Webinar Recording

Debunking Common Myths about XDR


Join security experts from KuppingerCole Analysts and SentinelOne to help you get an understanding of what eXtended Detection & Response (XDR) really is, and why you should consider this emerging technology in your enterprise security stack.

John Tolbert, Director of Cybersecurity Research at KuppingerCole, and Marko Kirschner, Director of Sales Engineering Central Europe at SentinelOne, will define XDR, including which technical components are necessary for distinguishing XDR from Endpoint Detection & Response (EDR), and how XDR differs from Security Orchestration, Automation & Response (SOAR).

They will also discuss why XDR is an important and useful amalgamation and evolution of security tool sets, the use cases it solves, and where it should fit on organizational security technology roadmaps.

Good morning, good afternoon. I'm John Tolbert, lead analyst here at KuppingerCole. And today our webinar is titled Debunking Common Myths about XDR. And today I am joined by Marko Kirschner, who's Director of Sales Engineering at SentinelOne. Welcome, Marko.
Thanks, John. Excited to be here.
Great. So a little bit of logistical information before we get rolling here. We're in control of the audio, so there's no need to mute or unmute yourself. We will be doing a Q&A session at the end. So there's a questions blank in the GoToWebinar control panel. You can type questions into that at any time, and we'll look at those at the end of our sessions. We're gonna do a couple of polls at the end of my section, two questions, and then we'll look at the results right before we start Q&A. And then we are recording this, so both the recording and the slides will be available shortly.
So again, I'm John Tolbert here at KuppingerCole. I'm gonna start off by talking about what is XDR, what can it be used for, and then kinda look at the marketing versus hype. Then I'll turn it over to Marko. So I thought it'd be good to start with, you know, where has XDR come from? So endpoint protection, endpoint detection and response, network detection and response. You'll see there's a bunch of different tools that can, you know, fall under the rubric of XDR. Looking at the history, you know, way back in the 1990s or even late eighties when viruses first appeared, there needed to be a solution for that. So antivirus, which has, you know, morphed in modern day into endpoint protection platforms. You know, when they started off, they were, you know, doing signatures. You know, the researchers would get, you know, a copy of a bad file, figure out how to, you know, look for that particular virus type and then train their solutions to do the same.
You know, things have gotten a lot more sophisticated in the last 20 or 30 years. And now we use machine learning and a variety of other techniques like memory analysis and behavioral analysis and, you know, exploit prevention, as well as, you know, some signature-based detection models as well. But EPP also rolled in other kinds of functionality over the last 30 years, like application control, endpoint firewalls, filtering, and many other features that now commonly come in what is called endpoint protection platforms. Later in the nineties, we saw the rise of IDS, IPS, intrusion detection, intrusion prevention solutions. These were rules-based network attack detection and prevention systems. In order to make it work, you know, network analysts would have to see what was good and bad traffic manually, and then write manual rules to look for that and alert on that or block, you know, and that led to a very high false positive rate.
In general, it's a very high maintenance way of doing intrusion detection, but really it was the best thing available at the time and very necessary. Moving into the two thousands, we saw the advent of EDR, endpoint detection and response, which has now been rolled together with EPDR, endpoint protection, detection and response. And why did this happen? Well, sometimes machines would wind up getting compromised. Maybe they didn't have the latest patches, didn't have the latest endpoint protection. So organizations needed to find out which machines had been compromised. And APT, advanced persistent threat, was one of the drivers for the development of EDR. These APTs are, you know, when mostly state intelligence agencies are trying to get information, you know, trade secrets, other kinds of secret information from different organizations or governments. EDR really requires their detection models to use machine learning algorithms, cuz of the vast amounts of data that have to be pored through in order to automate it, you know, and in the last decade we've seen, like I said, the EDR sort of merge with EPP.
So now the full platforms, you know, contain both the ability to identify malicious code and try to prevent it from executing, and looking for signs of possible compromise and offering the ability to respond to that. NDR is sort of the next generation IDS. So rather than being rules based, it's based on machine learning detection algorithms, and generally that leads to higher accuracy, a better ability to classify anomalies correctly. These require sensors for on-premise and cloud deployments, and also the ability to look at encrypted traffic, being able to tell what may be malicious simply by looking at the headers. Now that we're into the 2020s, many of these tools are being combined into XDR. The idea being, you know, having an all-in-one detection and response solution for endpoints of all kinds, network, cloud. Most of these do tend to be single vendor stack solutions.
