ESG's Jon Oltsik discusses EDR, XDR, and how they relate to SOAPA with Sam Curry of Cybereason. This is Part 1.
Jon: Welcome to another SOAPA video. I'm Jon Oltsik, and I'm here with my old friend, Sam Curry, who is the CSO at Cybereason, and a visiting fellow at the National Security Institute. So, welcome, Sam.
Sam: Thanks, Jon. It's good to be with you.
Jon: Great to have you. And you and I have been talking about this for years. So, let's start with something that's near and dear to me, SOAPA, and something you're doing now with EDR. So, how does EDR fit into SOAPA?
Sam: So, I think the way to answer that is to say, "What's the main problem for the users?" Those that have to deploy a SOAPA solution, or my customers, in other words. And the answer is our job is actually to stop the intelligent opponent. And they're adaptive. They will get around prevention, they will find ways to get into our networks, and so the security department is supposed to stop those attackers, more reliably, sooner, more completely.
Not detect them, but actually stop them, and that's a combination of all the things you talk about in SOAPA.
Jon: And part of that process, then, is integrating with other existing technologies, to accelerate the stopping of bad guys. So, in that light, what types of technologies are your customers asking Cybereason to integrate with today, and do you anticipate anything changing?
Sam: Yeah, I mean, the most important thing is they wanna find the signal, and make it actionable. We want to make systems that stop the bad guys more completely. The expectation right now is that they have victory. They can try many times and just get it right once. Good SOAPA, regardless of the components you put together, should have the reverse effect.
You should expect to win in defense. And we can dive into what the various pieces are, but there's a lot of things that make up, as you know well, the SOAPA architecture.
Jon: So, one of the things I'm hearing... I'm working with my colleague Dave Gruber a lot on XDR. And so, one of the things we're hearing that's a knock on EDR is, "Well, EDR can see discrete events, but it really can't track an attack across the kill chain." You and I have talked, and I believe Cybereason can do that. So, can you talk about that a little bit?
Sam: Yeah, so let's talk about the two flavors of EDR. There's EDR that goes looking for known bad. Think of it as EPP plus, or whatever acronym we choose for that, the prevention layer, done a little better, looking for some new things. But ultimately, well-done EDR is a behavioral tracker. There are actual things out there that bad guys are doing, and good people, too. And what we wanna do is to have a system of record that keeps track of those behaviors.
What are the sequences? And say, "Let's find the pathways," by many different techniques, to describe that. Now, EDR was effective because it really went after the most important telemetry, not the only telemetry, that it went after what's happening on the endpoint. Some do it well, and some do it less than well. And what should be happening is on the back end, a data structure should be emerging, without the noise of the SIEM.
Look, I was in the SIEM wars, and partly responsible for them to some extent. Apologies to folks. But, that was the bit bucket we threw data in for decades. And it said, "You know what? We'll sort it out after," for every security use case. But the cyber ones take a back seat to perhaps compliance, or reporting. EDR stepped up and said, "No, no, no, no, no. Job one is finding the bad guy." By the way, so too did NBAD, or NTA. So too did things like UEBA, in its day. And that's what's so interesting about our industry. We're constantly finding new ways of finding the signal in the noise. The great thing, I think, if you approach SOAPA from this perspective, is that the job is to find that, and make that signal actionable.
Jon: Okay, so, here's what I'm hearing from a lot of customers, is, "I wanna do a better job of detecting and responding to threats. I don't know where to start. I have the networking guys, I'm getting EDR sort of through the back door now, because it's bundled in with EPP. I've got threat intelligence."
So, when your customers are asking these things, how do you tell them... Where do you start, and how do you proceed?
Sam: Really what we wanna do is say, "What are the results that we wanna get?" And that is, finding things, processing them, and then resolving them and learning from that. And one of the great things about, say, SOAPA approaches, however you cast it, and whatever is shaping up as major components of SOAPA, is it's about how we coordinate the humans. Because there's intelligence in security, in cyber.
It's carbon-based, it's not silicon. There are roles for the silicon, and there are roles for the carbon-based, and if you can get those numbers right, you can tune, and you can improve. So, one of the ones that I use as CSO is, I say, "How many systems per analyst do I have?" And I started, by the way, in the early days of 10,000 to 20,000 systems per analyst. Now I'm over 200,000. So I can ratchet up quality, and scale, and I can get my humans doing more valuable things.
That's where you wanna get to. Of course, there are dangers in automation, which we can discuss, but the results are the things that drive it. Now, how do you get there? There's lots of ways to build a reference architecture or a SOAPA architecture. But you should be hiring and firing people on how well they contribute to that whole, and that requires a whole bunch of things, like being able to interoperate with each other, and share more than just syslog back and forth, for instance.
Jon: We're just getting started, Sam, so can you stick around for part two?
Sam: I absolutely can.