XDR – A Game Changer for Cybersecurity

BrandPost By Wei Huang
Apr 06, 2022

As businesses flock to the cloud, a new approach to security is needed to combat emerging threats.


In the last decade, we’ve seen a proliferation of threat detection and response tools, each trying to keep ahead of constantly evolving cyber threats. With business functions being moved to the cloud and the remote workforce on the rise, detection and response are not trivial tasks.

Organizations have taken a multi-layered approach with solutions and services that span Next-Generation Firewall (NGFW), Endpoint Detection and Response (EDR), Secure Email Gateways, SIEM, and Threat Intelligence, just to name a few. Unfortunately, while these control points provide a degree of detection and response, they still fall short.

  • As siloed solutions, their data contains only a portion of the context needed to understand the threat landscape, leading to high-risk blind spots.
  • The detection and response are reactive. Simply put, the solution is alerting you to look for the compromised host, but you’ve already been breached.

For an effective, holistic security posture, you need a solution that can aggregate telemetry from all these control points, analyze it, and report and automatically respond to identified threats. This is called Extended Detection and Response (XDR).

XDR expands visibility into security alerts and raw data across all security telemetry, then applies analytics, automation, and machine learning to detect, analyze, hunt, and stop threats and breaches.

The following factors set Anomali’s XDR solution apart.

Agentless collection at unlimited volumes

With burgeoning hosts and devices across an organization, an agentless approach is key to effective telemetry collection. By collecting events from all control points, XDR can eliminate the need for locally installed agents. Agentless alternatives not only allow telemetry to be quickly and seamlessly integrated into XDR platforms, but they also eliminate limits on the volume of telemetry that can be ingested.

With the ability to ingest telemetry from hundreds of control points, millions of endpoints, and public clouds, Anomali XDR covers the largest extended telemetry spectrum of any security solution on the market.

High-performance analytics and insights

Anomali XDR correlates telemetry at warp speed against the largest threat intelligence repository, using machine-learning algorithms for predictive analysis and assigning a risk score to form a verdict and report a detection.

It can correlate telemetry with malicious threat indicators at 190 trillion correlated events per second, which makes it possible to correlate raw telemetry instead of being constrained by the limits of legacy security solutions. In addition, examining raw telemetry against ThreatStream allows Anomali XDR to identify threats that other security solutions may miss. Once a match is found, the analyst can get insights into the threat and affected hosts through Anomali XDR’s forensics tools.

Automated response

Similar to an immune system response, Anomali XDR can generate automatic response actions. Once a threat is detected and confirmed, XDR automatically forwards the machine-readable threat intelligence (MRTI) to the organization’s control points that can take actions to block, quarantine, apply patches, and so on.
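The two mechanisms described above (correlating raw telemetry against an indicator repository to produce a risk score and verdict, then turning a confirmed detection into machine-readable actions for the organization's control points) can be sketched in a few dozen lines. The following is an added example written for this article, not Anomali's own code or an Anomali API: the indicator format, the severity weights, the verdict thresholds, the control-point action names, and all telemetry and indicator values are constructed assumptions for illustration.

```python
"""Added example (not Anomali code): correlate telemetry from several control
points against a threat-intelligence indicator set, score each host, form a
verdict, and emit machine-readable response actions for control points."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Indicator:
    value: str       # the observable: an IP, a domain, or a file hash
    itype: str       # "ip" | "domain" | "sha256"
    confidence: int  # 0-100 feed/analyst confidence (assumed scale)
    severity: str    # "low" | "medium" | "high" | "critical"


# Assumed weights: how much a confident match of each severity contributes.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Which telemetry fields are compared against which indicator type.
FIELD_TO_ITYPE = {"dst_ip": "ip", "src_ip": "ip", "domain": "domain", "sha256": "sha256"}

# Constructed indicator set standing in for a threat intelligence repository.
INDICATORS = [
    Indicator("198.51.100.7", "ip", 90, "high"),
    Indicator("update-check.example", "domain", 70, "medium"),
    Indicator("0" * 64, "sha256", 95, "critical"),   # placeholder hash
]

# Constructed raw telemetry from proxy, DNS and EDR control points.
EVENTS = [
    {"source": "proxy", "host": "ws-0412", "dst_ip": "198.51.100.7", "domain": "update-check.example"},
    {"source": "dns", "host": "ws-0412", "domain": "update-check.example"},  # repeat sighting
    {"source": "edr", "host": "ws-0412", "sha256": "0" * 64},
    {"source": "dns", "host": "srv-db01", "domain": "intranet.example"},
    {"source": "proxy", "host": "ws-0907", "dst_ip": "203.0.113.5"},
]


def correlate(events, indicators) -> Dict[str, Dict[Indicator, List[str]]]:
    """Match every event field against the indicator index and group hits by host.
    A given indicator is recorded once per host, with the sources that saw it,
    so repeated sightings do not inflate the score."""
    index = {(i.itype, i.value): i for i in indicators}
    hits: Dict[str, Dict[Indicator, List[str]]] = {}
    for ev in events:
        for field, itype in FIELD_TO_ITYPE.items():
            ind = index.get((itype, ev.get(field)))
            if ind is not None:
                hits.setdefault(ev["host"], {}).setdefault(ind, []).append(ev["source"])
    return hits


def risk_score(matched: Dict[Indicator, List[str]]) -> float:
    """Confidence-weighted severity, summed over distinct matched indicators."""
    return round(sum(i.confidence / 100 * SEVERITY_WEIGHT[i.severity] for i in matched), 2)


def verdict(score: float) -> str:
    # Assumed thresholds; a real platform would tune these per environment.
    if score >= 3.0:
        return "malicious"
    if score >= 1.0:
        return "suspicious"
    return "benign"


def response_actions(host: str, matched, v: str) -> List[dict]:
    """Translate a confirmed (malicious) detection into actions a control point
    can execute: quarantine the host, and block each matched indicator where
    the relevant control point enforces it."""
    if v != "malicious":
        return []
    actions = [{"control_point": "edr", "action": "quarantine_host", "target": host}]
    enforce = {"ip": ("firewall", "block"), "domain": ("dns", "sinkhole"), "sha256": ("edr", "block_hash")}
    for ind in matched:
        cp, act = enforce[ind.itype]
        actions.append({"control_point": cp, "action": act, "target": ind.value})
    return actions


def run(events, indicators) -> Dict[str, dict]:
    """Per-host report for every host with at least one indicator match."""
    report = {}
    for host, matched in correlate(events, indicators).items():
        s = risk_score(matched)
        v = verdict(s)
        report[host] = {
            "score": s,
            "verdict": v,
            "matched": sorted(i.value for i in matched),
            "sources": sorted({src for srcs in matched.values() for src in srcs}),
            "actions": response_actions(host, matched, v),
        }
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(run(EVENTS, INDICATORS), indent=2))
```

Running the script reports only ws-0412, which matched all three indicators across proxy, DNS and EDR telemetry, scores 7.9, and is judged malicious; the two hosts with no matches produce no entry and no actions. The "sources" field is what lets an analyst see that the verdict rests on corroboration from several control points rather than a single feed hit.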

Incident management

Anomali XDR is designed for collaborative and collective incident management through intuitive tools and dashboards. It provides tools such as Investigations, which allows the analyst to record the initial findings, add supporting data, and assign the investigation to a group of security personnel who can take care of the compromised host(s) and secure the perimeter.

Proactive threat detection and response

Anomali XDR is not only about reactive response. We’ve identified cases where telemetry showed ransomware that was not yet known to many feed vendors and thus was not part of the generally available threat intelligence. However, with ThreatStream’s machine-learning models and attack pattern recognition algorithms, our threat behavior engines derived these threats and flagged them.

With the Anomali Platform, we capture high-level strategic threat intelligence: models, actors, campaigns, TTPs, and attack patterns. Based on known attack patterns and current threat detections, the Anomali Platform predicts and prevents future attacks, completing the full circle of threat detection and response. Learn how to prevent ransomware threats using the Anomali Platform here.

Wei Huang


As Chief Technology Officer, Wei Huang has over 20 years of experience building enterprise software in the security and data analytics industries. Wei was the architect of ArcSight Logger, one of the most successful security products created at ArcSight. He was instrumental in designing and building the ArcSight CORR-Engine, the big data platform with 10-to-1 data compression and 5X faster query performance than Oracle RDBMS. After the acquisition of ArcSight by HP, Wei took on additional responsibilities as Chief Technologist and led the technical direction and architecture for the ArcSight product line within the HP Enterprise Security portfolio.