CyberWire-X 4.3.22
Ep 28 | 4.3.22

Living security: the current state of XDR.

Rick Howard: Hey, everyone. Welcome to "CyberWire-X," a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the chief security officer, chief analyst and senior fellow at the CyberWire. And today's episode is titled Living Security - the current state of XDR. Gartner defines XDR as, quote, "a unified security incident detection and response platform that automatically centralizes and correlates data from many proprietary security elements," end quote. Now, for a definition, I think that's pretty close. But that same definition could also easily apply to any SIEM on the market or any SOAR platform. The Gartner definition is missing a bunch of promised functionality - promised because not all XDR platforms are created equal, as the security vendor marketing teams describe their XDR solutions with subtle distinctions. In this episode, I've invited a number of subject matter experts to the CyberWire hash table to see if we can sort this out. A program note - each "CyberWire-X" special features two segments. In the first part, we'll hear from an industry expert on the topic at hand. And in the second part, we'll hear from our show's sponsor for their point of view. And since I brought it up, here's a word from today's sponsor, Trellix. I'm joined by an old Army buddy of mine and a colleague and a regular here at the CyberWire Hash Table, Ted Wagner, the CISO for SAP National Security Services. Welcome to the show, Ted.

Ted Wagner: Great to be with you, Rick. 

Rick Howard: Ted, we've known each other for - what? - 20 years now? Is that right? 

Ted Wagner: I think that's about right. Yeah. 

Rick Howard: (Laughter) And we've worked together in the military at the Army's Computer Emergency Response Team, and in the civilian world in a small beltway bandit called Pasch. And now you're a big, fancy CISO in your own right. How long have you been at SAP? And tell me about your responsibilities there. 

Ted Wagner: I've been with SAP for seven years. And I've been at the part of SAP that's focused on the federal market, supporting the Department of Defense and federal customers. And it's been very good. We've seen a lot of growth in our cloud offerings. And we think there's great opportunity, as well as great challenges, for security. So I'm excited to be here. It's been a changing, evolving experience, but been a great experience altogether. 

Rick Howard: So today, we're talking about XDR. And that stands for extended detection and response. But the security community's understanding of it is a bit fuzzy, right? The name has gone through the marketing meat grinder, with every vendor putting their spin on it and adding features that benefit their specific suite of tools. Like, Microsoft's XDR products are not the same as Trend Micro's XDR products. And the technology is relatively new. Gartner defines XDR as a unified security incident detection and response platform that automatically centralizes and correlates data from many proprietary security elements. But to me, that sounds like a SIEM or maybe, like, a SOAR platform. So what's your take on this, Ted? How would you differentiate the three toolsets: SOAR, SIEM and XDR? 

Ted Wagner: I think XDR is an EDR that's grown up a bit and is challenging the SIEM environment. And I think that's interesting as a consumer of security technology. I think it's very exciting. But I think we need to learn a little bit more about what the boundaries are of this capability. 

Rick Howard: So in my mind, though, I think XDR is probably the next stage in the evolution of security toolsets. XDR is API-driven, meaning that instead of logging in to each of the tools in the security stack to monitor it, to collect telemetry, update it with data and new configurations, you do all of that through software. So in other words, if you get the right XDR tool, you can automate the orchestration of your entire security stack. Now, SIEM, then, allowed us to automate the collection of telemetry. And SOAR platforms allowed us to automate the handling of Tier 1 through 3 tasks from the SOC analyst. And truth be told, I see the SIEM and SOAR toolsets merging in the near future. But is the idea of XDR automating the orchestration of the security stack, does that have enough capability enhancements to justify using it as a replacement to those other tools? Or how are you thinking about this? 

Ted Wagner: We are committed to a SIEM right now. We've partnered with them. And we spend a lot of money ingesting a lot of data from different data sources, including endpoint detection and response, the precursor to XDR. But where we see challenges is in ingesting all these different data types, normalizing them and making them queryable. That's a big challenge. So does XDR allow us to extend the collection of data across different elements of the infrastructure beyond the host and be able to ask those analytical questions about, is the threat present in this environment? And do they provide those behavior analytics and those other analytics that we want to take advantage of as the technology grows and innovates in the ability to identify threat activity? Is it really better than a SIEM that we're currently using? I don't know that we know the answer to that question. But I'm very anxious to know if they can overcome the inroads that the SIEM vendors have made. 

Rick Howard: It's a slightly different approach, though - right? - because XDR is using strictly APIs. I guess you could say the same thing about SOAR and SIEM, OK? But if I understand it right, though, XDR tools are not storing the data, so you'd still need to store it somewhere, perhaps a SIEM. Is that right, or am I misunderstanding that somewhere? 

Ted Wagner: That's right. You still need a place to store and then run your queries against it. That integration is always a tough point because when we go across technologies, those types of integrations, those APIs, do they really work, and are we able to integrate with the diversity of technology that we have in our environment? So those are always challenges that we confront. Where we have great success and standardization, that's always a faster way to get to where we need to be. 

Rick Howard: So the SIEM tools come with prearranged connections to common tool sets, right? They could connect to a vendor's firewall - you know, name some of the prominent ones. They could connect to an intrusion detection system. So can the SOAR platforms. So I'm assuming that the XDR services can do the same. So what's the value again from an XDR service? Why would you pick that over SIEM and SOAR? 

Ted Wagner: The opportunity here is the cost of the SIEM is expensive. These SIEMs have, really, monopoly power to charge pretty high costs to do their work. And can we cut the cost and simplify the implementation of these technologies to collect data across the spectrum of our infrastructure? So that's where I think there's an opportunity. We always like to see a little competition in the space to see if we're getting, one, the best technology, the best detection capability, and are we getting the right price? Because to be honest, some of these SIEM vendors are pretty expensive. 

Rick Howard: Well, and the cost comes from storing the data, right? That's how they made their money. I remember when you and I worked together back at TASS, we had a SIEM. Nobody on the team liked it because it was so expensive to store everything, right? 

Ted Wagner: (Laughter). 

Rick Howard: So we started making decisions about what not to store. You know, we're only going to store three weeks of data or only the important stuff. So it became not useful. Presumably, with an XDR solution, you're going to collect the telemetry you absolutely need and store it in your own relatively cheaper cloud server somewhere, right? That's how we're going to configure this, right? 

Ted Wagner: That's correct. And where you can identify that meaningful data and only store that data is always a critical decision point and a great filtering capability that you want to adapt to. 

Rick Howard: The reason I like the idea of an XDR is it's not just being able to collect the telemetry. Like you said, you can do that with SIEM and SOAR tools. But it gives you the ability to automate going back the other way. If I need to upgrade a block list on a new firewall or update some rules in a new intrusion detection system, I can do that through the XDR interface. It goes both ways. You can do that with SOAR and SIEM, but that's not what people are using them for. They're basically collecting telemetry right now. And with SOAR platforms, there's an easier way to eliminate a bunch of noise, but it's not really updating the security stack in any way, any kind of orchestration. Is that your understanding, too? 

Ted Wagner: Yeah, that's right. And we want to be able to filter out or create access control lists at the firewall through these integrations to keep those things away from our environments, our data. 

Rick Howard: So you and I are big fans of a potential technology or architecture coming up. You know, it's just on the horizon. It's called SASE, or secure access service edge, and it's a replacement architecture for how you and I have done this for the last 20 years. You know, most of us today manage our own security stacks across multiple data islands like SaaS and traditional cloud, traditional data centers, office buildings, mobile devices. And it's very complicated. SASE combines the cloud model, where the vendor manages the infrastructure, and the customer manages the policy, with really fast internet pipes, combined with some sort of SD-WAN networking meta-layer to make the bandwidth as fast and as reliable as possible. And so somewhere down the line, you can install an XDR service using the SASE model. Does that make it more compelling for somebody like SAP? 

Ted Wagner: Absolutely. And I'm a big fan of SASE. I love the concept. During COVID, we adopted some elements of it to replace our access, how we access our corporate environment, using a SASE service and - very pleased. I'm really excited about the opportunity to implement CARTA, or the continuous adaptive risk and trust model, with identity. We are really deeply investigating those capabilities. And then to your point, integrating them to an XDR capability, that - I won't say it's nirvana, but it gets me excited. 

Rick Howard: There's a couple of nerds getting excited about XDR technology, OK? That's just - that's perfect for us to... 

Ted Wagner: Exactly. 

Rick Howard: So what that means to me is that the first hop from your laptop, wherever you are, whether you're back in headquarters or your house or in the sales office in Singapore or in some cloud service, if you need to get to the internet, the first hop is through or to the SASE vendor. 

Ted Wagner: Yes. 

Rick Howard: And it runs through the SASE vendor security stack, which could be XDR, right? XDR is going to collect all the telemetry, all the - from all the security tools you deploy. It can do everything centrally from that spot, right? And the only thing I have to manage is the policy. I decide that Ted is allowed to get to this resource but not this resource, and the SASE vendor handles all the - you know, the turning of the crank. That's what I think is going to happen. And we're, like, five to 10 years away from that. But I'm excited about it, too. Are you guys designing your networks now to kind of accommodate all those things - SASE, SD-WAN and security stack - in some SASE vendor somewhere? 

