Hello, everyone. Welcome to our webinar today. I'm John Tolbert, Director of Cybersecurity Research here at KuppingerCole, and today our topic is on Extended Detection and Response. We're going to look at not only the field, but show some results from our recent leadership compass on that. So a little bit of logistics info before we begin. Everybody's muted. There's no need to mute or unmute yourself. We will take questions, and you can type the questions into the panel for questions here in the browser.
We're also going to do a couple of poll questions about halfway through, and then we'll look at the results of that at the end before the Q&A. And then lastly, this is being recorded, so both the recording and slides will be available in a few days.
So, yeah, I'm going to start off by talking about what is XDR, what are the trends we see, what's innovative, what's new features. Then we'll look at the leadership compass process methodology, and then the results, and then we'll do the poll results and the Q&A. So to set the scene, as you're all probably aware, the cyber threat landscape continues to get worse. It gets a lot more complicated. There are account takeovers of every kind, especially trying to get credentials of enterprise users, and not just credentials.
Sometimes things like session tokens or cookies, anything that enables an attacker to get control of some enterprise asset. So, you know, almost all of these attacks either leverage tokens, cookies, credentials. We've seen a rise in the amount of InfoStealer malware again.
Of course, ransomware is really, really prevalent, but InfoStealer malware is used to get information or credentials that can be used in later attacks. And, you know, it's like a little market system. There are bad actors out there that are stealing credentials and then selling them on the dark web. So the person that steals the credentials might not be the same person that uses them in an attack. And why are they doing this?
Well, sometimes you have ransom attacks or extortion events that don't even use ransomware, you know, malware anymore. They are using credentials that they've gotten either themselves or off the dark web, breaking in, exfiltrating information, and then threatening to release that information unless the company pays a ransom, all without actual malware being deployed. So what's XDR and how does this come into play?
Well, you know, for many years we've been hearing about things that are next-gen this and next-gen that. It's a next-gen security tool that aims to combine endpoint, network, cloud with some elements of identity management and identity security, particularly user behavioral analysis. So you roll all these things up and you get XDR. That's a very, very short explanation of it. We'll go into more detail here. What are its main goals?
Well, to make organizations better at detecting and responding. That's no surprise, which will help them increase their overall security posture. And this can be done because it can help provide that comprehensive view of all those different kinds of assets, you know, whether they're endpoint devices, servers, actual networks, networks in the cloud, you know, containers, workloads, all those sorts of different things that make up a modern enterprise.
And if they're aiming to make you better at detection and response, the key metrics that people look at there are reducing the mean time to detect and the mean time to respond. It can also help you reduce the number of security tools that you've got in your environment. And a lot of CISOs are interested in those, CIOs too, because that's fewer contracts that you have to manage, potentially less expenditure, and easier to administer from a contract side.
It's also theoretically easier to administer from the SOC side, you know, your security operations center, if you can have all those different kinds of functionality wrapped into a single administrative interface for your SOC analysts and your forensic analysts to use. So, during the course of this research, we learned a lot of interesting things. I think one of the most interesting things was, well, who's buying it?
You know, it's really increasing in popularity for what we call mid-market enterprises, not necessarily SMBs, not the small businesses, but also not really on the enterprise side so much. I'll go into that in a bit more detail in a few minutes. They can simplify the architecture.
I mean, that's apparent that it can help with that by reducing the number of tools that you've got. You may be able to get away without having a separate SIEM or SOAR, but most XDR solutions retain interoperability with at least some of them. Some of them will come with specific connectors, and they often support the most relevant standards for communications with other security and IT tools. Another one is data storage costs.
You know, collecting all the information, keeping it in a SIEM can be kind of expensive if you're doing it in the cloud. You know, there's the egress costs for getting information from one cloud instance out to another place, but it's also potentially expensive because you're trying to host it all yourself on site or something.
So, you know, XDR attempts to reduce data storage costs. But, you know, it may not be an alternative to SIEM or SOAR in all cases, and this is because, at least right now, XDR is really focused on security, the detection and response part. Most of them don't have a whole lot of detailed features that allow for, like, compliance reporting. So I would guess that's one reason why enterprises have to retain a SIEM, because, you know, they're, in most cases, you know, very advantageous for helping with, you know, doing compliance reporting.
We'll talk about OpenXDR in a minute, but, you know, I think the most effective XDR solutions are those that have a lot of security. Those solutions are those that have network sensing capabilities directly within their own platform, and they're not trying to rely on endpoint agents. I won't say that's common, but that's one approach that we see with companies that are approaching XDR from an endpoint perspective.
They try to leverage endpoints on networks to collect telemetry and then analyze that, but, you know, for that to be really effective, you need an endpoint with an XDR agent on every subnet that you've got. So, you know, that can leave some visibility gaps. There's also a method where they will maybe just collect telemetry from network devices.
I think having an actual sensor on, you know, each network segment provides a lot more direct control, because those that do this log telemetry collection and then trying to take action through another program, of course, that depends on compatibility with those programs, API connectivity. Again, I just think it's more effective if network capabilities are really built into it. Just like EPDR, you know, Endpoint Protection Detection and Response, and Network Detection and Response, the response piece is really important.
So you've got to have a lot of options for manual responses, firstly, and then a lot of things should be able to be automated for those that choose to use that. But, as you know, most organizations are probably going to want a human in the loop so that if you, let's say, discover malware on a machine, you might want to contain that, isolate it, but before you initiate, let's say, a full rollback to a last known good state, a human should be able to make a decision whether or not that's the thing that you really want to do.
Lastly, here on this slide, single vendor solutions are more tightly integrated, but OpenXDR solutions tend to be a little bit more interoperable with other parts of your current existing infrastructure, so we'll talk about OpenXDR in a minute. So this sounds big and complex. It's because it is, but, you know, vendors are trying to package this in a way that makes it easy for their customers to install and manage, but, of course, you've got to have, you know, lots of different components.
Like here we see Endpoint Agents, so you'll need an Endpoint Agent for every operating system type that you've got in your enterprise. You know, thinking about not just Windows, but Linux, Mac, mobile is nice, but not a lot of them cover mobile devices. The network sensors I was talking about a minute ago, agents or APIs for cloud instances, you know, for your containers, workloads, and whatnot. The Data Lake. The Data Lake is what sort of allows XDR to get away from having to have a dedicated SIEM.
You're collecting all the information from all the different endpoints, network agents, and all that, and keeping it in the Data Lake, but it's not as exposed as, or doesn't actually function in exactly the same way a SIEM would. Then other functions, of course, you need analytics, the ability to automate some things, a management console for, you know, not only doing dashboards and reports, but also a console that would allow forensic investigations, and then integrations for various third-party tools.
So, I've mentioned EPDR and NDR already. How is XDR different from that?
Well, it doesn't strictly require the SIEM, but like I said, you may need it for other reasons. You probably would not need a SOAR if you choose the right XDR that can integrate with your existing tools very well. Full-stack XDR, that's one that includes, you know, the network endpoint and cloud pieces. Those can be a single vendor product, and that would be the thing that allows you to, say, streamline the number of tools that you've got and the number of contracts you manage.
But then there's this open XDR, which kind of allows for various plug-and-play things, but that requires integration and APIs. And if you're going to go the route of having separate EPDR, NDR, and cloud security tools, some are calling their cloud security tools CDR, cloud detection and response, because we do like our consistency and our acronyms in this business, then you're going to probably need a larger internal support team. I would imagine in an enterprise, you've probably got product managers for each one of these different products.
So you need an internal product manager for your EPDR, NDR, and various cloud security tools. And you may be able to reduce the number of people you have managing that if you simplify your tool structure there. Then XDR can be a stepping stone to full MDR, managed detection and response. And I think there are probably two ways that this can happen.
You can maybe decide to go with XDR on the way to, say, co-managing relationships with MDR providers, or maybe you've decided, I'm going to go with MDR, and your MDR provider more or less says you need to install this XDR and deprecate some of the other products that you have. So either way, it could be a stop on the way to managed detection and response. So what do we mean by open XDR?
Well, this means buying a product that sort of complements what you already have on your security infrastructure. Maybe you're really happy with your endpoint security product, but you've got some gaps in network detection. You might want to look for an open XDR product that is really, really strong on the network side, but yet can work with your EPDR. And conversely, you may have NDR already, but maybe you're not happy with your EPDR, and you're looking to keep one but augment the other. So there's various different reasons, I think, why organizations are looking at open XDR products.
And one of them, again, is on the enterprise side. If you need to keep a SIEM, then having compatibility with that is probably a paramount concern. So I would say, if you're considering open XDR, look specifically at the integrations that they have.
Now, of course, they'll usually all say that we support REST APIs, and we can make it so that you can connect to any tool that you've got. But really, it's ideal if a vendor that you're looking at has a pre-built connector, because that can really simplify the integration. So I alluded to this a bit earlier. Who's buying XDR?
Well, SMBs are, if they're doing it as a service that's using XDR already. Those mid-market companies, you know, the ones that maybe they have a SOC, but maybe it's not staffed 24 by 7, so maybe you want to go into some sort of co-management relationship with an M-XDR provider. That might be a reason. We have seen, over the last few years, lots and lots of ransomware attacks, especially against state, local, provincial government agencies. I understand that they are looking quite a bit at XDR and moving that way.
There could be organizations without well-developed or fully staffed SOCs, like I said. And then just, you know, it can be hard to find enough people with the right skill sets to run all of these different tools. So if you can consolidate some of the tools, it might alleviate some of the staffing burdens that you have for managing all of them. So there's a lot of growth in XDR. Why would that be?
You know, increase in frequency and severity of cyberattacks, especially ransomware. There's far more usage of cloud, cloud services.
You know, it's very hard for a lot of companies to even keep on top of that. I mean, we see the rise of what we've been calling shadow IT for years, and that's still just sort of spiraling out of control for many organizations. Like I said, the desire to reduce the numbers of vendors that you have to work with, or contracts and the tools, staff shortages.
And then, you know, the shift to remote or hybrid work has made it a bit more complex to manage a total security environment today, too. So where's XDR going?
You know, there are several large vendors in the field. There have been several acquisitions of, you know, point solutions by large security stack vendors. And of course, I mean, this is the way it always goes in cybersecurity and IT in general. I'm sure we'll see more of those. I think open XDR providers will add missing features like, excuse me, if they're weak on network or something, they will add network functionality. Either to the core product, or they will focus on bringing in that functionality through partnerships.
Even the full stack XDR vendors will add integrations and start to look more like open XDR. And I think that's to enable them to capture more customers. Excuse me. And then cloud security expansion. As you'll see in the report, there are a few vendors that have, you know, a couple of challenges on the cloud security side. And I think they will try to address those functionality gaps in the near future.
You know, looking at things that are innovative in XDR, there's only a couple of vendors that offer this. But, you know, this is an interesting set of features based on distributed deception platform technology, which I wrote about a few years ago. And this is a distributed deception platform allows you to create and manage fake assets.
And, you know, they can take a lot of different forms. It can be user accounts, admin accounts, service accounts.
Now, why is this interesting? It's because if you create these accounts, for example, and any of these other types of assets you see listed here, and they're more or less hidden from the rest of your network and the rest of your enterprise, then, you know, if somebody starts using that, it's almost guaranteed that it's going to be, you know, a bad actor. So a couple of these XDR providers have some deception capabilities built into them today. And if you're running a high security environment and you want this kind of feature, I would, you know, closely check what capabilities they have.
Because, you know, I think there's definitely some value in deception as an actual detection and response technique. You know, you can create not only these different kinds of accounts, but, you know, scripts, RDP sessions, certificates.
And, again, if you find that the XDR system says that these are being used, then it's almost guaranteed to be an attack or at least some sort of reconnaissance going on in your organization. So I mentioned the MDR and managed XDR. What's the difference?
Well, they're kind of the same. MDR and MSSP companies are now using XDR in many cases as sort of the basis of their product offerings.
Plus, you've got vendors in the XDR space that are offering managed services. So there are, we've seen, you know, a tremendous rise in the amount of managed service offerings that are out there. And in order to, if you're starting off as a small MDR provider, you've got to have COTS products that you're using. So I think, you know, initially, I mean, before the advent of XDR, of course, they were probably running things like EPDR and MDR separately. But I think to make it easier on themselves, these MDR providers are moving to XDR platforms.
So let's stop and take a couple of poll questions. I'm really curious, do any of you have XDR solutions in place today? So our choices are yes, no, or yeah, we're thinking about it. And we will leave this open. And I do encourage you to please answer the question just to satisfy all our curiosity. And the next one is, okay, if you've done that, or if you're thinking about that, why are you doing that?
The reasons that, you know, we came up in our research with were, you know, A, to consolidate the security solutions; B, integrate more network, because I think, you know, a lot of, you know, practically everybody's got some sort of endpoint solution out there. But, you know, network is where there have been some gaps.
Likewise, C, you know, there have been gaps in cloud security coverage. That's why we see a proliferation of different kinds of cloud security tools. And maybe you're looking at XDR as a way to integrate and consolidate all your cloud security tools.
D, just looking for better detection and response capabilities, you know, reducing that MTTD and MTTR. Or, lastly, E, you know, trying to reduce the storage cost, because it can be very expensive. So we'll move on and talk about the leadership compass process, the methodologies and standard categories. Our process is, you know, once we identify a field like XDR, we will look for all the relevant vendors in the field. We create a giant technical questionnaire, which is probably a pain for people to fill out hundreds and hundreds of questions.
We ask as much detail as we possibly can to figure out how products work. We get briefings, demos, talk to references.
You know, then we, once we get all this information, we use that to rate them in our charts, which I'll show you a couple of examples of in a minute. And then write up the individual vendor sections. Once we do that, since it can take a while to get through all of that, we send it out for fact check to make sure nothing's changed on the vendor side since we last spoke to them. And once we all agree on the content, we publish that. So we have nine standard categories that we rate against. I'll just quickly walk through those. Security. This is about internal product security.
Like, do they have to use MFA? Does it have good RBAC or attribute-based access controls inside the product? Does it require encryption? So it's about internal product security. It's not about how much security does this add to my environment. Functionality. Does it have everything that we think it should have to be cost-effective? Everything that we think it should have to be called an XDR product?
You know, deployment. Is it easy to deploy? Where can it be deployed? Is it an integrated offering or do you have to buy a bunch of different pieces with different SKU numbers, for example? Interoperability. This is about supporting standards for communication and, you know, having connectors for other parts of your security infrastructure. Usability. Products like this, it's more about admin usability. That's why we like to look at what is it like to be an admin or, say, a forensic analyst and use a tool like this. Is it easy to use? Does it make a lot of sense?
Does it have all the options that you would expect it to have? Then innovation.
You know, is this a leading-edge product or is it kind of trailing-edge? Do they have ways to go to catch up with the rest of the field or are they really out there delivering lots of new features for their customers? Market.
You know, how many customers have it? Where are those customers? Are they targeting specific industries or is it, you know, for anybody? Ecosystem is, you know, how many partners do they have? What different types and how globally distributed are they? And then financial strength. Is the company profitable? Is it a startup? Is it a big security stack vendor?
You know, all those things often need to be factored into purchasing decisions and we try to represent that in our market leader graphic. So we do have four major charts that tie back to the four categories of leadership. We've got product leadership. This is about, you know, does it have everything that we think it should have plus, you know, interoperability and easy to deploy. Market leadership is sort of a conglomeration of, you know, ecosystem, financial strength, market position. Innovation is just about innovation. How innovative do we consider them to be?
And then all those get rolled up into the overall leadership graphic. So walk through quickly the required capabilities. Now I broke this up into, you know, what are the common features? Then what are the endpoint related features and network and cloud? So on the common side, I won't read all of these to you.
But just, you know, this is about how is it deployed? You know, is there a management console available? Can it be hosted in cloud, for example?
You know, does it have, does it support all the CTI standards? You know, what can it do in terms of anomalous behavior detection? Does it do case management within its own system? How extensible is it? And then most of them align to MITRE ATT&CK today, which is good because I think most of us in the field, particularly those that are doing, you know, forensic investigations and, you know, working in SOCs, think in terms of MITRE ATT&CK. So these are just sort of the common capabilities that we look for.
The ones that are specific to endpoints, of course you've got to have agents for all your different kinds of OSs. Like I said earlier, those agents should be able to operate just as well offline, if possible, as when they can connect to the vendor's cloud. It's got to be really good at finding malware before it runs, stopping it, especially things like fileless malware.
You know, fileless malware can be difficult to stop. That's why older style antivirus, you know, signature-based stuff won't catch fileless malware. So you need, you know, really good endpoint protection, detection and response capabilities in your XDR. As well as, you know, some of these secondary, well, they're really not secondary, but they're just features that used to be other products that were standalone.
You know, things like application control, URL filtering, system file integrity monitoring, all that should be built into the endpoint part of the XDR agent. Plus response capabilities as listed there. Then networking cloud.
Again, I think this is one of the reasons why companies are looking for XDR to sort of expand their capabilities. So again, having those on-premise sensors, things that can work in the cloud as well.
You know, if you can have an image, you can put in a virtual appliance or container. They need to be able to do analysis without decrypting traffic because I think like 85% of traffic, even on the inside, is encrypted, hopefully 100% on the inside.
So, you know, you would raise the security risk if you require decryption in order to do analysis. And there are various ways. We talk about that a bit in the paper, how you can do encrypted traffic analysis.
Of course, you have to be able to do responses, things like terminate sessions or isolate subnets and then have support for cloud. So as you'll see here in just a second, I've got, you know, we do spider charts to show how various features roll up and then we rate that, you know, on a per vendor basis. The eight criteria that I've chosen here are endpoint, network, cloud, overall detection capabilities, overall response capabilities, administration, what's it like to run the product, and then autonomous operations.
And by that, I mean, how good is it at standing alone and being an effective member of your security team? You know, is it good for running in SOCs?
Does it, you know, doesn't need to be connected? Could it work in an air-gapped environment? What level of automation is available on the response side? Innovation. Here are some of the things that I thought were innovative this time around. This is our first instance of this report.
But, you know, OpenXDR, there's definitely, this is trending. And I think it's because people are happy with some of the products that they have and they don't want to get rid of them. So OpenXDR features, you know, various API type support, lots of connectors. I think that can be innovative. But note that if you don't have, let's say, your built-in endpoint capabilities within your XDR and you're relying on another product for that, then overall I think that weakens the product rating. So you'll see that reflected in some of the charts in the report.
Support for operational technology, industrial control systems, industrial IoT, or critical infrastructure protocols. This is important because, you know, we live in a world in IT where we're very used to, you know, HTTP, SMTP, DNS, the protocols that we work with every day. But in this world, the OT world, big umbrella for that, they have a lot of different protocols that are very different from what we work with.
And understanding those protocols, if that can happen in the XDR, is a huge advantage for, you know, an XDR solution that can operate in those environments and find threats and, you know, mitigate them. Mobile support, like I said, is not across the board yet.
Sandboxes, delegated administration. Delegated administration is really important for, you know, organizations that maybe have subsidiaries. They may have, you know, complex hierarchies of who can manage what. Delegated administration can be very important. XDR as a service, that's your MDR.
Deception, like I said, only a couple of vendors offer that at this point. You know, specific things within cloud.
And then, you know, DLP, CASB types of things. There are a couple of vendors that have, if not this built in, it's in an adjacent product that's fairly easy to license on top of your XDR. So now we're ready for the results. Here's a list of the vendors that participated this time. This is a really good selection. And here's a look at the overall leadership graphic.
And, you know, you'll see that everybody is in a pretty good place, because, well, think about it. I mean, you can't really claim to have an XDR product unless your product can already do a lot of different features.
I mean, it's trying to span network, endpoint, and cloud. So, you know, I think it makes sense that there's a pretty good spread across here, but everybody has, you know, a product that it's well worth considering.
You know, the leaders in this case are the ones that are large cybersecurity stack vendors. You know, they had all these bits and pieces together before. They have assembled this into, you know, a whole XDR offering.
So, but again, any of these vendors are definitely worth looking at their products. The spider chart I mentioned. Here's just one as an example.
I said, you know, we've got endpoint, network, cloud. So, you can see how, you know, the farther out toward the edge, the more complete the functionality in this area.
So, this is kind of a sample of what you would see in the rest of the report for all those other vendors. So, let's take a look at the poll results. Question number one was, do you have XDR or not yet? 50% are considering it. A third say, yes, we have it. And 17% say, no, we don't. Then on the motivation side, not surprisingly, most people are looking for better detection and response capabilities. That outshines all the other reasons that people might be looking for.
So, thank you for your answers there. That's very interesting. Let's take a look at the questions. Is this report available now? Yes.
Yes, it is on our website in the research area. Let's see. Seems to me that XDR needs a, for some reason that's a hard answer, maybe a real robust AI strategy moving forward to enhance analytics and automation while addressing skills shortages. What models do you see XDR vendors starting to adopt?
You know, that's a really good question. Several of them, most of them actually, I think, are moving in that area.
Of course, they're using ML, machine learning algorithms, for detection. I think that's been pretty common in the individual components of EPDR and NDR for quite some time now, probably going on 15 years.
So, they're using ML for detection already. And that's just an absolute necessity due to the volume of data that you have to look at to look for anomalous or suspicious behavior. GenAI is being used by multiple vendors here in this space to help write descriptions for the events that are seen. It can help with writing reports. You can take, you know, information about a report or about an event and use GenAI to write up, you know, more information around that such that you can, you know, show that to management or executives, which can be a real time saver.
Some are experimenting with now writing up descriptions of events, like in the case management area, so that you could help junior analysts become more effective more quickly. You know, once you see particular IOCs or something, using GenAI to, you know, write a description of that IOC and populate that in the investigation screen. I think that's probably where most of the emphasis on the use of GenAI will be for the next year or two. And then there's also going to be quality control around that, you know, to make sure that the things that GenAI is writing are accurate.
So that would be, you know, where I think the majority of the emphasis on the usage of AI and XDR and really lots of other security tools too. But thank you for that question. That was a really good one. And then lastly, is ITDR included in XDR? I didn't mention ITDR, but, you know, that's a very good question. There are some elements of identity that have to be considered. I think I mentioned early on about user behavioral analysis. So that's taking a bit of IAM into account.
But, yeah, there are a couple of vendors here that have ITDR products. They are not necessarily built into the XDR, but they're sort of an adjacent product that can be licensed separately, I think, in one case. But I think, yeah, eventually ITDR. ITDR is growing in importance today, no question about that. And I think that XDR vendors are going to want to integrate those capabilities into their XDR platforms to make them more effective.
So, yeah, that's a very good question too. And I think that's all the questions that we've got for now. So I'd like to thank you all for attending. Here's a link to not only the XDR report, but we also did separate reports on MDR, Endpoint Protection, Detection, and Response. And MDR in the last three or four months of last year. So they're all pretty up-to-date and definitely encourage you to look at those. And if you have any questions, let us know. Feel free to reach out by email. So with that, I'd like to again thank you for attending and see you at the next webinar.
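The deception capability discussed earlier in the webinar (hidden honey accounts, hosts and certificates, where any use is almost certainly an attacker or reconnaissance) can be turned into a straightforward detection rule over authentication telemetry. This is an added example, not code from the webinar or from any XDR vendor; the JSON event format, the decoy names, the deception platform's keep-alive source address and the ATT&CK technique hints are all assumed or constructed.

```python
"""Detect any use of deception assets (honey accounts, hosts, certificates)
in authentication telemetry.  Added example, not code from the webinar or
any vendor; the log format and asset inventory below are constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed inventory of deception assets.  In a real deployment this would
# be pulled from the deception platform; these names are placeholders.
HONEY_ACCOUNTS = {"svc-backup-legacy", "adm-dr-test"}
HONEY_HOSTS = {"fs-archive-02.corp.example"}
HONEY_CERT_THUMBPRINTS = {"DEADBEEF0000000000000000000000000000CAFE"}  # constructed
# Assumption: the deception platform touches its own decoys on a schedule to
# keep them looking alive, so events from that source are expected.
DECEPTION_PLATFORM_SOURCES = {"10.0.99.5"}


@dataclass(frozen=True)
class Alert:
    asset_type: str   # "account", "host" or "certificate"
    asset: str        # which decoy was touched
    actor: str        # account that touched it
    source_ip: str    # where the touch came from
    event: str        # raw event type from telemetry
    technique: str    # informational MITRE ATT&CK hint for the analyst


def parse_event(line: str) -> dict | None:
    """Parse one JSON auth event; returns None for lines we cannot read."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(ev, dict) or not {"event", "user", "src_ip", "host"} <= ev.keys():
        return None
    return ev


def classify(ev: dict) -> Alert | None:
    """Any touch of a decoy is an alert, except the platform's own keep-alive.
    Failed logons count too: probing the credentials of an account nobody
    legitimately knows about is still reconnaissance."""
    if ev["src_ip"] in DECEPTION_PLATFORM_SOURCES:
        return None
    if ev["user"] in HONEY_ACCOUNTS:
        return Alert("account", ev["user"], ev["user"], ev["src_ip"], ev["event"],
                     "T1078 Valid Accounts")
    if ev["host"] in HONEY_HOSTS:
        return Alert("host", ev["host"], ev["user"], ev["src_ip"], ev["event"],
                     "T1021 Remote Services")
    thumb = ev.get("cert_thumbprint")
    if thumb and thumb.upper() in HONEY_CERT_THUMBPRINTS:
        return Alert("certificate", thumb.upper(), ev["user"], ev["src_ip"], ev["event"],
                     "T1552.004 Private Keys")
    return None


def detect_honey_usage(lines: list[str]) -> list[Alert]:
    """Run the rule over raw telemetry lines, skipping anything unparseable."""
    alerts: list[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        alert = classify(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


def sources_touching_decoys(alerts: list[Alert]) -> dict[str, int]:
    """Count decoy touches per source IP: one host hitting several decoys
    looks like lateral movement or credential spraying, not a typo."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.source_ip] = counts.get(a.source_ip, 0) + 1
    return counts


# Constructed sample telemetry: an ordinary logon, one platform keep-alive,
# three touches of decoys from a single workstation, and one junk line.
SAMPLE_LOG = [
    '{"event":"logon_success","user":"alice","src_ip":"10.1.4.20","host":"ws-0412.corp.example"}',
    '{"event":"logon_success","user":"svc-backup-legacy","src_ip":"10.0.99.5","host":"dc-01.corp.example"}',
    '{"event":"logon_failure","user":"svc-backup-legacy","src_ip":"10.1.4.77","host":"dc-01.corp.example"}',
    '{"event":"rdp_session","user":"bob","src_ip":"10.1.4.77","host":"fs-archive-02.corp.example"}',
    '{"event":"cert_use","user":"bob","src_ip":"10.1.4.77","host":"ws-0477.corp.example",'
    '"cert_thumbprint":"deadbeef0000000000000000000000000000cafe"}',
    'not json at all',
]

if __name__ == "__main__":
    found = detect_honey_usage(SAMPLE_LOG)
    for a in found:
        print(f"[HIGH] decoy {a.asset_type} {a.asset!r} touched by {a.actor} "
              f"from {a.source_ip} ({a.event}; {a.technique})")
    print("touches per source:", sources_touching_decoys(found))
```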