Part three of a three-part series - A SOAPA Discussion on EDR and XDR With Jon Oltsik and Dave Gruber
Watch more in this series:
- SOAPA Discussion on EDR and XDR With Jon Oltsik and Dave Gruber Part 1
- SOAPA Discussion on EDR and XDR With Jon Oltsik and Dave Gruber Part 2
Jon: I'm joined again by Dave Gruber, my colleague, to talk about SOAPA and XDR. Dave, welcome back.
Dave: Thanks, Jon. Good to be here again.
Jon: Security technologies have forever been very heterogeneous, especially in the large enterprises that we tend to cover, so XDR kind of poses a proprietary solution there. How does that work? How are we going to rectify, or get around the fact that most of the security controls are heterogeneous, and now we're trying to push a homogeneous solution in?
Dave: So, here's how I think about this. There's an opportunity for organizations to begin to assemble one or more pieces. So, if we take the typical security stack, it includes a lot of security controls. When you can put two together, three together, four together, five together, you begin to simplify the process, you begin to see more, begin to get more clarity. It's not a rip-and-replace mindset with this thing.
I think the way you have to think about it is, "Where can I start? How can I add value by beginning to stitch together one, two, three, four, five controls?" As you bring that telemetry together, the picture gets clearer. Imagine a lens on a camera, and you're turning the focus ring, and you're bringing more and more clarity, and that clarity is simply coming from more automation, more correlation, and, in the end, less time spent by the analyst having to do that in their own mind. Little by little, the analyst gets more efficient, because the tool does more of the work.
Jon: Yeah, good answer. And, I mean, these tools have to be open, XDR has to be open, because people will consume them in phases. Now, the exception to that, I think, is smaller organizations, organizations with fewer security personnel, you know, maybe certain industries, like state and local government, academics, healthcare, where they have an acute need for detection and response improvement, so they may be able to throw out more technologies sooner rather than later.
Dave: Yeah, I mean, those are the organizations that you typically see that want more turnkey environments. And they're more apt to sort of single-source their security technology from a single vendor, so they're going to say, "Hey, give me everything that I need. Help me put the pieces together so I don't have to do that."
Jon: Yeah, to me, that's the sweet spot of the market, at least to start. Now, in the enterprise, XDR's going to have to coexist with SOC tools, so, threat intelligence platforms, SIEMs, SOAR platforms. How does that work, in your mind?
Dave: As every organization and security company tries to reduce the complexity in the environment, this drive to simplification, what we're doing is we're bringing together pieces of the equation, and then people are pushing them out as platforms. But, the truth is, no one's going to have a single platform. People are always going to live in this heterogeneous world, and they're going to have a collection of platforms.
Those platforms need to be able to communicate, and as you just said, they need to be open. And so, sort of one of the fundamentals when you're out selecting an XDR vendor: you needed to have an open mindset to build that open architecture. If you didn't build it that way, I think there's some risk here about trying to assemble the pieces and the parts.
Jon: Yeah, to me, the way those work together is, if you can get higher fidelity alerts, with a more accurate forensic timeline of what happened, and you can feed that into the SIEM and the SOAR, then your operations run smoother, because right now, the way you're doing that is piecing together the telemetry sort of piecemeal, or at least maybe on a runbook. But here, you're getting a lot of the primary data in a compact, already analyzed format, up to the operations platform, so that adds efficiency.
Dave: Yeah, you know how we often talk about security operations as a funnel, where the funnel's real big at the top, when all the telemetry comes in at the top, and you narrow it down as you correlate more and more data, and you understand incidents, and you prioritize, and eventually you determine your actions. Well, this closes the funnel a little bit. Instead of being a really wide funnel at the top, hopefully, this solution set helps close the top of the funnel up a little bit, and makes that process a little faster, and requires a little less effort.
Jon: So, final question, and I ask all my panelists, Dave, you're no exception, what do you think the future is for SOAPA, and in this case, you can extend that to XDR.
Dave: Well, the future of SOAPA, SOAPA as an architecture will continue to evolve, as solution vendors come up with new opportunity, new ideas, and I think that's what we all want out of good architectures. Architectures have a long life, and they evolve as opportunity comes to do things better or simpler. And then, when it comes to putting all these pieces together, whether XDR becomes a long-term solution set or a short-term opportunity here, I don't know yet, Jon.
I'd like to know whether XDR is going to have its place in SOAPA for the long haul, but I think, in the short term, it does create some new opportunity for organizations to gain some efficiency and some value. We'll see how it holds up over the long haul, though.
Jon: Yeah, and if the supply side is any indicator, we've got a lot of vendors chasing XDR. They've got deep resources, they can acquire companies where they need to, so it does look promising at this stage.
Dave: Yeah, that's why I've been pretty bullish on the whole concept of XDR, and not everybody has been, but boy, when I see the momentum behind it, that usually leads to good things.
Jon: Yeah, well, Dave, thank you so much for coming into my world and participating in the SOAPA video series. And for all you out there, please stay tuned. We'll have more remote SOAPA videos very soon.