Stronger Together: Why Critical Start MDR for Palo Alto Cortex XDR Makes the Best Better

Extended Detection & Response (XDR) is good. Really good. It’s a technology that automatically stitches together endpoint, network, cloud, and identity data into a single cohesive story — a story that can be read by analysts with the right expertise to understand warning signs of a breach and take direct action to mitigate threats.

But can XDR be made even better? Your organization may be considering a tool such as Palo Alto Networks® Cortex XDR™, or maybe you’re already using it, which makes this a very relevant and interesting question. Considering that tools such as Cortex XDR are highly complex, and the attack surfaces read by the technology are changing constantly, can a business really use it effectively with the internal resources that are on-hand? Can it attract and retain the talent necessary to manage something like Cortex XDR, align it with their other security tools, manage the volume of alerts coming from XDR, collect, correlate and forensically analyze data in real-time, define the right procedures for incident escalation, define the right triage and response actions—and finally—do this all within a reasonable budget?

Fortunately, they don’t have to. What if we told you there is a better way to operationalize Palo Alto Networks Cortex XDR and streamline your approach to detection and response? CRITICALSTART® Managed Detection and Response (MDR) service integration with Cortex XDR delivers a comprehensive combination of highly experienced analysts and operational process that helps your security team to quickly detect, investigate and respond to every alert, stopping the most advanced attacks and reducing risk, alert fatigue and analyst burnout.

Why MDR + XDR is a smart move

Working with the CRITICALSTART team means that incidents detected by Cortex XDR are investigated and acted on much more quickly than what a typical organization could do on its own. This is a team that can read the story that Cortex XDR has to tell. Internal resources, when faced with the overwhelming volume of alerts coming out of XDR, may focus only on critical- or high-priority alerts, putting investigations of medium- or low-priority alerts off for hours or even longer. But it is in that time that an attacker can move laterally in an environment and work toward accomplishing their objectives.

From tedious IOC management to optimized rules
A key feature of the MDR service for Cortex XDR is BIOC management. BIOCs are constantly published and updated. The process of publication and application of additional detections can be hard to manage and a full-time job, so we added this feature in the service for no added cost. The CRITICALSTART Threat Detection Engineering team enhances out- of-the box detection capabilities by developing and adding proprietary BIOCs and behavioral detections from curated threat intelligence, previous SOC investigations and external threat intelligence feeds.

CRITICALSTART can simplify the complexity of these alerts to turn turmoil into tranquility through its own Zero Trust Analytics Platform™ (ZTAP™) and Trusted Behavioral Registry™ (TBR). Working with a customer, good and trusted behavior can be identified and added to the TBR for automatic resolution. By resolving false positives quickly and at scale, our team can focus on untrusted behavior for triage and quick resolution.

Our approach to MDR can also help operationalize Cortex XDR for optimal outcomes. The CRITICALSTART® Cyber Research Unit curates original and third-party research and threat hunting and then uses that threat intelligence to develop and enrich new detections and Behavioral Indicators of Compromise (BIOCs) to provide additional value to Cortex XDR out-of-the-box detections and BIOCs. This team also maps detections to the industry-leading MITRE ATT&CK® framework to ensure our customers are protected against the latest Techniques, Tactics and Procedures (TTPs).  In short, we leverage our expertise to take on the complexity of ensuring sophisticated attacks are detected so you don’t have to.

Through ZTAP, all alerts, tickets, reports and full investigation details are consolidated into one location for complete visibility. With more than 99 percent of security alerts analyzed and resolved, the remaining average of 0.1 percent—the right alerts—remain for human investigation and response.

Speaking of human intervention, our human led investigation and response includes 24x7x365 end-to-end managed detection and response services delivered by highly trained and experienced, Cortex XDR certified analysts. Our analysts complete 300 hours of training during onboarding and another 40-80 hours annually. They would typically be considered L2 and L3 at competitors. Analysts work in a U.S.-based, SOC 2 Type 2 certified Security Operations Center (SOC) to investigate, escalate, contain and respond to threats.

See farther… with simplicity

We take the complex and make it simple through a powerful bi-directional integration between CRITICALSTART ZTAP and Cortex™ XSOAR to centralize your data, providing visibility to you through a “single pane of glass” to fit right into your existing workflows (set up in weeks, not months). Our approach is transparent by design. Unlike other MDR providers, we’ve crafted our ZTAP dashboard to enable you to see exactly what our SOC analysts see. This means you have complete visibility and access to every alert with full investigative details, including every action taken. The information provided is detailed enough for auditing and reporting. Beyond visibility into the service, we help extend your view to include your entire security ecosystem. You can better understand how your security tools are performing and confirm the return on these investments and the value of your MDR service.

Now here’s the best part:

CRITICALSTART’s industry leading MOBILESOC® can put all this visibility into the palm of your hand. This iOS/Android application enables you to communicate directly with analysts right from your mobile device. Utilize in-app responses and full details around investigations including data points collected, incidents resolved or escalated, and access to the playbook. You can triage and contain alerts from anytime and from anywhere. This mobile experience is especially appreciated by security managers and leaders who aren’t often at their desks.

Right on the bottom line

Finally, while MDR can definitively bring topline performance out of a tool such as Cortex XDR, your choice of vendors matters. Many MDR providers will not commit the value of their approach to hard metrics in writing. That’s why we prove the value of ZTAP with contractual SLAs for Time to Detect (TTD) and Median Time to Resolution (MTTR). Our guarantee is that we will triage every alert in minutes, with a 1-hour SLA. With something as important as the security of your business, you should expect nothing less than a partner that’s willing to commit to their performance in writing.


You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden

©2020 CRITICALSTART. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

CRITICALSTART® and MOBILESOC® are federally registered trademarks owned by Critical Start. Critical Start also claims trademark rights in the following: ZTAP™, Zero Trust Analytics Platform™, and Trusted Behavior Registry™. Any unauthorized use is expressly prohibited.