XM Cyber Attack Path Management and Microsoft Defender for Endpoint

Add context to reduce investigation time, protect critical assets and lower cyber risk

Integrating XM Cyber with Microsoft Defender for Endpoint (MDE) gives customers detailed information on potential attack paths that might result from a compromised system. By clearly identifying critical assets, the platform assists customers in fully understanding the potential impact of a breach and exactly what steps are required for remediation.

The combined capability improves visibility and lowers risk, helping customers prioritize security resources and focus on protecting their most critical assets.

The XM Cyber Attack Path Management platform continuously identifies new exposures and attack vectors, prioritizes the cyber risks that affect business-sensitive systems and provides context-sensitive remediation options. And it allows the security and IT operation teams to achieve higher security posture and operational efficiency by focusing and remediating the cyber risks allowing attackers to breach critical assets.

Working together, XM Cyber’s Attack Path Management with Microsoft Defender for Endpoint (MDE) gives customers the ability to rapidly respond threats as a result of having a deeper understanding of the risks to critical business systems, laser-focused prioritization of exposures, and contextsensitive, least-effort remediation reporting.

Give Your Teams the Information They Need When They Need it

Security and IT teams can often be overwhelmed with alerts and vulnerability reports. The question is where do they start? What activities will have the greatest impact on improving security? Which assets are at risk because of an incident?

XM Cyber in combination with MDE helps solve these key 7 challenges:

1. Analysts need more information about assets where MDE has identified an issue. When MDE alerts that a specific asset is at high risk, your security analyst can rely on XM Cyber’s Attack Path Management to provide additional information on criticality of that asset, what impact its compromise has on other assets in the network, as well as how to efficiently fix it.
2. Prioritization of remedial actions is difficult due to the quantity of potential alerts. XM Cyber helps analysts understand the criticality of alerts based on tagging within the XM Cyber Attack Path Management platform and the assets position relative to other attack paths.
3. Identifying the impact of lateral movement across the network is difficult. Using the attackers perspective, the XM Cyber Attack Path Management platform shows all possible steps to compromise that can be taken from a particular asset identified through an alert in MDE.
4. No ability to identify choke points. XM Cyber clearly identifies assets that can affect multiple other assets, essentially creating a choke point. By eliminating the vulnerability of just one asset, the risk to the entire network can be greatly reduced.
5. It’s difficult to understand the risk and impact of any one particular asset that has an alert on it from MDE. Analysts can easily create an attack scenario in XM Cyber Attack Path Mangement platform to simulate what would happen if that particular asset is breached.
6. Tagging is not generally used by customers of MDE. Since identifying and tagging assets is used by XM Cyber’s Attack Path Management platform, security teams can use that information to identify the risk associated with any MDE alert.
7. Threat hunting using MDE is difficult without context. XM Cyber helps consolidate and put context into MDE to aid in investigations. By modeling an attack, the XM Cyber Attack Path Management platform shows what would happen if an attacker had access to any particular asset. Analysts can be much more efficient in their threat hunting activities with prioritized risk.

Key Benefits of XM Cyber Attack Path Management and MDE

Breach points and critical assets are easily identified

The XM Cyber Attack Path Management platform also helps users of Microsoft Defender for Endpoint to identify and tag their most critical assets. With this additional information, customers have a clear understanding of risk associated with alerts coming from Microsoft Defender for Endpoint. Combining efforts with threat and vulnerability management, the machine tagging is used to incorporate the risk appetite of an individual asset into the exposure score calculation. Therefore, machines marked as “high value” will receive more weight in the exposure score calculation.

Choke point identification

Save analyst time by cutting off attack paths at key junctures a.k.a. choke points, with a least cost, maximum impact approach.

Remediation Support

Rich, contextual information XM Cyber adds to the process of remediation prioritization indicates to customers whether or not they need to investigate deeper or give higher attention and priority when it comes to reducing risk. The combined capability improves visibility and lowers risk as more CISOs focus on applying security resources against their most critical assets.

Improved investigative process

Once suspicious activity is discovered with Microsoft Defender for Endpoint, the XM Cyber Platform explores and identifies the potential impact. By clearly identifying critical assets, the XM Cyber Platform assists customers in fully understanding how from a particular breach point the adversary might move laterally, reach other systems, or compromise critical assets.

Weighted Scoring based on asset criticality

Combining efforts with threat and vulnerability management, the machine tagging is used to incorporate the risk appetite of an individual asset into the exposure score calculation. Therefore, machines marked as “high value” will receive more weight in the exposure score calculation.

Attack Simulation from any breach point

XM Cyber runs attack simulations automatically starting from the identified breach point showing you where an attack could go to compromise a critical asset.

Validate the importance of MDE high, medium, and low alerts

Run attack scenarios using specific assets identified by MDE to evaluate the risk and potential impact a breach might have on the entire network.

Better Together – XM Cyber and MDE

XM Cyber provides better context for incident investigation and threat hunting via advanced attack simulation capabilities, allowing security teams to reduce investigation times and focus on improving security for systems and potential choke points that offer a clear attack path to critical assets.

With both solutions working together, customers can not only review suspicious or high-risk device alerts, but also reduce risk from ancillary paths that could lead to business-critical assets, further enhancing the security team’s ability to respond quickly.

“The rich, contextual information XM Cyber adds to the process of remediation prioritization indicates to customers whether or not they need to investigate deeper or give higher attention and priority when it comes to reducing risk. The combined capability improves visibility and lowers risk as more CISOs focus on applying security resources against their most critical assets.” Tomer Teller, principal security program manager, Microsoft 365 Security.