Extended Detection and Response, or XDR for short, is one of the acronyms increasingly used by cybersecurity vendors to explain their approach to solving the cybersecurity problem. We have been spending trillions of dollars on approaches to secure our systems and data, with what success? Cybersecurity is still one of the biggest and most challenging areas that companies, small and large, are dealing with. XDR is another vendor-driven approach to solving this problem. The challenge is that every vendor defines XDR slightly differently and makes it fit their own “challenge du jour” for marketing and selling their products.
In this presentation we will demystify the XDR acronym and put a working model behind it. Together, we will explore why XDR is a fabulous concept, but also discover that it is nothing revolutionary or new. With an MSP lens, we will explore what the XDR benefits are for small and medium businesses and what it means to the security strategy of both MSPs and their clients. The audience will leave with a clear understanding of what XDR is, how the technology matters to them, and how XDR will ultimately help them secure their customers and enable trusted commerce.
Extended Detection and Response (XDR): An Overhyped Product Category With Ultimate Security Potential
1. Extended Detection and Response (XDR)
An Overhyped Product Category With Ultimate Security Potential
Raffael Marty
General Manager Cybersecurity, ConnectWise
3/31/22
2. Raffael Marty
General Manager
Cybersecurity @ ConnectWise
Professional:
• Based in Austin, TX
• General Manager Cybersecurity @ ConnectWise
• Chief Research and Intelligence Officer @ Forcepoint
• Head of Security Analytics @ Sophos
• Founder @ Loggly – the first logging as a service platform
• Chief Security Strategist @ Splunk
• Head of Content @ ArcSight
Other:
• Investor and Advisory
• LED Tinkerer
• Zen Student
3. • What You Should Know About XDR
• The Cybersecurity Challenge
• The Cyber Defense Matrix
• The MSP Product Landscape
• What’s XDR?
• What does XDR mean for MSPs?
Extended Detection and Response (XDR)
4. • There is too much hype around XDR
• Extended Detection and Response (XDR) is here to stay
• No two vendors define XDR the same way
• The XDR “concepts” have a lot of potential and you should understand them
What You Should Know About XDR
6. Introducing the Cyber Defense Matrix
Columns (functions): Identify, Protect, Detect, Respond, Recover
Rows (asset classes): Devices, Applications, Networks, Data, Users
7. Product Categories in the Matrix
Devices
  Identify: Asset Mgmt, Vuln Mgmt, Certificate Mgmt
  Protect: AV, EPP, FIM, HIPS, Whitelisting, Patch Mgmt, Email security
  Detect: EPP, UEBA, SIEM
  Respond: EP Response, EP Forensics
  Recover: IR
Applications
  Identify: SAST, DAST, SW Asset Mgmt, Fuzzers, CASB
  Protect: RASP, WAF, ZT App Access, CASB, SSPM
  Detect: Source Code Compromise, App IDS, SIEM, CASB, SSPM
  Respond: SSPM
  Recover: IR
Networks
  Identify: Netflow, Network Discovery, Vuln Mgmt
  Protect: FW, IPS, UTM, Microseg, ESG, SWG, SASE, ZTNA, DNS, VPN
  Detect: DDoS Detection, Net Traffic Analysis, UEBA, SIEM, DNS
  Respond: DDoS Response, NW Forensics, SASE
  Recover: IR
Data
  Identify: Data Discovery, Classification
  Protect: Encryption, Tokenization, DLP, DRM, DBAM, Email security
  Detect: Dark Web Scanning, Data Behavior Analytics, SIEM
  Respond: DRM, Breach Response
  Recover: Backup
Users
  Identify: IAM, Background Chk, MFA
  Protect: Security Awareness Training, MFA
  Detect: Insider Threat, UEBA, SIEM
• Not one product covers all areas – one needs multiple solutions to get comprehensive security coverage
8. Where We Are (SMBs)
Devices
  Identify: Excel
  Protect: EDR
  Detect: EDR
  Respond: EDR
Applications
  (no coverage)
Networks
  Protect: FW, IPS, VPN
  Detect: IDS
Data
  Protect: Encryption
  Recover: Backup
Users
  Identify: MFA
  Protect: MFA, Security Awareness Training
8 products / solutions
Legend: Partial Coverage / Good Coverage / $10T Security Gap
9. • Based on risk, extend necessary capabilities (leverage an assessment tool)
• Implement asset (and application) inventory
• Are cloud workloads protected?
• Are SaaS applications protected?
• Deploy patch management (70% of all breaches happen to unpatched machines) – don’t forget your IoT devices (and your NAS)
• Business Email Compromise (BEC) is still one of the top attack vectors
• Be prepared for the inevitable (Incident Readiness)
That’s Not Good Enough
10. Where SMBs Should Be
Devices
  Identify: Asset Inventory (or Vuln Mgmt)
  Protect: EDR, Patch Mgmt, Email Security
  Detect: EDR, Email Security
  Respond: EDR
  Recover: IR
Applications
  Identify: Application Inventory (or Vuln Mgmt)
  Protect: CASB, SSPM
  Detect: CASB, SSPM
  Respond: SSPM
  Recover: IR
Networks
  Identify: Vulnerability Mgmt
  Protect: FW, IPS, VPN
  Detect: IDS
  Recover: IR
Data
  Protect: Encryption, Email Security
  Detect: DarkWeb Scanning
  Recover: Backup
Users
  Identify: MFA
  Protect: SAT, MFA / SSO
15 products / solutions
New Additions (callouts on the slide):
• All operating systems
• On-prem, cloud, IoT
• On-prem and SaaS
• Covering BYOD
• Dealing with alert monitoring and false positives
• What data?
• MFA across all applications (on-prem, cloud, SaaS)
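The coverage exercise on the two matrix slides above (“Where We Are” and “Where SMBs Should Be”), as an added Python example that is not part of the deck: it encodes each product’s matrix cells as read off those slides (my reading places IR in Recover and MFA in both Identify and Protect), then lists the empty cells and what each recommended addition newly closes.

```python
# Added example (constructed, not the deck's code): map an SMB product stack onto the Cyber Defense Matrix.
from itertools import product

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
ASSETS = ("Devices", "Applications", "Networks", "Data", "Users")
ALL_CELLS = frozenset(product(ASSETS, FUNCTIONS))  # the 25 cells of the matrix

# Product -> cells it occupies, as read off the "Where We Are" and "Should Be" slides (assumed reading).
COVERS = {
    "Excel": {("Devices", "Identify")},
    "EDR": {("Devices", "Protect"), ("Devices", "Detect"), ("Devices", "Respond")},
    "FW/IPS/VPN": {("Networks", "Protect")},
    "IDS": {("Networks", "Detect")},
    "Encryption": {("Data", "Protect")},
    "Backup": {("Data", "Recover")},
    "MFA": {("Users", "Identify"), ("Users", "Protect")},
    "SAT": {("Users", "Protect")},
    "Asset Inventory": {("Devices", "Identify")},
    "Patch Mgmt": {("Devices", "Protect")},
    "Email Security": {("Devices", "Protect"), ("Devices", "Detect"), ("Data", "Protect")},
    "App Inventory": {("Applications", "Identify")},
    "CASB": {("Applications", "Protect"), ("Applications", "Detect")},
    "SSPM": {("Applications", "Protect"), ("Applications", "Detect"), ("Applications", "Respond")},
    "Vuln Mgmt": {("Networks", "Identify")},
    "Dark Web Scanning": {("Data", "Detect")},
    "IR": {("Devices", "Recover"), ("Applications", "Recover"), ("Networks", "Recover")},
    "SSO": {("Users", "Protect")},
}

CURRENT_STACK = ["Excel", "EDR", "FW/IPS/VPN", "IDS", "Encryption", "Backup", "MFA", "SAT"]
TARGET_STACK = [p for p in CURRENT_STACK if p != "Excel"] + ["Asset Inventory", "Patch Mgmt",
    "Email Security", "App Inventory", "CASB", "SSPM", "Vuln Mgmt", "Dark Web Scanning", "IR", "SSO"]

def covered(stack):
    """Union of the matrix cells occupied by the products in `stack`."""
    return set().union(*(COVERS[p] for p in stack))

def gaps(stack):
    """Cells of the matrix that no product in `stack` occupies."""
    return sorted(ALL_CELLS - covered(stack))

def upgrade_plan(current, target):
    """Products in `target` missing from `current`, each with the cells it newly closes;
    an empty list means it only deepens an already occupied cell (coverage, not quality)."""
    have, plan = covered(current), {}
    for p in target:
        if p not in current:
            plan[p] = sorted(COVERS[p] - have)
            have |= COVERS[p]
    return plan
```

Running `gaps(CURRENT_STACK)` reproduces the empty Applications row of the “Where We Are” slide, while `upgrade_plan` shows that Patch Mgmt and Email Security open no new cell, which is exactly the “coverage vs. interplay” limitation the deck raises next.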
11. Further capabilities not covered in the matrix:
• Orchestrate remediation and response [includes SOAR]
• Conditional access, step up auth, zero trust
• Risk-based analytics engine [includes UEBA]
• Common policy and workflow engine (enforce across any channel)
• Alert triage with enriched alerts and incidents in a single pane of glass
• Threat intelligence across channels
Shortcomings of the Cyber Defense Matrix: ‘coverage’ vs. ‘interplay’
12. SIEM and MDR
Security Information and Event Management (SIEM)
• Provides a single console to see across multiple point solutions
• Supports other use-cases, such as compliance reporting or assisting in incident response scenarios
• No response capability
13. SIEM and MDR
Managed Detection and Response (MDR)
• Outsources the ability to stay up to date on the latest threats
• Running your own SOC is expensive
• Provides 24x7 monitoring
• Provides basic response
• Often lacks full response capability
• Generally lacks data and user security
14. A New Concept - What Is XDR?
EDR++ vs SIEM++
(Two Cyber Defense Matrix grids side by side; rows Devices, Applications, Networks, Data, Users; columns Identify, Protect, Detect, Respond, Recover.)
15. The XDR Platform
Diagram components: XDR Platform (cloud based); Multi-vendor Product Ecosystem; Detection; Response; Multi-channel Threat Intelligence; Policy.
Driving Outcomes – The Right Way to Invest in Security
• Decreased mean time to detection and response (MTTD and MTTR)
• Operationalize manual steps into automated actions
• Superior protection and detection (higher accuracy)
• Move left of boom
• Improve efficacy of entire product ecosystem
• Decreased deployment complexity
16. XDR – Intelligence and Orchestration
Extended Detection and Response (XDR)
• Bi-directional information flow
• Automated response and remediation
• Central policy
• Risk centric
• Drive zero trust and left of boom detections
vs.
Security Information and Event Management (SIEM)
• Threat detection use-cases
• Threat hunting
• Compliance reporting
• Event centric
• Long term storage
• Needs point products to provide data and execute actions
• Unfortunately not what you get from XDR vendors today…
17. Point Products
• You need individual products
• Find products that cover multiple areas
• Get a handle on inventory of devices and applications
XDR
• Do not let the XDR vendors fool you
• If you are just starting out, start with MDR
• Find a vendor that has a vision you can understand and matches your path
• Plot a path to zero trust data access
• Can your XDR provider match your existing processes (e.g., via your RMM)?
Process
• Find a vendor that meets you where you are and matches your growth strategy (DIY, DWY, DFY)
• Work with a vendor that offers products, education, and coaching
• Be incident ready and please, have backups
Next Steps on Your XDR Journey
18. Grow your cybersecurity practice
June 6-8, 2022
Gaylord Palms Resort & Convention Center | Orlando
theitnation.com/secure