CSO Perspectives (Pro) 12.6.21
Ep 64 | 12.6.21

Pt 2 – XDR: from the Rick the Toolman Series.


Rick Howard: When I introduced the Rick the Toolman series a couple of weeks ago, I got a few questions from the fans about why we were doing it. They said things like, you know, we understand that your show caters to security practitioners at all levels - from the tier-one and above analysts to the middle managers and all the way up to the senior security executives - but it does tend to skew towards the leadership team. So why should they be interested in how security tools work? Isn't that much more in the purview of the day-to-day security operators? Well, that's a great point. And I think that some security executives might agree with them. They would prefer to stay in policy land or budget land. But let me make my case using one of my favorite World War II movies, the 1970 movie "Patton."

Rick Howard: The great actor George C. Scott plays Patton. And there's a scene early in the movie when Patton's Second Corps goes up against Rommel's Afrika Korps and defeats them in a big tank-on-tank battle with artillery, infantry and aviation in support. And Patton, in victory, with a big, fat, smug smile on his face yells out loud... 


George C. Scott: (As George Patton) You magnificent bastard - I read your book. 

Rick Howard: It's a fact that General Patton was a huge reader of military history, especially. And he likely agreed with Otto von Bismarck, the famous Prussian prime minister and chancellor of the German Empire in the late 1800s, who said, I quote, "any fool can learn from experience. It's better to learn from the experience of others," end quote. Patton reading Rommel's book on military tactics gave him experience on how to deploy his own forces without having to learn those hard lessons on the battlefield, when lives were on the line. Now, I'm sure that Patton probably knew how to drive a tank. But that's not the skillset I'm looking for here. What was important was that Patton knew how to deploy the tanks in total as a tool, as well as their artillery, the infantry and his aviation assets. 

Rick Howard: And it's the same for security executives. They don't necessarily need to know how to configure a firewall, but what they do need to understand are all the ways in which you can deploy a firewall. In other words, they need to understand the full range of the tools' capabilities so that they can set the direction for their InfoSec teams. We talk about cybersecurity first principle strategies a lot in this podcast. Security executives who don't understand the tools at their disposal have no hope of pursuing their cybersecurity strategies. They don't have to know how to drive the tank, so to speak. But they do have to be able to articulate to their InfoSec team how they want the tank to be deployed in support of the first principle strategies - which brings me to last episode. I talked about this new security tool that's just getting started called XDR, or extended detection and response. I came to the conclusion that the tool has a lot of potential for helping all of us achieve our cybersecurity first principle strategies. But as a mature technology, it's not quite there yet. Still, I might be wrong. 

Rick Howard: I thought I would get a second opinion and invite an expert to the CyberWire hash table to see what he thought. His name is Jon Oltsik. He is the senior principal analyst and fellow at the Enterprise Security Group, covering security, operations, analytics and risk management. I've known him for years. And I thought he would be perfect for this Rick the Toolman episode. 


Tim Allen: (As Tim Taylor) Uh? 

Rick Howard: My name is Rick Howard. And I'm broadcasting from the CyberWire's secret sanctum sanctorum studios, located underwater somewhere along the Patapsco River near Baltimore Harbor. And you are listening to CSO Perspectives, my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 

Rick Howard: As I said, I've known Jon for years. In fact, he was one of the original Cybersecurity Canon Committee members some seven years ago. But when I started looking into XDR as a technology, his name kept coming up in the research. He's written several essays on XDR over the past year or so. And one of the points he makes is that trying to nail down a definition for XDR is a little tricky. Every vendor has their own flavor for it. So I started out by asking him if he could take a swag at a consensus definition for what XDR is. 

Jon Oltsik: To me, it's an architecture. And it's an architecture that brings together controls, data sources, analytics and operations into a common kind of command-and-control environment. So we're aggregating a lot of what we've done historically with individual tools into a common architecture, common toolset. 

Rick Howard: Is it fair to say that the future potential of XDR is that it's going to become an orchestration platform for, like, visibility and alerting and automatic response across all of our data islands? You know, when I say data island, I mean endpoints and data centers and cloud deployments and SaaS applications. Is that a fair characterization of it, do you think? 

