RSA added cloud-native analytics and machine learning engines to its NetWitness security platform to give its extended detection and response (XDR) offering an artificial intelligence (AI) threat-hunting boost.
NetWitness Detect AI’s machine learning algorithms can detect insider threats, brute-force authentication, and machine-operated activities. After analyzing data at scale, the cloud service alerts security analysts to high-priority threats, which helps alleviate alert fatigue and frees up the security team to focus on incident management, said Mike Adler, chief product officer at RSA. This builds on RSA’s existing analytics that are already available to on-premises customers, he added.
“One of the key areas that we really heard from customers is that building analytics engines in hardware is complicated and gives them one more thing to manage, and what they want is one less thing to manage,” Adler said. “Providing this as a SaaS service allows us to provide additional value on a regular basis, and customers don’t have to upgrade it. It simply moves forward as better analytics and as the data models are refined.”
NetWitness Detect AI is globally available now.
RSA NetWitness ‘Ahead of the XDR Curve’
XDR combines elements of security information and event management (SIEM), security orchestration, automation and response (SOAR), endpoint detection and response (EDR), and network traffic analysis (NTA) in a software-as-a-service (SaaS) platform to centralize security data and incident response. While XDR is a relatively new security space, RSA’s NetWitness platform, which started out as a U.S. government research project, has been around for a decade.
“We were ahead of the curve when it came to XDR, as we were talking about the evolution of threat protection in regard to our evolved SIEM approach,” Adler said. Several years ago, the vendor merged its original SIEM capabilities with its network forensics to create a threat detection and response platform, and then folded endpoint security into NetWitness, he explained.
In addition to having its own SIEM and SOAR, NetWitness also lets customers integrate with third-party vendors to provide these capabilities. Customers may “want the networking and threat detection capabilities with the response built in,” but they want to keep those separate from their existing SIEM investment, Adler said. “I have my legacy SIEM investment, but maybe I need a more modern platform to deal with these more modern attacks. So we’ve allowed customers to either expand their SIEM installation, or to get this as a layer on top of it to give them additional detection and response capabilities.”
XDR Competitive Landscape
The need for XDR has accelerated over the past year, as the COVID-19 pandemic coupled with remote learning and work has vastly expanded the threat landscape. And according to Enterprise Strategy Group, two-thirds of organizations expect to invest in XDR over the next six to 12 months. Almost half (48%) of those surveyed said they would be willing to replace individual security controls with integrated XDR platforms.
And when it comes to XDR platforms, enterprises have plenty of choices, as all of the major vendors, including Cisco, Palo Alto Networks, VMware, and Microsoft, have jumped into XDR. Last week alone, both Fortinet and McAfee added AI capabilities to their XDR platforms.
FortiXDR uses AI for threat response and threat investigations, which the vendor claims can fully automate security operations processes from detection to investigation and remediation.
And McAfee’s Mvision XDR platform uses that vendor’s analytics engine, Mvision Insights, to provide proactive security and, thus, prevent attacks from entering an organization’s environment. Mvision Insights pulls telemetry from all of McAfee’s sensors, third-party partners, and global threat intelligence to help companies proactively prioritize threats and mitigate risks.
“The key differentiator for us from an XDR perspective is our network forensics,” Adler said. “We aren’t just looking at netflow. We aren’t looking at logs from firewalls and proxy servers. We are actually using our history from network forensics and our deployments to look at the network packets themselves, and so we are able to actually deconstruct each session down to its individual packet layer to open up those packets.”