CSO Perspectives (Pro) 11.29.21
Ep 63 | 11.29.21

Pt 1 – XDR: from the Rick the Toolman Series.

Transcript

Rick Howard: Hey, everybody - Rick here. I'm going to try my hand at a sports metaphor, so bear with me.

(SOUNDBITE OF FILM, "JURASSIC PARK") 

Samuel L Jackson: (As Ray) Hold onto your butts. 

Rick Howard: This past summer, the coach at my local high school football team, the mighty West Springfield Spartans, put a call out to the local fans. He needed volunteers to film his opponent's teams in the upcoming season. I enlisted with a cackle of tech dads to film one of the competitors. By tech dads, I mean, we all came from the tech sector and didn't necessarily know anything specific about the sport of football. And yes, I realize that cackle is normally reserved for a group of hyenas, but I thought it was appropriate for this group of wisecracking dads. 

Rick Howard: Anyway, we attended a South County Stallion game and filmed the plays we thought were pertinent. Later, we got a slightly miffed email from the coach wondering where the rest of the film was. It turns out that he wanted both sides of the game filmed, the Stallions' offense and defense, whereas our cackle thought the important stuff was just the Stallions' offense. It might have had something to do with the amount of beer consumed, but I'm going to plead the fifth on that one. 

Rick Howard: And at this point, you should be asking yourself, what exactly does Rick's cackle adventure have to do with XDR? 

(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT") 

Tim Allen: (As Tim Taylor) Uh? 

Rick Howard: Well, sports and infosec are similar in at least one respect. Collecting all the data available as opposed to collecting the most obvious data or the easiest will improve your chances at defeating the adversary. In football, you want film on your opponent's offense and defense. In infosec, you want film on wherever your opponent operates. I call these our data islands. We want telemetry from our endpoints, for sure, but also from our networks, from our data centers, from our cloud deployments and from our SaaS applications. We really want visibility across the entire intrusion kill chain. The film in this metaphor is the telemetry from the networking equipment and software we use and any security technology that we deploy. XDR is a tool that attempts to corral all of that telemetry in order to simplify visibility and all the data islands, centralize alerting and automate the response. In this Rick the Toolman episode with my sports metaphor firmly in the rearview mirror, let's break down XDR in terms that busy security executives can understand and apply to their first principle security strategy. 

(SOUNDBITE OF "HOME IMPROVEMENT" THEME SONG) 

Tim Allen: (As Tim Taylor) Uh? 

Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire secret sanctum sanctorum studios located underwater somewhere along the Patapsco River near Baltimore Harbor. And you are listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 

Rick Howard: XDR stands for extended detection and response, but the security community's understanding of it is a bit fuzzy. 

(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT") 

Tim Allen: (As Tim Taylor) Uh? 

Rick Howard: The name has gone through the marketing meat grinder, with every vendor putting their spin on it and adding features that benefit their specific suite of tools. Microsoft's XDR product is not the same as Trend Micro's XDR product, and the technology idea is relatively new. Palo Alto Networks released the first XDR tool in 2018. But back then, it was mostly a behavioral analytics product. They used machine learning algorithms on endpoint and networking data, but their competitors quickly caught up. In the recent 2021 Forrester New Wave XDR evaluation, almost 15 vendors cooperated with the study. Gartner, on the other hand, defines XDR as quote, "a unified security incident detection and response platform that automatically centralizes and correlates data from many proprietary security elements," end quote. For a definition, I think that's close. But that same definition could also easily apply to any SIEM on the market. That's SIEM as in S-I-E-M. The Gartner definition is missing a bunch of promised functionality - promised because not all XDR platforms are equal. 

(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT") 

Tim Allen: (As Tim Taylor) Oh, no. 

(LAUGHTER) 

Rick Howard: Pundits, including me, have made the obvious point that XDR is an extension of EDR, or endpoint detection and response, and NDR, or network detection and response, because XDR combines the two into one capability. That's the right idea, but XDR is much more than that - or could be, depending on the vendor. 

Rick Howard: The current state of the XDR idea is the convergence of a cackle of technical strategies. See what I did there? Cackle. Sometimes I crack myself up. These things, these ideas, these products have been bouncing around the security industry for years. Before now, each tool in the security stack was a stovepipe and operated on different data islands. If you wanted intrusion kill chain prevention in the cloud and in your data center, you were probably using two different tool sets to do it. If you wanted zero trust on your endpoints and in your SaaS applications, there was a good chance that you were using two different identity systems to get that done. If you wanted to coordinate and correlate all of that activity, you were doing that on your own, too, manually or with code that you wrote. XDR in general will reduce that complexity. It has the potential to take the security community one step closer to collapsing all that functionality into a meta layer of visibility, alerting and remediation. The promise of XDR is really the next step in security orchestration. 

