Over the years, enterprises have been forced to add more and more point solutions that don't interoperate with each other in their relentless pursuit of securing their environments. This has reached a tipping point: instead of helping, the siloing of data has become a severe impediment to an analyst's ability to coherently understand what is happening across all of these sources. XDR platforms are emerging as a solution to this problem by acting as a "unified security incident detection and response platform" (Gartner).
By fusing data and functionality from today's independent platforms such as EDR, NDR, and SIEM, an XDR alleviates the challenges analysts face. In providing a unified view across all of these data sources, including logs, endpoint and network data, XDR platforms can run analytics and machine learning on top to combine and correlate weak signals from multiple sources into stronger signals for more effective threat detection.
At Kognos, we went one step further to form the industry's first relationship-centric autonomous XDR investigator. We believe it isn't enough to just analyze all of these events; it is imperative to understand the relationships between these events in order to cumulatively analyze the relationship the attacker is forming with your infrastructure and generate the complete campaign of a given attack.
The Kognos security platform is a relationship-centric XDR platform. Instead of looking at raw events, the Kognos platform looks to forge relationships between events from existing EDR, NDR, SIEM, and other telemetry sources into enterprise-wide relationship graphs.
The Kognos platform then continuously monitors billions of these relationships to hunt for suspicious activities and anomalies. Once something is detected, we use an AI-powered inquiry engine to ask thousands of forensic questions per second, mining these relationships by going back and forward in time to autonomously track malicious users or external actors throughout the network. All the evidence found in this process is fused together by our novel story generation engine to form easily understandable campaigns and timelines of the entire attack, allowing analysts to respond in real time.
The standard XDR uses events to look for suspicious behavior, but most events in isolation are inherently weak signals and will only produce a deluge of alerts if the system triggers on them. As a result, these systems tend to rely heavily on high-strength signals to generate alerts in order to keep false positives under control. However, most sophisticated attackers are smart enough to evade some of these detections and rely on much more subtle techniques that are harder to find.
The only way to bubble up these threats is to use relationships, rather than events, as the foundational data. This allows the system to evaluate the entire relationship an attacker is forming within the infrastructure, and thereby to move back and forward in time to holistically look for suspicious behaviors. Additionally, the system can understand and visualize the attacker's entire session or campaign, as opposed to generating alerts that analysts have to investigate in order to piece together the complete story. The power of relationships allows the system to understand the full scope and impact of the attack and easily enumerate the list of compromised devices, suspicious processes, suspicious external domains, etc.
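To make the relationship-centric idea concrete, here is an added example (written for this page, not Kognos's code) that builds an entity graph from a handful of constructed EDR, NDR and SIEM records, then walks the graph from one weak signal in both directions in time to recover the connected campaign. The event schema, the entity naming, the `.corp.test` internal-domain suffix and the hop bound are all assumptions made for the illustration.

```python
from collections import defaultdict, deque

# Assumed convention for this example: anything not under this suffix is "external".
INTERNAL_SUFFIX = ".corp.test"

# Constructed sample telemetry (not real data). Each record is a normalised event
# from a hypothetical EDR, NDR or SIEM feed; "ts" is seconds on a shared clock.
EVENTS = [
    {"ts": 100, "src": "edr", "type": "process_start", "host": "ws-01", "user": "alice",
     "parent": "outlook.exe", "ppid": 400, "child": "winword.exe", "pid": 412},
    {"ts": 110, "src": "edr", "type": "process_start", "host": "ws-01", "user": "alice",
     "parent": "winword.exe", "ppid": 412, "child": "powershell.exe", "pid": 437},
    {"ts": 120, "src": "ndr", "type": "dns", "host": "ws-01", "pid": 437,
     "process": "powershell.exe", "domain": "updates.example-cdn.test"},
    {"ts": 130, "src": "ndr", "type": "conn", "host": "ws-01", "pid": 437,
     "process": "powershell.exe", "domain": "updates.example-cdn.test"},
    {"ts": 200, "src": "siem", "type": "logon", "host": "srv-db-01", "user": "alice",
     "from_host": "ws-01"},
    {"ts": 210, "src": "edr", "type": "process_start", "host": "srv-db-01", "user": "alice",
     "parent": "services.exe", "ppid": 600, "child": "cmd.exe", "pid": 618},
    # Unrelated benign activity on another workstation; must stay out of the campaign.
    {"ts": 300, "src": "edr", "type": "process_start", "host": "ws-07", "user": "bob",
     "parent": "explorer.exe", "ppid": 900, "child": "chrome.exe", "pid": 955},
    {"ts": 310, "src": "ndr", "type": "conn", "host": "ws-07", "pid": 955,
     "process": "chrome.exe", "domain": "intranet.corp.test"},
]


def build_graph(events):
    """Turn raw events into an undirected entity graph.

    Nodes are entities (host, user, process instance, domain); every edge
    carries the event that created it, so a traversal can be replayed as a
    timeline in either direction.
    """
    graph = defaultdict(list)

    def link(a, b, ev):
        graph[a].append((b, ev))
        graph[b].append((a, ev))

    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ("host", ev["host"])
        if ev["type"] == "process_start":
            # Process identity = host + name + pid, so same-named binaries on
            # different hosts are distinct entities.
            parent = ("process", ev["host"], ev["parent"], ev["ppid"])
            child = ("process", ev["host"], ev["child"], ev["pid"])
            link(parent, child, ev)
            link(child, host, ev)
            link(child, ("user", ev["user"]), ev)
        elif ev["type"] in ("dns", "conn"):
            proc = ("process", ev["host"], ev["process"], ev["pid"])
            link(proc, ("domain", ev["domain"]), ev)
        elif ev["type"] == "logon":
            # A remote logon relates the source host, the account and the target host.
            link(("host", ev["from_host"]), host, ev)
            link(("user", ev["user"]), host, ev)
    return graph


def investigate(graph, seed, max_hops=8):
    """Breadth-first walk from one weak signal, collecting every related entity.

    Because edges are undirected, the walk moves backward (to the parent chain
    that spawned the process) and forward (to the later logon and the processes
    it produced). max_hops bounds the blast radius of hub nodes such as users.
    """
    seen = {seed}
    queue = deque([(seed, 0)])
    evidence = {}  # id(event) -> event, deduplicates multi-edge events
    while queue:
        node, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for nbr, ev in graph.get(node, []):
            evidence[id(ev)] = ev
            if nbr not in seen:
                seen.add(nbr)
                queue.append((nbr, depth + 1))
    return {
        "hosts": {n[1] for n in seen if n[0] == "host"},
        "users": {n[1] for n in seen if n[0] == "user"},
        "processes": {f"{n[1]}:{n[2]}" for n in seen if n[0] == "process"},
        "external_domains": {n[1] for n in seen
                             if n[0] == "domain" and not n[1].endswith(INTERNAL_SUFFIX)},
        "timeline": sorted(evidence.values(), key=lambda e: e["ts"]),
    }


if __name__ == "__main__":
    # Seed from a single NDR observation of an unfamiliar domain.
    report = investigate(build_graph(EVENTS), ("domain", "updates.example-cdn.test"))
    print("compromised hosts:", sorted(report["hosts"]))
    print("suspicious processes:", sorted(report["processes"]))
    print("external domains:", sorted(report["external_domains"]))
    for ev in report["timeline"]:
        print(ev["ts"], ev["src"], ev["type"], ev["host"])
```

Starting from nothing more than one DNS lookup, the walk reaches back to the mail client that spawned the document that spawned the shell, and forward through the account's logon to the second host and the process started there, while the unrelated browsing on `ws-07` is never touched. In production the same traversal would also be constrained by time windows, edge types and risk scores rather than by a flat hop count, since shared users, hosts and internal services are hubs that otherwise pull the whole enterprise into one component.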
A primary focus of XDR platforms is to unify all the data into a single data lake to do analytics. While this is easy for greenfield deployments, it’s extremely hard for environments that already have SIEM, EDR, NDR, or other solutions deployed, security teams trained on administering them, and a collection of rules and processes in place.
At Kognos, we realized this, and instead of pulling all data into a single data lake, we forge relationships across data from different sources autonomously and on the fly. The data remains primarily within the existing tools, and only the subsets needed for analysis are pulled in as required. This allows customers to protect their existing investments and still get the benefit of a relationship-centric autonomous XDR investigator platform.