Making Sure Your XDR Platform Outlasts Your Adversaries + The very essence of an XDR platform is facilitating detection and response to persistent threats by collecting and analyzing data from different sources, with endpoints being the most dominant points of origin.
Collecting all the correct data, however, is only one part of the equation. Just as important is: how long will your data be available? Put another way, how important is it to be able to go back in time? And, indeed, how far back can you go?
While having a rich data supply is obviously a necessary condition for any effective XDR platform, the platform is only as good as the longevity of its data. Threat actors are patient adversaries, and your XDR platform needs to be able to out-wait your attackers. So, when it comes to data retention, just how long is long enough?
The Need for Data Retention
Here’s a typical statement from a Security Researcher about an incident he handled:
“I was working for a large multinational corporation at the time when we found we had Winnti in our network for over a year. We only found it because of a report that was released by a security vendor at the time, with IOCs.We only kept logs for three months, and we had no idea when the attack began. Finally, we found VPN login/location logs that were retained long enough that showed us a user was in the Middle East and logged out at the end of his workweek and that same night logged into the network from Africa.
After this incident, we purchased a SIEM and began planning for data retention. As often happens with SIEM projects, I left before that project was complete, and I’m not sure that even today they have more than a year worth of retention, as that company has 100Ks of end-point, which means A LOT of data.”
This is just one case, but it does hint that security teams often discover how much data retention they need only when they come face-to-face with threats that linger in their environments for long periods. For many of them, it’s a case of hindsight being 20/20.
Also, even large and resourceful corporations often choose not to invest in making sure they have the data they need for as long as they will need it.
The anonymous story above may remind readers of a recent chain of events around one of the most concerning campaigns of recent years: SUNBURST. After the attack was found, the related DNS calls published by CloudFlare showed that infections began as early as April 2020 and took eight months to discover.
More here.
Firma zum Thema
Fachartikel
Studien
Studie Cloud-Strategien: Von kleinen Schäfchenwolken zum Cumulus
IDC-Studie: 82 Prozent der deutschen Unternehmen nutzen die Cloud – umfassende Automatisierung der Workloads ist aber noch Zukunftsmusik
Studie zeigt 193 Millionen Malware-Angriffe auf Mobilgeräte von Verbrauchern im EMEA-Raum
2023 State of the Cloud Report
Trotz angespannter Wirtschaftslage: die Security-Budgets steigen, doch der IT-Fachkräftemangel bleibt größte Hürde bei Erreichung von Security-Zielen
Whitepaper
WatchGuard Internet Security Report: Enormer Anstieg von Endpoint-Ransomware, dafür weniger Netzwerk-Malware
5 Tipps für die SAP- und OT-Sicherheit: So haben Hacker keine Chance
Neuer Forrester-Report: Varonis als führender Anbieter von Datensicherheits-Plattformen ausgezeichnet
Arctic Wolf Labs Threat Report: Deutlicher Anstieg der erfolgreichen Fälle von Business-E-Mail-Compromise
Aufkommende Trends in der externen Cyberabwehr
Unter4Ohren
Die aktuelle Bedrohungsentwicklung und warum XDR immer wichtiger wird
Optimierung der Cloud-Ressourcen und Kosteneinsparungen in AWS
DDoS – der stille Killer
Continuous Adaptive Trust – mehr Sicherheit und gleichzeitig weniger mühsame Interaktionen
