To XDR or Not to XDR – A Fireside Chat

by Carmen Harris on November 17, 2020

Jackie Groark, VP of Security and CISO of Veristor, joined our Chief Customer Officer, Chris Triolo to answer questions for a discussion on the hottest emerging technology trend in cybersecurity, XDR. Here is a recap of that timely discussion.

What is XDR and where will it land in our industry?

Jackie: There is no real standard definition. Everyone agrees that it is collecting data across all the threat vectors (cybersecurity telemetries) and finding threats faster. Greater visibility. Evolution of EDR from the endpoint to extended data and alert sources. It could include a central data lake. The data will be mostly attack-centric as well as more contextual sources. It’s spoken as the end-all, be-all for security operations. It is the land on top of what we already have in our environments that brings us closer to that utopia.

Chris: So, you are saying more tools?

Jackie: You may be able to whittle down on your tools. XDR gives visibility into sensitive data and gives access to analysts to find true positive incidents that need to be deeply investigated.

Sponsorships Available

Chris: As a new category, it is still not defined. We’re defining it as an industry as we go.

Jackie: This poll is not surprising. XDR sits between your SIEM and your SOAR. Many wonder what problem is it trying to solve? You need XDR because a true engine will work out-of-the-box leveraging all your assets – from threat intelligence and asset information to security telemetries — and uses integrated reasoning, Bayesian math, and machine learning models to find real events. It’s like having a group of super analysts that are not only quick but have expertise in all of the core areas like network security or endpoint security and come together to do this knitting together of information and initiate a response. It connects the dots like a detective. It’s better skilled than any tier one analyst you might have in a SOC, and there is no coding or maintenance needed. And it also frees up your resources because they don’t require a long investigative cycle.

Chris: Agreed. With a SIEM, you have to do a lot of work to get it up and running, XDR works out-of-the-box. This may be one of the key differences between it and other technologies a SOC may have used over the years.

The XDR can free up resources by eliminating false positives. What should a SOC do with that extra time?

Jackie: They should do what they are best at – deeper investigations. Security analysts are good at doing specific threat hunting. With XDR, many enterprises will find that they may not need to hire resources as new, larger amounts of data is being brought into the SOC. With XDR a SOC can analyze more data than an analyst alone.

XDR vendors are split into 2 different camps. Including one single vendor that provides all the controls and analytics tools, and vendor-agnostic XDRs that pull from best-of-breed. What do you think about that?

Jackie: Your XDR should have integrations that allow it to work across vendors and platforms so that you can leverage what you have. SOC leaders do not want tools that are biased to a particular company or their partners. If it is truly agnostic, you can choose the best-of-breed.

MSSPs outsource monitoring to “experts.” What do MSSPs do with XDR? Have their own? Leverage XDR themselves?

Jackie: Today, MSSPs are lacking. XDR is new to the market within the last 6-12 months. I think they will be pivoting and adding it to their capabilities, and you will see some buy and others build their own. XDR will cause a shift and if they don’t want to be left behind, they will have to put it on their roadmap.

Chris: I think they are going to love it. I used to work at an MSSP. Their analysts will find more and be able to do more higher-value things for their clients. I imagine they would welcome it, but MSSPs do have a tendency to build these solutions themselves, and it will be interesting to see if they look outside or inside to deliver this to customers.

Chris: Again, this poll is not surprising. When it comes to SOAR, we are not seeing a lot of downstream to automate response because it is so specific to use cases and environments, it’s been hard to apply for most organizations.

Jackie: On the orchestration side, I’m seeing tickets being created, but not taking it to the point of using reasoning, analytics, or the intelligence that an XDR can do.

Chris: It can give you a simple answer to a query, but not tie everything together. It used to be a human being, it’s now an XDR who is doing that.

Is XDR an evolution of EDR or the SIEM?

Chris: I think it is an evolution of the analytics component of the SIEM. EDR is a good component of a security program, but it’s not the silver bullet. It’s a combination of all your security tools and data. EDR is another input into the XDR, but very special as it has great information to share. And can answer a lot of the questions an analyst will ask. If you can harness it in the intelligence of the XDR, it will make it more powerful.

Will it work with SOAR solutions?

Jackie: Yes. There are integrations with most SOAR platforms.

Chris: We’re starting to see customers use SOAR for case management and tracking incidents in their SOAR. XDR can feed the SOAR. In the future, XDR may ask the SOAR questions for better alert enrichment, to help the XDR make better decisions.

The complete fireside chat is available for viewing here on YouTube.This is not the first time Jackie has spoken to us about the changing cybersecurity landscape, check out Jackie and the perspective of other industry leaders in our Innovators Series.