Understanding XDR: A Brief Glimpse Through the Lens of Enterprise Data

By Trellix · April 28, 2022
This blog was written by Aparna Rayasam

Data is the lifeblood of your enterprise – and ours, for that matter. I’m amazed at how often this simple truth is obscured in the battle fog of cybersecurity risk management. I’m also passionate about how XDR is a game-changer in data loss prevention (DLP).

If you’re reading this blog, then we speak the same language. You’re an IT leader or a SecOps team member. Somewhere in the first paragraph of your job description (and mine) is a sentence or phrase assigning you responsibility for protecting the rivers of data that sustain nearly every facet of your organization’s operations.

There are currently 21 billion devices connected to the internet at any given time. That could be 21 billion opportunities for a data breach or other incident to happen. With increased attack surfaces and vulnerabilities in the era of work-from-home, a SOC team needs more than just the right tools to do the job. They need to be able to apply imagination to the work with the tools for optimal protection.

Imagination? Absolutely. Einstein considered it even more important than knowledge. And it’s imagination that lies at the heart of Trellix XDR and our data loss prevention suite.

Let’s get the basics out of the way

You and I know that a strong DLP suite is critical to your enterprise. A good DLP solution monitors and discovers threats to protect your assets from malicious intent or inadvertent loss or damage.

This year, specific sensors were added across the Trellix product lines to augment the defensible components based on the adversary’s behaviors and breach patterns used in ransomware campaigns.

According to Gartner, DLP can be defined as tools that inspect content and contextually analyze data in any state. These tools automatically execute responses based on rules and policies set to limit the risks of inadvertent or malicious exposure or leak of data outside its authorized motion channels.

As a member of your organization’s IT, information security or cybersecurity team, you’re charged with protecting data on a network or endpoint in each of its forms: at rest, in use, and in motion. As background for any reader without an IT background:

• Data at rest is data not actively moving from one point to another, but stored in some fashion, such as on a hard drive or cloud storage device. Protecting data at rest requires securing the data stored on a network or on a device.
• Data in use is data that is being actively worked with, such as an open spreadsheet or an email being drafted.
• Data in motion is data that is moving from one location to another, for example, through a private network or across the internet. Protecting data in transit means guarding the data as it travels, which is crucial since data is typically less secure when moving.

The critical value of visibility

Taken together, these three data classifications – at rest, in use, and in motion – call for protection in a DLP suite. Given that every enterprise deals with enormous volumes of data, the biggest challenge your enterprise has is visibility: knowing what to protect, even before establishing that protection. Once your enterprise or SecOps team understands this environment, they can create appropriate rules and policies. You and your team need to be in the “driver’s seat.” That’s a critical tenet for all of us at Trellix and it’s why Trellix solutions include network and endpoint monitoring so that you, as a practitioner or policymaker, can make the best decisions for your enterprise.

Five ways DLP works in an XDR ecosystem

Let’s talk about the Trellix ecosystem – because it checks so many boxes in data protection and allows practitioners to tailor it to their needs. Their imagination is the limit. The Trellix platform includes endpoint security, network security, DLP, and SIEM, all interacting and sharing intelligence in an interlocking ecosystem. DLP is a key component of XDR because it provides intelligence in addition to protecting an enterprise’s data, its most valuable asset. DLP works in several ways.

1. The DLP Capture engine adds value by collecting information regarding sensitive data. DLP Capture conducts two types of searches on captured content: forensic investigation and rule tuning.
   • Forensic investigation is exactly what it sounds like – looking for keywords in files (including file names), emails, message attachments, and headers using either exact or partial matches, and identifying from which users this data is coming. This allows a practitioner to search for and find sensitive data that is out of place.
   • Rule tuning analyzes captured data rather than active data so a practitioner can edit the rule until the capture engine returns the required results, without affecting live data analysis.
   Before rule tuning, searches and captures required trial and error, then deployment. Now practitioners have the capability to quickly and efficiently alter the rules in a capture search to get the information they need in shorter time, with more accurate results.
2. The DLP discover component scans network file systems and databases to identify and protect sensitive files and data. Discover is not limited to keyword searches – it can extract data from picture files for sensitivity according to enterprise rules. It can then remediate these files according to those rules, by encrypting them in situ, moving them to an encrypted storage point, or assigning the file a fingerprint. In the event of a data leak, that fingerprint allows you or your practitioners to identify which files have been moved.
3. Endpoint DLP is device monitoring and control: Think USB drives, USB-C, mobile phones or tablets – really any device connected to laptops, desktops, or servers. Files and removable media protection (FRP) protocols can be integrated with endpoint DLP to protect data. For example, it can enforce a rule that a USB drive with sensitive information could be opened only on an enterprise machine and not a personal one.
4. Database security is customizable and able to be programmed to stay in compliance with applicable laws (e.g., GLBA or GDPR). The database security app automatically checks to be sure that all relevant patches have been installed in a timely manner. It can flag any nodes needing updates and alert the systems administrator. Patches can be completed instantly, without pulling a database offline for three hours in the middle of the night. The database security app monitors transactions in real time and identifies whether all installations are up to date. Those two processes together help identify malicious activity.
5. Finally, DLP can greatly assist in IR (incident response) by providing intelligence to ascertain what data has been compromised. When combined with any applicable anomalous user behavior analysis, this provides a basis for a more efficient IR workflow and makes the response team’s job easier when (not if) your next data breach occurs.

With Trellix and XDR, your data is secure

With 4.7 billion global internet users, and a cyber attack every 40 seconds, it’s critical that your enterprise’s data is protected. A strong DLP suite guards your enterprise’s data and helps IR teams respond to breaches. And that’s vitally important to your bottom line. Our integrated Trellix platform brings artificial intelligence, machine learning, automation, device monitoring, and database security together in one place to protect your data in all its states, wherever and whenever it is at rest, in use, or in motion. And for all these reasons, DLP helps make XDR a transformational game-changer.