Stellar Cyber Universal EDR optimizes event and alert data across different EDR products

Stellar Cyber announced Universal EDR – an open, heterogeneous Endpoint Detection and Response (EDR) technology that optimizes and augments event and alert data from any single or combination of EDRs from any vendor.

Using the Stellar Cyber Open XDR platform, data from different EDRs is appropriately interpreted to deliver cohesive, low-noise findings regardless of EDR source. The result is high-fidelity detection of real attack activity that is operationalized for fast, efficient response.

Universal EDR thus maintains the Stellar Cyber platform’s openness while incorporating third-party EDR or multiple EDRs’ data as if they were built directly into the platform. At the same time, companies can change their EDRs or use multiple ones, and Universal EDR will automatically calibrate the data for overall precise attack detection.

Through a tight, bidirectional data flow, optimized data pathways and integrated resource assessment—such as monitoring for container builds and changes, Kubernetes execution and server activities interacting with endpoints—the Stellar Cyber platform preserves investments in EDRs and enables organizations to find attack activity early to prevent or minimize damage. In addition to optimizing individual EDRs’ data for faster, earlier detection of attacks, Universal EDR adds precision to an EDR’s own alerts.

“With this announcement, Stellar Cyber can enable enterprises and MSSPs to retain investments in and increase the value of any existing EDR tool within an XDR environment,” said Jon Oltsik, Senior Principal Analyst and ESG Fellow. “Users can now enhance their favorite EDR tools with full integration into an XDR platform, combining their EDR data with telemetry from other security tools and obtaining greater visibility.”

Stellar Cyber’s Universal EDR delivers ready-to-consume EDR integration and data optimization without requiring the customer to complete manual integration, significantly speeding time to value. At the same time, Stellar Cyber enriches existing EDR security tools, allowing SOC teams to act more quickly on findings from existing EDRs or enhancing that data with other critical alert data from other key systems (SIEM/NDR, etc.).

Universal EDR incorporates four key advancements:

• It collects complete data sets from any EDR tool and creates bidirectional communication to and from the Open XDR platform through APIs, enabling flexible and preferred response via the customer’s existing tools and workflow.
• It incorporates EDR-specific alert processing pathways to standardize data output and ensure high-fidelity detections by removing the noise of these alerts.
• It automatically processes and correlates data from all tools in the security stack, including EDR, to provide better context for accurate diagnosis and timely response.
• It dynamically discovers asset information from EDR data and combines it with asset information from a variety of other data sources to provide comprehensive asset management and UEBA analytics.

“Some XDR vendors can do one-way or even two-way integrations between their core platform and third-party EDR products, but that’s not really enough to ensure accurate detection and response – it requires careful study and treatment of EDR alert and event data with critical enrichment to evolve from simply alerting to truly informing. In addition, as environments change and evolve, a company may need more EDR integrations,” said Sam Jones, VP of Product Management at Stellar Cyber. “With Universal EDR, our platform performs automated integration, customized data processing, and event correlation to deliver the best detections and faster responses regardless of which EDR product is being used.”

Custom alert pathways precisely match each EDR

Stellar Cyber’s real-time EDR data processing uses three different types of alert pathway to closely align with the way each EDR operates and the level of noise it produces:

• Passthrough enrichment — all alerts are passed directly from the EDR after normalization and enrichment to the Open XDR Platform and mapped to MITRE ATT&CK context and identification as needed to aid investigations.
• Deduplication — Machine Learning (ML) is used to identify source EDR alerts that are related and part of the same activity, and to generate a single alert within the Open XDR platform to improve prioritization and response speed. Some EDRs produce a number of alerts for the same event, causing extreme alert fatigue and reducing precision and efficiency.
• Machine learning alerts — EDR events and alerts are processed via different ML models that generate high-fidelity alerts within the Open XDR platform through automated data correlation and weak signal escalation to enable faster responses.

The Stellar Cyber Open XDR Platform automatically applies these pathways for each EDR tool. For example, EDR 1 might have 10% Passthrough Enrichment, 50% Deduplication, and 40% Machine Learning Alerts, while for EDR 2 those ratios could be 0%, 80%, and 20% respectively.

“For a company that doesn’t build an in-house EDR, we find ourselves at the leading edge of endpoint-based security research,” said Aimei Wei, Founder and CTO at Stellar Cyber. “This gives our customers full confidence that they can integrate their EDR of choice and get outstanding results through the Stellar Cyber Open XDR platform.”