Let's Talk SoC

Mind the Gap: Understanding Your Attack Surface & Extending Your Response.

Episode Summary

Expanding security threats requires an expansive response, but how do you move beyond the endpoint without increasing complexity and risk? All too often, extended detection and response (XDR) is a complex hash of disjointed systems that struggle to plug the growing gaps in your attack surface. In this episode, Senior Product Marketing Manager George Anderson will tell you more about the “X” in XDR. He’ll explain what XDR is – and what it isn’t – and why you need to know the difference. We’ll discuss what to look out for in a vendor and how to know if a solution measures up. And we’ll explain why open, extensible security platforms hold the key to the future of XDR.

Episode Transcription

Sally: Hello and welcome to Let's Talk SoC, a podcast series brought to you by Secureworks, a leader in cybersecurity focused on empowering security and IT teams worldwide to better prevent, detect, and respond to cyber threats. I'm Professor Sally, your host. With me today, I have George Anderson. Welcome, George. I'd love for you to introduce yourself.

George: I'm George Anderson. I'm a senior product marketing executive working closely with our product team, our sellers, and our partners to really drive our go-to-market strategy for Taegis XDR for SecureWorks.

Sally: Fantastic, brilliant, pleasure to speak to you today. And perhaps a great place to start would be maybe to unpack some of the language around cybersecurity. Like we use a lot of kind of acronyms, don't we? All the time. And education makes such a difference around awareness. So perhaps as a place to start, we could unpack EDR, MDR and XDR.

What are the key differences?

George: Yeah, good question. And we start with that conundrum, as you say. I think some of the analysts can't even answer this question, so it's gonna be a little bit of a long-winded answer. So, EDR is obviously used for endpoint detection and response, which we'll go into in a little bit. MDR for managed detection and response and XDR for extended detection and response.

And I think what's common here is we're talking about detection and response and solutions that are trying to solve the need for rapid early detection of the threats and attacks that we're all sort of facing, you know, today from various threat actors. And I think the differences in these lie in the extent and reach of the detection and response approaches being taken. You know, endpoint detection and response really addresses the endpoint. It looks at that, maybe looks at some of the kill chain leading up to that, and various other areas where the actual infection came from in the first place, how it got into the network, et cetera. But it's very, very much an endpoint-focused solution and we see quite a few of the endpoint vendors today

also starting to offer what they call XDR there. In fact, I think that's not really true XDR yet, in my view. The managed detection and response is really a whole range of services where companies are outsourcing their security to somebody else to manage it for them.

And then really when you get into that explanation, it can be a variety of different things that they're managing. So really trying to know what's being managed is actually half the battle there, and for many, MDR is really a managed EDR service; actually, they're managing an endpoint detection and response.

I can think of many people in the market that were saying that, and they too also sometimes say they're doing XDR, but again, maybe in a very narrow way of doing it. You know, maybe looking at firewalls, maybe a couple of other things, but not really very extended in that sense. So managed detection and response is something we offer at SecureWorks.

Then extended detection and response is really something where you're looking for somebody to do something on a much larger scale and holistically cover your entire IT stack.

So that's a very different thing to say to somebody, you know, come in and help me manage and look after and secure everything that I've got within my IT stack. So you're looking at cloud, you're looking at network, you're looking at an endpoint, you're looking at 24 by 7 by 365, you might get that one managed as well.

And you're looking for a very proactive threat hunting approach, and you're able to do that because you've actually unified and integrated all the different telemetry and pieces within their network to bring that together. So the difference in detection and response really lies in that word extended.

And as I said, I do feel like XDR is extended MDR and offers a whole lot of different things as a minimum to do that as well.

Sally: Absolutely. I think that is a really comprehensive answer there, George. Honestly, and I love the fact that you are reflecting, you know, when we look at cybersecurity threats, it's that scope, it's that scale, it's that sophistication and all these different vectors of change, and you need that XDR to be that far more holistic approach to dealing with all these different things. And the visibility you mentioned, you made me smile when you said that, cuz how many times do you hear that now, don't you? In terms of what actually have we got and what are we looking after? It gets incredibly complicated and lots of issues of sprawl, for example, at the moment too, whether that's cloud or code or even vendor, for example. So helping that process, having that holistic visibility, that integration, but making it easier to manage as well. So, so important. So I love that. It's a great explanation there. It's useful to kind of look at what's changed.

So why are we in this position at the moment? And you're absolutely right. I think in the past we've had an entrenchment or a kind of kingpin sort of approach around security protection and security prevention that's really relied on that endpoint kind of approach. But as you've kind of really elucidated in many ways, endpoints aren't even ours anymore.