So, drilling down a little bit on EPDR, it includes, like I said, you know, the endpoint firewall, URL filtering, application allow and deny listing, as well as things like system file integrity monitoring, looking for when code may have been trying to change system files, if it's malicious code, you know, so that it relaunches every time a machine boots, plus the pre-execution detection of potential malicious software. EDR, drilling down on that a bit, you know, that's looking for indicators of compromise after the fact. The ability to pull in cyber threat intelligence, having a sandbox service is often included. Sandbox would be, if you get a piece of suspicious code, you wanna know what it is, it gets, you know, diverted to a sandbox where it executes. And then analysts can look at the results and determine whether or not it was malicious. There are various alerting and reporting mechanisms, including, you know, pretty modern alternatives for using, you know, messaging solutions that people like to use today. And a query interface, you know, for doing forensic investigations, as well as a proactive threat hunting console for admins, analysts, and then both manual and automatic response functions. We'll talk about that more in a minute.
So let's contrast that with NDR, network detection and response. Whereas EPDR or EDR is based on agents, NDR requires, you know, either an appliance, a virtual appliance, or maybe code that runs on a machine that can be plugged in, you know, inline on the network or off SPAN ports, you know, duplicating the traffic so it can see all the traffic that's going by. Or in a few cases, there are solutions that merely pick up, you know, log telemetry from network devices. These are designed to look for not only north-south, you know, things coming through the perimeter, you know, potentially malicious code or malicious activities, but also the east-west, you know, that's where the threat actors are doing their lateral movement and reconnaissance, looking to, you know, position data for exfiltration. Another benefit of many NDR solutions is they understand OT, operational technology, and industrial control systems protocols. And these can be very different from the protocols we work with in our offices every day. You know, things that are designed to interact with specific kinds of machines, you know, for power, utilities, manufacturing, warehouse maintenance, HVAC. So understanding what's going on on those networks can be very advantageous.
NDR also includes threat hunting tools similar to EPDR, which again, is sort of going out and looking for things that may not have been defined as an IOC, indicator of compromise, already. Another benefit is, you know, NDR tools might have a chance of finding malicious activity when all the other tools miss it. You know, in some extreme cases there have been attacks on companies, government agencies where the attackers take very strong measures to wipe out all traces that they've been there. So, you know, deleting logs, deleting entries in SIEMs, covering their tracks as best they can. It's harder to cover the tracks at the network level. So looking for, you know, evidence where other tools might have missed it is a thing that NDR could do. And then also automated responses, you know, in this case it's a little bit different. It's not terminating processes and quarantining files so much as being able to isolate specific nodes or block traffic by, you know, IP or port or domain.
So when I say indicators of compromise, here's a couple of high level examples of what that might be. Malware generally gets in and will try to change things in the registry or the system files again, so that they can maintain persistence, you know, after a reboot. Unusual use of network ports by applications. Sometimes they try to, you know, disguise themselves as, you know, a common application or run through a common application, but they might use different TCP or UDP ports for that. Simply contacting known bad IPs and URLs. Cyber threat intelligence subscription services keep up to date on what IPs and URLs are being used by various threat actors. Down at the code level, there's unusual process injections. That's one way, you know, malware tries to keep off the radar of security tools, is to inject code into a running process that's normally trusted. Same thing with modification of module load points, changing where it points to and adding code that can then be executed, and hoping to escape detection.
So for responses, what do we mean? Well, these are actions that can be taken either manually or, in many cases, in a fully automated way. So running CTI queries, going out, looking for that, you know, bad IP, bad URL, you know, hashes, you know, code samples. Those are things that, you know, you should be able to get from both EPDR and NDR and XDR. Automatically collecting forensic information is a great benefit. You know, when an incident happens, there's a number of things that, you know, analysts commonly have to do that can be very repetitive, time consuming and maybe even error prone. So being able to automate the collection of forensic information is a big advantage. Same with running scripts to support threat hunting, incident response, systems management. Case management is another feature most of the XDR, NDR, EPDR solutions have: being able to get information about an event or an incident, automatically create a case, assign tickets and manage that from end-to-end. Plus potentially integrating that with other ITSM, IT service management solutions.
Of course, you need to be able to alert the security operations center and analysts. And then I mentioned, you know, terminating processes for the EPDR side. If it realizes there's a malicious process, you know, cut that off, cut off any connections those machines have on the network, automatically updating detection rules. Once, you know, a new type of malicious event is discovered, you'll wanna look for that across all your assets and across all your networks and cloud resources. Delete quarantined files, remove those registry entries that are there to enable persistence, isolate nodes or even whole networks if necessary. And, you know, roll back infected endpoints to a known good state. Those are, you know, a good summary list of a lot of the things that can be automated or, you know, available kind of at the click of a button within the EPDR, NDR and XDR realms.
