CyberWire Daily - The current state of XDR: A Rick-the-toolman episode.
Episode Date: June 17, 2024

Rick Howard, the CSO, Chief Analyst, and Senior Fellow at N2K Cyber, discusses the current state of "eXtended Detection and Response" (XDR) with CyberWire Hash Table guests Rick Doten, Centene's VP of Security, and Milad Aslaner, SentinelOne's XDR Product Manager.

References:
Alexandra Aguiar, 2023. Key Trends from the 2023 Hype Cycle for Security Operations [Gartner Hype Cycle Chart]. Noetic Cyber.
Daniel Suarez, 2006. Daemon [Book]. Goodreads.
Dave Crocker, 2020. Who Invented Email, Email History, How Email Was Invented [Website]. LivingInternet.
Eric Hutchins, Michael Cloppert, Rohan Amin, 2010. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains [Paper]. Lockheed Martin Corporation.
Jon Ramsey, Mark Ryland, 2022. AWS co-announces release of the Open Cybersecurity Schema Framework (OCSF) project [Press Release]. Amazon Web Services.
Nir Zuk, 2018. Palo Alto Networks Ignite USA '18 Keynote [Presentation]. YouTube.
Raffael Marty, 2021. A Log Management History Lesson – From syslogd(8) to XDR [YouTube Video]. YouTube.
Raffael Marty, 2021. A history lesson on security logging, from syslogd to XDR [Essay]. VentureBeat.
Rick Howard, 2020. Daemon [Podcast]. Word Notes.
Rick Howard, 2021. XDR: from the Rick the Toolman Series [Podcast and Essay]. CSO Perspectives, The CyberWire.
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Goodreads.
Staff, n.d. Open Cybersecurity Schema Framework [Standard]. GitHub.
Staff, 2019. What is EDR? Endpoint Detection & Response Defined [Explainer]. CrowdStrike.
Staff, 2020. Log Formats – a (Mostly) Complete Guide [Explainer]. Graylog.
Stephen Watts, 2023. Common Event Format (CEF): An Introduction [Explainer]. Splunk.
Thomas Lintemuth, Peter Firstbrook, Ayelet Heyman, Craig Lawson, Jeremy D'Hoinne, 2023. Market Guide for Extended Detection and Response [Essay]. Gartner.
Transcript
You're listening to the CyberWire Network, powered by N2K.
In the early days of this podcast, back in 2021, we published a Rick the Toolman love letter to this newfangled security tool called XDR. Oh, yeah. You might have heard about it. The acronym stands for Extended Detection and Response, and I was gushing about how this tool might transform the modern-day security architecture. Back then, Gartner placed XDR at the beginning of the journey on its famous hype chart, just starting to climb the peak of inflated expectations. And I was jumping on the bandwagon to help inflate the hype.
Two years later, July 2023, Gartner placed XDR on the back end of the peak, just starting the steep roller coaster ride down toward the trough of disillusionment, and forecasted five to ten years before it reaches the plateau of productivity. Since this is the time typically when security pros start to lose faith in a product idea because the hype surrounding it hasn't matched existing products, I thought it was time to revisit the current state of XDR, because I still believe that it represents the future security architecture that we all need. I don't want the InfoSec profession to lose sight of this potentially transformational tool just because it's not quite ready for prime time. So, hold on to your butts.
Hold on to your butts.
In this Rick the Toolman episode, we're going to explore the current state of XDR. My name is Rick Howard, and I'm broadcasting from N2K Cyber's secret Sanctum Sanctorum studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A. And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.
I can understand why the idea of XDR is sprinting towards the trough of disillusionment, though. Most of the security platform vendors have a product that they call XDR, like SentinelOne, Splunk, Microsoft, IBM, CrowdStrike, Cisco, Palo Alto Networks, just to name a few. But none of their explanations about what XDR is and what it does matches exactly. Gartner says that XDR is a, quote, unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components, unquote. That's accurate, but you could also say the same thing about SIEM tools, security information and event management tools. I'm looking for something a little more descriptive. What makes XDR special?
The subtle difference between a SIEM tool and an XDR tool is how the two technologies collect the data.
With SIEM tools, the monitored system, let's say a Fortinet firewall, generates logs as part of its normal operation.
The firewall administrator configures the system to automatically send
the log data to the SIEM tool for storage and processing. The XDR tool is different.
XDR administrators configure the tool to directly connect to the Fortinet firewall via an API,
an application programming interface. The API allows XDR administrators to interrogate the
firewall for the specific data they need,
not just general-purpose log data, but any information on the system,
and transports the data to the vendor-provided XDR data lake for storage and future processing.
