CyberWire Daily - Living security: the current state of XDR. [CyberWire-X]
Episode Date: April 3, 2022
In this CyberWire-X episode, host Rick Howard, the CyberWire's CSO, Chief Analyst and Senior Fellow, explores the state of XDR. Joining Rick on this episode are Ted Wagner, SAP National Security Services CISO and CyberWire Hash Table member, and from episode sponsor Trellix are Bryan Palma, the Trellix Chief Executive Officer, and John Fokker, the Trellix Head of Cyber Investigations. Listen as Rick and guests discuss XDR, SASE, SIEM, and SOAR.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey, everyone.
Welcome to Cyber Wire X, a series of specials where we highlight important security topics affecting security professionals worldwide.
I'm Rick Howard, the Chief Security Officer, Chief Analyst, and Senior Fellow at the CyberWire.
And today's episode is titled, Living Security, the Current State of XDR.
XDR as, quote, a unified security incident detection and response platform that automatically centralizes and correlates data from many proprietary security elements, end quote.
Now, for a definition, I think that's pretty close, but that same definition could also
easily apply to any SIEM on the market or any SOAR platform. The Gartner definition is missing
a bunch of promised functionality. Promised because
not all XDR platforms are created equal, as the security vendor marketing teams describe their
XDR solutions with subtle distinctions. In this episode, I've invited a number of subject matter
experts to the CyberWire hash table to see if we can sort this out. A program note, each CyberWire
X special features two segments. In the
first part, we'll hear from an industry expert on the topic at hand. And in the second part,
we'll hear from our show's sponsor for their point of view. And since I brought it up,
here's a word from today's sponsor, Trellix.
Today, there's a new way to look at security, not just as a cause for concern, but as an opportunity to better your business. With a living security solution from Trellix, you can face the future with confidence, knowing that every day you're getting smarter and more agile.
Threats are evolving, but so is your company.
When you have a platform that's always learning and adapting, you can stay one step ahead of the threats.
Incidents are on the rise, but your organization can rise above them.
By tapping into open partnerships and native connections, you can respond to incidents in real time.
Risk management is growing more complex, but your business has what it takes to overcome complexity.
With embedded tools and
expert insights, you can make risk management easier. Bring your security to life with Trellix,
and we thank Trellix for sponsoring our show.
I'm joined by an old Army buddy of mine and a colleague and a regular here at the Cyber Wire hash table, Ted Wagner, the CISO for SAP National Security Services.
Welcome to the show, Ted.
Great to be with you, Rick.
Ted, we've known each other for, what, 20 years now? Is that right?
I think that's about right, yeah. And we've worked together in the military, at the Army's Computer Emergency
Response Team, and in the civilian world in a small beltway bandit called PASC. And now you're
a big fancy CISO in your own right. How long have you been at SAP, and tell me about your responsibilities
there. I've been with SAP for seven years and I've been at the part of SAP that's focused on
the federal market, supporting the Department of Defense and federal customers.
And it's been very good. We've seen a lot of growth in our cloud offerings.
And we think there's great opportunity as well as great challenges for security.
So I'm excited to be here. It's been a changing, evolving experience, but been a great experience altogether.
So today we're talking about XDR, and that stands for Extended Detection and Response.
But the security community's understanding of it, it's a bit fuzzy, right?
The name has gone through the marketing meat grinder, with every vendor putting their spin
on it and adding features that benefit their specific suite of tools.
Like Microsoft's XDR products are not the same as Trend Micro's
XDR products, and the technology is relatively new. Gartner defines XDR as a unified security
incident detection and response platform that automatically centralizes and correlates data
from many proprietary security elements. But to me, that sounds like a SIEM or maybe like a SOAR platform. So what's
your take on this, Ted? How would you differentiate the three tool sets, SOAR, SIEM, and XDR?
I think XDR is an EDR that's grown up a bit and is challenging the SIEM environment. And I think
that's interesting as a consumer of security technology.