(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT") 

Tim Allen: (As Tim Taylor) Oh, yeah. 

Rick Howard: But it's a big swing. The general architectural model that most XDR vendors are using is a subscription SaaS service. In its most mature form, XDR could use APIs to hook into all of your security tools and IT infrastructure. In that way, it's similar to an asset discovery and management platform. But like the SIEM, it might also collect essential telemetry for future processing and investigation. If customers don't have a SIEM, it might act as one for them. In addition, though, it could also collect raw log data from customer endpoints and networking infrastructure into giant data lakes and use machine learning techniques for behavioral analysis across the intrusion kill chain. In other words, don't tell the machine specifically what to look for. Use machine learning to train the machine to find bad guys on its own. 

Rick Howard: This is where the X in XDR comes into play, extended as an endpoint and networking data combined. With this approach, an XDR platform could become an essential tool for your intelligence teams, your blue teams and your threat-hunting teams. In a more traditional approach, though, like an intrusion prevention system, an XDR platform might also allow users to craft their own alerting rules on the data in the SIEM and in the data lake. This would be on a much grander scale, though, since its visibility across the entire intrusion kill chain wouldn't be limited to just the networking data that most intrusion detection systems use today. Like a SOAR platform, though, an XDR service might then allow the customer to send configuration updates to the technology stack. In other words, it could provide an automatic remediation capability, a kind of DevOps or DevSecOps capability. 

Rick Howard: For example, if the system notices that 100 laptops don't have the latest Apple patch or a vulnerability that hackers are exploiting in the wild, the XDR SOC operator might be able to push a button to immediately and automatically send the patches to the afflicted systems. If the intel team discovers a new tactic used by APT29, they can mass distribute the countermeasures to every applicable device on every data island. With all of that capability in a single service, XDR is a modern-day orchestration platform. 

(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT") 

Tim Allen: (As Tim Taylor) Oh, yeah. 

Rick Howard: Parts of all that functionality exist today. They are highlighted in the current vendor offerings from the 2021 Forrester XDR report. That's the good news. The bad news is that no XDR vendor today offers a complete solution that works flawlessly for every device and application in the technology stack and protects on all of our data islands. 

(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT") 

Tim Allen: (As Tim Taylor) Oh, no. 

Rick Howard: But that's to be expected. I mean, the idea is only three years old. It's going to take time to build the connectors to all the devices we all use in the IT and security stacks. The 2020 Gartner Hype Cycle puts XDR at the very beginning of the journey. It still has the steep incline of the innovation trigger in front of it. In the future, it has to hit the peak of inflated expectations, slide down the trough of disillusionment, hit bottom and start the slow climb through the slope of enlightenment and finally reach the plateau of productivity. Gartner says it's at least five to 10 years out, and I don't disagree. 

Rick Howard: That said, if you're a certain kind of user, XDR could probably be very useful to you right now. Back in season four, I did a deep dive into the security tools for the three major cloud providers - Amazon, Google and Microsoft. I came to the conclusion that the security stack from each of these vendors isn't mature enough for us to implement our first-principle strategies across all of our data islands. This is similar to the current situation for XDR. I did say, though, that if you've committed to one of the big orchestration platforms - like Check Point, Cisco, Fortinet or Palo Alto Networks - you already have a mature environment in place to deploy your first principle strategies, maybe not 100% but a long way down that journey. And all of these orchestration platforms have a version of XDR that they sell. Adding XDR to your existing subscriptions, then, would be more of an upgrade than a revolutionary step and would likely reduce your environment's complexity. 

Rick Howard: And in that vein, if you've already committed to a suite of tools from the likes of Trend Micro, CrowdStrike, Bitdefender and SentinelOne, it's a no-brainer to add an XDR subscription just to orchestrate all of that capability. It doesn't fulfill the promise of XDR yet, but it does reduce the complexity of orchestrating all of those products together. One last thing. If you're a single technology Microsoft customer, the Microsoft XDR product is worth considering. By single technology customer, I mean that you only run the Microsoft operating system on all of your devices, and you are singularly focused on their cloud offerings and Microsoft Azure. If that's your situation, by all accounts that I could find, the Microsoft XDR offering does a nice job of orchestrating the security of all of that technology. With orchestration platforms like Check Point, security suite tools like SentinelOne or single-version tech giant solutions like Microsoft, there is one road map item all of us should be asking for - connect to more third-party tools and intelligence feeds. 