Both methods allow, as Gartner says, a platform to collect data from varied sources,
log data in the case of the SIEM tool and any kind of data in the case of the XDR tool.
But the evolutionary step of using APIs to collect the data
is what makes XDR tools so transformational.
It gives us some options.
Oh!
Rick Doten is an old friend of mine, the security VP at Centene and a regular contributor here at the N2K CyberWire Hash Table. This is how he describes it.
Like zero trust, it's not a thing. It is an approach. And so when someone says there is an XDR tool, then it's like, well, that's how everything works now. I mean, to me, it's about the difference between waiting for logs to be written and then consuming logs and reading logs and deriving things from those logs, as opposed to connecting directly with the API and having instant access into things that are happening and then sending alerts and being able to do responses based on that. I mean, that's the fundamental to it. And I talk to a lot of vendors and a lot of startups, and all of the posture management tools, whether it's cloud posture management, data posture management, identity match management, asset management, runtime, all of them, this is how it works. It's like everything is just, everything is API based. So let's just plug into the APIs and pull the stuff we want to pull and be able to set rules around it.
In order to understand what I mean by this, it might help to understand that XDR arrived on the scene in 2018 by merging two different security tool sets, logging and antivirus.
These were the prequels to XDR, you might say.
So let's start with logging.
Raffael Marty over at the VentureBeat website says that you can trace the origin of the logging piece all the way back to the original email sendmail program on BSD Unix in the 1980s. Eric Allman was building sendmail to be one of the first to implement the Simple Mail Transfer Protocol. He needed a way to log what was happening as the various pieces and parts of the sendmail system banged against each other. When he wrote the first syslogd program for BSD Unix to do that, he birthed the first logging system that we all know and use today. For the uninitiated, syslog stands for systems logging, and the d stands for daemon. In the Unix world, daemons are little standalone programs that start up, do a task, and then disappear again until needed. In this case, syslogd receives a log message from a monitored system, like the Fortinet firewall, and stores it somewhere.
As an aside, I did a Word Notes podcast on the word daemon back in 2020. For the nerd reference in the show, I highlighted one of my favorite sci-fi novels. It's called Daemon and was self-published by Daniel Suarez in 2006. Here's Suarez describing the book at a Google Tech Talk in 2009.
So for those of you who haven't read it,
I'll give you the high concept that I gave the Hollywood folks.
That seemed to work okay.
It is the story of a highly successful online game designer
who creates a program that monitors the web for the appearance of his own obituary.
And when that appears, this program activates and cascades in activating other programs that begin to tear apart the
systems supporting the modern world.
As the years went by, though, we started collecting logs on everything.
The amount of stored data started to become unmanageable. In the late 1990s and early 2000s,
SIEM tools emerged to help us corral the volume of messages.
Instead of collecting logs separately for each application
and trying to manually correlate the information with homemade databases,
administrators could dump all the logs to this centralized SIEM system and use some of the vendor-provided functionality to scrub the data.
But these SIEM systems were expensive.
You had to provide local storage, hard disk space, to accommodate the volume of data.
I remember it was a constant struggle to keep ahead of the demand.
Every time we added more disk space, we filled them up with data quickly.
The vendors, of course, made their money by selling more disk space,
so they were only too accommodating to help us upgrade.
But like I said, upgrades were expensive.
InfoSec professionals were making trade-off decisions about what not to save to disk
or how long we would store things before we would overwrite them.
That was counter to what we were trying to do with the logging project in the first place.
You wanted to use the logs to trace bad guy activity over time.
If your logs only went back three weeks or if your analysts needed log data on systems you weren't watching, that was a problem.
It was also a major task to manage the storage system.
Unless you were a Fortune 500 company or your vertical had strict compliance and reporting
requirements, most of us couldn't afford to buy and maintain them. That all started to change
when Amazon rolled out AWS in 2006. AWS made it possible to store all kinds of data relatively cheaply, and they handled all the
administration. Bonus! There was another big problem, though. All vendors used their own proprietary logging format. If security professionals tried to correlate their Cisco firewall logs with their Symantec antivirus logs, that represented a ton of low-level grunt work normalizing the data so that the SOC analysts could make sense of it all. By normalizing, I mean they had to match the fields of the Cisco firewall dataset to the fields of the Symantec antivirus logs. That normalizing task was and is an intermediate step that provides no value. Google site reliability engineers call that toil. We needed to do normalization to get to the thing that was valuable, but the normalization thing itself wasn't. The vendor community took a swing at addressing that issue back in the mid-2000s.