So a little high level diagram of where these things go. So if it's EPDR, again, it's gonna require an agent. So the agent, you know, is sort of the red circle here. You need those pretty much on every endpoint. You need that on servers, you know, people who are working in offices, cloud VMs, you know, your infrastructure like email and web gateways. And then they all forward their telemetry to the EPDR console, which then can pass it on to SIEM. I mean, these agents pass it on to SIEM, you can conduct CTI queries from there. And then SOAR sort of rides on top, and we'll talk about this more in a minute, looking at the underlying information in the SIEM.
Now compare that to NDR, which has, you know, a very different kind of deployment model, again, looking kind of at the same infrastructure, but the NDR sensors here in blue need to be put on all the different subnets, you know, where you have users, applications or other kinds of equipment. So, you know, in the case of office networks, you'll need sensors on your routers and switches there. Same thing for, you know, your infrastructure, you know, firewall, web application firewall, email, web gateways, remote workers, maybe they're coming in through VPN. So being able to have an agent, first of all, you need agents on all the remote workers' machines, but then also having a sensor, you know, maybe near the VPN concentrator is useful as well, in cloud instances. And then, you know, I mentioned industrial controls, IoT and operational technology environments. Sometimes endpoint agents don't work in those kinds of environments or can't be placed on machines within those environments.
So a network layer sensor is probably the best solution there. So NDR is, again, you know, generally very useful in OT and ICS use cases. Similar to EPDR, this rolls up to the NDR console, also goes into a SIEM. From the NDR console you can do CTI queries and, again, hopefully these can be plugged into and orchestrated by a SOAR if you are maintaining multiple different kinds of tools here. So XDR includes all these things that I've been talking about so far: EPDR, endpoint, network, access to cyber threat intelligence subscriptions, and a SIEM-like data lake, not necessarily needing to work in conjunction with a SIEM, but being able to store the same kind of information. Other functions we see in some of the XDR platforms that are out there are cloud workload protection, distributed deception, unified endpoint management, vulnerability management, and user behavioral analysis. And different vendor solutions include different kinds of capabilities here.
So what's needed? Okay, I've talked about agents and the need for those on every endpoint, on servers, virtual machines; sensors that work on on-prem networks, data centers, and in the cloud; a data lake; an enterprise console; and then an analyst interface. So, I mean, in looking for solutions like this, it's important to understand your environment, what kinds of endpoints you have, what kinds of cloud resources you're using, and then also take a good close look at the enterprise console, analyst interface. How easy is it, you know, for your analysts to get their work done?
So combining, you know, EPDR and NDR, you see, in some ways it may look like we're doubling up, but it's just really putting those agents on all the devices where possible. And then, you know, putting sensors, network level sensors, in every area in which you're operating, whether it be cloud or, you know, on-prem. So XDR versus SOAR, we look at, you know, what are SOAR platforms supposed to do. SOAR stands for security orchestration, automation and response. It's designed to, and you'll see these functions can kind of be similar, you know, aggregate security information from, you know, upstream sources. Those often include EPDR and NDR, web application firewalls, vulnerability management systems. All that gets hopefully pushed into a SIEM solution, security, you know, the data lake. This allows you to automate investigations, you know, correlate, deduplicate those entries and enrich it. You know, again, CTI subscriptions to be able to do threat hunting from a SOAR console and then to be able to respond. But responding in this case means integrating with the APIs of all those, you know, upstream tools like the EPDR and NDR.
So when we compare, you know, XDR and SOAR have overlapping features in many cases, but I think one of the big differences is, you know, many XDR products are designed to be sort of single vendor stack solutions. SOAR solutions are probably better for those who have and really intend to keep, you know, a best of breed security architecture. Meaning, you know, you've got lots of different products from lots of different vendors, and you need to be able to orchestrate and respond across all those different kinds of solutions. So, you know, there may be cases where some organizations could go for XDR and maybe not need a separate SOAR. That's a possibility.
So looking at hype versus reality, you know, this is still an emerging market, and it will take time to get there all the way. You know, it has become a popular term. You've probably seen it a lot in marketing. But, you know, I don't think all products that are marketed that way have all the functionality that I've described here today. Some vendors are positioning their EPDR products as XDR, so they leverage agents on machines to capture all the network traffic. But I think there are some drawbacks to that approach. First up, performance. If you've got every machine on your network or, you know, some machines that are trying to read all the traffic that goes by, that's gonna be a performance hit. It requires endpoints that have these EPDR agents on every single subnet. And, you know, again, in the case of things like ICS, OT, IoT, you know, you may not be able to put endpoint agents in those places. That leads to possible observability gaps. And then really there are fewer network layer controls that work at the endpoint level. So it may not be, you know, as comprehensive a solution as one that does include, you know, dedicated network layer sensors. However, full XDR solutions do exist.