I think it's very exciting, but I think we need to learn a little bit more about what the boundaries are of this capability.
So in my mind, though, I think XDR is probably the next stage in the evolution of security tool sets.
XDR is API-driven, meaning that instead of logging in to each of the tools in the security stack to monitor it, to collect telemetry, update it with data and new configurations, you do all that through software.
So, in other words, if you get the right XDR tool, you can automate the orchestration of your entire security stack.
Now, SIEMs allowed us to automate the collection of telemetry,
and SOAR platforms allowed us to automate the handling of Tier 1 through 3 tasks from the SOC analysts.
And truth be told, I see the SIEM and SOAR tool sets merging in the near future.
But is the idea of XDR automating the orchestration of the security stack,
does that have enough capability enhancements to justify using it as a replacement to those other tools? Or how are you thinking about this? We are committed to a SIEM right now.
We partnered with them and we spend a lot of money ingesting a lot of data from different
data sources, including endpoint detection and response, the precursor to XDR. But where we see challenges is in ingesting all these different data
types and normalizing them and making them queryable is a big challenge. So does XDR allow
us to extend the collection of data across different elements of the infrastructure beyond
the host and be able to ask those analytical questions about, is
the threat present in this environment?
And do they provide those behavior analytics and those other analytics that we want to
take advantage of as the technology grows and innovates in the ability to identify threat
activity?
Is it really better than a SIEM that we're currently using?
I don't know that we know the answer to
that question, but I'm very anxious to know if they can overcome the inroads that the SIEM
vendors have made. It's a slightly different approach though, right? Because XDR is using
strictly APIs. I guess you could say the same thing about SOAR and SIEM, okay? But if I understand it
right though, XDR tools are not storing the data,
so you'd still need to store it somewhere,
perhaps a SIEM.
Is that right, or am I misunderstanding that somewhere?
That's right.
You still need a place to store it
and then run your queries against it.
That integration is always a tough point
because when we go across technologies,
those types of integrations, those APIs, do they really
work?
And are we able to integrate with the diversity of technology that we have in our environment?
So those are always challenges that we confront.
Where we have great success in standardization, that's always a faster way to get to where
we need to be.
So the SIEM tools come with prearranged connections to common tool sets, right?
They could connect to a vendor's firewall, you know, name some of the prominent ones.
They could connect to an intrusion detection system.
So can the SOAR platforms.
So I'm assuming that the XDR services can do the same.
So what's the value again from an XDR service?
Why would you pick that over SIEM and SOAR?
The opportunity here is the cost of the SIEM is expensive. These SIEMs have really monopoly power
to charge pretty high cost to do their work. And can we cut the cost and simplify the implementation
of these technologies to collect data across the spectrum of our
infrastructure. So that's why I think there's an opportunity. We always like to see a little
competition in the space to see if we're getting, one, the best technology, the best detection
capability, and are we getting the right price? Because to be honest, some of these SIEM vendors
are pretty expensive. Well, and the cost comes from storing the data, right?
That's how they made their money.
I remember when you and I worked together back at TAS, we had a SIEM.
Nobody on the team liked it because it was so expensive to store everything, right?
So we started making decisions about what not to store.
You know, we're only going to store three weeks of data or only the important stuff.
So it became not useful.
Presumably with an XDR solution,
you're going to collect the telemetry you absolutely need
and store it in your own relatively cheaper cloud service somewhere, right?
That's how we're going to configure this, right?
That's correct.
And where you can identify that meaningful data
and only store that data is always a critical decision point and
a great filtering capability that you want to adapt to. The reason I like the idea of an XDR
is it's not just being able to collect the telemetry. Like you said, you can do that with SIEM and SOAR
tools, but it gives you the ability to automate going back the other way. If I need to upgrade a block list on a new firewall
or update some rules in a new intrusion detection system,
I can do that through the XDR interface.
It goes both ways.
You can do that with SOAR and SIEM,
but that's not what people are using them for.
They're basically collecting telemetry right now.
