Detection and Response
An expert discussion on XDR
Discover why industry veteran and former Gartner analyst, Greg Young, believes that XDR is the most exciting thing that has happened in cybersecurity in the last 20 years.
As new security tools and acronyms crop up, one stands above the rest. Greg Young, vice president of cybersecurity at Trend Micro and former Gartner analyst, tags XDR as the most exciting security advancement in the last 20 years. Explore why the industry veteran believes XDR and cybersecurity platforms can finally deliver on the promise of “better together.”
Platform vs. point products
Time is of the essence in cybersecurity: you need comprehensive visibility across your entire ecosystem, and you need it quickly. Siloed point products, especially when e-mail (the most exploited attack vector) is handled separately from the rest of the stack, are more of a hindrance than a help. Using a platform with connected capabilities that provide visibility across multiple security layers is ideal, but like anything worthwhile, you need to choose carefully.
Integration
Upgrading your security strategy and tooling does not have to be complex or time-consuming. Choosing a vendor whose platform integrates with your overall ecosystem, with that vendor's other solutions, and with third-party products can improve your security posture without major interruptions to downstream workflows.
1+1 should equal 3
When choosing a platform, make sure it goes beyond what you already have in place. Swapping out point products just to receive more false-positive alerts isn't worth it. Select a platform with XDR capabilities that do more than collect data: it should correlate that data into actionable alerts that can be accessed and viewed from one console, so you can respond to and remediate threats faster.
If your security team is understaffed or already stretched thin, consider a platform with managed service support for XDR, so you don’t have to sacrifice robust detection and response due to a shortage of resources.
For additional insights on the value of XDR and cybersecurity platforms, watch Head-to-Head: Security Platform vs. Point Products.
Transcript
Lori Smith: Hi everyone. It's such a pleasure to be here. I’m Lori Smith and I’m part of the Global Product Marketing team here at Trend Micro. I'm managing the Trend Micro Vision One product marketing, and I'm delighted to have Greg Young with me.
Greg Young: Hi, I'm Greg Young. I'm Trend Micro's vice president of cybersecurity. 33 years in cybersecurity and still going, and really happy to be here with Lori today.
Lori: We're talking today about all things XDR, and Greg, I was very interested… I've listened to a podcast that you did recently where you mentioned that XDR was one of the most exciting things that's happened in the security industry in the last 20 or so years, which I find fascinating because we have been through a lot with this industry and certainly seen a lot as a former Gartner analyst. I am definitely interested in hearing your thoughts on how XDR is establishing itself.
Greg: In this funny business we're in, there's a couple of times where there's a lot of incremental changes, but once in a while we get this really big sort of dot zero changes in the business. And personally I believe this is one of them.
Lori: Yes. And I mean, the thing is, with the emergence of a new space or new technology, there's no one way necessarily that you're seeing providers deliver it or companies adopt it. We're seeing a lot of different flavors of XDR. What are you seeing as the different approaches that people can take?
Greg: Yeah, you’re absolutely right. There's a number of ways to get here. There's not just sort of the one path or you just buy five pounds of XDR and away you go. But first of all, I challenge you and ask you what XDR stands for.
Lori: That's fair. Definitely, just as there's different flavors, there's different definitions out there too. Here at Trend Micro, we define it as extended detection and response. It's really about providing that holistic detection and response capability across the multiple security factors or layers.
Greg: Right. That's a great description. You’ve given a fantastic description. The paths… there’s really three.
I think one really interesting one is where you have EDR already, and you're taking all that telemetry that you have very narrow to the endpoint. And you're saying: hey, I need more of this deep sort of amount of information and telemetry and data I'm getting from the endpoints, but I want more from the rest of the business. Why can't I have this everywhere? That's kind of number one. And that's a very common one because a lot of organizations have already had the capability to pull that kind of information and utilize it effectively. They're good candidates for that.
The second one is where you already have a lot of different collectors out there from point products and you're going to do a best of breed integration for those. You're going to say: great, I have a whole bunch of these things. I'm going to pull a bunch of information, but I need something to make sense of that information. It's not just good enough for me to have to do it with my operators. This best of breed integration really describes a lot of SOCs we see today, or security ops centers, where they have all these great tools and who has to be the integrator? People. And that's not the resource that we want to be doing.
Lori: Then of course, a third way is the platform approach, which is what Trend Micro is doing. And so, as you said, there was a lot of talk, when you talk about XDR, about connecting more data sources or ingesting more data sources as a way to enrich endpoint telemetry and EDR protections.