So with that, I want to wrap up here with a couple of poll questions. So after all that description, what do you think, does your organization have EPDR and NDR in place today? Options here are A, EPDR only; B, we have NDR; C, we have both; or D, we have neither. So we'll give everybody a few seconds to answer that. Okay, great. And the next question, does your organization have or plan to implement XDR in the near future? And our choices here are A, yes, it's planned; B, it's deployed; or C, not really under consideration at this point. Okay, well great. So just encourage you, if you have questions, again, go to the GoToWebinar control panel and feel free to enter those. And we will take those questions at the end after we look at the poll results. And next up, Marko from SentinelOne.
Well, thanks John for the first part. Now I wanna talk a little bit about the XDR view from the SentinelOne perspective. How do we see it? You know, obviously it plays along very well with the concepts which John has just mentioned, but also we are going to talk a little bit about the myths, what, you know, sometimes, you know, the misconceptions are when it comes to the XDR role or the XDR functionality. Now the role of cybersecurity is obviously constantly evolving. So we need to meet, you know, the growing list of challenges faced by, you know, everyday organizations. Whether we look at small businesses or large businesses, you know, demands on the security teams are constantly, you know, growing exponentially. Now also the attack surfaces, they continue to expand. You know, we introduce more potential vulnerabilities for an adversary to exploit, from cloud transformation to IoT; our coverage map has never been more ripe for attack.
Now what we also see is pretty much most organizations have invested in point solutions to address each area of their security stack. As a result, you know, adopting multiple best-of-breed solutions has added complexity. You know, we see this a lot. And also sometimes confusion to the security practitioners, requiring sometimes a very steep learning curve with loosely, or rather loosely, integrated workflows. What else do we hear from our customers? While adversaries continue to automate their operations, and most enterprises struggle to find enough practitioners, we actually see a growing number of threats. There's still not enough, you know, skilled persons around to actually, you know, keep up with the influx of new threats there as well. And also, we also continue to delay our early automated detections and responses. You know, adversaries will enjoy a longer dwell time. So they automate, you know, they potentially get in easier or faster, but again, if we don't keep up with the same trend, obviously we actually will be a little bit behind when it comes to identifying the attackers in the network, and again, it gives them an upper hand.
Now this particular problem is certainly not new, right? In fact, most organizations have probably already started to buy tools to address these very concerns. So why is XDR, from our perspective and when we talk to customers, such a hot topic? What's different today and why should we consider a different approach, right? Some of these tools are working, doing a decent job, at least they appear to do a decent job. So why should we, or why do we need to adopt, to start? You know, some of the tools which have been deployed, they have not universally been proven to be effective to detect and prevent all adverse behavior. Secondly, the attackers haven't stopped innovating, right? They don't really depend on working or fixed working hours, right? There's not really clocking in, clocking out. So they are continuously, you know, sharpening their skills and their tools to put new challenges ahead of the defenders.
Also, cloud transformation, right? Organizations continue their journey on the cloud transformation, and that might actually create unexpected blind spots, right? We see it in the news all the time that, you know, some data is being exposed in unsecured locations. There was just the no-fly list as an example, right? Exposed on some airline server. So cloud transformation definitely plays also a big part in the XDR trending, or the reason why XDR is trending. Also, with the exponential growth of alert volumes from an ever expanding footprint of network and security solutions, there is simply not enough time. You know, I don't wanna use the phrase alert fatigue, but we hear it a lot, you know, more and more alerts coming in, again, not with enough resources to actually handle them. So we actually see a lot of alerts being, you know, just bulk approved, as an example, or bulk acknowledged.
And then obviously, as long as you continue to rely on manual response efforts, attackers are inevitably going to enjoy longer dwell times, right? So we need to automate more things. We need to automate playbooks, we need to automate responses to protect our crown jewels in the networks, and well, identify attackers easier, faster in the network. Well, this echoes the latest analyst insights on the current complexity of managing effective security operations. Now, a recent study, here in this case by ESG, exposed that today's modern security operations centers, or SOCs, will rely upon anywhere between 25 to 49 independent tools from, you know, up to 10 or more different vendors in order to do the hunting, triaging or, you know, security operations. This study also concluded that so long as these data are forced to reside in separate disconnected silos, it's going to be hard to identify, you know, all of the connected dots, or connecting all of the dots.
And that typically leads to some missed detections as well. I mean, nothing new here. You know, we are trying to break down these silos for a couple of years now. Now, today's threat landscape, or today's threat detection and response landscape, is quickly evolving to encompass all, you know, of the solutions which John has also mentioned, right? We're talking about EPP, EDR or EPDR. We're talking about the network detection and response and cloud detection and response side, and then obviously the whole area around SIEM and SOAR solutions, which have been already used. And again, XDR is aiming to become a new cornerstone of connecting these solutions, for providing an overall solution for customers, right? To actually connect these different dots, breaking down the silos. But also for years now, right? Security vendors, and obviously I'm working for one, they all have been promising what has been known as a single pane of glass.
