Will XDR Help the Future of Modern SOC?
We’re all seeing the market buzz
Extended Detection and Response (XDR) is getting a lot of attention these days. Given that two leading endpoint detection and response (EDR) vendors, SentinelOne and CrowdStrike, recently announced acquisitions of Scalyr and Humio, respectively, it seems more vendors are pivoting into the XDR market every day.
It is perplexing, however, that there isn’t a clear rhyme or reason to these pivots or to the capabilities offered by all these “XDR” vendors. I suspect most industry practitioners are struggling to keep tabs on what is happening and what it could mean for the future of security operations. There is no shortage of opinions on the topic, but I’ll offer mine here in the hope of clarifying what I’m seeing.
The term XDR grew out of the success of EDR, which focuses on the endpoint and brings detection and response together in one platform. The need for XDR, however, largely stems from the challenges of using security information and event management (SIEM) and security analytics to support security operations. SIEM was the original correlation point for disparate data sources; however, SIEM rules and analytics quickly led to an overwhelming number of alerts, and with them a tremendous number of false positives.
Is XDR poised to mirror the history we’ve seen with SIEM?
In pursuit of better analytics, innovations started to sprout up with more focus on individual components of an enterprise: the user, with user and entity behavior analytics (UEBA); the network, with network traffic analysis (NTA), now known as network detection and response (NDR); and, of course, the endpoint, with new machine learning-based approaches that create higher-fidelity alerts than legacy signature- and rule-based approaches. Many of these capabilities proved quite successful and became staples of most enterprise security programs and budgets, but they ultimately created data silos, which further impeded the overall security investigation process.
Some of these vendors looking to break down the silos started to position themselves as a SIEM by bolting on their own generic data store capabilities and pushing customers to send them data for centralization (sounds a bit familiar to the acquisitions mentioned above).
Still, this approach fell into the same pitfalls that have long challenged attempts to centralize data: the complexities of collection, data classification, normalization, and retention periods, not to mention that dumping everything into a single platform proves quite voluminous and expensive. For companies this means, more often than not, that only a subset of data from these tools is centralized, which typically amounts to metadata only and forces analysts to keep pivoting back to the source of truth to complete investigations. On top of these challenges, a lot of money and effort is spent duplicating data from one system to the next.
Going back to the initial concept of XDR: to truly realize a fully functional, fully integrated platform with all of these capabilities out of the box would require a large vendor that can offer all of these solutions and is incentivized to ensure they integrate tightly.
Can one vendor meet all the XDR intended capabilities?
Gartner was the first industry analyst to formally define XDR. Their definition is rather strict: XDR is a capability that must come from a single vendor and must provide detection and response across functions that today are generally disparate, including EDR, NDR, and UEBA. XDR must look across these silos and correlate activity between them to give a more inclusive picture of what is happening across the organization’s environment. The ultimate goal is to increase confidence in outcomes and minimize the high volume of false positives that security teams are currently dealing with.
By that definition, the majority of vendors claiming to provide XDR would be disqualified. They typically only support a portion of functional areas, and they rely on other vendors to fill in some of these capabilities. That raises the question: is that a bad thing?
One of the initial challenges I saw when learning about XDR and the Gartner definition is that very few enterprises have not already invested in many of these point solutions, often opting for “best of breed” players in each functional area. There is no question CISOs are actively seeking areas for consolidation; however, is it realistic to require CISOs to rip and replace all of their existing capabilities, throw away the significant sweat equity of deploying them, and start all over with a single vendor? My opinion: that is highly unlikely.
Which approach is more viable: a single vendor or open XDR model?
Other, more flexible XDR definitions have started to arise, focusing more on the primary capability than on having it delivered in an all-inclusive package. This has been called Open XDR or Hybrid XDR. Forrester recently released a new study (I’ve not gotten a chance to read it myself), which I understand aligns more closely with this flexible definition.
There are challenges with both approaches, some of which I’ve already covered, such as mass rip and replace not being viable, and some beyond that.
Start with the initial definition: everything from one vendor. Well, that may not be possible. No single vendor has purview over, and a solution for, today’s entire modern enterprise. The days of a single, on-premises infrastructure are long gone. Today data is decentralized, and capabilities are spread across any number of on-prem systems, cloud providers, and SaaS solutions. What is a CISO to do? Buy multiple XDRs? Who would integrate them, and how? And doesn’t this defeat the intended purpose?
How about buying point capabilities from various hybrid, open XDR players? I concede that this approach would probably best align with the mass market that already has significant investments in many of the relevant security technologies, but it still raises the question: who will integrate all of these disparate technologies, and how? Is it realistic to believe individual vendors will seamlessly integrate with each other and remove that burden from customers? Will realizing XDR require purchasing capabilities through managed detection and response (MDR) players who will do the heavy lifting for customers? Without this integration layer, it sounds like XDR, while a very promising concept, will probably also fail to deliver on the intended outcomes and will likely repeat the history we’ve seen with SIEM: millions spent, years of implementation effort wasted, and the same dismal results.
Enabling the XDR outcomes with a connectivity layer
So let’s summarize. At least conceptually, XDR is about the desire to break down silos, integrate disparate data stores, understand the relationships of data and activity between sources (correlation), and enable high confidence investigation outcomes with integrated response capabilities to support remediation.
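To make the summary concrete, here is a small illustration of what breaking down silos and correlating activity between sources means in practice. It is an added example written for this post, not code from the original article or from Query.AI: three constructed alerts from an EDR, an NDR, and a UEBA tool, each in its own field names, are normalized to a common shape, linked by the host or user they share within a time window, and scored by how many independent sources corroborate them. The field names, the 30-minute window, and the sample alerts are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample alerts, one list per silo, each in the silo's own schema.
# The differing field names are the normalization problem described above.
EDR_ALERTS = [
    {"time": "2021-03-01T10:02:00", "hostname": "ws-042", "username": "alice", "rule": "suspicious_powershell"},
    {"time": "2021-03-01T14:00:00", "hostname": "ws-099", "username": "bob", "rule": "suspicious_powershell"},
]
NDR_ALERTS = [
    {"start": "2021-03-01T10:05:30", "src_host": "ws-042", "detection": "beacon_to_rare_domain"},
    {"start": "2021-03-02T09:00:00", "src_host": "ws-042", "detection": "beacon_to_rare_domain"},
]
UEBA_ALERTS = [
    {"observed_at": "2021-03-01T10:07:10", "principal": "alice", "anomaly": "logon_outside_baseline_hours"},
]


def normalize():
    """Map each silo's schema onto one common shape: source, ts, entities, signal.
    Entities are (kind, value) pairs so a host from NDR and a host from EDR compare equal."""
    common = []
    for a in EDR_ALERTS:
        common.append({"source": "EDR", "ts": datetime.fromisoformat(a["time"]),
                       "entities": {("host", a["hostname"]), ("user", a["username"])},
                       "signal": a["rule"]})
    for a in NDR_ALERTS:
        common.append({"source": "NDR", "ts": datetime.fromisoformat(a["start"]),
                       "entities": {("host", a["src_host"])}, "signal": a["detection"]})
    for a in UEBA_ALERTS:
        common.append({"source": "UEBA", "ts": datetime.fromisoformat(a["observed_at"]),
                       "entities": {("user", a["principal"])}, "signal": a["anomaly"]})
    return sorted(common, key=lambda x: x["ts"])


def correlate(alerts, window=timedelta(minutes=30)):
    """Group alerts that share at least one entity and arrive within `window` of the
    group's most recent alert. Confidence is the number of distinct silos that
    contributed, so a lone alert from a single tool never scores above 1."""
    clusters = []
    for alert in alerts:
        for c in clusters:
            if c["entities"] & alert["entities"] and alert["ts"] - c["last_ts"] <= window:
                c["alerts"].append(alert)
                c["entities"] |= alert["entities"]   # an NDR host alert can link to a UEBA user alert via EDR
                c["last_ts"] = alert["ts"]
                break
        else:
            clusters.append({"alerts": [alert], "entities": set(alert["entities"]), "last_ts": alert["ts"]})
    for c in clusters:
        c["sources"] = sorted({a["source"] for a in c["alerts"]})
        c["confidence"] = len(c["sources"])
    return clusters


def incidents(min_sources=2):
    """Escalate only clusters corroborated by at least `min_sources` silos (assumed threshold)."""
    return [c for c in correlate(normalize()) if c["confidence"] >= min_sources]


if __name__ == "__main__":
    for c in correlate(normalize()):
        ents = ", ".join(f"{k}={v}" for k, v in sorted(c["entities"]))
        print(f"confidence={c['confidence']} sources={c['sources']} entities=[{ents}] "
              f"signals={[a['signal'] for a in c['alerts']]}")
```

Run stand-alone, the script produces three clusters: the ws-042/alice activity, where EDR, NDR, and UEBA each observed something within a few minutes, scores 3 and is the only cluster escalated; the identical PowerShell rule firing on ws-099 and the beacon from ws-042 a day later each stay at confidence 1. The same EDR signal is a false positive in one context and corroborated evidence in another, which is exactly the outcome the silo-spanning correlation is meant to deliver. In a real deployment the normalization step is the hard part and the time window and threshold would be tuned per environment.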
How can companies truly realize XDR? Will it be from single vendor solutions, MDR players, or a combination of open/hybrid XDR tools? Time will tell. One certain truth to all of this is that realizing XDR capabilities relies on access to enterprise data in a very distributed and decentralized world across any number of supporting technologies.
That said, and this is where my opinion may become biased, if you are interested in XDR and realizing this capability through any of the approaches mentioned, you’ll need a connectivity layer that facilitates this access to data, helps you understand the relationships, and enables the desired response actions. That is exactly what the Query.AI platform provides: access, investigations, and response (AIR), which are the key capabilities of our security investigations control plane. We are not XDR, but we can help you bring your XDR concept to life.
If you want to learn more, give us a look: www.query.ai