And with SOAR platforms,
there's an easier way to eliminate a bunch of
noise, but it's not really updating the security stack in any way, any kind of orchestration.
Is that your understanding too? Yeah, that's right. And we want to be able to filter out or
create access control lists at the firewall through these integrations to keep those things
away from our environment, our data.
So you and I are big fans of a potential technology or architecture coming up.
You know, it's just on the horizon. It's called SASE, or Secure Access Service Edge.
And it's a replacement architecture for how you and I have done this for the last 20 years.
You know, most of us today manage our own security stacks across multiple data islands like SaaS and traditional cloud, traditional data centers, office buildings, mobile devices, and it's very complicated.
SASE combines the cloud model where the vendor manages the infrastructure and the customer manages the policy with really fast internet pipes combined with some sort of SD-WAN networking meta layer to make the bandwidth as fast and as reliable as possible.
And so if somewhere down the line,
you can install an XDR service using the SASE model,
does that make it more compelling for somebody like SAP?
Absolutely. And I'm a big fan of SASE. I love the concept.
During COVID, we adopted some elements of it to replace our access,
how we access our corporate environment using a SASE service, and very pleased. I am really
excited about the opportunity to implement CARTA, or the Continuous Adaptive Risk and Trust model,
with identity. We are really deeply investigating those capabilities.
And then to your point,
integrating them to an XDR capability,
I won't say it's nirvana, but it gets me excited.
There's a couple of nerds getting excited
about XDR technology, okay?
That's perfect for us.
So what that means to me is that the first hop from your laptop, wherever you are,
whether you're back in headquarters or your house or in a sales office in Singapore or in some cloud service, if you need to get to the internet,
the first hop is through or to the SASE vendor.
Yeah.
And it runs through the SASE vendor's security stack, which could be XDR, right? XDR is going to collect all the
telemetry from all the security tools you deployed. It can do everything centrally from that spot,
right? And the only thing I have to manage is the policy. I decide that Ted is allowed to get to this resource, but not this resource,
and the SASE vendor handles all the, you know, the turning of the crank. That's what I think is
going to happen, and we're like five to ten years away from that, but I'm excited about it too.
Are you guys designing your networks now to kind of accommodate all those things, SASE,
SD-WAN, and security stack, in some SASE vendor somewhere?
Yes, we are putting the pieces together as we speak.
We think this is the pathway forward.
And the reason why I'm so mindful of this, a couple of years ago, there were some vulnerabilities with VPN concentrators where at your poor
perimeter, you had a zero day just lying in wait for someone to attack you.
You were none the wiser, and that created so much risk against your perimeter and against those islands of data.
Now, with the SASE model, we transfer that risk to a vendor that can diversify that cross-infrastructure
and create much more secure access to the environment.
So we're very excited about these opportunities.
Two nerds geeking out about XDR and SASE.
Good stuff, Ted.
But we're going to have to leave it here.
So thanks for coming on the show.
Thank you, Rick.
It's always great to talk to you and great to catch up.
That's Ted Wagner, the CISO for SAP National Security Services.
Next up is my conversation with two key members of the Trellix leadership team,
Bryan Palma, the CEO, and John Fokker, the head of cyber investigations and principal engineer. Bryan, let's start with you. I was going over your bio. You're a busy man. Just in the last
six years, the general manager of several Cisco product lines, the CEO of BlackBerry, the chief
product officer for FireEye, and now you're the CEO of two companies. First, the newly emerged FireEye and McAfee
companies, and second, the CEO of Trellix. I'm surprised you have time to even tie your shoes
in the morning. So can you give your listeners, our listeners, a Reader's Digest version of how the
FireEye and McAfee Trellix companies all fit together? Absolutely, Rick. So first of all,
I was with FireEye last year. We ran a process to divest
the business from the Mandiant portion. And that process culminated in June with a sale to
Symphony Technology Group. Symphony Technology Group had also purchased McAfee Enterprise.
