Anton and The Great XDR Debate, Part 3

TL;DR: no, this post still does not contain the Ultimate Answer to the XDR, Life and Everything Question. Moreover, I don’t think anything ever will. While we debate XDR, market forces change the definitions, vendors pivot away, analysts ponder, customers cry… well, the cyber-usual.

To start, I’ve had many conversations about XDR recently. In some I sought answers, in others I sought questions, and in some people sought answers from me.

Now, I am well aware that this debate does not really touch the needs of many real security practitioners. Somebody asked me on social media why I am so obsessed with XDR. To me, the answer is that I need clarity in the technologies that we deploy. That clarity is essential to match products to requirements, to compare tools, and to cover the gaps in detection and response posture (and in security in general).

As you remember from my excellent Part 1 and from my (yeah, I know) mediocre Part 2, XDR remains a mystery to a whole lot of people. So, philosophically, I don’t want things to be confusing in an area where people are supposed to spend real money and reduce real risks to their organizations.

So in recent days, my journey to XDR clarity has led me back to SIEM, SOAR and EDR. Specifically, one vision of XDR is that of consolidation married to simplification. Or, as I put it in one private conversation, XDR as an integrated platform of minimized components.

First, a humorous take on this (image in the original post, not reproduced here):

Now, XDR is NOT SIEM + SOAR + EDR. That would just be mad. However… XDR may in fact be about

“SIEM −” + “SOAR −” + “EDR −”

What do the minus signs stand for? In my mind, they stand for reduced complexity, narrower (more focused) functionality and minimized friction.

This vision of XDR seems saner to me than “XDR as an improved EDR.” The slogan “consolidate while slicing complexity” will probably have a lot more fans than “extend the endpoint technology to, well, not the endpoint.”

This view of XDR is not my invention, even though the framing probably is. My former colleagues wrote recently (in two separate pieces, linked in the original post), for example: “Extended detection and response is a platform that integrates, correlates and contextualizes data and alerts from multiple security prevention, detection and response components. XDR is a cloud-delivered technology comprising multiple point solutions and advanced analytics to correlate alerts from multiple sources into incidents from weaker individual signals to create more accurate detections.” and “Use use-case analysis to improve security operations center (SOC) productivity and accuracy, or for risk reduction to help justify the addition of an XDR solution.”

In the above, they didn’t explicitly call out the simplification or minimization of components, but they do point to a narrower mission (e.g., SIEM is supposed to handle both threat detection and compliance, while XDR has nothing to do with rules and regulations, or with insider threats for that matter).

As a reminder, the word “integrated” has a bad history in our industry. So far, everybody who promised an integrated security platform essentially failed or was found to be a bad liar. This has been the case since the 1990s, as I recall. Now, people may want a more integrated experience (such as around their SIEM), but promising “all-in-ones” and “single panes of glass” generally has an abysmal track record [well, the promising was fine, it is the delivery that was problematic :-)]

So, XDR is NOT an integrated platform of the stuff you already have. However, XDR may be an integrated platform of several key pieces that were simplified, minimized, focused and then integrated. So, X may mean “eXcised”, not “eXtended” or “eXpanded”…

Now, the details are up to the vendors, but a log manager or a simple SIEM married to some endpoint visibility and canned detections, coupled with workable response playbooks, may be a valuable bundle. Simple, focused on a narrow mission and without any scope creep! We can even call it XDR, and I can see people willing to buy that…

What do you think?

So, frankly, I don’t know what XDR is today. I know many people who think they do, and most of them don’t agree with each other. Review the technology presented to you and match it to your use cases and threats; don’t obsess about the buzzwords. Get a good cloud SIEM 🙂

End of the story?

Anton and The Great XDR Debate, Part 3 was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/anton-and-the-great-xdr-debate-part-3-912dd36a2009?source=rss-11065c9e943e------2