Gartner’s predictions on OpenXDR? I think they got it wrong. Here’s why.
Republished from Jeffery Stutzman, CEO of Trusted Internet
“Extended detection and response is a platform that integrates, correlates and contextualizes data and alerts from multiple security prevention, detection and response components. XDR is a cloud-delivered technology comprising multiple point solutions and advanced analytics to correlate alerts from multiple sources into incidents from weaker individual signals to create more accurate detections. It aims to reduce product sprawl, alert fatigue, integration challenges and operational expense, and will appeal in particular to security operations teams that have difficulty managing a best-of-breed solutions portfolio or getting value from a SIEM or SOAR solution.” (Gartner)
Gartner also says that by the end of 2023, at least 30% of EDR and SIEM providers will claim to provide XDR despite lacking core XDR functionality. This is completely true. In fact, CrowdStrike, SentinelOne, Cybereason and others have classified their endpoint solutions as XDR.
Gartner also made a couple of predictions.
- By year-end 2027, XDR will be used by up to 40% of end-user organizations to reduce the number of security vendors they have in place, up from less than 5% today.
- By year-end 2027, XDR and SASE will be used by up to 50% of end-user organizations to reduce the number of security vendors they have in place, up from less than 5% today.
I believe Gartner got it wrong. I don’t believe Gartner’s predictions will come true. Here’s why.
- XDR can’t rely on an agent, and security professionals know this. They recognize that XDR is more than protecting just those systems with EDR or an agent installed. XDR goes way beyond that.
- Completeness of EDR as an XDR is lacking: most MDRs monitor firewalls, endpoints, flow, authentication, and maybe a couple of other sources. True XDR monitors every possible data point, regardless of whether or not there’s an agent loaded.
Gartner believes that XDR and SASE will REDUCE the number of technologies in an organization, when in fact, I believe it will consolidate and more accurately depict the picture, regardless of the technology or the number of technologies used to gain the most complete and accurate picture. XDR will not reduce the number of vendors; it will incorporate the use of more vendors, each chosen because they are at the top of their game. Gone will be the days of being locked into one security walled garden.
Five years ago, we (Trusted Internet) selected our tech stack from the top-five NSS Labs list: FortiGate firewalls, FortiClient, and Sophos at the endpoint. We then chose others based on our own requirements (Minerva’s Armor, Sophos Intercept X, and others) to round out our tech stack and delivery model. We had our prescribed infrastructure, but not everyone wanted to remove their brand-new Cisco Firepower firewalls. And what about others who have Palo Alto? For a company with multiple technologies, correlation becomes almost impossible. Imagine our position as the MSSP. Each company is unique in many ways, and every one of them has its own correlation requirements. As a result, we had to bring them into our own data lake, where we perform Tier 2 and 3 correlation analysis by manual threat hunting, forced to attempt to correlate against them all by hand.
Today, we offer several XDR options (Stellar, Sophos, Fortinet) and soon, potentially, a second option in OpenXDR. We can now use hundreds of vendor integrations and data points to identify, track, and correlate abnormalities. Instead of pulling and analyzing PCAP for hours, each allows us to connect hundreds of data points in the enterprise: not just security logs, but any log. Even physical security logs can be plugged into OpenXDR. If it can be brought into the data lake, it can be correlated. And it’s all done in one OpenXDR pane of glass. Analysts train the machine on patterns of life for roughly the first month to ensure patterns are taught accurately before AI helps normalize operations.
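To make the "if it can be brought into the data lake, it can be correlated" point concrete, here is an added example (written for this page, not code from Trusted Internet or any XDR vendor). It parses three unrelated, agentless feeds into one event schema and joins them by user and time: a firewall log, a VPN authentication log, and a physical badge-reader log. A VPN login from an outside address for a user who badged into the building minutes earlier is a finding that no single source can produce on its own. The log layouts, hostnames, users and addresses are all constructed for illustration and do not reproduce any real product's format.

```python
# Added example: minimal multi-source "data lake" correlation.
# All log formats and sample lines below are constructed for illustration.
from __future__ import annotations

import csv
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO


@dataclass(frozen=True)
class Event:
    """One normalized record, whatever feed it came from."""
    ts: datetime
    source: str            # "firewall", "vpn" or "badge"
    user: str | None
    src_ip: str | None
    action: str            # normalized verb: deny, accept, login, badge_in ...


# Constructed sample data: key=value firewall-style lines, a CSV VPN
# authentication export, and a whitespace-separated badge-reader log.
FIREWALL_KV = """\
date=2024-03-05 time=09:01:10 srcip=203.0.113.7 dstip=10.0.0.5 action=deny user=
date=2024-03-05 time=09:01:12 srcip=203.0.113.7 dstip=10.0.0.6 action=deny user=
date=2024-03-05 time=09:03:40 srcip=10.0.0.22 dstip=10.0.0.5 action=accept user=bob
"""
VPN_CSV = """\
timestamp,username,client_ip,result
2024-03-05T09:02:05,alice,203.0.113.7,success
2024-03-05T08:30:00,bob,198.51.100.9,success
"""
BADGE_LOG = """\
2024-03-05 09:00:30 HQ-Lobby-Door alice BADGE_IN
2024-03-05 18:05:00 HQ-Lobby-Door bob BADGE_OUT
"""

_KV = re.compile(r"(\w+)=(\S*)")


def parse_firewall(text: str) -> list[Event]:
    """key=value lines; an empty user= field becomes None."""
    out = []
    for line in text.splitlines():
        kv = dict(_KV.findall(line))
        ts = datetime.fromisoformat(f"{kv['date']}T{kv['time']}")
        out.append(Event(ts, "firewall", kv.get("user") or None, kv["srcip"], kv["action"]))
    return out


def parse_vpn(text: str) -> list[Event]:
    out = []
    for row in csv.DictReader(StringIO(text)):
        action = "login" if row["result"] == "success" else "login_failed"
        out.append(Event(datetime.fromisoformat(row["timestamp"]), "vpn",
                         row["username"], row["client_ip"], action))
    return out


def parse_badge(text: str) -> list[Event]:
    """Physical-security feed: no IP at all, but it carries the user and time."""
    out = []
    for line in text.splitlines():
        date, time, _door, user, verb = line.split()
        out.append(Event(datetime.fromisoformat(f"{date}T{time}"), "badge", user, None, verb.lower()))
    return out


def correlate(events: list[Event], window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Join across feeds: a VPN login by a user who badged in within `window`,
    enriched with firewall denies from the same client IP in that window."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for login in (e for e in events if e.source == "vpn" and e.action == "login"):
        badged = [b for b in events if b.source == "badge" and b.action == "badge_in"
                  and b.user == login.user and abs(b.ts - login.ts) <= window]
        if not badged:
            continue
        denies = [f for f in events if f.source == "firewall" and f.action == "deny"
                  and f.src_ip == login.src_ip and abs(f.ts - login.ts) <= window]
        alerts.append({
            "rule": "remote_login_while_badged_in",
            "user": login.user,
            "client_ip": login.src_ip,
            "vpn_login": login.ts.isoformat(),
            "badge_in": badged[0].ts.isoformat(),
            "firewall_denies_from_ip": len(denies),
        })
    return alerts


def run_demo() -> list[dict]:
    events = parse_firewall(FIREWALL_KV) + parse_vpn(VPN_CSV) + parse_badge(BADGE_LOG)
    return correlate(events)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The design point is that each parser only knows its own feed and emits the same `Event` shape; the correlation rule never touches raw formats, so adding a fourth vendor means adding a parser, not rewriting the rule. Real feeds need timezone handling and a much wider field set, but the join itself does not change.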
XDR isn’t going to reduce the number of vendors.
XDR expands the playing field to as many vendors as you want to connect, all best of breed, performing heavy-lift analytics and automated response.