of that data to gain deep insight.
CloudSOC, Symantec’s cloud access security broker (CASB), enables SOC teams to see all sorts of activities they could not view before, such as:
- A user failing to log in to Office 365.
- A user trying to log in from an unfamiliar country.
- A user attempting to download large amounts of sensitive data.
Also, Symantec’s XDR integration with its DLP solution gives SOC analysts the information to see if data exfiltration is part of the attack, and it provides insight into what is happening in real time.
It’s important to know that XDR is an evolving technology that is available for free to current Broadcom customers who already have SES Complete and CloudSOC. Customers with additional Symantec products, such as DLP and SWG, will realize even more visibility. Stay tuned for new versions that will be arriving in the next few months, including a major announcement at the June RSA Conference.
It’s past time to extend visibility, cut down on complex manual processes, and free our SOC analysts to do their jobs more effectively and efficiently. XDR provides the help they need.
Turbocharging your security program with XDR
Most security analysts are familiar with EDR. Some are familiar with NDR, but very few truly understand what Extended Detection and Response (XDR) brings to the table. Join us on March 31st at 1pm ET to find out more.