John Tolbert, Lead Analyst, Managing Director for KuppingerCole, who will talk about XDR and the related Leadership Compass. John, thank you. So good morning, everybody.
Yep, we are publishing today a new Leadership Compass on Extended Detection & Response. We call it XDR. This is something that's sort of been out there in the field for a while. We will talk about what it is, what are some of the trends that we see. We'll look at the Leadership Compass process and methodology, and then we'll give you a preview of the results and encourage you to take a look at it because it's going live today. So a little bit before we begin, kind of reiterate what the threat landscape is.
I mean, we've heard quite a bit about this the last couple of days. There are account takeovers, you know, happening every day. They're going after your enterprise employee accounts. And we know, you know, for many years now that compromised credentials are involved in most every data breach or cyber attack that happens.
In fact, I read recently that info stealers are one of the most prevalent forms of malware again. You know, and these can be things like rootkits or keyloggers to grab information, username, password, history, for the very purpose of being able to take over those accounts. And then the people that take over the account aren't necessarily the ones that are going to use it. They get this information. They put it on the dark web for trade or for sale.
And then, you know, your ransomware operators will use those accounts to break in. And, you know, they might not even use malware these days. And we've heard that over the last few days, too. They might just break in, steal information, and then, you know, blackmail you if you don't, you know, pay a ransom. Then we're going to publish this PII or, you know, sensitive trade secrets that you've got. So it doesn't really matter if they use malware or not.
It's, you know, the damage has already been done. So what's XDR? It's yet another next-gen security tool sort of thing. It's combining EPDR, endpoint protection, detection, and response, with network detection and response, cloud security, some application and identity components. And it's a good thing to bring these things together. And we'll see why. Similar to things like EPDR and, as we learned yesterday, MDR, managed detection and response, the aims of XDR are to, you know, make it easier for the customers to monitor their entire environments.
You need a comprehensive view of what's going on, whether it's coming from endpoint or coming from network or your cloud. This can help you improve your overall security posture. A couple of the metrics that we need to reduce are things like the mean time to detect an incident in progress and then the mean time to resolve it. What I think makes XDR a little bit different is it can help you reduce the number of discrete security products that you have to operate and also give you, we've heard it many times before, a single pane of glass to have this view on your environment.
Well, some of the things I learned going through this research, XDR is kind of really increasing in popularity for midsize companies, maybe not so much the larger enterprises, but definitely the target market seems to be midsize companies. You know, and they can help simplify your security architecture by bringing endpoint, network, and cloud together. Technically, SIEMs and SOARs are not needed for XDR, and that's kind of another advantage, but a lot of the XDR solutions that are on the market provide connectors for those things too.
Another big benefit could be the possibility of reducing your data storage costs because, you know, if you've got a lot of information that you need to transfer between either on-premises to like a cloud-hosted SIEM or information in your cloud assets to a SIEM, then those egress fees can be pretty high. So, XDR also aims to help you reduce costs in a number of different ways. XDR is really not an alternative to SIEM or SOAR though. It's not really focused, at least at this point, the products that are out there aren't really all that focused on regulatory compliance.
They're really all about the security, so just the detection and response. So, if you're, you know, a large organization and you've got reporting requirements, you're likely going to want to run at least a SIEM in parallel so you can have access to that compliance information. I think the most effective XDRs are the ones that have direct network sensing capabilities. There's a couple of different architectural models for how they do network detection.
You know, you could simply have your network devices forward logs and telemetry to like a log collection server. But really, I think the most effective way of doing it is having appliances or virtual appliances that can plug into the SPAN or TAP ports on routers and switches. The DR part, whether it's EPDR, NDR, XDR, they have to provide response capabilities and customers want a mix of either manual things that they can do, but they also would like the opportunity to automate certain things.
But obviously, you know, if it's going to be a pretty drastic response action, most customers seem to prefer to have a human in the loop to say, well, okay, I do want to roll that node all the way back or I do want to block an entire network. Single vendor solutions are more tightly integrated, and I'll call these like the full stack vendors that have everything in one package, but there is open XDR, and I'll tell you more about that here in a second. So the major components, well, you need endpoint agents because it's just like, you know, EPDR.
You need endpoint agents for Windows, Mac, Linux, whatever you've got. Those network sensors, images or APIs for cloud, a data lake. A data lake is what's used in lieu of a SIEM. Then functions on top of that are analytics, the automation, having a management or investigative interface, and then various integrations for third-party tools. So how is it different from EPDR or NDR?
Well, like I said, it doesn't require a SIEM or a SOAR, but you may still want to run one. Full stack XDR can be just a single vendor. Open XDR takes a different approach. They usually have a lot more integrations, and they allow you to use the tools that you already have.
But, you know, with each product, if you're going to run separate endpoint, network, and cloud security products, then almost by definition, you're going to have to have more security support staff, like an internal product manager for each one of those. And XDR, I think, will be kind of a stepping stone to MDR, or at least co-management, you know, with an MDR having a second set of eyes to look at what's going on in your environment. And that makes it easier because, again, it's hopefully just a single solution for that.
So Open XDR, you know, maybe you're happy with your current endpoint protection product. Maybe you are simply needing to add more visibility for network and cloud. Open XDR is probably the right way to go then because if you find an Open XDR vendor that has integrations with your favorite endpoint product, you can just kind of layer that on top. And in a few cases, you have companies that really, really like their MDR product and they don't want to replace that with XDR.
Open XDR then, again, gives you that flexibility to use what you want, as long as the vendor you choose has integrations for your particular tools. So who's buying XDR? Like I said, mid-sized companies.
But, you know, SMBs are increasingly looking to managed detection and response. You know, let's say a company of 100 employees or less. They may not know it, but they're likely getting XDR on the back end, you know, because the MDR service provider is using an XDR product. State and local government agencies, you know, they've been hit really hard for the last couple of years with ransomware. And a lot of them don't have big budgets for, you know, buying multiple point solutions to cover everything.
So I've seen that many state and local agencies are looking for things like XDR to simplify their architectures. Maybe also organizations without, you know, a full SOC yet. This is a good way to try to get that coverage without necessarily having to spin up a full SOC.
Of course, you should also be looking to MDR if that's your requirement. And then the labor shortage.
You know, again, if you're going to run three or four different products, it's going to be much more expensive in terms of labor as well as your cost for the software. What's driving the growth?
Obviously, lots more cyber attacks, increase in severity. But, you know, I think a lot of executives are wanting to simplify how they manage contracts, reduce the cost.
You know, again, going from three to one can help you achieve that. But then also the increasing complexity of IT environments.
You know, more edge, more mobile. You know, surprisingly, some of these XDR vendors don't offer mobile agents yet. But then also, you know, more remote work, more hybrid work, and then the aforementioned skilled staff shortage. In the interest of time, we'll move ahead here. So what do we see for the future of XDR?
You know, some of the very large vendors have already gone out and acquired specialty companies, especially in the network or cloud security space. And I think these acquisitions are likely to continue as XDR vendors try to complete their portfolios.
Open XDR, let's say you're an EPDR company. You've got a lot of endpoint capabilities, but you don't have network. I think we're going to see more partnerships so that when you go approach a vendor, you get this NDR capability, you know, tacked onto the EPDR. And then even full stack XDR vendors are just going to build more integrations for other tools because why not? That helps them capture more customers. One area technically that some of them seem to be weak in is on cloud security. So I think we'll see, you know, additional cloud security features built into all of the products.
Deception, I'll try to quickly cover this one. Deception is something that's only in, I think, two of the products that are out there, but this is kind of a cool, innovative feature. This is being able to spin up, you know, fake user accounts of all kinds and even esoteric things like certificates, RDP sessions, SSH tokens or whatnot. And the advantage here is if you've got these in your environment and an attacker comes in and interacts with them in any way, you know that you've got an attacker in your environment because nobody else should be using these things.
So that's a pretty cool way of getting some extra detection and response features. MDR versus managed XDR. I've started to see companies marketing, you know, managed XDR, but really it's pretty much the same as MDR because MDR service providers are likely using XDR as the backend. So let's take a look at the process. Like I said, we just completed a research cycle on XDR. This is our first report on the subject. What we do is we go out and we find all the vendors that are advertising themselves in a given field like XDR.
We get briefings, we get demos, we put together a very long technical questionnaire that looks a lot like the RFP questionnaires that you all probably send to vendors to find out exactly what do you do. When we get that back, we analyze it, we write up a draft, then we go through a fact check process with the vendors. And once all that's agreed upon, we publish it on our website.
Again, in the interest of time, I'll summarize these. So we have four categories of leadership. Product leadership, that is looking at things like functionality, internal security of the product, deployment, interoperability, usability. Market leadership, that's sort of the combination of how many customers do they have, how geographically distributed are those customers, what are their support options, do they have a lot of ISVs and VARs and systems integrators in different places around the world, and then of course their overall financial strength.
And then innovation leadership, that is about whether or not they are cutting edge or kind of lagging the field, and then we combine those into overall leadership. So I've got a rather long list of capabilities. Feel free to snap a picture if you want. I've got a few pages of these, and I'm not going to read through them all, but just to let you know what were the things that we were looking for specifically, like in that questionnaire, with regard to what the different products do.
So common to all of them, they need to have support for cyber threat intelligence standards and of course anomalous behavior detection, but then they also need to be able to do things like manage cases, integrate with ITSM systems, and then ideally, and most of them do, sort of align with the MITRE ATT&CK matrix. Endpoint. This didn't get updated. Endpoint capabilities, of course they need agents for all the different kinds of machines that are in your environment. So Windows machines, Linux, Mac, virtual, desktop, mobile.
They should be able to operate on their own, you know, not necessarily connected back to the vendor's cloud for maximum effectiveness. Then they need, you know, some other prevention kinds of things, kind of keeping in line with what Max was saying, you know, looking for exploit prevention, having an endpoint firewall built in, URL filtering, system file integrity monitoring, and application control.
And then on the response side, ideally they're able to do things like terminate your processes when they detect that they are malicious, quarantine files, and then do rollback, either, you know, of registry entries that have been changed or even full node rollback. On the network side, again, you need sensors. There is that log forwarding model that's a little less than ideal, I think, but sensors that can be placed, you know, in line or in the SPAN or TAP ports of switches and routers. And then also coverage for containers, clusters, and things like that.
They need to be able to baseline the environment, look at encrypted traffic. I mean, the majority of traffic on our intranets is encrypted, and you don't want to have to force that to be decrypted to be able to figure out what's malicious. And there are a number of different methods that vendors use to determine whether or not something is malicious, even though it's encrypted. Network types of responses include terminating the session, blocking by IP, or even isolating whole subnets. It should also support the cloud in all of its iterations.
And then on the cloud side, you know, it should be able to respond to, like, you know, disabling users or stopping instances. The evaluation criteria, and I'll show you a spider chart here in a minute, which is, we do these for each vendor in the report.
Here, you know, this didn't get updated either. I'll skip ahead. Innovation. So the things that I found in this edition that are particularly innovative are Open XDR.
You know, I think this is a good approach. A lot of vendors are not quite there yet. So it also allows flexibility for customers to use the products that they have.
OT, you know, operational technology, industrial control systems, IoT, and critical infrastructure protocol support. These are important because it's very different than what we deal with in IT environments every day. The protocols are different.
There's, in some cases, not a lot of security built into those protocols. And not every endpoint that lives on an OT network can even actually run an endpoint security agent. That's where the network detection piece can be especially important. So the companies with XDR products that are aware of OT and ICS protocols and how to use them, I think, are the ones that have a definite advantage there. I mentioned mobile support, XDR as a service, deception that we talked about, container support.
And, you know, there are a few that actually have, like, DLP and CASB kinds of capabilities. And I think that's definitely something that's quite innovative. So here are the vendors that participated this time. It's a pretty good crew. And a quick look at the overall leadership chart. And we expect this to grow in the next edition. And here's the spider chart. Here I have tried to call out the features related to endpoint, network, cloud, capabilities for detection and response. What is the administrative experience like in an autonomous operation?
I mean, you know, can you buy this as an entire product? You're not relying on some third-party product. And that rating will sort of show you how autonomously they can operate. And here is our related research. So any questions on this before we move to the panel? Because we do have a panel coming up.
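The deception feature described in the talk (fake accounts, certificates, SSH keys planted so that any interaction with them reveals an intruder) is straightforward to express as detection logic over authentication telemetry. The following is an added example written for this page, not code from the talk, from KuppingerCole, or from any XDR product in the report. It assumes a hypothetical data lake that exposes authentication events as `key=value` lines with `ts`, `event`, `user`, `src`, `service` and an optional `key_fp` field; the decoy account names, the decoy SSH key fingerprint and the sample log lines are all constructed.

```python
"""Decoy-identity interaction detector (added example, constructed data).

Assumption (not from the talk): authentication events arrive as key=value
lines, e.g. 'ts=... event=auth_success user=jdoe src=10.1.4.22 service=vpn'.
"""
import re
from dataclasses import dataclass

# Constructed decoy identities. They exist only to be touched by an attacker,
# so no scheduled job, script or person should ever authenticate as them.
DECOY_ACCOUNTS = {
    "svc-backup-legacy",   # hypothetical fake service account
    "adm-finance-old",     # hypothetical fake admin account
}
# Hypothetical planted SSH key; its fingerprint is tracked the same way.
DECOY_SSH_KEY_FPS = {"SHA256:DECOYDECOYDECOYDECOYDECOYDECOYDECOY0000"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    service: str
    event: str
    reason: str


def parse_line(line: str) -> dict:
    """Parse one key=value telemetry line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect_decoy_interactions(lines, decoy_accounts=DECOY_ACCOUNTS,
                              decoy_key_fps=DECOY_SSH_KEY_FPS) -> list:
    """Return one Alert per event that touches a decoy identity.

    Deliberately no threshold: a single failed logon against a decoy account is
    already evidence of credential testing, so failures alert just like successes.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        user = rec.get("user", "")
        reason = None
        if user in decoy_accounts:
            reason = "decoy account used"
        elif rec.get("key_fp") in decoy_key_fps:
            reason = "decoy ssh key used"
        if reason:
            alerts.append(Alert(rec.get("ts", ""), user, rec.get("src", ""),
                                rec.get("service", ""), rec.get("event", ""),
                                reason))
    return alerts


def sources_to_contain(alerts) -> set:
    """Pivot decoy alerts to the source hosts an analyst would review first.

    This feeds the human-in-the-loop response step (isolate host, block IP);
    it does not act on its own.
    """
    return {a.src for a in alerts if a.src}


# Constructed sample telemetry: one legitimate-looking intruder path from
# 10.1.9.77 that trips two different decoys, plus normal activity around it.
SAMPLE_LOG = [
    'ts=2024-03-01T08:01:12Z event=auth_success user=jdoe src=10.1.4.22 service=vpn',
    'ts=2024-03-01T08:03:40Z event=auth_failure user=svc-backup-legacy src=10.1.9.77 service=smb',
    'ts=2024-03-01T08:03:41Z event=auth_success user=svc-backup-legacy src=10.1.9.77 service=smb',
    'ts=2024-03-01T08:05:02Z event=auth_success user=ops-admin src=10.1.4.30 service=rdp',
    'ts=2024-03-01T08:07:55Z event=auth_success user=deploy src=10.1.9.77 service=ssh '
    'key_fp=SHA256:DECOYDECOYDECOYDECOYDECOYDECOYDECOY0000',
]

if __name__ == "__main__":
    found = detect_decoy_interactions(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.reason}: user={a.user} src={a.src} via {a.service} ({a.event})")
    print("review/contain:", sorted(sources_to_contain(found)))
```

Run as a script it reports three alerts (the failed and successful logons as the decoy account, and the SSH logon with the planted key) and a single source host to review. The practical caveat the talk implies is that decoys only work if they are truly unused: an account that a forgotten backup job still authenticates as will page the SOC every night, so decoy identities need an owner and a periodic check that nothing legitimate references them.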