Navigate the DR (Detection & Response) Jungle: EDR, EPDR, XDR, NDR, MDR, ITDR

Thank you, Osman. I see you skipped the introduction for me and don't explain who I am. So probably some people in the room have, have seen me before, even while yesterday evening, have been asked by, by someone. Western's my first time at eic.

Yeah, I I said not, not exactly. So it happens every now and then. I want to give you a very quick talk about ed, dr the detect detection response triangle with all these dr, so to speak.

So, so we have, we have quite, quite a number of these and I, I would, I will put a bit more emphasis on the it d r part. So we are at an identity conference. So the identity threat detection response will be a bit of a major part of what I'm talking about. And so when we look at this entire thing, I, I wanna start with a bit of a bigger picture. And so protect, detect response, so like an E P D R endpoint protection detection response, they are core parts of the security cycle.

So when we look at this, so we have this, and there are different varies from NIST and others where we identify risks, where we prepare for, for, for protecting and, and detecting and responding and what I might personally believe, most importantly, recovering from things that go wrong because at the end of the day, it's realistic. At some point some attacks will succeed. And then we need to be able to recover.

And I think this is something which is sometimes a bit underestimated and we talk more about the three highlighted product detect, respond, and we also need to improve, and this is something which is about preparing and about responding when we take a bit of bigger perspective here, which is powered by a lot of tools. I took some of these, but I'll touch more other tools, the, all the ones with the DR in today. But it's also about processes we have in place. So we need adequate processes. We need to think not just about tools.

We need to think about GRC processes, where we identify where we handle risks, attack surface management, incident response, business continuity management, business impact analysis, something which is always a very interesting thing to do by the way. So, so what is commonly in a manufacturing organization, the, the most critical system, it's the software that controls the high bay rec storage. Because if that fails, you don't find the parts for your production anymore, you're lost and you frequent don't think about it.

And, and you need to involve the people, the management, security, identity, everyone in cybersecurity to enable them. And by the way, we had some interesting discussions around deepfake these days. I I think it's also a part of education, understanding when do you need, so when do you need to be alerted?

Like, like we are alerted by certain types of males. Yeah. If you're in large organization, depending on your top level, it might not be very likely that your CEO calls you. It's not very likely that your CEO sends you an email and saying, Hey, you need to to ensure that this 1 billion financial transaction takes place. So usually it's, it's also a bit of human sense. So look at, let's look at the terminology, the various sort of PDRs here. So we have endpoint, we have endpoint protection, detection response, which is a bit broader approach.

We have network, we have identities, threats, detection, response. It's just probably the newest area here. We have extended detection response. We have managed detection response, at least there might be more around here. And we have, we have things where a bit of p and D and R is in, even while they don't have this, don't carry this name like cloud native application protection platforms, which then include things like cloud security, poster management. I dare to say that this acronym thing is a bit over the top and making a bit too complicated, but that's totally separate discussions.

There's another Analyst firm which creates most of the acronyms. So we are not guilty for most of these at least. And vendors are also very good, specifically the marketing departments of vendors as we know. So what does it mean to zero trusts? So zero trusts is something which encompasses the entire it. So we have identity. So Martin uses a device communicates via network to a system where an APPLIC application runs on that manages data. So a system application could be as a SaaS service and is there's software and we need to protect everything here.

And we have IT tdr, which looks at the identity. We have edr, E P D R for the device, NDR for the network.

Oh, again, a bit of endpoint stuff when it goes more to the servers as endpoints and ITRs when it comes to systems applications, we have a bit of a blank space more when it comes to data and software. So we are not, we could say, okay, there's data security, et cetera, but it's not that much in, in the sense of really a packaged solution for for detection response yet. And same for software. So there are security solutions, et cetera. XDR is in some way the integrating technology across the various DR technologies, but it also shows.

So there are a lot of things, but there's also some white space or whatever we, we probably need to get better. So we are, we haven't cared enough about data and security. And so software, also software security. And we have learned a lot that we have a lot to do over the past years. And MDR is then factually delivering the XDR part, this managed service. So when we want to look at it from that terminology, we could also put it into a even a bit broader context here. And that would be then that be a really great greater, broader picture. And that would be about how does this fit into SOCs?

And all of these graphics have a bit of a tendency to simplify things. But I think this is the concept of these graphics. If I don't build a full big picture with every element, then otherwise it would, it would be hard to understand. And then I would start with manage detection response. So manage detection response is really the service that is built around. It helps us.

And if, if you're realistic, very few organizations can handle cybersecurity without managed services, without support. Some need to do, but usually everyone is suffering a bit from a skills gap. So is to anyone in the room who says, Hey, it's for us. It's so easy to find a required resources we trust and, and we have the right people on board, probably not.

So if, if then raise the hand. I would be really curious about how you do that. So we need services to, to close gaps in order to, to have some, some economies of scale here where, where we can use sort of rare capabilities optimally for where they are best. In that case, this so to speak, caring about our security operation center or CDC C and there are sync and, and this is not, not, not a complete list. So we have the, the SOAR space security or, or security orchestration automation response, which is sim on steroids by adding orchestration automation response.

And then we have the XDR part where the different specific DRS go in maybe in the future more than these. And we have the peoples and processes and monitors methods like incident management, et cetera. So how do we deal when with the situation, when something goes wrong, how do we handle all these things? And we have more tools in the, so like attack service management. If you want to know anything about attack service management, ask Osman here. He's working a lot on this subject. So he's a person to talk with.

And so this is another perspective on, on how to look at how do these things fit together and, and where do they find their place. And at the end, we need a variety of tools because as I've shown previously with this sort of zero trust alignment across this flow of what HAP is happening, there's a place for different types of tools. And at the end, for for strong security posture, we need to cover a lot of areas.

And this is also, and one of the key areas is identity then, because if you look at real estate, at cyber threats, and there are different numbers between 50 and 80% of the attacks are related in some way related to identity. So ransomware usually starts with phishing business email compromise is about impersonation. So phishing goes into credentials. This is something which has to do a lot of identities, attacks on critical infrastructure, a mix of methods, malicious insiders, use of privileges, entitlement and exercise and so on.

So identity and access, the related things play a very central role in cyber attacks. And this will, so, so cybersecurity will remain a major drive for, IM investments specifically for emerging areas such as I identity, threat detection response. We need to get better here to understand where are the things happening and okay, you could argue and say, hey, why, why do we need this?

We have a same tool in place and we were smart enough to configure all the rules for the same tools couple of years ago already, which helps us to deal with all the signals and figure out when there are any animals around access, et cetera. Yeah, reality is most likely we are, we are not as good on that. We probably, depending, when you're from Germany and from a larger organization, you, you, you may got stuck with the workers council latest here because they say, oh, this sounds like you're supervising the workers even while it's totally legal.

Workers councils sometimes are, are a bit brown here for things like uba, so user behavior analytics, et cetera. So what we, but we need to do that and we have the technology, we can do it good enough. And maybe I TDR also is a new name, helps us a bit to do it better because I tdr sounds way less problematic than user behavior analytics if you're honest. So user behavior, if I were a work as council member, my alarm bills probably would ring when I hear user behavior, you're lost at that point after behavior.

You, you have lost that game. Yeah, it's, it's, it's, it's just a matter of wording.

I, identity, threat, threat. Oh, that's dangerous. We need to do something. Yeah. Psychologically, very different thing. Sometimes it's also really naming the things the right way. Yeah. And and what is it about, it's about monitoring. So what is happening? Gathering signals. And we see a lot of interesting things happening around shared signals. Finally, I remember at eic number one, I, I gathered a couple of people and said, shouldn't we look to create a standard that helps us sharing signals about who uses what, what does it mean from a audit and threat perspective?

I probably was 15 years to to to early with that. Right Now we see finally standards developing in the space. It's detecting it.

So, so baselining normal activities, bringing in ml, et cetera, and identifying the, the outliers, the anomalies respond on that. So first authentication, lower entitlements, whatever you can do disable accounts depending on what is happening, maybe even do deception.

So, so if there's something obvious is lure them to another system, analyze the risk, enforce appropriate identity assurance levels and, and add all the device stuff around it because this is the, or in the broader sense, all the context stuff. Because context, this is what is really essentially here. So we have these things and we must make use of this.

We see a very rapidly emerging market here with a lot of vendors entering this because at the end of the, that it d r, so we see vendors entering from two, two areas or three, some are new startups, some are sort of UBA with a psychologically more attractive name. And the third ones are vendors that come really more from the threat detection space, which are experienced in, in analyzing a huge number of signals. And if you apply it to the right use case and that get us identities related threats, collect the right signals, you're there.

So this is what is happening and I believe it's a very important area to look at, at the really at the, I would say at the center of identity security, because this is exactly in the middle between these two words. Thank you for listening to me. We can have a question, we could maybe have a question. We still have like a minute or something.

Alright, one second. Usual suspects. Sorry. Oh no Thanks Martin.

Just, just a short one on, on the upcoming and never in quality increasing deep fake things in impersonation. What's, what's your take on that? What in what amount the risk will increase looking at these things? Oh yeah, you know, not, not, not because of the question.

I, I think this is going, it's a bit headless chicken mode currently. So a lot of people are panicking by that. But you know, we had fishing at the beginning, we had no idea what to do, that we had a ton of other types of attacks. They came and yes, there was a peak and then we came up with technology that helped us to reduce this to small amount, which we can handle with a reasonable amount of risk for deep fakes. My perspective is, so the usual saying in cybersecurity is our problem is an attacker needs one working attack vector.

We need to defend against all, which is an uneven play for deep fakes. It's also in some sense an uneven play, but the other way around because creating a deep fake takes a lot of compute power if it's good and you need to be perfect to defend against deep fakes, you just need to spot one mistake in that.

And we, I'm convinced in relatively short time, we will have in all the relevant tools in the video conferencing systems, in the platforms where you see a lot of videos, et cetera, we will have integrated, like we have email security, we will have, so to speak, deep fake security integrated. This is easier to do than creating a good deep fake.

So yes, we will have a peak and we, there will be always a residual part of the problem, but I, I think we, we, we, we, we must not be in total panic mode now regarding this. So I'm a bit more on the positive end here. I'll be right on the, oh, I, yeah, I hope so as well, honestly. Okay. Thank you.

Yeah, thank you Martin. Yeah.