ESG's Jon Oltsik discusses EDR, XDR, and how they relate to SOAPA with Sam Curry of Cybereason. This is Part 2
Jon: I'm Jon Oltsik, and I'm back with the CSO of Cybereason, who is also a visiting fellow at the National Security Institute, my friend, Sam Curry. Welcome, Sam.
Sam: Jon, thanks for having me.
Jon: So, Sam, there's this new buzz term in the industry, and my colleague Dave Gruber and I are really all over it. It's called XDR. Now, I've defined it for our clients, but I'm really interested to hear how you define it.
Sam: Well, I think in our last chat, we talked a bit about SOAPA and about the fundamental problem that I think security departments are trying to do with their cyber function. And I think XDR is taking EDR to the next level, or put another way, it's taking the whole kit and saying how do we do that job better. A lot of the emphasis is on the X, right? Things should be telemetry independent. But really, it's ingestion, having a lot of different types of ingestion, the platform behind it, and then the R, we can't underestimate it, and that these pieces have to work well and play nicely in a community and an ecosystem.
Jon: I agree with you. But one thing you didn't mention is analytics. And to me, the vendor that has the best analytics that can get to root cause, that can give you high fidelity alerts with a lot of forensic details is going to win. But what are your thoughts on analytics?
Sam: I don't love the acronym, by the way. I like the X, I like the R, the D bothers me a little because it's not about detection. It's not about turning the dial up to 11 and finding things. Instead, what we should think of is in the middle, how are you making data structures that are able to both store the right context with as little noise as possible? I don't care, for instance, about six failed logins in the cyber world, I do for compliance, but not for cyber.
I care about the successful login. I care about what happened before. I care what happened afterwards. I care about how these chains are formed. That's an analytics problem. And how I then make it queryable, so the mark one human being on the other end can ask natural intuitive questions and have them rendered in ways that are snappy, that's very human-centric.
And there's a problem with automation, by the way, by itself. First of all, with an adaptive opponent, you've always got to make sure it's still doing the job. And the second is it can be exploited against you. If somebody knows how you automate, and you're not checking under the hood, right, and you're not seeing how is this brought to me, how is noise filtered out, it can become a tool that's used by attackers. So, judicious automation and analytics, that's what's going to make XDR successful.
Jon: Okay, so I look at XDR, I say mid-market, small enterprise makes sense, maybe certain industries make sense. Large enterprises already have SOCs, they already have SIEMs. They already have threat intelligence platforms and SOAR. And so, one of the things I think the industry is struggling with is what is the top end of XDR, and how does that work with the SOC?
And I know you've written about this specifically. So, what are your thoughts there?
Sam: Well, I mean, if you go back, once upon a time, the big enterprises used to make all their own software for everything. They used to make their own ERP. They used to make their own databases. At some point, commercial solutions come along and say, "You shouldn't be doing that as part of your core business." And I think that whichever solutions break through and have success and show results, this is a business problem, right? What is the philosophy of those developing the solution in making it as usable and consumable by advanced users and simple?
If done right, this can help both the SMB and the enterprise well. And frankly, we should be able to uplevel the game of every analyst in the game. So, we don't have that huge gap in talent that everyone keeps talking about.
Jon: Yeah. So, what I hear you saying is the design point should be around the processes in the humans and then let the technology fulfill their needs?
Sam: Absolutely. I think we need to send a lot more engineering cycles dedicated in each security department on making the average blue teamer much more effective. I have a pet peeve when people say, "I had a great policy, the problem was the user." That's not a good policy. Likewise, simply coming up with a reference architecture and saying figure it out.
You should be a great networking person and a systems internals person and a crypto person and keep going means that we're going to be looking for special snowflakes as analysts for decades. Instead, we should make it approachable and widen the net for what we consider as starting conditions and an easier journey to get to true excellence.
Jon: Now, along those lines, I know that Cybereason has this concept called the ASOC, the automated SOC. And so, that certainly, when I looked at SOAPA, that was sort of my end goal. So, tell me what you're thinking of there.
Sam: The ASOC, we sometimes refer to it more as like an autonomous SOC. I don't want to say that the SOC is just like a plug and play automated thing. What we want to do is to have kind of a SecOps revolution that's a little bit like DevOps. We want to be able to say that it is democratizing and that the loop between what somebody needs as a tool or an applet in order to do the job isn't found in having to go over to the engineer and do the scripting or spend hours in figuring how to ask the question.
We want to create a bus and we want to create a data platform that's much more intuitive and lets people do their own innovation and creativity. Let's make it simpler for people to say, "Oh, this is what I'm looking for," and there it is. Less tool focus, more task focus.
Jon: Okay, Sam, real quick to finish up, the future of SOAPA, what do you think?
Sam: I think SOAPA is describing what the goal of the entire cyber operation is. So, regardless of what acronyms emerge now, or in the future, that's the mission. And, you know, it's funny in a lot of IT, we talk about the tendency to suites versus best-of-breed.
In most industries where suites have dominated, it's because these things have become a commodity. And in cyber, we're still trying to get to the point where we can catch the bad guys more than they win, and where we win more. And I think as long as that's true, we're constantly going to see new engines emerge that are better detection engines somewhere. And what we've got to do is create an infrastructure to hang them on and enjoy the benefits of improved efficiency over time.
So, SOAPA is the problem and the goal that all of these architectures are supposed to serve. That's not going anywhere until one day it is all a suite and it is all one you rack-mounted as we discussed previously.
Jon: Well, Sam, thank you and I must say, you answer questions like a CSO or a CISO not like a...
Sam: Too long-winded.
Jon: ...someone who's down in the weeds. I appreciate your time, Sam. Thanks again for watching, and we'll be back with another SOAPA video soon.
Sam: Thank you, Jon.