So there's one console, there's one area where you log in, you have all of the things you need, you just log into that one. And the idea is that this particular console can deliver the visibility, the response capabilities, and, you know, access to information stored in all of these different tools, you know, a customer might have deployed. Yet, while this, you know, was at least the dream everybody wanted to go for, what sometimes happened was that, say, a single glass of pain instead of a single pane of glass. So each, you know, of the different security vendors, they typically allow different consoles, you know, different methods of providing visibility and control. Each platform, you know, usually has some sort of learning curve, right? We expect our people in the SOC to become experts in each of these different tools, you know, getting used to and working on a daily basis with these largely disconnected tools.
This level of complexity, which we introduce here, makes it possible for even the most experienced analyst to respond quickly at scale. Imagine you have to, you know, log into three, four different consoles, you know, to gather the information, and again, into two or three different consoles to actually take some action to, well, react to an incident. I think the most, oh, one of the biggest arsenals in the analyst's tools, that is probably Control-C, Control-V, where we take information from one console, from one disconnected system, trying to move it into a different one to continue our workflows. So XDR, you know, promises, again, to reduce the complexity, right? So we are trying to merge multiple consoles' features into a better user experience, which then also increases, you know, the outcomes or, you know, measurably increases the outcomes so that analysts can actually do more work with the console and improve the overall efficiency.
Now, luckily, there's also a couple of things on which most vendors, you know, and analysts come to some agreement, and that's what are the value drivers. So, you know, you don't wanna say, oh, yet another security tool, but what is everybody trying to achieve when they actually go onto an XDR journey? And again, it could be an XDR journey or an XDR vendor who's coming from the EDR side, or, you know, from the NDR side, all of the different areas which John mentioned as well. But one of the key things is using mean time to detect, right? So MTTD, MTTI, MTTR. So mean time to detect, investigate and respond; the goal is to reduce the attack surface and improve the detection rates. And again, we want to lower the dwell time an attacker is operating undetected in our network.
Second, and it's sometimes actually the first one as well, is reducing cost, right? From platform consolidations to consider list over time, XDR should yield a net reduction in cost and improve the ROI on your security spend. So, you know, having everything in one tool, you know, having a measurable ROI, and also the time and efficient return of investments as well. These are definitely some of the key value propositions of XDR as well. Now also improved performance and scale, right? It's nice that we can actually save money, and it's also very nice and very important that we actually reduce the dwell time, but we also actually wanna improve the scale of our, you know, sometimes limited security teams. The volume of data is only increasing, right? And the value of the data grows, you know, or the data actually grows, which we have to bundle with each additional data source.
Imagine you take all of the logs from, you know, your iPad solution, from your proxy solution, from your NDRs, EDRs, all of these things; XDR should cost effectively allow for growth of that data, right? So that is definitely one big thing, that without a dramatic increase in cost, you know, customers want to actually leverage multiple data sources, increase, you know, the data intake in order to actually improve the detection. And last but not least, improve security operations efficiency, right? Reducing the number and complexity of security consoles, coupled with a couple of simplified and automated response playbooks, XDR can dramatically improve analyst productivity. So that's pretty much, well, the key value propositions which we see a lot from an XDR perspective. And obviously they're also related to the different XDR solutions out in the market. But these are the drivers which we, when we talk to our customers and prospects obviously, see coming up most of the time.
But we wanted to talk about debunking some of the myths as well. So we put up a couple of myths, and let's just talk about this one. And again, I think that aligns very well with what John mentioned as well, that you actually have to have all of these different areas covered from, you know, the endpoint side and network side, VPN as an example. But obviously one of the big things is, you know, as the number one myth, you know, that you don't need a successful EDR anymore, right? XDR can take care of that one and, you know, it wouldn't actually rely on or, you know, need an EDR solution. Now, if you look at the reality, when we talk about XDR, and again, you know, we've seen it in the previous slides as well, is you need a solid EDR deployment, right? So you need to have, you know, agents on systems which actually support agents in order to gather the required information.
Modern EDR solutions, right? Continue to be one of the most effective security tools used to provide positive business outcomes when it comes to protecting the enterprise. And a lot of the breaches, I mean, you look at the different numbers, right? 70, 75%, they still originate on the endpoint, right? Would it be through an exploit, right? Or it actually starts with, you know, some board of identity, and then, you know, somebody's logging into an endpoint again and then starting the reconnaissance from that endpoint. So a lot of the time, well, most, we see 70, 75% of the time it is actually molding in endpoint. So, but as with most things in life, not every EDR tool is equal, right? So they all have different, you know, features, functionalities, so do the research. I think MITRE provides one of the most comprehensive evaluations, you know, for all of the vendors.