Jon Oltsik: Well, that's the goal, Rick. I mean, I think it'll take us a while to get there. So right now the common data sources are really endpoint data, network data, threat intelligence and, to some extent, cloud data. Now, as you mentioned, if I'm a security vendor who sells email security, I'll include email. If I sell CASB, I'll include CASB. And the goal is to kind of understand the adversary behavior as they proceed through their kill chain. But we're just getting started here. And I think what the state of the art now is just advanced correlation rules. So the kinds of things that experts would develop for a platform like Splunk in the past are being canned into these XDR platforms. 

Rick Howard: Well, I've looked at some of the vendors that are selling XDR. There's a wide range of capability. On one end of the spectrum, it's basically the vendor orchestrating their own security suite. Let's say they have 10 security tools that they sell. And they use XDR technology or architecture - like you said - to kind of tie it all together. And then on the other end is vendors who try to - like what you said, OK - try to hook everything together - not just their own security suite - with lots of external sources. But what timeline are we looking for before this becomes useful? - 'cause this is kind of a brand-new idea. 

Jon Oltsik: I think it's already useful. I mean, if I do control the network telemetry and the endpoint telemetry with a common data format, with common analytics, with enrichment of threat intelligence in a common way, then I can add value. Those are the things that security teams have done on their own for years. Maybe a vendor can help out there. But in terms of getting to the next phase, in terms of really advanced analytics and automation, I think we're just scratching the surface there. We're advancing quickly. But we're also just beginning. 

Rick Howard: In my last gig, I worked for a big platform provider. And they rolled out XDR pretty early. And it was mostly then just behavioral analytics, looking at network and endpoint data. But it wasn't that useful back then. This is a couple years ago. We assumed that we could use machine learning algorithms to find bad guys in that data. And we - you know, we found a lot of interesting things but nothing that you could say, oh, there's the bad guy right there, and we used, you know, machine learning to do it. Have you got any positive stories that anybody's having success with that kind of thing? 

Jon Oltsik: Yeah, I think there are a couple things that they're successful at. One is triaging alerts. So if I can do a better job of triaging alerts, if I can prioritize what needs to be investigated, then I'm making progress. And we know that Tier 1 analysts are buried. So that's one thing that - it's starting to happen, and it's promising. The second thing is stringing together a timeline for an investigation. So instead of a Tier 2 analyst doing that, give me the breadcrumb trail that suggests that there's not only an attack in progress, but it's progressed through these steps. So those are the kind of promising things that I'm seeing. And, I mean, we're overwhelmed by security right now. So those things are good. It's good to make that kind of progress. But I think we have to be realistic about where we are and where we're going. 

Rick Howard: There are other mature orchestration platforms in the market today. And we don't really call them that, but that's what they are. They're the big firewall companies like Check Point and Cisco, Fortinet and Palo Alto Networks. You know, they have hardware and software offerings and can be deployed to protect all the data islands that are independent of, let's say, a Google or a Microsoft. They kind of sit in front of there. But what would you say the difference is between those mature technology offerings and these new XDR services? What's the big difference? 

Jon Oltsik: In the past, at least, all of those operated independently. So you had your firewall that you could input rules into, or you could look at files. But that was different than what you did on the endpoint, a different set of vendors. It was different than the threat intelligence that you collected. Now, certainly, some of the big vendors you mentioned have had all of those products, but they've been really sold as point products, and now they're doing more to integrate them. And I think that's the big step forward. I'm going to show my age here, Rick... 

Rick Howard: (Laughter). 

Jon Oltsik: ...But I equate it to the 1990s, when we went from departmental apps to ERP. 

Rick Howard: (Laughter) OK. 

Jon Oltsik: And it was a difficult transition, but it changed not only our technology but our business processes. And I'd say that's what we're aiming for with XDR. 

Rick Howard: The thing I noticed yesterday when I was reading through some of this stuff was, you know, those big platforms like I mentioned - you know, they sell hardware and software, and they make those services themselves, for the most part. But the promise of XDR is not that at all. Really, XDR services use APIs to tie into security tools or intelligence feeds or whatever they're tying into. XDR vendors don't have to build the underlying technology. They just have to be really smart about connecting via APIs to other tools in the environment. 

Jon Oltsik: Well, therein lies the confusion because I agree with you. And, sometimes, people call that open XDR. But the platform vendors will say that they've got better levels of integration because they control all of the development and design. They can standardize on the data formats. They can ingest and enrich and even correlate with threat intelligence. So it's kind of pick your poison. I think ultimately, though, Rick, it has to be an open architecture because there are just too many tools. There's too much diversity. No one's going to throw the baby out with the bathwater, so they have to all work together. And APIs get you there, but I'd like to see more standardization here, as well. 