And we took the opportunity then to bring those two companies together. That transaction was
closed on October 8th, and I was very excited to be
named the CEO of the joint business. Then in January, we renamed the joint business to Trellix,
which is the brand that we operate under now. I would say a few points. One, most importantly,
both of these companies are very focused on the extended detection and response market, or XDR.
We have a large public sector global business that we are continuing to grow, and it is a major area of focus for us.
Excellent. So, John, you came over to Trellix from the McAfee acquisition, and you're the
Chief Investigations Officer. Does that mean you run the Threat Intelligence team at Trellix,
or does it mean something else? Threat intelligence is a very broad concept. I run head of cyber investigations
and that's my day-to-day. I run a team that collects a lot of threat intelligence
that service our customers. So everything we collect, we put back
into our product so our customers have the best protection. One of the key points
that is my speciality, because in my former career I was with law enforcement
with the Dutch High Tech Crime Unit, is seeking out these collaboration efforts where we as Trellix can make a difference.
Where we can actually maybe even attribute an attack to a threat actor or help law enforcement and the public sector to uncover and indict cyber criminals.
So that's part of my responsibility as head of cyber investigations.
So Bryan, you wrote a blog back in January titled, With Trellix, the Future of Cybersecurity is Now, in which you introduced
this really interesting concept called living security. I was intrigued by it and that you
based the company name on the word trellis, which is a framework designed to support the growth of
living things such as plants and trees. So can you tell the listeners what you meant by that connection? What's going on here? I sure can, Rick. So first of all,
when I took over as CEO, we looked out at the landscape of cybersecurity companies and how they
were presenting themselves and what was happening in the market. One of the things we came away with
was there was still a lot of what I believe are backward-looking kind of branding around
guards and gates and striking and this notion of battling. And when we looked at the market,
we said that's just not what's needed anymore in the market. What's needed is living security,
something that's flexible, a system that's adaptable, a system that's open, a system that learns and helps you get the capabilities you need to be able to effectively mature your program around cybersecurity.
So as we dug into that, we got around this notion, as you mentioned, of the word trellis.
And a trellis is an infrastructure on which you grow plants and trees.
That felt like a really good underpinning
for where we wanted to go with the company, creating an XDR platform that underpins the
cybersecurity capabilities for our customers.
I really like that idea because you're right, the cybersecurity space has been filled with
the military metaphor since the beginning.
And maybe you're right that it's time to rethink
that a little bit. And I know at least half our listeners don't even like that metaphor anymore.
So to get it out of the attack, defend kind of thing, was that a marketing move or was that
something you've been thinking about for a while while you were moving through the ranks here?
We did a number of focus groups. We went out there and studied what other folks in the security business were doing, what folks outside the security business were doing.
And it's really, I think, at the heart of who we are and who we want to be, which is the living
security company that's able to help our customers. And we think critically important to that is
machine learning. Critically important to that is data science. And that's really where we're
pivoting the company. And that's really when you think about the data we have, the telemetry we have, the intelligence,
that's where John and his team are so valuable.
One of the other really important parts of living security is it takes people.
It takes expertise.
And we talk about that expertise being embedded.
John, I don't know if you want to just mention a little bit about the work your team's doing
and how that fits into living security. I come from a military background,
but I keep that within our team. So we do not, like we said, within Trellix, we're living security
when we want to make it more adaptable. And what my team does and what we do is we look at these
attacks, we disseminate them from a very low atomic level. So people know IOCs and all these things. But we also figure out how they work, how the behavior is, and what are the methodologies
for the tradecraft.
And we go to very far lengths in disseminating these attacks.
And then we look at our product stack.
And we think, OK, how can we best load our product stack with the intelligence from these
attacks to best protect our customers? And we've been doing this for several years now within McAfee
and FireEye. And I'm super excited because we're putting everything on, you can say one pile where
we're putting all the heads together. And that is really a great foundation for building some really,
really good behavioral models for our data science teams, some good machine learning models,
because we're going above that low atomic level
that a lot of the conventional signature-based
type of AV companies are doing.