And they also, you know, differentiate what capabilities, when it comes to the EDR capabilities, these different solutions have, detecting the different TTPs, different tactics, that vendors, or not vendors, sorry, attackers utilize. And obviously of importance is, you know, the EDR solution should, you know, cover the majority of your endpoints. So if you are a Mac-heavy shop as an example, obviously the EDR solution needs to cover the Mac estate as well as, you know, the Linux, Windows estate, or even, let's say, the mobile environment. So if we look at the amount of events and alerts today, right? So how do we actually find the needle in the needle stack, right? The haystack would be easy, but we actually wanna find the needle in the needle stack. So how do we go from trillions of events? If we look at, you know, all of these different data points, the different solutions which we want to integrate in XDR, how do we go from those trillions of points of telemetry into, you know, whittled down, or, you know, broken down into a couple of hundreds of suspicions or, you know, potential incidents.
And then from there, we actually just arrive at a handful of incidents. Obviously the idea here is that we utilize modern technologies, you know, machine learning, AI, all of these things to actually help us on this journey, automate as much as possible. We mentioned it before, right? Nobody wants to actually look at trillions of event logs. You know, a machine can do that in a much better way, to actually break the stone, correlate all of the data, the raw data coming in, to actually deduce the information and break it down to, again, a handful of incidents, which then your security team can actually analyze. Now with number two, right? And that's something which we also hear from the customers, but also the market sometimes, is it's just a next-gen SIEM, right? It just sounds like an evolution of SIEM with some of the use cases and outcomes of XDR, right?
It may sound a lot like some of the SIEMs or SOAR platforms and, you know, they were actually meant to solve a lot of similar problems. But let's have a look at the difference between those technologies. Now SIEMs, you know, they were born in an era where compliance and governance mandated the collection and storage of event data from a large number of disparate or separated data sources. Again, there's multiple requirements when it comes to PCI, for example, HIPAA, SOX and so on and so forth, which require the collection and retention of logs from multiple sources for a given amount of time. So these SIEM solutions were built to ingest the broad spectrum, you know, of network, application and security logs so that you can actually use correlation rules on them as well to detect some obvious patterns such as brute-force login attempts, you know, like how many events in a certain amount of time.
Some of the problems which we have seen coming with the SIEM technology is there's sometimes an extremely high barrier of entry, right? You need to actually, most of the time, write some parsers for the logs, you know, with the normalization of data, feeding third-party logs into these solutions. So these are some of the challenges which we also see from customers when it comes to the SIEMs. And obviously if you look at the other point, you know, the expensive side, so starting off easy, like getting happy meals so to speak, you know, I dunno, one gigabyte per day, but then once you add multiple data sources and more data, you know, into the multi gigs per day or even terabyte per day, it actually becomes sometimes very cost prohibitive. Now let's look at the comparison between SIEMs and XDR. Now, if you look at the business focus from a SIEM side, again, as we mentioned, they were originally created or envisioned to address business risk, providing visibility and search across all of the different security data.
Now, from an XDR perspective, it has a more proactive threat-centric approach. You know, it's supposed to help security teams more quickly and effectively detect and respond to advanced threats in near real time, right? Providing a lot of automation or one-click actions to actually start immediately the remediation of an observed attack, as an example. Now, the deployment model of each technology, sorry, each technology now again, initially SIEMs were traditionally born out of the on-premise side and then moved into the cloud and the hybrid approach, where again, XDR solutions typically have been created and developed with cloud-native approaches in mind for some of the use cases. Again, the SIEM market was born from the log management capabilities. The primary use case, as we discussed already, was the case of compliance and governance, log record, log reporting and log recording, dashboarding, you know, and you know, keeping the data for the prolonged amount of time, whatever was required for the governance or compliance reasons. Over the years, you know, the vendors actually added the correlation capabilities, you know, and rule-based detections.
So we have seen, again, the evolvement there, or the evolution there rather. And then also, you know, lately also real-time search capabilities, which can also show up as some features in the current SIEM solutions. Now if you look at the use case from an XDR perspective, it's all around real-time threat detection, leveraging, you know, sophisticated machine learning and AI capabilities. So a completely different area from where the XDR market sometimes is coming from. Now from a data model perspective, you know, SIEM vendors, they were forced to adopt some data schema, you know, pretty much focusing on and forcing the data into a structured data schema. XDR solutions, you know, sometimes, you know, they are designed with, well, an open, flexible data structure, pretty much removing the need for indices, for example, for fixed fields, so that you actually can ingest any kind of third-party telemetry data, as an example.
