Making XDR Agnostic and Autonomous
Emerging XDR solutions from Kognos are shown to provide agnostic and autonomous protection for enterprise security teams.

When you decide to become a security industry analyst, someone should warn you about the acronyms. Just when I thought I’d decoded what an EDR was, along came NDR, and then along came ADR. So, I guess I wasn’t surprised when Palo Alto Networks, McAfee, and other commercial vendors just said the-hell-with-it, grabbed a wildcard, and started marketing XDR. I’m glad they did, because it saves valuable time for us busy analysts.

Kidding aside – this emphasis on XDR represents the reasonable view that detection and response are in fact the primary objectives whenever security analysts spend hours poring through terabytes of data searching for evidence of evil offensive campaigns. When you’re sitting there in the SOC worrying that hackers might have rotated the tires on your IT infrastructure, the last word in your vocabulary is prevention. So, I get it.

That said, the TAG Cyber team caught up this week with some old friends – a group of experienced security engineers we’ve known from RSA (Silver Tail), Juniper, and Intel – who now lead a start-up called Kognos. Led by Rakesh Nair and advised by our friend Paul McGowan, the Kognos team is developing their own version of XDR – and I have to say that what they are doing looks quite reasonable. Let me share what I learned:

“We have developed an autonomous XDR investigator,” explained Nair during our virtual conversation. “The platform provides analysts with an end-to-end view that provides deeper visibility into the paths taken by attackers. The goal is to eliminate the fatigue associated with so many alerts being processed by security teams. We are focused on doing the investigatory work of identifying and tracing an attack.”

Nair explained the Kognos platform in the context of relationships. He referenced these as the basic analytic primitives that allow for deeper and more effective parsing and interpretation of the reams of data collected in a typical SOC. After some discussion, it became clear that relationships enable Kognos to connect alerts and other data into a model of the overall attack campaign – also referred to by Kognos as a storyline.

We asked Kognos about their autonomous XDR and the answer focused on automation. “We’ve seen SOC analysts and hunters having trouble managing the enormous volumes of data, so our Kognos XDR Investigator was designed to generate leads automatically or consume alerts from other sources and investigate autonomously. Humans just cannot compete with machines when it comes to data mining, and we take advantage of this fact.”
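To make the two ideas above concrete (relationships between entities as the analytic primitive, and alerts from several sources being stitched together automatically), here is an added illustration. It is not Kognos code and does not describe their platform's internals; the alert records, source names and entity kinds (host, user, process, remote) are constructed for the example. Alerts that share an entity are linked into one storyline, each storyline is ordered in time, and storylines corroborated by more than one source are ranked first for the analyst.

```python
"""Illustrative alert-to-storyline correlation (added example, not Kognos code).

Relationships between entities are the primitives: any two alerts that share
an entity (same host, user, process, or remote address) belong to the same
storyline.  All alert data below is constructed sample input.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Entity = Tuple[str, str]  # (kind, value), e.g. ("host", "ws-17")

# Constructed sample alerts from hypothetical EDR, NDR and identity sources.
# Timestamps are ISO-8601 strings so they sort lexically.
ALERTS = [
    {"id": "A1", "source": "edr", "time": "2021-03-01T09:02:11Z",
     "title": "Office macro spawned a shell",
     "entities": {"host": "ws-17", "user": "j.doe", "process": "powershell.exe"}},
    {"id": "A2", "source": "ndr", "time": "2021-03-01T09:03:40Z",
     "title": "Beacon-like traffic to rare domain",
     "entities": {"host": "ws-17", "remote": "203.0.113.5"}},
    {"id": "A3", "source": "idp", "time": "2021-03-01T09:15:02Z",
     "title": "Sign-in from a new device",
     "entities": {"user": "j.doe", "host": "ws-42"}},
    {"id": "A4", "source": "edr", "time": "2021-03-01T11:40:00Z",
     "title": "Unsigned driver loaded",
     "entities": {"host": "srv-db-01", "user": "svc_backup"}},
    {"id": "A5", "source": "ndr", "time": "2021-03-01T09:20:30Z",
     "title": "Outbound transfer to the same rare address",
     "entities": {"host": "ws-42", "remote": "203.0.113.5"}},
]


class DisjointSet:
    """Union-find over alert ids; every set is one storyline."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)          # register unseen ids
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def entities_of(alert: dict) -> List[Entity]:
    return [(kind, value) for kind, value in alert["entities"].items()]


def build_storylines(alerts: Iterable[dict]) -> List[List[dict]]:
    """Link alerts that share an entity; return storylines in time order."""
    alerts = list(alerts)
    ds = DisjointSet()
    first_seen: Dict[Entity, str] = {}      # entity -> first alert carrying it
    for alert in alerts:
        ds.find(alert["id"])                # isolated alerts still get a set
        for ent in entities_of(alert):
            if ent in first_seen:
                ds.union(first_seen[ent], alert["id"])
            else:
                first_seen[ent] = alert["id"]
    groups: Dict[str, List[dict]] = defaultdict(list)
    for alert in alerts:
        groups[ds.find(alert["id"])].append(alert)
    storylines = [sorted(g, key=lambda a: a["time"]) for g in groups.values()]
    storylines.sort(key=lambda g: g[0]["time"])
    return storylines


def storyline_ids(alerts: Iterable[dict]) -> List[List[str]]:
    return [[a["id"] for a in s] for s in build_storylines(alerts)]


def linking_entities(storyline: List[dict]) -> List[Tuple[str, str, Entity]]:
    """For each alert after the first, the entity tying it to an earlier alert.

    This is the path an analyst would otherwise reconstruct by hand.
    """
    links: List[Tuple[str, str, Entity]] = []
    seen: Dict[Entity, str] = {}
    for alert in storyline:
        for ent in entities_of(alert):
            if ent in seen:
                links.append((seen[ent], alert["id"], ent))
                break
        for ent in entities_of(alert):
            seen.setdefault(ent, alert["id"])
    return links


def triage(alerts: Iterable[dict]) -> List[dict]:
    """Summarise storylines; those corroborated by several sources rank first."""
    summary = []
    for story in build_storylines(alerts):
        sources = sorted({a["source"] for a in story})
        summary.append({"alerts": [a["id"] for a in story],
                        "sources": sources,
                        "corroborated": len(sources) > 1})
    summary.sort(key=lambda s: (not s["corroborated"], -len(s["alerts"])))
    return summary


if __name__ == "__main__":
    for item in triage(ALERTS):
        print(item)
    print(linking_entities(build_storylines(ALERTS)[0]))
```

Five alerts from three tools collapse into two items for the analyst: one corroborated storyline (macro on ws-17, beacon from ws-17, the same user on ws-42, transfer from ws-42 to the same address) and one isolated endpoint alert. The linking entities are exactly the "relationships" the text refers to, and a real investigator would keep extending the graph with fresh telemetry rather than stopping at the alerts already raised.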

We also asked Kognos about their connection to endpoint security, since Palo Alto Networks, McAfee, and others have tended to focus on optimizing to their own endpoint solutions. “We can support many different endpoint security solutions, so we are basically agnostic. But we are especially proud of our recent integration with VMware Carbon Black. Their customers will find the Kognos platform to be comfortably pre-integrated.”

As analysts, we see many enterprise security solution offerings with this emerging XDR designation, so we are cautious before blogging about any one platform. But we were quite impressed with Nair’s lucid explanation of how Kognos is approaching this important aspect of SOC analysis and threat hunting. Combine that with the executive team’s experience and expertise, and we suspect this will be a successful offering.

If you work in the areas of security operations for an enterprise or government agency, or if you list threat hunter as your occupation, then it would make sense for you to contact Kognos and request a briefing and demo. The trend of automating security analysis is a good one, and the decision to make life simpler and easier in the SOC is sensible. As always, please share with us your experiences after you learn more about Kognos.

Stay safe and healthy.

Anil Bhavnani

Founder & CEO at RankSecure | National Distributor For Cybersecurity & Technology Solutions | Services: IT Audit, IT Security Assessments & Cyber Forensics.

4y

Thank you for the post. I wish Rakesh Nair the very best!

More articles by Edward Amoroso