You know, so many different things happening here. So in terms of the next evolution through that managed detection and response, or the extended version we were talking about just now, why do you think we've got to that need to go to that next level?

George: I think the real thing that's changing is obviously we went through, you know, work from home, digital transformation, accelerated, all those things.

EDR or endpoint detection response almost became a victim of its own success. You know, we started to get really, I mean, I worked in that space for a long while, so we started to get really strong solutions that could offer, you know, very good malware protection, stopping of incidents happening from the endpoint stage.

So partly cuz of that success, bad actors said, well actually there must be easier ways for me to do this and get around this. I don't necessarily need to go to the endpoint. I think that is part of it. As you mentioned, you know, attack surfaces, et cetera, have proliferated too. We stop using different technologies now.

A lot more in the cloud, a lot more in different places, and I think that's affected a great deal. And we see things as well in that area. I mean, in 2022, for instance, we saw 60% of the telemetry data that we were using to detect attacks was coming from non-endpoint sources. In fact, a lot of it was coming from the cloud, but also coming from IDS, a lot of other different areas, network areas as well.

So that is probably a radical shift for most people, cuz most people would've relied on their endpoint to give them all that telemetry and be acting on that. And a lot of people are still sort of looking to move to EDR to be the answer. And what I'd say is, I'm afraid these days, that's just partial.

And that's the problem. You're going to a partial sling role and something, it's gonna actually, you know, tackle the real problem that you're facing.

Sally: Absolutely. No, honestly, it's a great response there. And I think it's just something else that was echoing when you were talking there as well, in terms of these kind of evolutions of different types of changes or different types of risks.

You know, I was just doing something with utilities companies earlier on today. I think it's a great example there of different forms of threats that have really accelerated in recent times. You know, a lot of attacks on utilities, whether that's pipelines or different types of versions of that.

But they're rising to the extent of, for example, it's not just malware, it's killware there. There's really so much evolution there, let alone things like IT and OT convergence affecting many verticals as well. So put all these different things together. My next question was, you know, is XDR an evolution of endpoint detection and response?

And kind of, I wanna say no, absolutely not. And it's this convergence of things that we have to deal with that kind of brings that to the fore. I'd love your take on that, George.

George: Yeah, I think I know some analysts, I can think of some in particular, who think that it is an evolution of that.

But I think that's, and I don't mean to say this in a rude way, but I think that's a little bit oversimplistic. It almost infers there was no other detection and response going on outside endpoint before that. And I think that's untrue. As I said, I've been in the business too long. I was selling managed security services back in 1999, so I don't necessarily believe XDR is just an evolution of EDR, but for me it's really born out of different security requirements that have started to coalesce into one at this point in time. It's obviously a logical step to start integrating and unifying security operations and management and all these fairly complex technologies and trying to make them work as one in a way to actually realize the value that they're giving, because the individual value is never as great as when they're put together, you know?

If you've got data coming from different areas, you can then compare that. You can correlate it, you can contextualize it. You can start to use a whole lot of different analytics and techniques to very rapidly understand what's going on. And that's, again, that understanding part of it is really that. So I think we're talking about XDR offering prioritized and things like categorized workflows, you know, detecting systems, obviously that security operations management expertise, network detection, the source security orchestration and response, which is, you know, playbooks or those sort of things that's saying, how am I gonna respond, how fast?

And these are all sort of components of a complete XDR solution. So it's a very different thing from just an endpoint detection and response, an evolution of that. It's really a whole raft of different things that are combining to make what I would call a true XDR type solution.

And I suppose another aspect, I, you know, again, coming from an endpoint vendor that was very cloud focused, I think the cloud and big data and, you know, collective approach and being able to put things together. And, you know, sort of protect one, protect all, if you like, as a concept, is also something which I think is very strong in this area.

Especially when you start to apply analytics and you can see things happening. You know, not only in that one environment, but across different environments at the same time and say, something's going on here, because I'm not just seeing it in one environment. I'm actually seeing it in a few, and maybe they're in the same sector, like utilities, I can see these things beyond the utilities organizations. So it is an evolution. You could say it's an evolution of endpoint detection response. But as I said, I think that's a rather narrow view of actually what it's really trying to offer and where it's coming from.

Sally: Love that. Honestly, my analogy for that would be trying to unpack the differences between say 5G and 6G as well. There is obviously the echo of what's gone on before, but it's a step change in so many different ways. So totally agree with you on that. And I think for me it's those kind of, I like talking pillars.