Now, from an analytics perspective, you mentioned that one already. You know, you're talking about rule-based correlation plus machine learning at a later stage for the SIEM side. And from an XDR perspective, obviously AI-based detection combined with machine learning, and BYOT or BYOR, bring your own rules, bring your own certain intelligence, which can be easily combined with the existing native XDR capabilities when it comes to data analytics. And then last part, not least, operational modes. So if you look at the operational modes here, and I'll consume everything that you can afford, obviously from a SIEM perspective, you mentioned that one already, built static detection logic, you know, around the tools. And then from an XDR perspective, in contrast, we're looking at the relevant actionable data, right? In which the investigations, which the data set if possible, you know, draw new conclusions out of the enrichment and then, you know, allow for easy, well, actions out of the XDR platform. So the one-click responses, one-click communications, as an example.
Now, if we look at myth number three, loss of control. That sometimes, you know, sometimes we have it. It's not that prevalent anymore, but some organizations fear that automating response actions takes the human out of the loop. So the whole Skynet philosophy, right? We may rely too much on computer-driven, you know, automatic actions and the computer obviously doesn't make any ethical, strategic decisions. And, you know, it feels also that it might negatively impact the business operation. While automation can certainly improve response velocity, it's important to understand the distinction between action and prescription. Some scenarios might very well lend themselves to automated response action, such as forcing a user to reauthenticate when we see some suspicious activities, right? Frictionless, you know, it affects probably one user. Other action items might be more intrusive, blocking access to an important resource or forcing administrative action in order to restore a user to an under state.
So XDR, again, is aiming here to, you know, find the right path to actually automate what is, what can be automated, but also allowing pretty much the SOC operator or the SOC analyst to actually take action, you know, drive the workflow, drive the actual decision, the playbook, they are required. So we know from experience that there still exists the divide between, you know, what machines and humans, you know, can do when it comes to decision making. Now you mentioned just now the machine should, it shouldn't be expected of the machine to do, you know, intuitive, you know, ethical or strategic decisions. But you know, these are the areas where we actually need the humans and this is actually where we actually need to make use of the human capital we have, you know, and the, so the SOC from a security practitioner in useful, you know, in the right manner.
But we can also, we also need to understand that, you know, a human operator will not be as efficient or effective in certain tasks as the machine, right? When it comes to going through large datasets, looking for anomalies, looking for certain patterns, looking for the IOCs, which John mentioned earlier. So these are obviously tasks where the machine can help a lot, right? Sifting through the data, analyzing the data, correlating, doing, you know, some basic decisions. But when it comes to the cognitive workloads, obviously we have to put the human more into the loop again, so to speak, to drive the final decisions, you know, where required. And the last myth I wanna talk about is simply having more data will inherently lead to better detections. So it's like, give me more, give me more, and then I shall find, you know, the needle in the needle stack easier just because I have a bigger needle stack. Now, reality proves sometimes a little bit otherwise, you know. If the data lake, or data lakes on their own, would be a silver bullet, we would actually see a lot more organizations that have successfully implemented, you know, this one to solve all of the problems.
Half of the, or a little bit more than half of the customers which we surveyed, they report that they have an active project involving a data lake. The more compelling statistic is the overwhelming failure rate amongst these efforts, which means, so we actually see a lot of enterprises going for the data lake, but eventually it becomes more like a data swamp, right? So the promised or the hoped-for results are not as expected here. Now, very important here. Data ingestion sometimes is hard, right? Just throwing the data in there, you know, what do we do with the data mapping? All of these fields. And again, that could be a challenging topic for data ingestion as well. Now, again, from a singular platform, again, we have been, or the platform, SentinelOne in this case, has been designed to actually take on a broad set of these different tools, a broad set of these different logs from all of the deployed best-of-breed solutions, as an example, to help automatically ingest the data, understand the data, and make it useful for analysis.
So actually taking the relevant data, connecting it with relevant actions to actually drive the detection in our security operations centers. So just to close off here, just looking at the time. So why should we actually think about XDR? You know, just to recap some of the issues which we talked about in the beginning: speed and scale, right? It's the most important thing for any XDR solution. Complete visibility into all of the different data sources, correlating across the different stacks. You know, John also mentioned it in the different tools which produce logs, integrating with your existing security stack, right? If you have single solutions, VPN solutions, having that single glass of pain or pane of glass, right? We don't wanna have a glass of pain, but a pane of glass. Pretty much helping here, getting a head start on the attacker as well. Automated resolution where applicable, automating as much as possible and therefore also reducing complexity. Complexity is obviously always the challenging part. If you remove complexity, you increase the efficiency. And again, it's all about identifying potential attackers earlier in the network. And with that, I'm handing it back to John. Thank you very much.
Great, thanks Marco. So let's take a look at our poll results. So does your organization have EPDR or NDR in place today? Okay, let's see. 27% say EPDR. And nobody says they have NDR. Only a little more than a third have both. A little more than a third have neither. Okay, those are interesting results. Next question
Would be interesting to see if we have a split around the customer size there, right? If it would be more like from a size perspective, you know, does it fit into, let's say, the SMB market or more the enterprise market?
True. So our second question was, does your organization have or plan to implement XDR in the near future? And this is split about a third on each one: plan, deployed, not yet under consideration, with fewer in the deployed category. It's not really surprising given the relative newness of XDR compared to EPDR and NDR and other solutions. What, any thoughts on that Marco?
Yeah, it was very interesting. I agree with you. It's like the plan side, obviously, you know, the marketing hype there for XDR, right? It kicked off a couple of years ago and I think that's the, I think you mentioned it also in your slides, right? The myth, right? And what is the reality? So there was a big push already for XDR for a couple of years now, which obviously drove forward some people, you know, probably had to wait for their renewal cycles. Interesting. But it also, let's say a third is not on that path yet, but again, it would be nice to correlate it with the size of the companies there.
True. Okay, so let's look at our questions here. Can existing data or processes be converted to XDR? That's an interesting question in itself. I don't think about the data side so much as, you know, what's required to deploy it. So if you've got, you know, existing EPDR or NDR, I think that, you know, starting by looking at what that solution offers, it's not like it's hugely or, you know, qualitatively different. It's just, you know, where the telemetry sources are from and then how the solution deals with those different telemetry sources. Much of the underlying information will be very similar, I believe. What are you thinking about that, Marco?
Yeah, I agree. I mean ideally if you already have some data, right? An XDR solution should be able to just, you know, use that data, right? And then, you know, maybe if you wanna switch at one point, right? See if the data sources can be just, you know, flipped over to an XDR. But I agree, I mean the ideal part is you don't wanna duplicate data, right? It's never a good idea from a cost perspective and complexity, but just use the data which is already in the SIEM, you know, on the journey to XDR, as an example.
Next question. How does one get started with XDR? Well, I guess there are multiple answers for that. If you're, let's say, in a brand new company and you don't have, you know, security solutions, that might be the perfect time to say, look, we're gonna go for the most modern thing that we can and look for XDR that covers, you know, our endpoints, our networks, our clouds and everything else. If you are established and you, you know, have different EPDR or types of solutions or other security architecture components, then I think, well, anytime you begin an analysis such as this, I think you really have to take stock of what you already have in your security architecture inventory, so to speak. Look for gaps in coverage. Not only, you know, the observability gaps, but what are the kinds of capabilities that you feel like you're missing and you might want to augment. That would probably be two ideas for where to start there. What are your thoughts Marco?
Yeah, completely agree. Like doing the gap analysis, right? Looking at your maturity level, right? Looking at your exposure level, seeing what's currently possible in the environment and see, okay, we need to either respond faster or, you know, look at different silos. How can you be more efficient? That's, I think, a good starting point. Unfortunately not many of us actually have the ability to start with a greenfield, right? Saying okay, design it from scratch, right? That's unfortunately not often the case. So there will always be some legacy systems and, you know, seeing, okay, how can we improve these legacy systems? How can we improve the correlation between the systems? Yeah, that's typically a good starting point
Our last question may have been inspired by your discussion about data amounts that can be ingested. So how much data can be ingested daily? Always like to,
That's definitely a good question. I mean that's depending obviously on how much data will be produced, right? If we could take everything, we're coming back to, you know, is it useful data? Is it, you know, useful for our use case, right? You know, operational logs, for example. They probably can generate easily a terabyte a day. Question is, would they be relevant for a security use case, right? But obviously, you know, modern solutions from the XDR spectrum, you know, they typically handle gigabytes of data a day. So it shouldn't be, let's say, the limiting factor for planning that one, but rather the limiting factor or the idea should be, okay, what data is relevant for my security use cases? And then typically modern solutions, you know, don't struggle with that event load.
Great. Let's see, we have one more. Do you think XDR is a fit for DFIR? Well,
So, well, I think from my perspective, I think from a hunting perspective, right? But when it comes to the response side, right, we need to see what capabilities the platforms have and, you know, fetching the forensic happy meal, right? If you collect all of the things which you would need from a DFIR perspective, memory dumps, shall that, you know, all of these things, Prefetch, most of these XDR solutions can actually do that one. But, you know, from analyzing it, right, that's sometimes, you know, there are probably more granular tools available to actually do the deep-dive forensics into the forensic evidence. The evidence could be collected by XDR, but analysis probably requires some specialized tools, in my opinion.
Sure. Okay. Well, that's all the time we have today. So again, I wanted to thank everyone for attending, and thanks Marco for your contribution here. Good information.
It was a pleasure. Thanks very much to,
And again, the recording and slides should be available shortly. So thanks everyone and hope you'll join us for our next webinar. Have a good rest of your day.