Rick Howard: Well, you mentioned that in some of your articles in the past year - that some of these vendors are creating their own alliances. You mentioned one by CrowdStrike. And there's another one by Exabeam and ExtraHop and some others. A third one by the Open Security Alliance. What's going on there? What are they trying to do? And how come they're not working together? 

Jon Oltsik: Well, I wish I could answer that second question. And, I mean, just on a side note... 

Rick Howard: (Laughter) I thought you had the magic answer. 

Jon Oltsik: Yeah (laughter). On a side note, I'd like to see big consumers of security technologies forcing the vendors to work together a little bit more. So there should be standard APIs. There should be standard data formats and standard transports. I don't get it. It would benefit - well, I get it. We live in a capitalist society. But it would certainly benefit everyone in security if we worked better collectively. I think that's what you see - again, I'm going to show my age, but I remember the COM versus CORBA wars in terms of object-oriented programming. I know I'm dating myself there. But everyone's got their agenda. 

Rick Howard: Well, I don't know. I'm too young for that. I don't remember. I read about that. I... 


Jon Oltsik: I think you taught me about it, Rick. 

Rick Howard: (Laughter). 

Jon Oltsik: Everyone's got their agenda. Certainly, CrowdStrike wants the center of gravity of XDR to be CrowdStrike. Palo Alto wants the center to be Palo Alto. These are big market-strong companies, and they're going to influence people. But I really would like to see much more collaboration. And I - and open standards seem to me the way to get to that point. 

Rick Howard: These same companies, at least most of them, are - belong to other security alliances. Like, the Cyber Threat Alliance comes to mind... 

Jon Oltsik: Yes. 

Rick Howard: ...Where they've already agreed to share threat intelligence with each other - that they wouldn't compete on the intelligence, that they would compete, you know, on how they used the intelligence. And this seems, in that same ballpark, if not exactly the same thing - I don't know. 

Jon Oltsik: I couldn't agree more. And there are standards. Like, there's one that I wrote about recently called OpenC2. So it's sort of an abstraction layer so that when you see - let's say you see some malicious IOCs, you can tell every control to block them without having to know how to talk to every control differently. It's been around for several years. It's definitely in a state of advanced maturity, at least compared to where it was. I don't understand. I mean, this seems to be something that all the vendors could pick up on. It would level the playing field. So again, if I want to say block this IP address, I can say it once, and Palo Alto, Check Point and Fortinet firewalls all understand what I'm talking about. So it seems to me that that's a way to advance our defenses. But, hey, what do I know? 

Rick Howard: Well, I think you're right about there. And you mentioned the MITRE ATT&CK framework earlier, and I'm just flabbergasted that the vendors haven't glommed on to this yet. They'll alert us that there's some new technique from the MITRE ATT&CK framework or some new specific procedure, but they don't track the adversary, like APT29. There's no dashboard that says APT29 is, you know, active in your network. And it would be so easy to do with an XDR-like product. So what I - in my perfect world, I want a dashboard in front of me that says, you know, there's a hundred things that APT29 does, and we're seeing 80 of them in your network, and so there's a really good chance that APT29 is in your network. And then you've only deployed 30% of the known controls in your security stack for APT29. Push this button and get the other 70%. I would love to see that thing. What about (laughter) - do you think that's even possible? 

Jon Oltsik: I think we'll get there, Rick. I completely agree. To date, XDR has kind of focused on Tier 1, Tier 2 analyst activity. So triage, investigations. The Tier 3 threat hunting activity is - I mean, they talk about it, but I don't think it's there yet. Now, what I do see in the market is more organizations - buyers are - operationalizing the MITRE ATT&CK Framework. I'm very bullish on whether you call it breach and attack simulation or continuous automated red teaming, whatever you call it, I'm bullish on that. So what we see is this notion of a threat-informed defense. Going into 2022 predictions, I think we'll be talking a lot more about threat-informed defense in 2022. And that gets to where you're talking about where we do some security testing based on the actual TTPs that adversaries used. We find our gaps and not only technology gaps but process gaps as well. And then we have a good road map on what we need to address and what are the priorities. 

Rick Howard: Yeah, I've noticed that, too, that we tend to use the MITRE ATT&CK Framework and other frameworks like that and go right to red teaming or purple teaming, which is great. I don't mind it. All right. But most organizations - I'm talking about in terms of size, you know, small to medium size - they don't have red teams. They don't have purple - they don't have enough resources to do that. What I would like to see is the vendors to get on this. And, yeah, I know red teams can use the data. But, man, it should be easy to automate most of that stuff or at least half of it. And that's what I would like to see. 

Jon Oltsik: Yeah, I think we'll see that emerge as a managed service, primarily, because you're right. I mean, where I see rapid adoption of this technology, it's at the top of the pyramid. And not everyone has an army of security professionals, security engineers who can customize rule sets and code. And so you're right. It has to become more pedestrian, if you will. And that means, to me, professional services or managed services. 

Rick Howard: You were looking into your crystal ball there. Are you expecting to see some security vendors actually apply the MITRE ATT&CK Framework, not just for the techniques but, you know, by adversary by adversary activity? Do you see that in the next year, or are we still five, 10 years away from that? 

Jon Oltsik: No. I mean, I already see that, again, with some of these breach-and-attack simulation platforms from vendors like AttackIQ, Randori, SafeBreach, Cymulate. There's a whole bunch of them. Mandiant has its managed service from the Verodin acquisition. And that's exactly what they can do. They can test your controls independently or discretely. So here's your email security. Here's your endpoint security. But they can also launch an APT29 attack, and say here's the TTPs that are used. Here's how it fits into the MITRE ATT&CK Framework. Here's your gaps. What do you want to do, you know? And they actually can go to the next step and say, if I were you, here's where I'd prioritize. 

Rick Howard: Yeah. And I find huge value in that, but like I said, most organizations can't afford that kind of thing. I'm really looking for the vendor to, you know, do that for it - at the least, give us the view in their dashboard, you know, that says there's a chance or not a chance of APT29. 

Jon Oltsik: Mandiant bought Verodin, and I think that was a shrewd move. I think they saw that consolidation that you're hinting at. And so it wouldn't surprise me at all if we see more M&A activity in this area in 2022. 

Rick Howard: Most of the XDR vendors today are - they're using XDR to manage their own suite of tools. They wave at the idea of connecting to third-party tools, but mostly, they're trying to connect all their own stuff. Is that right? 

Jon Oltsik: I think it's a continuum. So on the one side, you've got people who want - who have a closed architecture. Or maybe they open it up on a partnering basis. 

Rick Howard: Yeah. 

Jon Oltsik: On the other end, you have someone with an open architecture that doesn't make any of the controls but just wants to be kind of a command and control or a manager of managers over everything else... 

Rick Howard: Yeah, like a middle layer. 

Jon Oltsik: ...Including SIEM. 

Rick Howard: Yeah. 

Jon Oltsik: And then you've got everybody in between who work with some partners and not others, work with APIs - these kind of APIs or these data sets but not others. But I think the trend is moving toward that more open side. 

Rick Howard: If organizations are trying to buy XDR today, is it for everybody? I mean, we keep mentioning small, medium and big companies, but I don't think small, medium-sized companies can use this right now. 

Jon Oltsik: Well, if you're a really large company, well-resourced company, you've done this already. You've got your SIEM with expertise there. You've got a threat intelligence platform. You probably have a SOAR, and you've automated a bunch of end-to-end processes. You've already done the integration of the EDR and the NDR with the SIEM. You don't need it. You should look because it may - there may be opportunities to kind of consolidate your architecture, but you've basically done this yourself. On the other end, you don't have the skills. You're overwhelmed by technology. You're probably better off using MDR - that market's just growing like crazy - working with a skilled managed services provider. It's the people in between those that should look at XDR as a consolidation play, but also, like I said, to modernize the SOC, to help with alert triage, to help with investigations, to get you more of the automation without getting full-blown into a SOAR and coding your own playbooks. 

Rick Howard: I was looking at the Gartner Hype Cycle for lots of different technologies, and they have XDR just barely starting on the journey. But what I thought was interesting is a companion technology called SASE, Secure Access Service Edge, is just barely ahead of it, but they will likely both become useful in five years, according to Gartner. And that goes to your MDR model, I think. I believe that SASE vendors will use XDR to manage their customers', you know, security stack down the line. I see that, you know, happening as almost inevitable. I don't know. Have you thought about that at all? 

Jon Oltsik: Yeah, I think you're right. I mean, the difference to me with the platforms is SASE not only tries to aggregate a number of security functions in the cloud, but it does the same for networking functions in the cloud. 

Rick Howard: Yeah. 

Jon Oltsik: So now you've got two organizations, two budgets, two groups of goals and objectives. That's a big ask to get all that stuff together. And we've talked about this kind of intellectually in my long career here. But it's a lot of work, and you'd have to have the leadership and the oversight and the patience to put all that together. XDR is different because XDR is really controlled by the SOC buyer. We've taken things like SIEM and EDR and NDR for years and tried to make sense out of the three of them. Well, if XDR is a commercial alternative to getting to that goal faster, then I think it does accelerate and goes a little bit - the hype cycle, as Gartner calls it, proceeds faster than SASE. 

Rick Howard: I like the way you said that, that it's a SOC tool, and the reason it is, I think, is that it doesn't necessarily need hardware and software apps that the SOC controls. We all know the SOC doesn't control anything in any kind of large organization. The networking team does, or the IT team does. But an XDR solution with APIs - that's a lot easier for the SOC to manage - right? - so they can get access to all that telemetry and make use of it, as opposed to owning all that infrastructure. 

Jon Oltsik: Right. And that - again, that kind of speaks to the open platform because, alternatively, you have to convince the EDR buyer who's leaned on Carbon Black and the NDR buyer who's based - who's used ExtraHop. And you have to tell all of them, well, I know you like these things and you developed expertise around these things, but get rid of them and centralize in this other thing because it's for the greater good. That's a tough, tough story to convince people when they've built a, you know, a center of excellence on a particular product. 

Rick Howard: Well, I mean, if this all goes well - right? - then they can have their EDRs, and they can have their NDRs and whatever thing they have in the security stack. The XDR software just needs to be able to connect it - collect the telemetry and then be... 

Jon Oltsik: Yes. 

Rick Howard: ...Able to send configuration updates back to the security stack based on some algorithm the SOC uses - right? - something like that. That's what I want. 

Jon Oltsik: Exactly. But the more you play out that example, the more you get to SIEM, and we've got SIEM. So it's a work in progress, Rick, but everything you're saying suggests that open solutions will be more attractive, and I couldn't agree with you more. 

Rick Howard: That's good stuff, Jon. Any last words of wisdom that I didn't ask you about on this conversation about XDR? 

Jon Oltsik: Yeah. I mean, what I tell CISOs when I talk to them, Rick, is this is a new technology, and it really is sort of a security transformation that's going on. So everything that you've done in the past, you should use as sort of wisdom. But on the other hand, do some fresh research. Think outside the box. Cast a wide net. So really, I mean, there's a lot of innovation here. There's a lot of new players. So I think it's an opportunity to really get further along if you - if you're creative and, like I say, you think outside the box. 

Rick Howard: Well, thanks, Jon, for coming on the show and giving us those words of wisdom. I appreciate it, and I need to do this more clearly. You know more about this than most people. So thanks, Jon. 

Jon Oltsik: Rick, anything you need, any time, I'm your guy. I'm here. 

Rick Howard: I appreciate it. 

Rick Howard: That was Jon Oltsik, senior principal analyst and fellow at the Enterprise Security Group. And it appears that his thoughts and mine on the future of XDR generally align. XDR is a tool that we'll all be using in the very near future. I think where we slightly disagree is that Jon thinks it's mostly an advanced tool for the SOC that will make it easier to manage SIEM and SOAR functions. I don't disagree in principle, but I have high hopes that XDR can be much bigger than that as a security orchestration tool that can manage our security stacks in all of our data islands for things like asset management, alerting and response, and focusing on adversary playbooks across the intrusion kill chain. 


Tim Allen: (As Tim Taylor) Oh, yeah. 

Rick Howard: And that's a wrap. As always, if you agree or disagree with anything I have said, hit me up on LinkedIn or Twitter, and we can continue the conversation there. Or if you prefer email, drop a line to csop@thecyberwire.com. That's csop@thecyberwire.com. And if you have any questions you would like us to answer here at "CSO Perspectives," send a note to the same email address, and we will try to answer them on the show. 

Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening.