Close this search box.

Considering an XDR Purchase? Here Are Our Lessons Learned.

Lessons learned from our search for, and integration of, our XDR

Trusted Internet is now deploying Stellar Cyber XDR –as a SOC-monitored solution or as an Infrastructure as a Service.

The marketing hype around XDR is deafening for those of you considering an XDR. It’s hard to sort through the slick websites and marketing noise to tell what’s actually real. So, I thought I share a few lessons learned –from the viewpoint of the CEO of a self-funded MSSP, I hope this helps in your buying decisions.

For the last four years, we’ve been a died-in-the-wool Fortinet MSSP. We love our Fortinet firewalls, with our people certified through NSE7, working hard to tune the feature-packed high-speed machines to bend to our will. For various reasons, we decided about two years ago to begin the search for a way to accommodate the requests from would-be clients to not have to rip and replace their existing security systems.

As well, SOC, NOC, EDR, MDR, NDR, MSSP. Why would someone not combine them all into one box that understands ALL of their logs and uses a bit of machine learning to train AI to better assist SOC analysts? I have an old friend that used to refer to this as the God Box. It knows all.

XDR is the beginning of the God Box.
Our requirements:

  • It must integrate all those other vendors in a client’s environment without requiring them to rip and replace their existing infrastructure.

    We didn’t want to have an agent deployed to every computer. They already have AV and Anti-Evasion. We didn’t want to load on another endpoint system.

    We want the ability to integrate network flow analysis for anomaly detection but may not want it 100% of the time. Flow produces heavy volumes of data that we wanted to be able to turn on and off as needed based on other indicators.

  • It must accommodate all NIST 800-171 log-collection/analysis requirements.

    While ISO, CIS, HIPAA, or PCI require the aggregation and analysis of all of these logs, NIST 800-171 requires monitored log entries from just about every device for every event –infrastructure, endpoints, and security.

    We need to find a better way to get eyes on these logs and do it in a way our SMB-focused client base can afford. To do that, we need to be able to bring them into one system that understands each of the required logs.

  • It must be multi-tenant.

    At the time, I had no idea how much doubt I would have in AI until after I watched the various XDRs run. Be ready with a smart team.

    We compared one to another, performing A|B testing while using FortiAnalyzer and raw log data in our Lucene stack as baselines

  • Ideally, the XDR must accommodate any vendor, not just those built by the XDR vendor.

    Some XDR vendors we looked at built their own AV, IPS, etc. Others OEM’d someone else’s but wouldn’t discuss it.

    Regardless, I want to know that the tools built into the XDR are mature and tested.

  • If there’s a cloud component, I want proof that their cloud environment is secure.

    All of our clients’ vulnerability data will end up residing there. I don’t want a data breach in our XDR vendor leaking customer vulnerability information. From an espionage perspective, this is an AMAZINGLY rich target. It MUST be safe.

    We evaluate the backend security of all of our vendors. When we did this during our search, one XDR vendor had an amazing product but offered services in a cloud environment had never been security tested!

    Compliance is good, but more importantly? Walk me through how you protect data. Make me feel comfortable that you have taken the measures to protect the data. I was surprised by more than one who couldn’t do this.

  • The price structure must be 100% predictable.Variable costs kill. I wanted to make sure we weren’t going to have any surprises. If an XDR vendor asks you, “How many endpoints do you have?” RUN.The pricing structure must accommodate our ability to build it into our subscription costs, at a reasonable margin.

    In the MSSP world, SOC costs can make us fail faster than anything else. How does an MSSP scale without breaking the bank on increasingly expensive information security labor costs?


Our search for the Cinderella XDR (the one that fits us perfectly!):

We looked at dozens of vendors -you’ve heard their names. after nearly two years of competitive analysis, demos, and trials from nearly a dozen XDR companies, we narrowed our focus to two, both undergoing trials, with Stellar Cyber winning us over.

This was a significant capital investment for us. We wanted to make sure we did this right and were able to recoup our investment in added volume and efficiencies. Rather than going with their cloud version, we purchased the 88-core, 20Tb server. The system is designed to parse and analyze vast amounts of data from dozens of infrastructure devices, endpoint logs, and security systems. We wanted it protected, so we racked it up in our secured facility in Iron Mountain Datacenter and performed our first ‘eat your own dog food’ trial during the early summer of last year.

We have MANY lessons learned. I won’t be able to share them all in one short paper, but I thought it might be good to share a few of the bigger ones.

  • XDR offers a wonderful solution for bringing just about any piece of information that you can imagine into one pane of glass. We found it overwhelming.

  • This is not an entry-level tool. XDR can introduce ambiguity where none should exist. You’ll need a smart team to evaluate every XDR hit before activating SOAR. While the AI learns from the XDR vendor’s larger customer base, it also learns through actions performed by your analysts. They need to be smart.

  • Most XDR solutions want to price by the endpoint. This is a deal killer. If