Cortex XDR 3.4: Elevating SecOps with SmartScore & Single Sign-on

Aug 03, 2022

Since its inception, Cortex XDR® has set the bar for security, visibility and ease of use. Features introduced over the past year provide the enterprise-grade management, scale and security efficacy required to protect the most demanding environments in the world. And, with our new Cortex XDR 3.4 and Cortex XDR Agent 7.8 releases, we have raised the bar again.

Key innovations in Cortex XDR 3.4 and Agent 7.8 include:

  • SmartScore incident scoring
  • Single sign-on integration
  • Tagging in alerts and incidents
  • Forensics memory collection
  • File system scanning for Linux
  • Anti-webshell and credential gathering protection

Let’s dive in and take a deeper look at these new capabilities.

SmartScore Incident Scoring Powered by Machine Learning

Every second counts when responding to an incident, but with the average SOC team receiving over 10,000 security alerts each day, many teams don’t know which alert to investigate first. While Cortex XDR groups related alerts into incidents, cutting the number of individual alerts to review by up to 98%, analysts still need clear guidance on which incidents pose the greatest risk.

Eighteen months ago, Cortex XDR added manual incident scoring. Manual incident scoring lets you prioritize incidents based on asset sensitivity or alert attributes. However, we didn’t stop there. We wanted to develop a scoring engine that applied machine learning and analytics to automatically identify high-risk incidents.

Our new SmartScore scoring engine extracts various attributes from incidents, including the types of alerts in the incident, the combination of alerts, malicious artifacts in alerts such as malware, and whether suspicious activities were blocked. SmartScore’s machine learning algorithms not only examine the artifacts themselves, but also inspect contextual attributes like whether the file is dropped into a temporary directory or executed by an interesting process. It also examines how your organization and your peers resolved similar incidents in the past. Drawing on cross-customer insights and machine learning, incident scoring lets your analysts focus on the threats that matter most for swift triage and response.

 

Want to learn more? Check out our in-depth analysis of SmartScore incident scoring.

Single Sign-on Integration for Enhanced User Management

You can now use the identity provider of your choice to authenticate to the Cortex XDR management console. While we supported dual-factor authentication prior to Cortex XDR 3.4, we wished to simplify user management, broaden multifactor authentication options, and provide a consistent experience to Cortex XDR users.

Our new single sign-on capability makes it easy for administrators to provision users and enforce authentication policies. Your users can log in with their standard corporate credentials, and your administrators can centrally manage access rights through your identity provider.

Cortex XDR supports any SAML 2.0-compatible identity provider for single sign-on, including Okta, Azure AD and Ping ID.

 

 

Tagging in Alerts and Incidents for Simplified Investigations

Your team can accelerate incident analysis and gain valuable context for investigations with tagging in alerts and incidents. The new tagging feature lets you search, filter and group alerts and incidents based on endpoint, endpoint group, and data source tags.

This capability extends a feature we added in our Cortex XDR 3.3 release, which allows you to tag your endpoints and data sources. Now your tags are visible in the alert and incident views in a new ‘Tag’ column.

The tags can be searched per type and across all types, helping you assess the scope of an attack, find threats targeting assets tagged as sensitive and speed investigations.

Forensics Memory Collection 

Adversaries are crafty, building malware that operates in memory, without writing malicious files or configuration data to disk. During these attacks, adversaries can load malware functionality on the fly over the network. Unfortunately, forensics experts can struggle to piece together attacks without critical details from volatile memory.

In our latest release, Cortex XDR Forensics addresses this challenge with memory image collection. Cortex XDR can gather full memory images, including kernel and user space memory, to expose adversaries’ tactics and techniques in memory-only attacks. Memory data collection supports remote and offline memory imaging.

Anti-Webshell and Credential Gathering Protection

The Cortex XDR Agent 7.8 provides our most complete threat prevention stack ever.

We’ve enhanced our webshell and credential gathering protection with two new behavior-based security modules that augment existing defenses against these pernicious threats.

The anti-webshell module prevents attempts to write webshell files to disk based on the context of the process saving the webshell. Analysis of past web server attacks reveals a set of steps adversaries take to create webshells after exploiting web vulnerabilities. The anti-webshell module cuts the risk of successful webshell installation by analyzing multiple attributes and behaviors of the process attempting to create the webshell.

The credential gathering protection module blocks a broad set of credential-based attacks, including attempts to extract credentials by reading or dumping LSASS memory. The module also blocks Kerberos ticket injection, DCSync attacks, Chrome password and cookie theft, and more, preventing adversaries from increasing their realm of control, moving laterally, and accessing sensitive data.

These new modules are available for Windows, Linux and macOS endpoints. You can enable, disable or set these modules to alert-only mode. You can also create exceptions per module or module rule for fine-grained policy control.

File System Scanning for Linux

With Cortex XDR 3.4, you can scan Linux endpoints for dormant malware through both scheduled and on-demand scans. If a system scan detects a malicious file, the Cortex XDR agent can remove the file before it attempts to harm your endpoint. You can select which directories to scan and configure the scan timeout period. File scanning complements our existing defenses that block malware before, during and after file execution on Linux endpoints.

For a complete list of new features, please see the Cortex XDR 3.4 and Cortex XDR Agent 7.8 release notes. Plus, be sure to attend our webinar, “Forward Together: Cortex XDR and Unit 42 MDR” on August 16.