But the ability to serve the customer need is really dependent on being able to offer a full depth of detection, investigation, and response capabilities to the other layers. When it comes to diving deep into the problem, taking actions to respond, that can't be siloed, that too needs to be part of that XDR equation.
It's not about just delivering that unified data layer, but a unified platform for all of the detection and response capabilities and beyond, right? It's about capitalizing on that power of the platform to provide added value and benefits. Really leveraging the data that's being pulled in to offer new insight and new use cases and scale and expand over time to become a broader threat defense platform.
Greg: Yeah, so designed for it from the bottom up. That's interesting.
Lori: Exactly. Right. I think the platform can help address that complexity issue that's so prevalent in the security environment. The solutions that don't mix and match become complex, and we know that that can have pretty significant impacts. What have you seen, sort of, as the impact of complexity on an organization's security posture?
Greg: Complexity is the frenemy of security. It's the friend of it because we want security to be able to help resolve it. It's our enemy though, because it can cause problems, like all the stuff we have littered today, like, all of the acronyms everywhere. And the ones in blue, we made up by the way just to kind of demonstrate the landscape we’re in.
Endpoint protection platforms, endpoint detection and response, deep telemetry at the endpoint, managed detection and response where you get help to do it, and XDR is that level of depth across many platforms, security information and event management (SIEM) as well. This is the kind of stuff that we want to pull together and have less complexity, but we don't want just a bunch of data thrown at us. We don't want more alerts; that is not what our customers and people out there are looking for… What they want is, yes, we want more data, but we want good information. We want to resolve [issues], then we should be able to get that from advanced tools. We keep hearing about AI and ML, but hey, where's the payoff? Why aren't we getting help with all this data?
Lori: With all of them sort of multiple solutions pulling data, you're still missing what's in between. And we know that the attackers really love to live in between those silos.
Greg: Absolutely. Yeah. We've gotten to the situation where we have really deep information on a few spots, and the bad guys know that we have these blind spots, or places that we don't have great information about: unmanaged endpoints or unsanctioned applications… Those are places.
In fact, one of the biggest blind spots is email. It's being kept as a separate silo. SOC operators are constantly asked to tab back and forth between the email security system and all the other great tools they have and try to, they have to meld them themselves or make the correlation themselves. That's not required because almost all the attacks today have an email vector to them, like more than 95%. These blind spots are getting more so and the bad guys know it.
Lori: We say platform, but what does that actually mean? What does a platform entail? Because we've been talking about platforms, and the industry has been promising platforms for a while.
Greg: Yes. We've been promised jetpacks and platforms. The term platform has been sadly, sadly abused and yes, both of us are wearing those shoes right now. Oh, you can't see them.
What they started out saying: hey, buy all our stuff. Right. That was kind of one of the proposals out in the market. If you buy all our stuff, it's going to work great. Well, that's not okay, because enterprises today are complex places and you're going to have different stuff, and it's not good enough to say that you have to swap it all out. That's not acceptable in any reasonable timeframe.
There's also the problem that one plus one should equal three… That if you're buying two things that are giving good information, what you get out of that should be more valuable than just twice the alerts. And a lot of the API programs are saying: yes, you can integrate with our product, but you have to sign up to a program. But as a customer, I can't navigate all my vendors and force them to work together that way, or all the products, and especially open source stuff I have.
In the same way, the APIs have been very narrow. But the goal should be now, instead of limiting the information, it should be: let's pull all the information and I can have it available, especially when we're not sure if it's going to be security relevant today, maybe security relevant tomorrow.
Lori: With Trend Micro, the platform approach… What differentiates a platform is really in its architecture. I think there's a few things that make a platform architecture important, particularly for XDR, there are fundamental differences to effectively ingesting and analyzing and enacting on the data across multiple security layers, right? The data needs are different. The investigation views and actions are different depending on what source you're talking about, the response options are different and the list goes on. And so having a purpose-built [platform] or that's designed with that in mind to accommodate that and enable that is really important.
Also, just in terms of the development… the [Trend Micro] Vision One platform is composed of a dashboard and then multiple apps. So each app provides a certain capability for the platform. This app approach really enables agile development practices. We've seen that since introducing [it], and the amount of features and functions and just how that platform has developed. We really embraced that DevOps model and the way the solution is architected enables that.
As you were talking about, the third thing is the integration piece of it, right? For us, there's integration across the native security stack and the third-party solutions. And we do believe that leveraging the native security stack has significant advantages. Pulling from a vendor's native security stack allows sort of an unmatched depth of integration and interaction between the components that is really impossible otherwise. Having said that, as you said, third-party integrations are extremely important as a means to fit within the ecosystem and the workflows and really be able to capitalize on that broader.
Greg: Yeah. What you just said is core to what XDR is. How many times have you walked into a SOC and they say: well, if only your product also worked with our X. So they have other stuff and it was never forecast. It may be a product from a different region of the world or something, and it was never forecast, or something new that's very important to them and they want to integrate it.
In the past, a lot of security response and investigation tools were designed around the function first and the caring and third-party integration was going to be secondary. But this XDR and [Trend Micro] Vision One… It’s really flipped the script by saying: there's an unknown amount of things we're going to collect, but we're going to be able to collect it and make sense of it no matter what. It's really kind of been turned upside down for that.
Lori: Greg, it's great to talk about sort of how our platforms architected and all of that, but ultimately what's important is what is the value we're delivering or XDR can deliver to the customer.
Greg: I think the biggest value is going to be time to detection and time to response. Having this large data lake of information and acting in cooperation with your SIEM, for example, you can see things more quickly and you're getting assistance in finding the relevant events without having to kind of hunt down sort of nebulous things and follow them.
What we've learned from the MITRE ATT&CK Framework is that the bad guys will attack using lateral movement. And they will come in just kind of stable a lot of the detection thresholds that we have. We need new ways to find them. And this is what MITRE has been great about telling us is that they're going to be low and slow, they're going to be stealthy, they’re going to leave very few breadcrumbs, and we just can't be left to find these accidentally. We should be able to find these really quickly. MITRE has been good for that. But the other thing is that a lot of organizations follow MITRE in their security operation centers.
Lori: With the adoption of MITRE, from a product perspective, we've been really looking at multiple ties to the MITRE Framework within the console itself. For example, all the detection events and workbench alerts are matched to MITRE ATT&CK TTPs and include the MITRE reference and direct links to the framework.
We've got a great app called the Observed Attack Technique app, which provides all the endpoints with observed attack techniques, and you can then filter by individual tactic or technique IDs so you can proactively see what's happening in the environment. And of course, our search app enables searching based on MITRE TTPs, so you can do some hunting on your own for that. It's a really important development in the industry, in terms of this nice common language and framework that allows for a lot of advantages for that security organization.
Greg: Right. Yeah. I've seen that in action too. It's interesting with the complexity issue that you talked about… I hosted a capture the flag competition, where nobody had training in the product or in the XDR tool being used and people advanced really quickly. It's not one of these super expert tools that has to be used, so that was interesting. And those links, like you mentioned to the MITRE Framework, that's those faster time to detection, faster time to resolution.
Lori: That's been important… Really trying to make the user experience such that it really sort of aids that analyst in prioritizing and understanding what's critical and what needs attention. That's been validated a lot with our sort of customer feedback, this notion of, it's providing information in a way… That's my festival… It's painting a picture for me… It's like reading a book. So, taking very complex activities and easing that is certainly a value proposition for XDR. XDR in general is still… There are risks and operational challenges involved in adopting that XDR approach. What are you seeing as people try to embark on this XDR journey?
Greg: Yeah, I think like any important security initiative, it has to have a project behind it. It's got to have some funding and it has to be adopted. It can't just be, we're going to throw this at a severely understaffed or a problematic SOC environment. If you don't have a SOC at all, maybe it's better to think about an MSSP who is going to use an XDR to do this for you.
It has to be planned because you have to know what data to collect. There's all this really rich information out there to collect and to feed into the XDR data lake. And it's really important to go in and look for those great sources you can have. Because once an attack happens, it's really hard to go back and collect the attack information after the fact… That is pretty much impossible, right? You can't record a robbery where you didn't have cameras the next day. Getting that rich information and planning for it, and being able to feed it into your playbooks…
I think that's the fun part and it's probably the most powerful.
Lori: What we're seeing, and what we recommend for customers, is really taking a sort of build-out approach. Start with endpoint a lot of times, endpoint and email in particular, and then once on the platform, they understand the value of the platform, the benefits, and the potential of adding more layers. Also, as we talked about, if the organization is using a SIEM… Use the API integrations to get the most value out of the solution, make it part of that ecosystem.
To your point, really be honest and clear about what internal resources and security maturity they have and consider the managed XDR service to support that in house team with the Trend [Micro] expert resources where appropriate.
Greg: That's a great description.
Lori: We’ve talked a lot today about leveraging both the Trend [Micro] native security stack and certainly a lot about third party integrations. We're going to turn it over to Eric. Schultz, who's our director of product management and he's actually going to go into the product, give us a little tour of some of those integrations we have so that we can see what the platform can do for us in SIEM and SOAR integrations and how to search and obtain data from those complementary third-party tools. Over to you, Eric,