They started working on something called the Common Event Format, CEF. According to Splunk's
Stephen Watts, it's a standardized logging format designed to simplify
the process of logging security-related events and making it easier to interrogate logs from
different sources into a single system. Today, many vendors use the CEF format, but other competing
standards have emerged too, like JSON, JavaScript Object Notation, Windows Event Logs, the NCSA Common Log Format, or CLF,
the Extended Log Format, ELF, the W3C Extended Log File Format, and the Microsoft IIS, Internet Information Server.
The logging landscape is still a bit of the Tower of Babel, if you get my drift.
Oh, no!
The vendors can't seem to agree on what log files should look like, and so SOC analysts still execute a lot of toil to normalize the data. It's all in one spot, and the administrative burden is lower than it was back in the 1990s, but SOC analysts are still sifting through multiple piles of data haystacks looking for needles.
And they spent a lot of time making the haystacks look the same.
So why is logging a prequel to XDR, you might ask?
Well, SOC analysts sifting through reams of machine-generated log files looking for bad guys has been the standard operating measure since the 2000s.
When XDR tools hit the market in 2018, the tool gave the infosec profession a chance
to upgrade that process. The other prequel to XDR is the evolution of antivirus software and EDR,
endpoint detection and response. In 1987, a German hacker and computer security expert named Bernd Fix wrote software he designed to remove the infamous Vienna virus from his system, thus becoming the first documented
author of antivirus software ever written. Soon after, the notorious John McAfee created the first
antivirus commercial product called VirusScan, and the infosec profession gained a
must-have tool for the security stack. By the late 1990s, if you had any budget at all, your security
stack had a firewall and an intrusion detection system at the network level, and at least one
antivirus system deployed on every endpoint. When I was working in the Pentagon in the early 2000s,
we had two deployed on each
endpoint because we didn't trust just one to get the job done. The idea behind antivirus systems
was that the vendors would write signatures for known viruses and malware designed to detect their
deployment. Once detected, the engine could remove it or render it benign. It was a constant battle
to get the latest signatures deployed in a timely
manner. But in the late 2000s, a new technology emerged that looked at endpoint behavior to detect
malicious code. Instead of just using signatures of known malware behavior, the engine watched the
entire operating system looking for anomalies. If the endpoint started communicating with servers
in Tajikistan
when it previously never did before, that might be an indicator that something was amiss.
This model allowed the system to detect previously unknown malicious code,
a big benefit over signature-based antivirus. Anton Chuvakin was working for Gartner in 2013,
and he gave the new technology its name, Endpoint Threat Detection and Response,
ETDR. Now we all just call it EDR. According to CrowdStrike, EDR acts like your old TV's DVR,
recording relevant activity to catch incidents that evaded prevention. While EDR was an innovative
and disruptive technology, it was limited because it only dealt with the endpoint on the adversary attack campaign.
It didn't see the entire picture.
The Lockheed Martin research team had just published their now famous intrusion kill chain paper in 2010,
and the InfoSec profession was just starting to get their head around the idea that bad guys had to navigate the entire kill chain undetected
and unstopped in order to be successful.
EDR was just one piece InfoSec professionals could use on the kill chain.
To have control and visibility on the entire kill chain, SOC analysts dumped the alerts
from their EDR engines
as well as all the other...
And that's our show.
Well, part of it.
There's actually a whole lot more, and if I do say so myself, it's pretty great.
So here's the deal.
We need your help so we can keep producing the insights that make you smarter and keep
you a step ahead in the rapidly changing world of cybersecurity.
If you want the full show, head on over to thecyberwire.com slash pro
and sign up for an account.
That's thecyberwire, all one word, dot com slash pro.
For less than a dollar a day, you can help us keep the lights and the mics on
and the insights flowing.
Plus, you get a whole bunch of
other great stuff like ad-free podcasts, exclusive content, newsletters, and personal level of
resources like practice tests. With N2K Pro, you get to help me and our team put food on the table
for our families, and you also get to be smarter and more informed than any of your friends. I'd say that's a win-win. So head
on over to thecyberwire.com slash pro and sign up today for less than a dollar a day. Now, if that's
more than you can muster, that's totally fine. Shoot an email to pro at n2k.com and we'll figure
something out. I'd love to see you on N2K Pro. Here at N2K, we have a wonderful team of talented people
doing insanely great things to make me and this show sound good.
And I think it's only appropriate you know who they are.
I'm Liz Stokes. I'm N2K's CyberWire's Associate Producer.
I'm Trey Hester, Audio Editor and Sound Engineer.
I'm Elliot Peltzman, executive director of sound and vision.
I'm Jennifer Iben, executive producer.
I'm Brandon Karf, executive editor.
I'm Simone Petrella, the president of N2K.
I'm Peter Kilby, the CEO and publisher at N2K.
And I'm Rick Howard. Thanks for your support, everybody.
And thanks for listening.