And we're looking at our whole portfolio
from email all the way to network sensors,
the whole nine yards.
So Bryan, I really liked the idea
that instead of this military metaphor, that
living security is really, it becomes part of the company. It becomes part of their culture.
It just becomes something they do as another function, as opposed to a specialized category
of intelligence and attacks and all that kind of stuff. How has it been received by your customer
base? Are they glomming onto the idea that that's a better way to think of the problem?
I think so.
Yeah, I've had conversations with probably over 100 customers.
And all those customers tell me, number one, they like the rebrand.
They understand it.
They understand our culture, our mission, where we're going.
In general, they find it to be refreshing.
Obviously, if you kind of put it side by side to most in the industry, we're very different. They're also finding it very appropriate for the times we live in.
Obviously, we saw over a year ago the issues with SolarWinds. Since then, we've seen Log4j.
Now we have the Ukrainian crisis. We're seeing nation states attack private companies. And our
customers realize they have to be adaptable. They have to be flexible. It's not always going to be a fair fight. And the most important thing for them
is to be able to engage in remediation and resiliency, because the reality is the attacks
are going to happen. It's how you respond to those attacks. And I think the majority of our
customers are focused on that, and they believe our living security platform will help them be more resilient.
And I'd like to add to that, Bryan, what really sets us apart is that we think with the customer.
If you compare it to an organism, it's like, yeah, we can talk about threats and fires and all that stuff, but that's very hostile.
What we like to do is we would like to go on an architectural journey with the customer and think about constructing and how can they do their business in the best way while doing it secure.
That's some of the things that I'm really excited about. It's not only, yeah, the reds and the shields and all that stuff.
No, it's translating everything that happens in the world, making sure that they're protected with the right suite every single time.
They don't have to worry as much about certain threats.
We inform them on the right level and then make sure that they can do their business.
We're like a safeguard to make sure that they can actually grow their own organization.
XDR, called Extended Detection and Response, was introduced as a concept back in 2018 by Palo Alto Networks as an extension to EDR services or endpoint detection and response that came out around 2013.
And the extension, quote unquote, was that it didn't make sense just to run machine learning algorithms on endpoint telemetry, when we knew that the adversaries had to string a series of actions together across the intrusion kill chain, both across the endpoints and across our networks.
But earlier in the show, Ted Wagner, the SAP CISO, and I were complaining about how security
vendors in the XDR space had put the phrase XDR through the marketing meat grinder, where
no two vendor XDR solutions are exactly the same.
How do you guys approach that issue?
I think, first of all, the first thing I would say to you is,
when we think about extended detection and response, we are seeing exactly what you're seeing.
Everybody's defining it a bit different.
We believe, number one, you have to have an endpoint solution, as you talked about.
It's an extension of EDR. It's the next phase of that. So I don't think
you're credible if you don't have an endpoint. The second piece we find is very important is
to have a security operations capability with some degree of SIM and SOAR to be able to bring
together these threats. For us at Trellix, we also have a number of native components. We have
data loss prevention. We have network sandboxing. We have network IPS. We have CASB. So we have a number of different technologies that we natively bring
in. However, we're also open. I think that's the third criteria of a strong XDR is the ability to
be open and ingest technologies from across the capabilities matrix. So for us, that means our security operations tool,
Helix, is able to ingest over 600 security technologies and do exactly what you talked
about. Look across the intrusion kill chain and bring together sources from email, sources from
network, sources from the endpoint, and be able to help our customers do what we call guided investigations.
You know, a lot of vendors, they view it as XDR. And like you said, Rick, everybody has their
different view. And what I love about Trellix, the merger of our two companies, is that we have
such a broad portfolio. We cover almost all the sensors that there are. And I have the honorable
job to make sense of the threats and then translate
it. Okay, but how does this translate to the sensors? How can the customer actually be
guided through this, that they understand how they can improve their security posture? So there's
certain things I think we're going to launch not too far from now, and that go far beyond just
updating your endpoint to the latest data. It integrates with your native controls within your operating system to setting your own sensors, your EDR solution, or all the network sensors you can have to the best situation, either before an attack when you're in relatively easy waters, or even during an attack.
And we're also thinking after an attack when you actually need to do some consolidation and maybe need to evaluate all the measures that you took.
The thing I really like about XDR is that it's API driven.
I mean, you're right.
Each vendor of an XDR service might have their own services they offer that you buy and install.
But I think the beauty of it is what you were talking about is that you can connect to anything in your security stack. If you have a good XDR service, then you can connect to whatever tool you decided was important
at the time and still collect that telemetry and then use the XDR meta layer to do the machine
learning and do the analysis of whatever data they were collecting. I really like that. When
you hear the arguments in the industry, though, it sounds a lot like what a SIEM does or what SOAR does.
And so I wonder if one of you guys want to take a shot at explaining the difference between what an XDR does for you compared to those other tools.
I mean, I think, number one, it's a combination.
So, number one, we want to make sure, which I know I hear from a lot of customers, Rick, is that we're evolving the industry.
We're not making the tools that you have, you know, useless. We're bringing it along. So I think it's really that next layer. How do you get the
efficiency out of it? I talked a lot about guided investigation. How do you leverage the data coming
from your SIEM, coming from your SOAR, maybe coming from other data sources as well? Pull that
together to help your analysts be more focused and also be more efficient.
So it's about being effective and efficient.
We think that's really the power of XDR.
As you said, a big part of it is API, but it's also the content that you have behind it.
So while we can ingest lots of different tools, we also have natively over a billion of our own sensors out there.
So I feel like our content that we can help people with and we can bounce our machine learning up against for guided investigation is second to none.
What I often see with SIEMs is that you only have a limited amount of data storage as a company.
Our approach is a bit different.
So we collect a lot of data from multiple companies over multiple years.
And the guided investigations that Bryan talked about, we develop these so we can actually leverage a lot
of things and present that to the customer. They might not have experienced it in their SIEM yet,
or they might not have enough correlation that they will see it, but we'll give that back to
them on top of the layer. So we can define better signals through the whole bunch of noise
for them and basically take a lot of the heavy lifting from their shoulders. Many security
practitioners these days are talking about SASE or Secure Access Service Edge as a future way to
architect their security stack. I know you guys are a brand new company, but is SASE somewhere
on your roadmap? You hit it. The two most important markets right now in cybersecurity are around XDR and then SASE,
some like to call it SSE, at the edge.
I like SASE because of the way it sounds.
All right.
We'll stick with SASE.
I like it.
It does sound better than SSE.
So if we stick with SASE, then, you know, I think we have obviously an important part
of what we're doing is the work
we're doing with our sister company, Skyhigh Security, and the work they do around CASB and
also around Secure Web Gateway. So those two technologies are natively embedded into our XDR
platform. And we think, to your point, that at the edge and dealing with the cloud is going to be a
really important horizon for us in cybersecurity.
Excellent and great stuff, guys.
But we're running out of time.
We're going to have to leave it there.
So I'd just like to thank Bryan Palma, the CEO of Trellix,
and John Fokker, the head of cyber investigations at Trellix.
Guys, thanks for coming on the show.
And that's a wrap.
We'd like to thank Ted Wagner, the SAP National Security Services CISO,
Bryan Palma, the Trellix CEO,
and John Fokker, the Trellix Head of Cyber Investigations,
in helping us gain a bit more clarity about XDR.
And a special thanks to Trellix for sponsoring this show.
CyberWire X is a production of the CyberWire
and is proudly produced in Maryland at the startup studios of DataTribe,
where they are co-building the next generation of cybersecurity startups and technologies.
Our senior producer is Jennifer Iben.
Our executive producer is Peter Kilby.
And I am Rick Howard signing off.
Thanks for listening.