So in terms of XDR, you've kind of got the three pillars, haven't you? Prevention, detection, and hunting. And I love the fact it's this continuous approach to doing this as well. And it's far more proactive than reactive, and I love the fact you talked about the collective there as well. I think when we talk about cybersecurity and all the elements around that, we're seeing so much, you know, bad actors coming together, frankly, to kind of push everything we're talking about here and really push sophistication of their type of threats.

We need to come together more and minimize their kind of attacker advantage as well in all these ways across technology, but also supporting that, you know, through process, through change management, through education, et cetera. And that open, secure data sharing around these challenges and when things have gone wrong as well.

It's so important to kind of unpack that and share. And so maybe another area we could look at here too is, again, we kind of started this, didn't we? Talking about the jargon and making it easier for people to go to the right sources for information, to get help, to get support, to get that kind of trusted partnership to navigate.

So what advice would you give to people, you know, listening at the moment, if they're considering their options around MDR at the moment, what would they be looking at? You know, what are the things, the top tips to look at about what support they can get and what to be aware of and, you know, maybe mistakes to avoid, for example.

George: Yeah, I think it starts internally with yourselves. I mean, whether that's doing something like a security audit and assessment, whatever it is. Try and get a very clear idea of your requirements first, because that is gonna give you your basic first checklist, if you like, for when you're gonna speak to a vendor about, you know, do you do this?

Can you do this for me? How do you do this for me? How do you support me in this area? And look at it in a very, very holistic way, if you like. Look across all your different parts. I mean, for instance, you might have a red team and a blue team, so you might have those sort of activities going on. You know, how can you help me with red/blue team activities?

You might not have incident response. You might have an incident response plan, but it's done by your own people, but you don't really have a lot of IR resources, so you're saying, can you give me IR resources? That's maybe not something that's part of the basic offering, but something you maybe want extending.

So defining what you're gonna need at the different security service levels, never mind the actual managed part of the service, is a good way to do that. Once you sort of narrow down from that, then I would very much go and talk to their existing customers. I mean, anyone who's reputable and who's got integrity is gonna say to you, well, okay, you work in this sector.

I've got two or three customers, you know, in this sector that have been using this for a number of years. Go and speak to them. See what they say. See what they find, the strengths, even, you know, what the weaknesses are too, cuz not every vendor is strong at doing everything. And that's, you know, I don't like to talk against vendors at a point 'cause I'm a vendor, but nonetheless, that's the truth.

The market sector, as I did mention, that is quite important too. Obviously finding someone with good experience in your sector. So again, let's go back to utilities. You're talking about scattered devices, you're talking about a whole lot of different things that come into that environment that you're not gonna find in a typical, say, manufacturing environment or maybe in a retail environment, wherever else it happens to be.

So this sector thing is important. I wouldn't say it's a deal breaker on its own, but it's obviously a good indicator of how much depth they have and expertise they have in that particular area that you are in. And also, when it comes to sharing intelligence, it's very important. And that is another thing I'd sort of add, very much understanding.

Who is supplying the intelligence behind this? I mean, there's different sort of things. There's, you know, the analytics intelligence, there's the countermeasures, there's that side of it. And what rate do you do that at? Who does that for you? How do you do it, et cetera. You know, what are you gonna be able to tell me about threat groups?

What are you going to tell me about the latest trends? How do you inform me about that? How do you build that into the product? Because I think with managed detection and response, you're only as good as the latest piece of intelligence you've got as well. So there's a lot of factors there that you really need to sort of understand.

The other thing, I think, that's coming out more and more, especially with skill shortages, is the ability to understand the whole partnership element of that, what sort of partner are you, is very, very important. And that depth of the partnership, and we sort of touched on that in a little bit of ways as well.

There's a lot of value you should be looking for in somebody to help you in this space. I think you've gotta go and seek out that value. And actually, I suppose that comes to another very pertinent thing, which is pricing. A lot of companies worry about the predictability of the cost, you know, especially if they're outsourcing something, what's included, what's not included.

And I think getting a lot of clarification around, you know, not only going through the requirements, but then saying, well, how much does that cost me? Is that included, et cetera, and understanding where that comes from. You know, price usually falls lower down the selection criteria, but nonetheless, these days, with the budget restraints and everything, I suppose it's extremely important to do that as well.

Sally: Absolutely. I think you are spot on there, particularly with, you know, that kind of mantra of do more with less, that's affecting so many, and, you know, making sure we've got this security protection of organizations of all sizes as well.

