XDR may succeed but XDR vendors face deployment challenges and competition on several fronts.
My colleague Dave Gruber and I are all over this new concept called XDR. Just what is this new acronym all about? In a recent CSO Online blog, I defined XDR as:
An integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection, and response. XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.
Hmm, sounds interesting but is there a market for yet another type of security product?
ESG research certainly indicates that there is. For example:
- 76% of security professionals say that threat detection and response is more difficult today than it was 2 years ago. Why? Organizations must deal with the volume and sophistication of cyber-threats, an increasing cybersecurity workload, and a growing attack surface. Infosec pros also bemoan the fact that they still rely on manual processes and an army of point tools for threat detection and response.
- To address these issues, 82% of organizations are building a security technology architecture that integrates multiple products together. Furthermore, 77% of firms are actively consolidating the number of security technology vendors they do business with.
- Finally, 80% of organizations say they would be willing to spend the majority of their security technology budget with a single enterprise-class cybersecurity technology vendor, assuming it had a technology portfolio that met their requirements.
Now, in theory, XDR fits these issues and meets threat detection and response needs like a custom-made suit. Think of XDR as a modern SOC-in-a-box, designed to integrate controls, normalize telemetry, provide advanced analytics, and automate responses. In ESG terms, XDR qualifies as a security operations and analytics platform architecture (SOAPA).
Sound good? The industry clearly thinks so. Heavyweights like Broadcom (Symantec), Check Point, Cisco, FireEye, McAfee, Microsoft, Palo Alto Networks, Trend Micro, and VMware are gluing security controls together as quickly as they can to offer some form of XDR today. Likewise, EDR players like CrowdStrike, Cybereason, and SentinelOne start at the endpoint and partner for additional security technology coverage.
Yup, XDR seems like the real deal in theory and may succeed over time. That said, ol’ Dave and I see three BIG challenges ahead for this burgeoning market segment:
- The deployment challenge. Today’s security technology infrastructure is a potpourri of assorted “best-of-breed” point tools. As diverse as this sounds, it’s even worse: many organizations use multiple endpoint security software products, firewalls, IDPs, etc., from different vendors. These products were installed organically overtime, purchased using different budgets, and are operated by different individuals and teams. XDR’s ultimate value proposition assumes that organizations wipe the slate clean by replacing this mishmash with a suite of integrated but proprietary products. Few if any organizations will willingly jump into the XDR pool by “ripping and replacing” everything at once. Therefore, XDR vendors will need to convince CISOs of the strategic benefits of XDR and then work with them on phased deployment projects. XDR vendors will also have to persuade security staffers to give up their favorite point tool in favor of a longer-term vision of cybersecurity technology harmony.
All of this suggests that XDR must transform from transactional to strategic selling. Oh, and they will need to support customers by offering enhanced knowledge and skills around industry solutions, enterprise security architecture, and software customization. I can’t overstate what a big cultural change this is for customers and vendors alike.
- The SOC challenge. XDR kind of assumes that organizations either don’t have existing SOC technologies (i.e., SIEM, SOAR, threat intelligence platforms (TIPs), etc.) or that these systems are also ripe for replacement. This is probably a good assumption for mid-market and small enterprises but it’s not at all true for large enterprises. In fact, many large organizations have not only spent millions of dollars on SOC technologies, customization services, and employee training, but also have completely independent SOC technology integration projects that have nothing to do with underlying security controls like endpoint security software and firewalls.
Rather than step on the SOC, XDR vendors will have to figure out how to interoperate and enhance existing SOC technologies and processes. This is not innate knowledge for most security controls vendors who make up the bulk of the XDR market today.
- The MDR/MSSP challenge. With threat detection and response growing increasingly difficult, many organizations need help, not just the latest technology widget. ESG research indicates that 51% of organizations currently employ a managed detection and response (MDR) service while 27% have an active project to adopt MDR services. Now some organizations look to MDR service providers as outsourcers who take over everything, while others seek staff and skills augmentation. Either way, MDR providers will influence or assume full ownership of the underlying threat detection and response technology decisions. Heck, some service providers like Secureworks cover the whole enchilada, offering XDR technologies AND services.
Clearly, XDR vendors need to respond here by offering homegrown managed services or working with established MDR/MSSP.
There’s an obvious winning strategy here. XDR vendors must offer:
- An open architecture to interoperate with existing security controls.
- Strong project management, security architecture, and deployment services.
- Managed services.
- Solutions that can immediately improve the efficacy and efficiency of existing SOC technologies and processes.
If any XDR vendors can pull this off, I have no doubts they will be wildly successful.