Behind the XDR Hype. Security Jargon or the Real Deal?
August 2021 by SecurityHQ
There is a shiny new toy in the cyber security domain, and it goes by the abbreviated term of XDR. Extended Detection and Response (XDR) claims to be the latest in detection, investigation and response and, according to HelpNetSecurity ‘can add a great deal of value via multiple use cases, including hunting for threats, investigating security breaches and aggregating data. XDR’s ability to improve visibility, response times and productivity of security teams makes it a truly one-of-a-kind solution, and one that more organizations should look at adopting.’
But with Endpoint Detection and Response (EDR) and Managed Detection & Response (MDR) already providing the features advertised within XDR, what are the differences, if any?

The Security Challenge
A lot of organisations do not have a dedicated security team. At most, they might have one or two dedicated individuals. For the majority, IT still runs the show, but these IT teams do not understand security, which means they need to be told what to do. Very few organisations can afford two separate teams; a business must be at a certain scale to afford an IT team and a security team simultaneously.
Most organisations, around 60% in fact, still don’t have a Security Operations Centre (SOC). And even those that claim to have a SOC are not fully functioning, as about 25% only operate during business hours. On top of that, an even smaller percentage are monitored by individuals 24/7, to handle alerts that are coming in. Automation 24/7 is no good if a real-life human cannot respond to the alerts accurately, and in rapid time.
Most businesses have invested in firewalls, intrusion detection systems, etc., so they have the tool set, but they have not configured those tools and are continuously going through the process of upgrading and changing them. What’s more, they have no escalation capability. They might have some capability to detect, but they have very limited capability to respond.
‘At best, these businesses identify, mitigate, and fry the machine. That is not cyber. That is like putting a band aid on an open wound, it’s not the surgery needed. Most are now realising that they are out of their depth if an attack were to take place. Every week we deal with around 15 customers to walk them through the process of what they need to do in such an event. And they all want the same thing - 24/7, an SLA, fixed cost etc. Over a year ago we had a lot of questions about our tool set, now businesses don’t care, they just want it dealt with. If you are in a restaurant, you don’t want to go into the kitchen, you just want your food brought to you and to enjoy what’s yours.’ – Feras Tappuni, CEO, SecurityHQ
But this lack of understanding regarding tooling is an issue for businesses looking to invest. There are lots of shiny new toys in the security world, but many are old toys, dressed up as new, for a far greater price.

The Real Deal Behind XDR
At SecurityHQ, we get vendors asking about XDR daily, ‘Is it worth it?’ and ‘Why is it being pushed?’, mainly because the definitions of XDR online are so ambiguous. If anything, FOMO is the driving force behind these questions.
There are acronyms layered over existing acronyms, and blurred definitions and jargon are used to push the latest talking point. A year ago, everyone was talking about Endpoint Protection (EPP). This year the focus is on Threat Intelligence, and next year it will be something else, which means that businesses reposition their services to align with the latest buzzword.
To create something “new” to differentiate themselves from the competition, XDR was formulated. But what few realise is that what XDR promises to be is what MDR already provides today. What has happened is that some vendors focused only on the endpoint, recognised that a single point of telemetry by itself is not enough, and so introduced a second telemetry point (perhaps network or cloud); wanting to differentiate themselves in the market, they call the result an XDR.
The vision for XDR is the MDR platform without the service. But if you already have Managed XDR, that makes no sense; the terms are simply being interchanged, which confuses security teams and enterprises. MDR providers are already there. In fact, MDR providers are already saying ‘You know what, I’ve got a couple more sophisticated and robust security teams that are trying to build this on their own, and they just want our platform without the service, I’m thinking about offering that, that is my XDR solution’. An MDR provider offering that is going to knock it out of the water compared to anyone else on the market, because all the different points of telemetry, the automation and the orchestration are already there, as opposed to an enterprise team trying to build this on their own.
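The argument above is that a single point of telemetry (endpoint only) is not enough and that the value of an MDR or XDR platform lies in correlating several telemetry points with automation. The following is an added illustration of that point in code; it is not SecurityHQ’s code or any vendor’s product logic. The endpoint and network events are constructed sample data, the "Office application spawning a shell" rule and the 5-minute/1 MB thresholds are assumptions chosen for the example, and the external-address check is a deliberately simplistic stand-in for a real asset inventory.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class EndpointEvent:
    """One process-start record from an endpoint agent (constructed)."""
    host: str
    ts: datetime
    process: str
    parent: str


@dataclass
class NetworkEvent:
    """One outbound flow record from a firewall or proxy (constructed)."""
    host: str
    ts: datetime
    dest_ip: str
    dest_port: int
    bytes_out: int


# Constructed sample telemetry, not real data. 203.0.113.0/24 is a
# documentation range and stands in for "somewhere on the internet".
ENDPOINT_EVENTS = [
    EndpointEvent("ws-01", datetime(2021, 8, 2, 9, 1, 0), "powershell.exe", "winword.exe"),
    EndpointEvent("ws-02", datetime(2021, 8, 2, 9, 5, 0), "powershell.exe", "explorer.exe"),
    EndpointEvent("ws-03", datetime(2021, 8, 2, 9, 7, 0), "powershell.exe", "winword.exe"),
]
NETWORK_EVENTS = [
    NetworkEvent("ws-01", datetime(2021, 8, 2, 9, 2, 30), "203.0.113.10", 443, 5_200_000),
    NetworkEvent("ws-02", datetime(2021, 8, 2, 9, 6, 0), "10.0.0.5", 445, 12_000),
    NetworkEvent("ws-03", datetime(2021, 8, 2, 9, 30, 0), "203.0.113.10", 443, 800),
]

# Assumed rule: a shell launched by an Office application is worth a look.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


def endpoint_only_alerts(events):
    """What a single endpoint feed yields on its own: every Office-spawned
    shell becomes an alert, and every one of them is the same low confidence."""
    return [e for e in events
            if e.process == "powershell.exe" and e.parent in SUSPICIOUS_PARENTS]


def is_external(ip):
    """Toy check: anything outside 10.0.0.0/8 is treated as external (assumption)."""
    return not ip.startswith("10.")


def correlate(endpoint_events, network_events,
              window=timedelta(minutes=5), min_bytes=1_000_000):
    """Second telemetry point: raise severity only when the endpoint alert is
    followed, on the same host and within `window`, by a large upload to an
    external address. Returns (host, severity, matched destinations)."""
    results = []
    for e in endpoint_only_alerts(endpoint_events):
        matches = [n for n in network_events
                   if n.host == e.host
                   and e.ts <= n.ts <= e.ts + window
                   and is_external(n.dest_ip)
                   and n.bytes_out >= min_bytes]
        severity = "high" if matches else "low"
        results.append((e.host, severity, [m.dest_ip for m in matches]))
    return results


if __name__ == "__main__":
    print("endpoint only:", [(e.host, e.parent) for e in endpoint_only_alerts(ENDPOINT_EVENTS)])
    print("correlated:   ", correlate(ENDPOINT_EVENTS, NETWORK_EVENTS))
```

With the constructed data, the endpoint feed alone produces two identical alerts (ws-01 and ws-03). Adding the network feed separates them: ws-01 is followed within minutes by a multi-megabyte upload to an external address and is escalated, while ws-03’s only outbound flow is small and falls outside the window, so it stays low priority. That triage step is what the platform does for the analyst; the thresholds and the host-to-flow join are the kind of orchestration an in-house team would otherwise have to build and tune itself.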
It can be argued that it is far better to have an MDR provider who, if required, shows the client how to implement MDR themselves, including all the automation and orchestration, and then hands over the process, than for a business to run an XDR service incorrectly in-house from the get-go.

Actions Going Forward
One of the positives that has come from remote working is that people are not being completely blinded by all the nonsense and noise generated at grand security events. Everyone claims that they do something different when they don’t, but they look at what’s happening in the booth next to them and they need to compete. That is just the way companies out-market one another, and it is not going to change. So, you need to be wary of that when selecting an MSSP or security service.
‘It’s the same thing, you have vanilla, you have chocolate, you have strawberry flavours, but it is still all ice cream. Don’t get confused because it has sprinkles on it. They are not even real sprinkles, you get those already, but you are going to pay a lot more for the same thing.’ – Feras Tappuni, CEO, SecurityHQ