So again, looking for a partner that can help you innovate at your pace, for example, and that facilitation, that education piece. The knowledge sharing we were talking about earlier, the research, et cetera, and, frankly, helping to navigate through the noise that there is around this too, and bringing together that tech strength with the people strength as well.

Again, we talked about earlier, it's technology, but it's people and it's the right change management approach. You know, CI/CD, for example, to be more agile to the threats. So many elements to this, and perhaps to round that off, just thinking about that a little bit more. Perhaps you could explain a little bit more from a SecureWorks perspective about how you are specifically helping to support customers in the wider ecosystem around this as well.

I'd love to kind of drill into that a little bit more too.

George: Yeah. I think a number of different ways. You know, we have a mission, if you like, and a purpose at SecureWorks, which we call securing human progress by outpacing and outmaneuvering our customers' adversaries, which I think is a very good way of looking at the ball.

I mean, we are living in this, and a reason we perhaps didn't mention for the move to this extended approach has just been the volume and sophistication of attacks. I mean, I think last year overall attack levels are up, like, over 40% or so. I think our approach to it is very much combining, you know, the human element and human intelligence, obviously, with the analytics, and we very much follow the route of trying to separate the high-impact and high-threat attack signals from the high levels of alerts and background noise.

I mean, I think you mentioned that. I mean, if you look at security analysts and helping security teams perform and function, you don't want 'em spending their time doing false investigations or investigations that just lead to dead ends. You really want to be able to narrow that down.

I think the other thing we try to do is we try to provide huge added value through contextual and correlated threat intelligence. Something I sort of touched on earlier, we've got a Counter Threat Unit, which obviously is sitting there the whole time doing countermeasures and things like that and feeding that into the product on a constant basis.

But at the same time, we, you know, we're observing 175-odd threat groups as a whole, you know, we've got, I think, over 1,400, nearly 1,500 independent incident response engagements we carry out each year. So that's really companies coming to us and saying, we've got an incident, can you help us with it? Can you help us clean it up, solve it, find out what happened, make sure it doesn't happen again, you know, all the things that are involved with IR. Obviously that information we use immediately, like a company does. Any company that gets breached, the first thing they say is like, well, you know, dammit, but immediately they're onto, how could I have stopped this? What could I have done to prevent this?

And I remember a case, like, years ago where I had a client who, it was actually a bank, and somebody was obviously coming in and putting a dongle in a machine and taking data. And they had a huge fraud. And I remember my banking client the following day followed me up and said, can we stop this or can you stop this?

And I said, well, I can't, but I think I know someone who can. So in that area, that's a huge value. We try and do that. And I suppose we just constantly endeavor to ensure our customers' own situation, well, that they're actually protected and defended against both the known, but importantly, unknown threats and attacks.

I mean, our whole job is to uncover those and see those very early, either cuz we've got some intelligence in advance of that and so we're looking for it that way, or because something starts to happen and we recognize those events and those behaviors shouldn't be happening and we should be doing... we should be getting in there rapidly and deciding what to do and making sure we can bring up some security measures.

So I think I would badge it under superior detection, maybe, is the thing, and then having the response to go with that.

Sally: Excellent, great overview there, George. And honestly, I'm gonna throw in one extra thing as well. When you're looking, you know, at potential providers and support in this particular area. And this is a bit of a personal thing from the heart here, but also look for organizations that are really contributing to the sector and broader society as well.

So as one example of that, I was involved in one of the SecureWorks projects that is looking at diversity in security. Amazing outreach. You know, developing games, for example. Helping younger people to look at the security industry differently and creating something and kind of like storytelling around it and just changing the narrative and what these careers look like.

So I love the fact that you guys really support that really heavily as well. And again, that can only bring good things, you know, more diversity in security teams. We all know the amazing results we get from that, you know, the risk of implicit biases reduced. We just get that diversity of perspectives, looking at challenges and maybe spotting, you know, the invisible threat a little bit earlier, for example, too.

So just wanted to give a shout out for that. And kind of overall, I think everything we've talked about today, again, it just changes the narrative. It's not around, say, the cost of security investment, it's the cost of not doing that, the cost of insecurity. I think that we should be bringing kind of center stage.

So really fascinating discussion. George, thanks so much for dropping by and taking the time to join us today.

George: Absolute pleasure. Thank you.

Sally: Thank you all for watching and listening too. It's our absolute pleasure.

Let's Talk SoC is a podcast series brought to you by Secureworks, a leader in cybersecurity, helping organizations reduce their risk, maximize their existing security investments, and fill their talent gaps with their cloud-native security analytics platform Taegis. They offer MDR and XDR solutions for better threat prevention, detection, and response. To learn more, visit secureworks.com.