Cortex XDR and MDR: The right balance of applied machine learning and the humans that aid it.

By Chris Yates

When I was young and learning to appreciate classic cars, I learned something very important about 1950s Chevrolet vehicles. There are features that distinguish the year models from one another and that can help you very quickly determine whether a particular car is a 55, 56, or 57 model. My dad pointed these differences out to me; to others they would be minor features. But if you want to figure out which year model Chevy you're looking at, these features become very important. I had to learn which fender flare, or lack thereof, was a 55 and which sloping body trim made it a 57, and I became adept at determining which year model I was looking at within a few seconds.

This learning process became instrumental for me when I began to work through how machine learning (ML) works, especially in the realm of cybersecurity. Machine learning in the realm of Endpoint Protection (EPP) was a new and questionable technology just a few short years ago, but it has now become widely accepted as the standard for protecting our computers from computer viruses.

If we want to be able to ask the machine "Is this file good or bad?", we must first train the machine with a significant amount of training data for which we already know the answer to the question, and let the machine figure out the features that make a file good or bad. This can take some time, and the models need to be updated continually, but the end result is a machine that is trained to look at files that have not been observed before and render a verdict very quickly based on the learning algorithms.

What do we do with this?  

What many organizations, like our partner Palo Alto Networks, have done is to find ways to combine Endpoint Protection tools, the best of which are currently ML-based, with other mechanisms such as Endpoint Detection and Response (EDR) tools, data from Next Generation Firewalls (NGFW), and other sources of security event information. The end goal is to feed all of this data into a data lake against which ML analytics algorithms run to determine whether something malicious is going on. There has been significant success in this effort, with many providers offering this toolset as XDR, or Extended Detection and Response.

XDR marks a major shift, as traditional security technologies (EPP, EDR, NGFW, etc.) are no longer considered effective without analytics and automation above and beyond what human operators can provide. Traditional technologies still perform their primary functions, but with the addition of ML they also provide valuable input as sensors, feeding data into the larger data lake that analytics run against to provide better context and protections. Palo Alto Networks calls this solution Cortex XDR™.

Even with increased automation and analytics, there are still cybersecurity problems that require human intervention and analysis, and most of the technologies that use machine learning currently have very specific tasks that require humans to provide the seed for the analytics and algorithms to function properly.

We need people focused on the problems that require people to solve them, leaving machines to do the heavy blocking and tackling of event handling and automation. This allows companies to move security analysts away from poring over logs and into higher modes of working and thinking that provide strategic business value and outcomes.
 
Companies can ensure that their employees are not overwhelmed by alerts from their tools by working with a Managed Detection and Response (MDR) provider, which provides alert resolution and the first level of human capability beyond XDR to make a comprehensive security program effective, scalable, and affordable. CRITICALSTART provides seamless integration with Cortex XDR™, backed by deep Palo Alto Networks experience and expertise. Our MDR service eliminates false positives at scale by resolving known-good behaviors. Driven by 24x7x365 human-led, end-to-end monitoring, investigation, and remediation of alerts, our on-the-go threat detection and response capabilities are enabled via a fully interactive MOBILESOC.
