Part one of a three part series - A SOAPA Discussion on EDR and XDR With Jon Oltsik and Dave Gruber
Jon: Welcome to the ESG SOAPA video series, and I've got a special guest today, my own colleague, Dave Gruber. Dave, welcome to my world, man.
Dave: Thanks, Jon. It's always great to hang out and chat.
Jon: Now, I've invited Dave for two reasons. One is because he comes from the EDR world, which is a very important component of SOAPA, and he and I are collaborating on something called XDR, which is very SOAPA-esque. Let's start at the beginning, Dave. Tell us about EDR and its place in security operations.
Dave: Yeah. So EDR has, over the last few years, grown up to be a pretty important tool in the security operations environment to investigate attacks or potential threats to organizations through the use of endpoint telemetry. And so, as EDR solutions have agents that are deployed on endpoints across an attack surface, we're able to capture lots of telemetry and understand exactly what's happening on endpoints and hopefully help the SOC stitch the attack together and also be able to respond to that.
That's the R in EDR, allowing people to both detect and also to respond.
Jon: In the spirit of SOAPA, what have you seen in terms of points of integration? So EDR plus what equals a solution?
Dave: Yeah. Well, EDR started out just looking at the endpoint. Turns out that when you can stitch together telemetry from other security controls, you start to see more clarity in the picture of what's happening. And network data, top of the list, gets associated with endpoint telemetry and allows you to see some aspects of the attacks that you wouldn't otherwise see.
Cloud data as well. As people move into cloud workloads, the adversary trying to get into more sensitive, critical data in business applications is often going to navigate from an endpoint across the infrastructure into the cloud environment and attempt to gain access to data that's there. And then we've seen connectivity to email data as well, for people that want to understand a little better what's happening throughout the organization, maybe post-delivery, what attacks might still linger in the environment as well.
So, yeah, lots of connectivity. I want to just sort of pivot there and say a little bit about SOAR and SIEM too. So in addition to that kind of, you know, what you bring together, then there's a pivot point also to then what you do, so the actions that you want to take, get connected into the operations tools.
Jon: Yeah. So lightning round, important or not important, I ask you, Dave Gruber. Important to integrate with threat intelligence.
Dave: Probably number one. Yeah, top of the list.
Jon: Number one, okay. Important to integrate with file sandboxing, file detonation.
Dave: Also very important along the way, but that happens more at the sort of core controls level. So I'll push that down on the list a little bit.
Jon: Okay. And then you said important SIEM, important SOAR.
Dave: Very important SIEM, for sure, because we've got to bring the pieces together, and it's not always easy to do that in the EDR tool by itself. SOAR, yeah, in a big way, got to gain access to playbooks and sort of repeatable actions and knowledge capture too.
Jon: And network telemetry too.
Dave: Yeah, right on, I've told you, like, top of the list for bringing control data together.
Jon: Well, it sure sounds like SOAPA to me, Dave, which is why you're here. So I appreciate that. And what does our research tell us about EDR? Are customers adopting it? Are they successful with it?
Dave: So while EDR was not widely adopted up until just the last 18 to 24 months, what we see now is more than half of the organizations say that they have EDR in place or are actively engaged in EDR projects, and another third on top of that say that they have plans coming soon. So EDR is mainstream now. Budgets are in place and people are ready to roll.
Jon: You know, one of my pet issues is the global cybersecurity skill shortage, and what I've heard for years is EDR is not for the faint of heart. It's a complex, very labor-intensive tool. So why would companies go with EDR versus just outsourcing or getting help from an MDR vendor?
Are those two things competitive?
Dave: Yeah, super important question. And so EDR does require some skills, and one of the knocks that it's had over the years is that it is a little complicated. A bunch of security vendors have been trying to simplify that process, and they've added more automation into the equation, they've stitched the data together better, simplifying sort of the response actions as well. But it still requires some skills there.
Therefore, lots of people have said, "You know what, I don't know that I have the skills. I need some help from a service provider. I'm going to get an MDR player in place." So managed detection and response service is super popular today. More than half of the organizations are utilizing some form of MDR service. It's not always just for skills, sometimes for coverage. So people have 7 by 24 coverage, it's a little hard to staff that as well. But, yeah, an important element.
Jon: Yeah, this is a great discussion. And EDR is an important component of SOAPA and the SOC. I totally agree. There is rich telemetry there. So let's talk about XDR in our next video, Dave. Can you stick around for that?
Dave: Yeah, I sure can.
Jon: Okay. We'll be back with part two of my SOAPA video with my esteemed colleague, Dave Gruber, really soon.