Cortex XDR 3.3: Redefining SecOps with Global Analytics & Event Forwarding

May 16, 2022
6 minutes

Outpacing adversaries requires constant innovation. If we, as defenders, stand still, we invite threat actors to develop techniques to bypass our defenses. To stay ahead of quickly evolving threats, we must continually update our security with groundbreaking features that simplify operations and stop attacks in new and unexpected ways.

Since our monumental Cortex XDR 3.0 release last August, we have added a wealth of capabilities that take your security operations to the next level. With Cortex XDR 3.1, we expanded your data universe with out-of-the-box data collectors and cloud inventory capabilities. Cortex XDR 3.2 put threats on ice with cold storage.

Our Cortex XDR 7.7 Agent release introduced a much-anticipated user-space agent for Linux, which runs entirely in user space as an alternative to our existing Linux kernel-space agent. It also extended a powerful Java anti-exploit module to Windows endpoints, fortifying your endpoints and cloud workloads against vulnerabilities such as Log4Shell and SpringShell.

Elevate Detection and Response with Cortex XDR 3.3

The drumbeat of innovation continues with Cortex XDR 3.3. Adding over thirty new features, this release dramatically improves security operations and endpoint agent management. Now, it’s easier than ever to hunt for threats, integrate data from even more sources, and monitor and control your endpoints.

Key features in Cortex XDR 3.3 include:

  • Global Analytics
  • Event Forwarding
  • CIS Benchmarks
  • Expanded Data Collection
  • Enhanced Endpoint and Policy Management

Harness the Power of Cross-Customer Insights with Global Analytics

Stopping supply chain attacks, like the SolarStorm attack, isn’t easy. If adversaries compromise a software vendor, they can insert malicious code into the vendor’s trusted and signed application. Crafty adversaries can bypass defenses by avoiding the use of known indicators of compromise (IoCs) and attack techniques.

With this in mind, how do we detect when good software goes bad? With Global Analytics, we’re applying machine learning and cross-customer insights to tackle this intractable challenge.


When threat actors execute supply chain attacks, they typically try to stay under the radar. Rather than broadly attacking all clients of a compromised software vendor at once, they will carefully select their victims. With Global Analytics, Cortex XDR can identify these attacks by detecting when the behavior of signed applications deviates from the behavior observed by the same application in peer environments.

How does Global Analytics work? It all starts with the endpoint. The Cortex XDR agent continuously monitors endpoint behavior, collects granular process data, and sends this data to the cloud-based Cortex XDR application. The Cortex XDR application automatically analyzes this data to generate behavioral profiles of signed processes for each customer. Profiles include which domains and IP addresses a process accessed, which protocols and ports it used, which modules it dynamically loaded, and much more.

If Cortex XDR detects aberrant process behavior for a subset of customers, it will automatically generate an alert. For example, if an accounting software application suddenly starts dialing out to a new IP address using an unusual port, and Cortex XDR observes this behavior in only a small percentage of the Cortex XDR tenants that have deployed the accounting software, it automatically triggers a low-global-prevalence behavior alert.

Global Analytics can detect supply chain attacks, as well as additional techniques used by attackers, such as DLL side-loading, rootkit-based thread injection, zero-day exploits and more. Global Analytics allows Cortex XDR to detect extremely sophisticated attacks automatically with machine learning, cross-customer intelligence, and insights.
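To make the prevalence idea concrete, here is an added illustration in Python. It is not Cortex XDR code and not how Palo Alto Networks implements Global Analytics; it only shows the shape of the logic described above: build a per-tenant behavior profile for each signed process from agent events, compute in what fraction of the tenants running that process each behavior appears, and flag behaviors seen in only a small share of those tenants. The event schema, the thresholds, and the tenant and process names are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical per-process behaviour record, roughly what an endpoint agent
# might report: which tenant saw which signed process do what.
@dataclass(frozen=True)
class ProcessEvent:
    tenant: str    # customer tenant that observed the event
    process: str   # signed executable name (signer omitted for brevity)
    kind: str      # behaviour category, e.g. "net" (connection) or "dll" (module load)
    detail: str    # e.g. "203.0.113.7:4444" or "msvcrt.dll"

Behavior = Tuple[str, str]
Profiles = Dict[str, Dict[str, Set[Behavior]]]

def build_profiles(events: List[ProcessEvent]) -> Profiles:
    """Per-tenant behavioural profile of each signed process:
    {process: {tenant: {(kind, detail), ...}}}."""
    profiles: Profiles = defaultdict(lambda: defaultdict(set))
    for e in events:
        profiles[e.process][e.tenant].add((e.kind, e.detail))
    return profiles

def global_prevalence(profiles: Profiles, process: str) -> Tuple[Dict[Behavior, float], int]:
    """Fraction of tenants running `process` in which each behaviour was seen,
    plus the number of tenants running the process."""
    tenants = profiles[process]
    counts: Dict[Behavior, int] = defaultdict(int)
    for behaviors in tenants.values():
        for b in behaviors:
            counts[b] += 1
    n = len(tenants)
    return {b: c / n for b, c in counts.items()}, n

def low_prevalence_alerts(events: List[ProcessEvent],
                          max_prevalence: float = 0.15,
                          min_tenants: int = 10) -> List[dict]:
    """Flag behaviours of a widely deployed process that only a small share of
    its tenants exhibit. `min_tenants` suppresses alerts for software deployed
    in too few tenants to have a meaningful baseline."""
    profiles = build_profiles(events)
    alerts = []
    for process in profiles:
        prevalence, n = global_prevalence(profiles, process)
        if n < min_tenants:
            continue
        for behavior, p in prevalence.items():
            if p < max_prevalence:
                affected = sorted(t for t, bs in profiles[process].items() if behavior in bs)
                alerts.append({"process": process, "behavior": behavior,
                               "prevalence": p, "tenants": affected})
    return sorted(alerts, key=lambda a: (a["prevalence"], a["process"], a["behavior"]))

# Constructed sample telemetry: 20 tenants run AcmeAccounting.exe with the same
# baseline behaviour; two of them also see an unusual outbound connection and
# one additionally loads an unexpected module. RareTool.exe is deployed in only
# eight tenants, so its odd behaviour has no baseline to compare against.
SAMPLE_EVENTS: List[ProcessEvent] = []
for i in range(1, 21):
    t = f"tenant-{i:02d}"
    SAMPLE_EVENTS += [
        ProcessEvent(t, "AcmeAccounting.exe", "net", "updates.acme.example:443"),
        ProcessEvent(t, "AcmeAccounting.exe", "dll", "msvcrt.dll"),
    ]
for t in ("tenant-03", "tenant-11"):
    SAMPLE_EVENTS.append(ProcessEvent(t, "AcmeAccounting.exe", "net", "203.0.113.7:4444"))
SAMPLE_EVENTS.append(ProcessEvent("tenant-03", "AcmeAccounting.exe", "dll", "helper.dll"))
for i in range(1, 9):
    SAMPLE_EVENTS.append(ProcessEvent(f"tenant-{i:02d}", "RareTool.exe", "net", "vendor.rare.example:443"))
SAMPLE_EVENTS.append(ProcessEvent("tenant-05", "RareTool.exe", "dll", "odd.dll"))

if __name__ == "__main__":
    for a in low_prevalence_alerts(SAMPLE_EVENTS):
        print(f"{a['process']}: {a['behavior']} seen in {a['prevalence']:.0%} "
              f"of tenants ({', '.join(a['tenants'])})")
```

Two alerts come out for AcmeAccounting.exe (the module load at 5% and the connection at 10%), while the baseline behaviours at 100% and everything about RareTool.exe stay silent; lowering `min_tenants` to 5 surfaces the RareTool.exe module load as well, which is the trade-off between coverage of less common software and false positives from thin baselines.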

Stream Data to the Storage Solution of Your Choice with Event Forwarding

With Cortex XDR 3.3, you can forward Cortex XDR event logs, including endpoint data, to third-party security or log management solutions. While Cortex XDR has allowed you to forward alerts, audit logs, and management events since its inception, our new Event Forwarding option lets you send raw endpoint event data and parsed network, cloud, and third-party events to external storage platforms.

Whether you want to integrate Cortex XDR telemetry with data stored in your security information and event management (SIEM) platform, or you’d like to analyze event data in your scalable data lake, our new Event Forwarding option has you covered.


Understand Risk Levels and Configuration Weaknesses with CIS Benchmarks

Developed by the Center for Internet Security (CIS), CIS Benchmarks are globally recognized standards for safeguarding systems and data. CIS Benchmarks provide best practices and more than one hundred configuration guidelines for securing systems against attacks.

Cortex XDR now includes CIS Critical Security Controls for Linux, Docker, and Kubernetes platforms. A new Cloud Compliance dashboard displays compliance rates and violation information based on CIS Benchmarks. It also offers detailed context on misconfigurations to help you quickly remediate issues.


Cortex XDR Cloud Compliance Dashboard

Broaden the Scope of Investigations with Expanded Data Collection

Cortex XDR 3.3 introduces new, out-of-the-box data collectors for Google Workspace, Apache Kafka and Palo Alto Networks IoT Security data that let you extend hunting and investigations to more data sources than ever before. This release also enhances the existing Microsoft Office 365 and Workday data collectors and adds additional log ingestion formats for the Files and Folders Collector and the FTP Collector.

Up-level Endpoint Management with Enhanced Policies and Management Options

To simplify operations, ease management, and improve access controls, Cortex XDR supports an array of new endpoint policy and administration features. With Cortex XDR 3.3, you can:

  • Filter, group, and search for endpoint agents with a new endpoint tagging feature.
  • Easily identify agents with outdated security content and generate tokens on demand when a password token is required to perform an action on the agent.
  • Import and export endpoint policies and profiles to apply consistent policies across multiple tenants.
  • Control which endpoint group policies and profiles your Cortex XDR users can manage with scope-based access control (SBAC).

For a complete list of new capabilities in this feature-packed release, see the Cortex XDR 3.3 release notes.


Hear Best Practices, Insights, and Tales from the Trenches at Symphony 2022

Save your seat now for Symphony, our annual Cortex user conference! During this year's virtual event, SecOps practitioners will share tips to improve threat hunting and investigation skills, and more. Hear from the brightest minds in cybersecurity, including our Chief Product Officer Lee Klarich and special guest speaker Brian Krebs.