Ted Wagner: Yes, we are putting the pieces together as we speak. We think this is the pathway forward. And the reason why I'm so mindful of this - a couple of years ago, there were some vulnerabilities with VPN concentrators where at your poor perimeter, you had a zero-day just lying in wait for someone to attack you. You were none the wiser. And that created so much risk against your perimeter and against those islands of data. Now, with the SASE model, we transfer that risk to a vendor that can diversify that across infrastructure and create much more secure access to the environment. So we're very excited about these opportunities. 

Rick Howard: Two nerds geeking out about XDR and SASE. Good stuff, Ted, but we're going to have to leave it here. So thanks for coming on the show. 

Ted Wagner: Thank you, Rick. It's always great to talk to you and great to catch up. 

Rick Howard: That's Ted Wagner, the CISO for SAP National Security Services. 

Rick Howard: Next up is my conversation with two key members of the Trellix leadership team - Bryan Palma, the CEO, and John Fokker, the head of cyber investigations and principal engineer. 

Rick Howard: Bryan, let's start with you. I was going over your bio. You're a busy man. Just in the last six years, general manager of several Cisco product lines, the CEO of BlackBerry, the chief product officer for FireEye. And now you're the CEO of two companies, first, the newly merged FireEye and McAfee companies, and second, the CEO of Trellix. I'm surprised you have time to even tie your shoes in the morning. So can you give your listeners, our listeners a Reader's Digest version of how the FireEye, McAfee, Trellix companies all fit together? 

Bryan Palma: Absolutely, Rick. So first of all, I was with FireEye last year. We ran a process to divest the business from the Mandiant portion. And that process culminated in June with the sale to Symphony Technology Group. Symphony Technology Group had also purchased McAfee Enterprise. And we took the opportunity then to bring those two companies together. That transaction was closed on October 8. And I was very excited to be named the CEO of the joint business. Then in January, we renamed the joint business to Trellix, which is the brand that we operate under now. I would say a few points. One, most importantly, both of these companies are very focused on the extended detection and response market, or XDR. We have a large public sector global business that we are continuing to grow and is a major area of focus for us. 

Rick Howard: Excellent. So, John, you came over to Trellix from the McAfee acquisition. And you're the chief investigations officer. Does that mean you run the threat intelligence team at Trellix? Or does it mean something else? 

John Fokker: Threat intelligence is a very broad concept. I run the head of cyber investigations, and that's my day-to-day. I run a team that collects a lot of threat intelligence that serves our customers. So everything we collect we put back into our product so our customers have the best protection. One of the key points that is my specialty - 'cause in my former career I was with law enforcement with the Dutch High-Tech Crime Unit - is seeking out these collaboration efforts where we as Trellix can make a difference, where we can actually maybe even attribute a certain attack to a threat actor or help law enforcement in the public sector to uncover and indict cybercriminals. So that's part of my responsibility as head of cyber investigations. 

Rick Howard: So, Bryan, you wrote a blog back in January titled "With Trellix, the Future of Cybersecurity Is Now" in which you introduce this really interesting concept called living security. I was intrigued by it and that you based the company name on the word trellis, which is a framework designed to support the growth of living things such as plants and trees. So can you tell the listeners what you meant by that connection? What's going on here? 

Bryan Palma: I sure can, Rick. So first of all, when I took over as CEO, we looked out at the landscape of cybersecurity companies and how they were presenting themselves and what was happening in the market. One of the things we came away with was there was still a lot of what I believe are backward-looking kind of branding around guards and gates and, you know, striking and, you know, this notion of battling. And when we looked at the market, we said that's just not what's needed anymore in the market. What's needed is living security, something that's flexible, a system that's adaptable, a system that's open, a system that learns and helps you get the capabilities you need to be able to effectively mature your program around cybersecurity. So as we dug into that, we got around this notion, as you mentioned, of the word trellis. And a trellis is an infrastructure on which you grow plants and trees. That felt like a really good underpinning for where we wanted to go with the company, creating an XDR platform that underpins the cybersecurity capabilities for our customers. 

Rick Howard: I really like that idea because you're right; the cybersecurity space has been filled with military metaphor for, jeez, since the beginning. And maybe you're right that it's time to rethink that a little bit. And I know at least half our listeners don't even like that metaphor anymore. So to get it out of the attack-defend kind of thing, was that a marketing move? Or was that something you've been thinking about for a while as you were moving through the ranks here? 

