
Introduction to XDR Stellar Cyber

Published on February 18, 2025

Before getting started with Stellar Cyber and its key features and capabilities, let's first understand what an XDR is and what it can do.

XDR


XDR stands for Extended Detection and Response. It is a tool that helps businesses protect themselves from cyberattacks by collecting information from different parts of their environment (computers, emails, applications and cloud services) and bringing it together in one place.


Imagine you have a security system in your house: one alarm on the door, one on the windows, and cameras outside. Each one can catch something, but they might not talk to each other. XDR is like a smart security system that connects all those devices, so if someone breaks in, the system knows exactly where they are and can respond quickly, no matter where the break-in happens.


Key Points About XDR:


  1. It looks at everything: it collects and watches over data from computers, networks, cloud services and emails, all in one place.
  2. It spots threats faster: it uses smart technology (such as AI) to detect problems quickly, even when the attack is spread across different areas (an email, a computer and a network, for example).
  3. It responds automatically: when it detects a threat, it can act on its own, for example by blocking access to prevent further damage.
  4. It makes life easier for security teams: instead of a separate tool for every part of the system, XDR brings everything together, saving time and making the whole security process smoother.


In short:

XDR is a tool that makes cybersecurity easier and more effective by combining data from different places, spotting attacks faster, and reacting quickly to prevent damage.


What is Stellar Cyber?


Stellar Cyber Open XDR is a platform for performing end-to-end threat detection and response, combining multiple capabilities – NG-SIEM, NDR, TIP, IDS, SOAR, and UEBA – into a single user experience.


Stellar Cyber allows security teams to gain full visibility into their IT, OT, and security environments, with turnkey automated detection and response across all data sources. This allows security teams to detect more alerts faster, future-proof their Security Operations, and free up human resources for more proactive security work.


Stellar Cyber is a unified platform for Security Operations, providing a central location to gather and organize security threat information by unifying key data, tools, and alerts for analysis. Stellar Cyber also automates both threat detection (using AI and machine learning) and response (using automated threat hunting). This helps reduce the noise so you aren't overwhelmed by the amount of information and can find and focus on the real threats. You can even teach the machine learning to present only the information that truly interests you.

In simpler terms:


Think of Stellar Cyber like a super smart security camera system, but for your business’s computers and online activities. It keeps an eye on everything happening on the network—like who’s visiting, what’s being downloaded, and if anything seems fishy. If something bad happens, like a hacker trying to break in or a virus spreading, it quickly alerts the people in charge so they can stop it before it causes damage. It helps businesses stay safe from online dangers without needing to be experts in technology. Basically, it’s like having a high-tech guard to keep your digital stuff safe.

Capabilities:

  1. Sensors (deep packet inspection, IDS and a malware sandbox, used for NDR)
  2. Bi-Directional Integrations
  3. Data Lake/Data Modeling
  4. AI Engine
  5. Threat Intelligence
  6. Automated Response

Open System:

Hundreds of integrations with other tools, products, and data sources, including:

  1. All top EDRs supported
  2. All top Cloud providers supported
  3. All top Identity providers supported

Top Use Cases of Stellar


Stellar Cyber Open XDR is a modular platform in the sense that you can choose which features and capabilities to leverage. However, given that the platform is purpose-built for unified SecOps, it is best leveraged when deployed in its entirety. Here are some common use cases for deploying Stellar Cyber to deliver value to SecOps teams:


  1. SOC Platform
  2. Legacy SIEM Replacement
  3. Complement SIEM
  4. NDR


Stellar Cyber Terminology:


Cold Storage

Cold Storage in Stellar Cyber allows you to store snapshot-based data from your data processor (DP) on another server for later analysis. You can import the stored data to your working DP or to a dedicated forensic DP. Cold Storage is used for long-term data storage and involves moving data to lower-cost archival tiers in storage solutions like AWS S3 and Microsoft Azure.


In simple terms, cold storage in Stellar Cyber means moving older data out of the working system into a cheaper, slower archive where it is kept safe for later. Think of it like keeping documents you rarely need in a safe that's locked up in a vault: they are not in the way day to day, but you can still retrieve them when an investigation calls for them.


Connectors

Connectors in the context of Stellar Cyber’s data management and storage solutions are methods of collecting information from external data sources and compiling it into Interflow records that are indexed and stored in the Data Lake. These connectors are developed based on the access methods provided for each external data source, typically using an API. They run on the Data Processor (DP) to fetch information actively on a scheduled basis. Connectors can also respond to actions such as blocking a firewall or disabling users. They are configured with IP addresses and authorization credentials to connect to the data sources.


In simpler terms, connectors are like plugs that allow different pieces of a security system to send their information to Stellar Cyber for better monitoring and protection. These connectors help ensure that all parts of a company’s security network are working together and are being properly watched for any signs of cyber threats.
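The collection pattern described above (a scheduled poll of an external source, vendor records normalised into a common schema, no re-ingestion of records already stored) is shown in the following added example. It is an illustration written for this page, not Stellar Cyber's connector code or the Interflow format; the record layout, the simulated API (`fake_fetch`), the `Connector` class and the sample events are all assumptions constructed for the example.

```python
"""Connector skeleton: poll an external source on a schedule, normalise each
record into a common schema, and keep a watermark so that repeated runs do not
re-ingest events already stored. Added illustration of the pattern described
above, not Stellar Cyber's connector code; the record layout, the simulated
API and all function names are assumptions."""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Callable

# Constructed sample payload standing in for one page of an EDR vendor's JSON API.
SAMPLE_API_PAGE: list[dict] = [
    {"id": "ev-1", "ts": "2025-02-18T09:00:00Z", "host": "ws-017", "sev": "high", "desc": "malware blocked"},
    {"id": "ev-2", "ts": "2025-02-18T09:05:00Z", "host": "ws-022", "sev": "low", "desc": "scan completed"},
    {"id": "ev-3", "ts": "2025-02-18T09:05:00Z", "host": "ws-017", "sev": "medium", "desc": "suspicious script"},
]


def parse_ts(value: str) -> datetime:
    """Parse the vendor's UTC timestamp format into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fake_fetch(since: datetime) -> list[dict]:
    """Stand-in for an authenticated API call such as GET /events?since=...
    A real connector would page through results; here we filter the sample."""
    return [r for r in SAMPLE_API_PAGE if parse_ts(r["ts"]) >= since]


def normalise(raw: dict, source: str) -> dict:
    """Map a vendor-specific record onto a common schema (field names assumed)."""
    severity = {"low": 3, "medium": 5, "high": 8}
    return {
        "source": source,
        "event_id": raw["id"],
        "timestamp": parse_ts(raw["ts"]).isoformat(),
        "host": raw["host"],
        "severity": severity.get(raw["sev"], 1),
        "message": raw["desc"],
    }


class Connector:
    """One scheduled poller for one data source."""

    def __init__(self, source: str, fetch: Callable[[datetime], list[dict]], start: datetime):
        self.source = source
        self.fetch = fetch
        self.watermark = start                      # newest timestamp ingested so far
        self.seen_at_watermark: set[str] = set()    # ids that share that timestamp

    def collect(self) -> list[dict]:
        """Run one poll and return only the records not ingested before."""
        new_records: list[dict] = []
        new_wm = self.watermark
        ids_at_wm = set(self.seen_at_watermark)
        for raw in self.fetch(self.watermark):
            ts = parse_ts(raw["ts"])
            # The API is asked for events at or after the watermark, so events that
            # share the watermark's timestamp come back again; skip the ones we have.
            if ts == self.watermark and raw["id"] in self.seen_at_watermark:
                continue
            new_records.append(normalise(raw, self.source))
            if ts > new_wm:
                new_wm, ids_at_wm = ts, {raw["id"]}
            elif ts == new_wm:
                ids_at_wm.add(raw["id"])
        self.watermark, self.seen_at_watermark = new_wm, ids_at_wm
        return new_records


if __name__ == "__main__":
    c = Connector("edr-sample", fake_fetch, parse_ts("2025-02-18T00:00:00Z"))
    for rec in c.collect():
        print(rec)
    print("second poll:", c.collect())  # nothing new on the next scheduled run
```

The watermark plus the set of ids seen at that exact timestamp is what keeps a scheduled poller idempotent: asking the source for "events since the watermark" with a strict greater-than would silently drop events that share the last timestamp, while an inclusive query without the id set would ingest them twice. In production the credentials and endpoint for `fetch` would come from the connector's configuration rather than being hard-coded.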


Data Lake (DL)

Data Lake is the repository where Stellar Cyber stores information. The data in the Data Lake is organized into indices, which are categories used to group data, making searching more efficient and effective. A 'raw' index stores information directly from sensors or collectors, while a security index contains enhanced data based on data from one or more raw indices. The Data Lake is a central component that stores data within the Stellar Cyber system, and it can be arranged in a cluster with a master node and worker nodes to increase capacity and provide fault tolerance.


In simple terms, think of a data lake as a giant pool where all the security-related data is dumped, and then it can be sorted, analyzed, and used to spot any potential threats or issues. The key benefit is that it holds everything in one place, making it easier to search through the data and get insights about what’s happening in a network or system.


Data Analyzer (DA)

The Data Analyzer (DA) is one of the main components inside a Stellar Cyber data processor. It is responsible for data ingestion from sensors and connectors, as well as data enrichment. Each installation must have at least one DA, and more can be added for capacity and high availability. The DA instances can be configured using Data Analyzer Profiles, which store configuration parameters in a reusable bundle. The DA is part of a multi-node, multi-cluster architecture that ensures scalability and reliability.


In simple terms, think of a data analyzer as a detective that looks at lots of information to figure out if anything bad is happening. Instead of you having to go through all the data manually, the analyzer does it for you and raises red flags when it finds something concerning.
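The following added example ties together the XDR key points from the start of the article (data from email, endpoint and network correlated in one place) with the Data Lake and Data Analyzer descriptions above: raw records from three sources are enriched into a single time-ordered security index, and a correlation step groups related events into one case. It is an illustration written for this page, not Stellar Cyber's pipeline; the index names, field names, risk scores, asset inventory and sample events are constructed assumptions.

```python
"""Raw indices per source, an enrichment step that yields a security index,
and a cross-source correlation that groups related events into a single case.
Added illustration of the Data Lake / Data Analyzer concepts above, not
Stellar Cyber's pipeline; index names, field names, scores and the asset
inventory are assumptions."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed raw records, as three collectors would deliver them.
RAW_INDICES: dict[str, list[dict]] = {
    "raw-email": [
        {"ts": "2025-02-18T09:00:00Z", "recipient": "alice", "subject": "Invoice 4471", "verdict": "suspicious"},
    ],
    "raw-endpoint": [
        {"ts": "2025-02-18T09:02:00Z", "user": "alice", "host": "ws-017", "process": "powershell.exe", "action": "script_blocked"},
        {"ts": "2025-02-18T15:00:00Z", "user": "bob", "host": "ws-022", "process": "chrome.exe", "action": "update"},
    ],
    "raw-network": [
        {"ts": "2025-02-18T09:03:00Z", "src_ip": "10.0.5.17", "dst_ip": "203.0.113.9", "bytes_out": 20480, "tag": "rare_destination"},
    ],
}

# Asset and identity inventory consulted during enrichment (assumed).
HOST_BY_IP = {"10.0.5.17": "ws-017", "10.0.5.22": "ws-022"}
USER_BY_HOST = {"ws-017": "alice", "ws-022": "bob"}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def enrich(index: str, rec: dict) -> dict:
    """Turn one raw record into a security-index record with a common schema,
    resolved host/user fields and a simple risk score."""
    sec = {"ts": parse_ts(rec["ts"]), "source": index, "host": None, "user": None, "score": 0, "summary": ""}
    if index == "raw-email":
        sec.update(user=rec["recipient"],
                   score=4 if rec["verdict"] == "suspicious" else 0,
                   summary=f"email '{rec['subject']}' marked {rec['verdict']}")
    elif index == "raw-endpoint":
        sec.update(host=rec["host"], user=rec["user"],
                   score=6 if rec["action"] == "script_blocked" else 0,
                   summary=f"{rec['process']} {rec['action']}")
    elif index == "raw-network":
        host = HOST_BY_IP.get(rec["src_ip"])  # network data carries IPs, not names
        sec.update(host=host, user=USER_BY_HOST.get(host),
                   score=3 if rec["tag"] == "rare_destination" else 0,
                   summary=f"{rec['bytes_out']} bytes to {rec['dst_ip']} ({rec['tag']})")
    return sec


def build_security_index(raw: dict[str, list[dict]]) -> list[dict]:
    """Enrich every raw index into one time-ordered security index."""
    return sorted((enrich(name, r) for name, recs in raw.items() for r in recs), key=lambda r: r["ts"])


def correlate(security_index: list[dict], window: timedelta = timedelta(minutes=15), min_score: int = 10) -> list[dict]:
    """Group scored events per user inside a time window and open a case only
    when at least two different sources contribute and the summed score passes
    the threshold; no single low-score event opens a case on its own."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for rec in security_index:
        if rec["score"] > 0 and rec["user"]:
            by_user[rec["user"]].append(rec)

    cases: list[dict] = []

    def close(group: list[dict]) -> None:
        sources = sorted({e["source"] for e in group})
        total = sum(e["score"] for e in group)
        if len(sources) >= 2 and total >= min_score:
            cases.append({"user": group[0]["user"], "score": total, "sources": sources,
                          "hosts": sorted({e["host"] for e in group if e["host"]}),
                          "timeline": [f"{e['ts'].isoformat()} {e['summary']}" for e in group]})

    for events in by_user.values():
        group: list[dict] = []
        for ev in events:  # already time-ordered
            if group and ev["ts"] - group[0]["ts"] > window:
                close(group)
                group = []
            group.append(ev)
        if group:
            close(group)
    return cases


if __name__ == "__main__":
    for case in correlate(build_security_index(RAW_INDICES)):
        print(case["user"], case["score"], case["sources"])
        for line in case["timeline"]:
            print("  ", line)
```

The point of the example is the noise reduction the article describes: each of the three events on its own (a suspicious email, one blocked script, one unusual outbound connection) scores below the threshold and raises nothing, while the same events resolved to one user and one host inside a short window become a single case with a readable timeline. The network event can only join the case because enrichment translated its source IP into a host and a user.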


The 5.4.0 update


Stellar Cyber has announced the release of version 5.4.0 of its Open XDR platform on January 27, 2025, introducing a range of enhancements designed to improve threat detection, reporting, and system usability.


Key Highlights of Stellar Cyber 5.4.0:

  1. Advanced Reporting and Insights: the platform now features a robust reporting engine that allows users to generate detailed PDF reports. A new scheduler offers granular control over report delivery, enhancing the ability to monitor and communicate security metrics effectively.
  2. Expanded Threat Intelligence: support for file hashes has been added, providing deeper insights into known malicious activities and strengthening the platform's threat detection capabilities.
  3. Unified Silent Mode: a consistent silent mode experience is now available across Rule-Based Detections, Machine Learning Detections, and Third-Party Integrations. This allows security teams to fine-tune detection strategies without generating excessive alert noise.
  4. Enhanced Email and Cloud Observables: improved visualizations and data correlation offer a clearer understanding of threat narratives, particularly in email and cloud environments.
  5. Refined Domain Controller Correlation: the case correlation logic has been updated to ensure domain controllers are highlighted only when relevant, reducing distractions from routine authentication events.
  6. Network-Based Windows Attack Detection: the platform can now analyze SMB traffic to detect suspicious behavior without the need for a Windows Server Sensor, bolstering defenses against Windows-based attacks.
  7. Location History Retention and Account Creation Alerts: new features enable tracking of unusual user movements and sudden account creation spikes, aiding in the early detection of emerging risks.
  8. Log Forwarding for Workstations: lightweight log forwarding from workstation-class Windows OS is now supported, facilitating small-footprint deployments via syslog forwarding on Windows Server Sensors.
  9. Alert Filters for Tenant Groups: administrators can create filters to exclude alerts and apply them to multiple tenant groups in bulk, streamlining alert management across the organization.
  10. System Action Center Notifications: the platform now supports sending individual System Action Center notifications for each matching event, rather than consolidated summaries, allowing for more precise alerting.
  11. New Connectors: Stellar Cyber has expanded its integration capabilities with new connectors for FortiEDR, Juniper Mist, WithSecure Elements, Abnormal Security Email Security, Versa Networks Concerto, AWS Inspector, Trend Micro Email Security, NetFoundry, Fortra Frontline, and Google Cloud Security Command Center.


Actions Required:

Users are advised to switch to the time range configuration on queries that rely on the time boundary feature for improved efficiency. Additionally, to support new processes that enable or disable features and fixes, ensure that the Data Lake (DL) and Data Analyzer (DA) components, as well as user web browsers, can establish HTTPS connections to specific Stellar Cyber domains. Without access to these URLs, the platform will function, but certain features and fixes may not be available.


Behavior Changes:

The correlation logic for domain controllers has been refined to prevent them from being highlighted during routine authentication activities, reducing unnecessary alerts.


For a comprehensive list of updates, including deprecated features, detection and machine learning enhancements, usability improvements, platform updates, sensor and connector additions, parser changes, operational notes, resolved issues, and known issues, users are encouraged to review the full release notes.


Stellar Cyber 5.4.0 represents a significant advancement in the platform's capabilities, offering users enhanced tools and integrations to strengthen their cybersecurity posture.



Reference: Stellar Cyber 5.4.0 Release Notes


Authors: Wafa Haoues, Sneha Bangalore, Emma Vappereau

NEVERHACK is a cybersecurity group offering a full range of consulting, training, quotation, and artificial intelligence products. The mission of NEVERHACK is to create a safer digital world by providing innovative and ethical solutions. NEVERHACK encourages companies to hold the keys to the success of their projects.


NEVERHACK ©2025 All rights reserved