Rick Howard: The idea of this XDR technology is that it can orchestrate across the entire kill chain of all your data islands with all of your technology. The idea isn't just to be a single pane of glass dashboard for a stovepipe security vendor. For XDR to be the next step in orchestration, we really have to hold our vendors' feet to the fire to give us everything. With all that said, XDR is probably not the tool for most small-sized organizations and for many medium-sized organizations. Those groups probably have other fish to fry before they need to embrace this kind of technology and deal with all the hiccups and false starts that are typical of new products. There are other things they can do today that will have more impact in reducing the probability of material impact due to a cyber event than embracing XDR. 

Rick Howard: Looking into my crystal ball, one thing to keep an eye out for is XDR in relation to SASE, or secure access service edge. According to the same Gartner Hype Cycle, SASE is just a little ahead of XDR. It may have just reached the peak of inflated expectations, but it still has a long journey before it reaches the plateau of productivity, probably around the same time that XDR does. One possible way this could go, though, is that SASE vendors will use XDR products to manage their customers' security stack for them. In other words, XDR will make it easier for them to do so, which will aid in cost and complexity reduction. This is just another reason that SASE is the wave of the future for most organizations. Whether you pay your SASE vendor to use the XDR tool for you or if you prefer to do it yourself, XDR in some form will be a key and essential tool that will work in conjunction with it. 

(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT") 

Tim Allen: (As Tim Taylor) Oh, yeah. 

Rick Howard: As XDR matures as a technology, it will help further the current trend of collapsing SOAR and SIEM tools into one technology. It just makes sense that the platform we use to collect telemetry, the SIEM, should also have a fairly robust capability to automate responses, like SOAR. This trend has been happening for a couple of years now, independent of XDR. But with the current direction XDR is taking, I think it might encourage it to happen sooner. 

Rick Howard: And by the way, the genius of XDR is not that the responsible vendors build all of that underlying technology into one unified platform. The genius of XDR is that the responsible vendors use APIs to connect to the customers' existing security stack. They don't have to spend years in research and development building those tools. They just have to find clever ways to connect into the tools that already exist. For many XDR vendors, they are using the XDR concept to unify their own suite of security tools, which is the easier part of the equation. They should be able to connect to their own products, for crying out loud. The tricky part is how robustly they embrace the idea of connecting to third-party tools and intelligence sources. 

Rick Howard: And speaking of intelligence sources. You've all heard me rant that security vendors don't really help their customers track cyber adversaries. What I mean by that is that they don't alert me to the probability that APT29 is in my network. Instead, security vendors will alert you that a generic technique that APT29 uses might be happening or that a specific procedure attributed to APT29 is occurring. But they don't focus on the adversary. With XDR, that could all change. Security vendors could use APIs to tie into the MITRE ATT&CK framework and provide that kind of collection, alerting and response. For example, you might get an alert that says, quote, "out of the hundred tactics and procedures that APT29 uses, our XDR product is seeing 80 of them active in your environment. Your current security stack is deploying 30% of the available countermeasures for APT29. Push this button to deploy the remaining 70%." Oh, I would love to have that button. 

(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT") 

Tim Allen: (As Tim Taylor) Oh, yeah (laughter). 

Rick Howard: Talk about supercharging your intrusion kill chain prevention strategy. And intelligence companies that have their own XDR product like CrowdStrike or big companies that have a robust intelligence team like Microsoft already track adversaries in detail. They wouldn't have to tie into the MITRE ATT&CK framework at all. Instead of getting an APT29 alert, you'd get a Cozy Bear alert from CrowdStrike or a YTTRIUM alert from Microsoft. If you're listening, XDR vendors, please, please, please give me that XDR adversary button. I can hardly wait. 

Rick Howard: As I said, XDR could be the next evolutionary step in security orchestration. Although the idea has been around for a number of years, I'm excited that so many vendors have embraced the concept with working products. That bodes well for the security practitioner trying to reduce the complexity out of their environments. And it means that security executives should have the XDR concept planted firmly in their road map for future deployment. 

Rick Howard: And that's a wrap. One little note about full disclosure: Microsoft is a CyberWire partner, and they also host a number of their own podcasts on our CyberWire network. Well, it's kind of hard to talk about cybersecurity sometimes without at least mentioning Microsoft. I'm just saying. And as always, if you agree or disagree with anything I've said, hit me up on LinkedIn or Twitter, and we can continue the conversation. Or if you prefer email, drop a line to csop@thecyberwire.com. That's C-S-O-P - the @ sign - thecyberwire - all one word - dot com. And if you have any questions you would like us to answer here at "CSO Perspectives," send a note to the same email address, and we will try to address them in the show. 

Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening.