Israel Barak, Chief Information Security Officer, Cybereason, tells Anita Joseph all about XDR that is taking the cybersecurity world by storm.
Why is XDR so important today and how does it fit into the whole cybersecurity paradigm?
I think when we think about XDR, we need to go back to thinking about what the outcome is, because there are new technologies emerging every day. But the question is, what is the outcome that organisations are trying to achieve? The outcome is an impact on a KPI called Mean Time To Respond (MTTR). We know that attackers are targeting enterprise organisations. One of the ways to reduce the risk is to be able to reduce the time that it takes organisations to find and stop these attackers. Now a lot of things play into that Mean Time to Respond: there’s visibility, there’s detection, there’s response capabilities, there’s talent, there are processes, but that is the key outcome: how do we reduce the Mean Time to Respond to the incidents? Now, in order to reduce the time to respond, we need to first and foremost see what is happening in our networks and understand when an attack is happening.
In the past, there were two strategies that were built to try to do that, and both didn’t really work that well. Number one was detection capabilities that were focused on a silo in the architecture. So for example, detection in the identity, that would find compromised identities, stolen accounts and these types of things. There was detection on the endpoint to find bad things happening on people’s workstations or servers. There was detection on cloud platforms. These were siloed detection capabilities. The problem with that was that attackers often behave like legitimate users in the network. And if you’re only looking at one silo, the logs coming from the cloud or the logs coming from the endpoint, it may not be indicative enough: it may look very, very similar to what a legitimate user is doing, because that’s what attackers are doing. They’re stealing someone’s account and they’re behaving like an internal administrator or an internal user. And so the siloed detection controls really failed in finding the more advanced threats, those attackers that know how to evade detection very well. So we knew that we needed to bring in all that data from all these different silos into one place where we can find those behaviours, those more complex behaviours that we can use to detect an adversary. And then came in the SIEM, which is essentially a data lake where you would put all the logs from all these different sources and have all that data in one place.
The problem with a SIEM is that it was a data repository. It’s a place to put data in, but it really doesn’t produce anything from that data. It’s a human being that needs to go through all that data to figure something out. And that doesn’t help us get to the outcome of reducing the time to respond because a human isn’t really capable of going through all that data, especially in an enterprise environment.
And so in comes the XDR, which is about not only bringing in all that data from all those different places in the enterprise and making sure that we have visibility into everything that is happening across the enterprise, endpoint, cloud, identity and access in one place, but also being able to drive automation: automation in analysing the data, detecting the threat in as close to real time as possible, and understanding what needs to be done to mitigate the risk and then carry out those response actions. So, XDR is really about breaking the detection silos, so we can see the more advanced attacker behaviours in our networks and automate the process of understanding that data and taking action on that data so we can reduce that Mean Time to Respond.
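To make the silo argument in the answer above concrete, here is an added example (not Cybereason's code and not part of the interview) on constructed events: three per-silo rules raise nothing, while a rule that joins identity, endpoint and cloud events on the account and a short time window surfaces the chain. The event fields, the `SEQUENCE` and the 15-minute window are assumptions for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events from three detection silos (not real telemetry).
# Taken one at a time, each looks like ordinary administrator activity.
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "silo": "identity", "user": "jdoe", "action": "login"},
    {"ts": "2024-01-10T09:03:00", "silo": "endpoint", "user": "jdoe", "action": "admin_tool"},
    {"ts": "2024-01-10T09:06:00", "silo": "cloud", "user": "jdoe", "action": "bulk_download"},
    {"ts": "2024-01-10T14:00:00", "silo": "identity", "user": "asmith", "action": "login"},
    {"ts": "2024-01-10T16:30:00", "silo": "endpoint", "user": "asmith", "action": "admin_tool"},
    {"ts": "2024-01-11T08:00:00", "silo": "cloud", "user": "asmith", "action": "bulk_download"},
]

# Siloed rules (assumed thresholds): each silo sees only its own feed, so it can
# alert only on a single event that is loud on its own. None of the events above is.
SILO_RULES = {
    "identity": lambda e: e.get("failed_logins", 0) >= 10,
    "endpoint": lambda e: e["action"] == "known_malware",
    "cloud": lambda e: e.get("bytes", 0) > 10**12,
}

def siloed_findings(events):
    """What three independent detection silos would raise, one event at a time."""
    return [(e["silo"], e["user"], e["ts"]) for e in events if SILO_RULES[e["silo"]](e)]

# Cross-silo rule: the same account logs in, launches an admin tool on an
# endpoint and then bulk-downloads from the cloud, all inside one short window.
SEQUENCE = ("login", "admin_tool", "bulk_download")

def correlated_findings(events, window=timedelta(minutes=15)):
    """Join the feeds on the account and look for SEQUENCE inside `window`."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            if start["action"] != SEQUENCE[0]:
                continue
            step, t0 = 1, datetime.fromisoformat(start["ts"])
            for e in evs[i + 1:]:
                if datetime.fromisoformat(e["ts"]) - t0 > window:
                    break  # chain went stale; each event alone stays benign
                if e["action"] == SEQUENCE[step]:
                    step += 1
                    if step == len(SEQUENCE):
                        findings.append((user, start["ts"], e["ts"]))
                        break
    return findings
```

Widening the window to a day makes the second account's slow chain match too, which is the tuning trade-off an analyst faces between missed sequences and noise.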
What are some of the main XDR trends today?
I would say that there are probably three main trends in the XDR market today. First and foremost is the strength of analytics. If we remember what the outcome that we’re trying to achieve is, which is reducing Mean Time to Respond, and we remember the problem that we had with the SIEM, which is the data sitting in storage but not meaning anything, then strength of analytics is about to what extent we can automate the process of making sense of that data: understanding what is happening in our environment in an automated way, detecting threats automatically across the different technologies in our architecture, and understanding what response is needed to reduce the risk or to remove the attacker from the network. And so that’s the strength of analytics. XDR vendors today, that’s one factor that they can be ranked on: vendors that are still very much just a data repository, versus vendors that automate a very large portion of the process. That’s the strength of analytics and that’s one key trend in XDR.
The second key trend in XDR is the openness of the architecture. In an enterprise environment, there’s a very, very large variety of security and IT technologies, and an XDR capability needs to take in data from everything that is in the enterprise environment: cloud technologies, on-prem technologies, network technologies, identity technologies, endpoint technologies. And so the more data your XDR can take in, the more you integrate, the more you’re open to the various components in the enterprise environment, the more capable you are to detect and stop a threat. So there are vendors in the XDR space that are very locked into their own technologies. As opposed to that, there are vendors that are very open in their XDR architecture. They’re just willing to take in data from any vendor in the IT and in the XDR market today.
The third key trend talks about how data is important. We need to see everything that is happening in the enterprise environment. What that means is that we need to be able to take in data from, in an ideal world, every enterprise technology, every security technology that exists in an enterprise environment. Most vendors are on that journey. Some of them have integrations with 10 different technologies that are in a typical enterprise environment while others would have 20 or 50 or 100. But obviously, the more integrations you have, the more visibility you can get into the enterprise environment. And so the breadth of the platform or the breadth of integration is another key trend that XDR vendors are investing in very, very significantly, and is a key factor in the value of a solution for an enterprise organisation: how many integrations does it have?
XDR vs MDR: give us more clarity here and tell us more about Cybereason XDR.
XDR & MDR are essentially complementary. XDR is the technology platform that helps people drive the outcome, which is reducing Mean Time To Respond. But some organisations prefer to have those people outsourced. And MDR is essentially the outsourcing of this detection and response, people-operated capability, to a partner. The MDR partner will then use technologies like a Cybereason XDR or XDR technologies to help their people drive more efficient outcomes.
For example, if an XDR technology is able to collect data, see the attack in the network, alert on that attack and determine the necessary course of action to mitigate that attack, but you want a human in the loop to review that recommended course of action and decide if that is indeed what they want to do, that person can either be in an organisation’s organic SOC or they can be in an outsourced MDR service. So the MDR is essentially the people expertise that a lot of vendors in the space often provide, and a lot of channel partners provide.
Cybereason today offers both a complete XDR solution with a full managed service or an MDR to support our partners and customers in the region. Another interesting aspect of MDR, that I think XDR helps drive, is Incident Response. In some cases, if an attacker is able to get into the network, enterprises would like to sort of raise a red flag and do something called an incident response, which is a deeper analysis of what happened, of the threat, the risk. For example, think about a ransomware attack where the attacker was able to impact some of the assets in the network. You’d like to take active action to respond to that situation. If you have an effective XDR platform, then the cost of an IR is relatively low because the platform automates the majority of it. If you have traditional technologies, the cost of an IR is fairly high. And so what you see today is how an XDR technology like Cybereason XDR is driving change in the business model of MDR providers, because, for example, classical MDR providers that use traditional technologies find an IR project to be extremely expensive. And so enterprise organisations think 10 times before they decide to ask their MDR provider to do an IR, just because it carries a significant expense.
But for a Cybereason MDR partner, as an example, the cost of an IR is very low. And one of the things that we’re seeing now is MDRs using a Cybereason offering called an unlimited IR retainer, which basically means that an enterprise organisation can go into Incident Response mode with the partner as many times as they want for the exact same cost, for a fixed cost. The reason is that the cost of a single IR on a platform that automates the majority of it is relatively very low so they can make that change to their business model and be more competitive.