Bryan Palma: We did a number of focus groups. We went out there and studied what other folks in the security business were doing, what folks outside the security business were doing. And it's really, I think, at the heart of who we are and who we want to be, which is a - the living security company that's able to help our customers. And we think critically important to that is machine learning. Critically important to that is data science. And that's really where we're pivoting the company. And that's really when you think about the data we have, the telemetry we have, the intelligence - that's where John and his team are so valuable. One of the other really important parts of living security is it takes people. It takes expertise. And we talk about that expertise being embedded. John, I don't know if you want to just mention a little bit about the work your team's doing and how that fits into living security. 

John Fokker: I come from a military background. But I keep that within our team. So we do not - like we said, within Trellix, we're living security. We want to make it more adaptable. And what my team does and what we do is we look at these attacks. We disseminate them from a very low atomic level. So people know IOCs and all these things. But we also figure out how they work, how their behavior is, and what are the methodologies, so the tradecraft. And we go to pretty far lengths in disseminating these attacks. And then we look at our product stack. And we think like, OK, how can we best load our product stack with the intelligence from these attacks to best protect our customers? And we've been doing this for several years now within McAfee and FireEye. 

John Fokker: And then I'm super excited 'cause we're putting everything on - you can say one pile, where we're putting all the heads together. And that is really a great foundation for building some really, really good behavioral models for our data science teams, some good machine learning models because we're going above that low atomic level that a lot of the conventional signature-based type of AV companies are doing. And we're looking at our whole portfolio, from email all the way to network sensors, the whole nine yards. 

Rick Howard: So, Bryan, I really like the idea that instead of this military metaphor, that living security is really - it becomes part of the company. It becomes a part of their culture. It just becomes something they do as another function, as opposed to a specialized category of intelligence and attacks and all that kind of stuff. How has it been received by your customer base? Are they glomming on to the idea that that's a better way to think of the problem? 

Bryan Palma: I think so. Yeah. I've had conversations with probably over a hundred customers. And all those customers tell me, number one, they like the rebrand. They understand it. They understand our culture, our mission, where we're going. In general, they find it to be refreshing. Obviously, if you kind of put it side by side, to most in the industry, we're very different. They're also finding it very appropriate for the times we live in. Obviously, we saw over a year ago the issues with SolarWinds. Since then, we've seen Log4j. Now we have the Ukrainian crisis. We're seeing nation-states attack private companies. 

Bryan Palma: And our customers realize they have to be adaptable. They have to be flexible. It's not always going to be a fair fight. And the most important thing for them is to be able to engage in remediation and resiliency 'cause the reality is the attacks are going to happen. It's how you respond to those attacks. And I think the majority of our customers are focused on that. And they believe our living security platform will help them be more resilient. 

John Fokker: And I'd like to add to that, Bryan. 

Bryan Palma: Yeah. 

John Fokker: What really sets us apart is that we think with the customer. If you compare it to an organism, it's like, yeah, we can talk about threats and viruses and all that stuff, but that's very hostile. What we like to do is we would like to go on an architectural journey with the customer and think about constructing and how can they do their business in the best way while doing it secure. That's some of the things that I'm really excited about. 

John Fokker: It's not only, yeah, the reds and the shields and all that stuff. No, it's translating everything that happens in the world, making sure that they're protected with the right suite every single time. They don't have to worry as much about certain threats. We inform them on the right level and then make sure that they can do their business. We're like a safeguard to make sure that they can actually grow their own organization. 

Rick Howard: I'm glad that you brought that up, John, because XDR, called extended detection and response, was introduced as a concept back in 2018 by Palo Alto Networks as an extension to EDR services, or endpoint detection and response, that came out around 2013. And "the extension," quote-unquote, was that it didn't make sense just to run machine learning algorithms on endpoint telemetry when we knew that the adversaries had to string a series of actions together across the intrusion kill chain, both across the endpoints and across our networks. 

Rick Howard: But earlier in the show, Ted Wagner, the SAP CISO, and I were complaining about how security vendors in the XDR space have put the phrase XDR through the marketing meat grinder, where no two vendor XDR solutions are exactly the same. How do you guys approach that issue? 

Bryan Palma: I think, first of all, the first thing I would say to you is when we think about extended detection and response, we are seeing exactly what you're saying. Everybody's defining it a bit different. We believe, number one, you have to have an endpoint solution, as you talked about. It's an extension of EDR. It's the next phase of that. So I don't think you're credible if you don't have an endpoint. The second piece we find is very important is to have a security operations capability with some degree of SIEM and SOAR to be able to bring together these threats. For us at Trellix, we also have a number of native components. We have data loss prevention. We have network sandboxing. We have network IPS. We have CASB. So we have a number of different technologies that we natively bring in. However, we're also open. I think that's the third criteria of a strong XDR, is the ability to be open and ingest technologies from across the capabilities matrix. So for us, that means our security operations tool, Helix, is able to ingest over 600 security technologies and do exactly what you talked about - look across the intrusion kill chain and bring together sources from email, sources from network, sources from the endpoint, and be able to help our customers do what we call guided investigations. 

John Fokker: You know, a lot of vendors say they view as XDR, and like you said, Rick, everybody has their different view. And what I love about Trellix, the merger of our two companies, is that we have such a broad portfolio, we cover almost all of the sensors that there are. And I have the honorable job to make sense of the threats and then translate it. OK, but how does this translate to the sensors? How does the customer - can be actually guided through this, that they understand how they can improve their security posture? 

John Fokker: So there's certain things, I think, we're going to launch not too far from now and that go far beyond just updating your endpoint to the latest dat (ph). It integrates with your native controls within your operating system to setting your own sensors, your EDR solution or all the network sensors that you have to the best situation, either before an attack, when you're in relatively easy waters, or even during attack. And we're also thinking after an attack, when you actually need to do some consolidation and maybe need to evaluate all the measures that you took. 

Rick Howard: The thing I really like about XDR is that it's API-driven. I mean, you're right, each vendor of an XDR service might have their own services they offer that you buy and install. But I think the beauty of it is what you were talking about, is that you can connect to anything in your security stack. If you have a good XDR service, then you can connect to whatever tool you decided was important at the time and still collect that telemetry and then use the XDR meta-layer to do the machine learning and do the analysis of whatever data they were collecting. I really like that. When you hear the arguments in the industry, though, is that it sounds a lot like what a SIEM does or what SOAR does. And so I wanted - one of you guys want to take a shot at explaining the difference between what an XDR does for you, compared to those other tools? 

Bryan Palma: I mean, I think, No. 1, it's a combination. So No. 1, we want to make sure - which I know I hear from a lot of customers, Rick, is that we're evolving the industry. We're not making the tools that you have, you know, useless. We're bringing it along. So I think it's really that next layer. How do you get the efficiency out of it? I talked a lot about guided investigation. How do you leverage the data coming from your SIEM, coming from your SOAR, maybe coming from other data sources as well? Pull that together to help your analysts be more focused and also be more efficient. So it's about being effective and efficient. We think that's really the power of XDR. As you said, a big part of it is API, but it's also the content that you have behind it. So while we can ingest lots of different tools, we also have natively over a billion of our own sensors out there. So I feel like our content that we can help people with and we can balance our machine learning up against for guided investigation is second to none. 

John Fokker: What I often see with SIEMs is that you only have a limited amount of data storage as a company. Our approach is a bit different. So we collect a lot of data from multiple companies over multiple years. And the guided investigations that Bryan talked about, we develop these, so we can actually leverage a lot of things and present that to the customer. They might not have experienced it in their SIEM yet, or they might not have enough correlation that they will see it, but we'll give that back to them on top of the layer. So we can define better signals through the whole bunch of noise for them and basically take a lot of the heavy lifting from their shoulders. 

Rick Howard: Many security practitioners these days are talking about SASE, or secure access service edge, as a future way to architect their security stack. I know you guys are a brand-new company, but is SASE somewhere on your road map? 

Bryan Palma: You hit it. The two most important markets right now in cybersecurity are around XDR and then SASE - some like to call it SSE - at the edge. 

Rick Howard: I like SASE 'cause of the way it sounds (laughter). 

Bryan Palma: All right, we'll stick with SASE, Rick. I like it. It does sound better than SSE. So if we stick with SASE, then, you know, I think we have - obviously an important part of what we're doing is the work we're doing with our sister company, Skyhigh Security, and the work they do around CASB and also around secure web gateway. So those two technologies are natively embedded into our XDR platform. And we think, to your point, that at the edge and dealing with the cloud is going to be a really important horizon for us in cybersecurity. 

Rick Howard: Excellent and great stuff, guys. But we're running out of time. We're going to leave it there. So I'd just like to thank Bryan Palma, the CEO of Trellix, and John Fokker, the head of cyber investigations at Trellix. Guys, thanks for coming on the show. 

Rick Howard: And that's a wrap. We'd like to thank Ted Wagner, the SAP National Security Services CISO, Bryan Palma, the Trellix CEO, and John Fokker, the Trellix head of cyber investigations, for helping us gain a bit more clarity about XDR. And a special thanks to Trellix for sponsoring this show. CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they are co-building the next generation of cybersecurity startups and technologies. Our senior producer is Jennifer Eiben. Our executive producer is Peter Kilpe. And I am Rick Howard signing off. Thanks for listening.