Let's Talk SOC

Moving Beyond the Endpoint: Why EDR Isn’t Enough

Episode Summary

The era of solely relying on endpoint detection and response (EDR) is rapidly coming to an end. Even EDR vendors offering MDR or a cobbled-together extended detection and response (XDR) solution can't close the growing gaps in the attack surface. In this Let's Talk SOC podcast, Kyle Falkenhagen, Vice President of Product at Secureworks, discusses how organizations can move beyond their reliance on EDR to a purpose-built XDR security operations platform that provides holistic coverage across cloud, network, endpoint and more.

Episode Notes

Moving Beyond the Endpoint: Why EDR Isn’t Enough

March 8, 2023

Kyle Falkenhagen, Vice President of Product

Episode Transcription

Host    

Hello and welcome to Let's Talk SOC, a podcast series brought to you by Secureworks, a leader in cybersecurity focused on empowering security and IT teams worldwide to better prevent, detect, and respond to cyber threats. I'm Professor Sally, your host, and joining me today is Kyle Falkenhagen, VP of Product at Secureworks. Welcome, Kyle, it's great to have you here.

Kyle

Thanks Sally, it's great to be here.  

Host   

Yeah. Maybe just to start us off, could you just share a little bit more with the audience about yourself and your role and perhaps something that's mattered along the way in your journey?  

Kyle   

Yeah, absolutely. So, I've been with Secureworks now for a little over five years. I lead the product management and user experience teams here at Secureworks. I came on as part of a small team that set out on a mission to redefine how we deliver detection and response for customers, and we built the Taegis platform and the Taegis services that we have. So it's been a ride for the last five years. We've gone from a concept of something we wanted to build, to building an initial version, and we now have thousands of customers that we are protecting with the Taegis platform today.

Host    

Oh, that's super. Thanks so much. You set the scene really, really nicely for our main subject area today, all things EDR. We've seen organizations relying for so long on endpoint security, but more recently we've had this evolution. You described that evolution so well actually in your answer just now, Kyle, the evolution into EDR. So what are you thinking and seeing at Secureworks in terms of this continued transformation and emphasis on security, and how well-placed it actually is?

Kyle    

Yeah, so I think especially with the focus on endpoint, there was NGAV at first and then it kind of transitioned into EDR, and there's a lot of focus on the endpoint. What we find is that the endpoint is necessary, but it's not sufficient. So 60% of the cybersecurity threats that we see within the Taegis platform come from outside the endpoint. They're coming from email systems, so think business email compromise and phishing attacks; from cloud workloads; from identity systems, account compromise type attacks, where we're getting that telemetry from Active Directory and other identity providers like Okta; and then network visibility. So while the network has kind of moved to the background over the last decade or so from a security perspective, it still plays a key role in providing comprehensive protection across the environment. We just see this pace of change continuing, where organizations will continue to move beyond the endpoint and they'll focus more and more on holistic coverage. So as they continue on their digital transformation journeys, you see endpoints, managed endpoints and servers giving way to bring-your-own devices and mobile devices and container-based workloads. So while there's a critical role that endpoint technologies like EDR will continue to play, they're not sufficient in and of themselves to really protect an organization holistically.

Host    

That's so well described, Kyle, I couldn't agree more strongly. I've been writing something literally earlier on today actually entitled Endpoint Security, kind of your barriers are not yours anymore, if you know what I mean. Those different areas are the vertical and the horizontal, for example, types of threats we're seeing today, but they're just coming from so many different areas. These vectors have changed, even to the extent of collaboration, bad actors coming together and re-imagining security threats. Like MTE is one example of that too, so many different things to contend with. So I think you've explained that evolution really strongly and why EDR can make a big difference. You mentioned a little bit about telemetry data there. I'd love to come back to that and how helpful you are seeing EDR in its role for stopping attacks, particularly when adversaries have already done a lot of research into how to foil or circumvent endpoint defenses. I think that example actually of Emmett's a good one there in terms of that re-imagining; it's kind of like the chameleon, really, I think, of security threats today.

Kyle  

Absolutely. So I think the endpoint came onto the scene and it provided a level of telemetry and visibility and understanding as to what was happening on the endpoint that prior to that had been really hard to get for security analysts. The fidelity of that telemetry was amazing and it allowed them to do their jobs much more efficiently than they had been able to in the past. What we're seeing now, and the comparison that I like to draw, is that EDR is to NGAV in many ways what XDR is to SIEM. What I mean by that is NGAV collected some telemetry from the endpoint and it obviously had the capabilities to evaluate rules and IOCs against the processes and the files that were seen. It was really EDR that came along and said okay, there's more telemetry on the endpoint and we're gonna correlate it and stitch it together in a way that provides meaning to an analyst. Very similar to SIEM: SIEM pulls in a bunch of data from a bunch of different sources, and oftentimes that data's not very well correlated. You don't really understand how patterns of activity are occurring across an environment, so horizontally, like you mentioned. That's really where XDR has come onto the scene. It allows you to not only ingest that data from a wide variety of sources, but it stitches that data, it normalizes it, it correlates it in a very deep way from all of the different systems that you have. It runs a range of detection algorithms on top of it, everything from indicators of compromise through more standard rules through advanced machine learning and deep learning-based detectors. Very importantly, it provides very strong response capabilities. So it gives the analysts the tools that they need to quickly triage, investigate, and respond to the threats across all of that data. Then it even begins to really open up the opportunity for things like threat hunting, and being able to do effective threat hunting across the environment.
One of the other things that we see a lot of the XDR vendors in the market offering today is really beginning to offer security services on top of the platform as well for those customers that are looking for assistance and partnership.  

Host   

Excellent. I love what you made there around facilitation and the power of partnership. That aspect I think is so key, particularly when you look at the scale, the scope, the sophistication even of some of these threats that we're talking about today. But I also love your point about doing this well: optimizing that telemetry data can really give you that active intelligence that we all need and also reduce the load. Now we're seeing quite a lot in terms of security teams managing almost like a threat overload, if you see what I mean, with that noise of data being so granular. We have to pick out the things that really matter the most, and reacting to those increasingly in real time is absolutely key. It helps us to get ahead of these threats rather than be reactive to all of them, so I think that's hugely significant. Thank you Kyle. Talking about this in a little bit more detail, so this looking ahead, being more forward thinking as a security organization today, how would you advise moving forward? So moving away from, say, a reliance on EDR and really scaling up to deal with the different vectors of change we discussed today, but also the increase in the cloud-based world and endpoint-less world that we are living in. So what would your advice be there, for example as a starting point? Would you be sticking with an EDR vendor to scale out their platforms to do more, or would you be looking at things like team upsizing, or focusing on security operations and looking at that evolution of combining EDR with XDR into the future?

Kyle   

So, I think most organizations, especially in the macroeconomic environment that we have at the moment, are looking for the solutions that can effectively reduce their risk and have a proven return on investment and a low total cost of ownership. In many ways what that begins to lead to is a little bit of consolidation, right? Can I consolidate the partners that I'm working with? Can I get more bang for the investment that I'm making? What we're seeing more and more of, an acceleration of, is customers that are looking to XDR vendors and looking to MDR vendors. Obviously both of those sit at the peak of inflated expectations at the moment. Every vendor is touting their approach to XDR and MDR, but I think there are things that you can absolutely look for that are critically important as you go out and evaluate the landscape. From an XDR perspective there are different approaches being taken. There are the SIEM vendors, which are trying to position what I would say are the previous generation capabilities as more of an XDR solution. There are EDR vendors that are saying, well, XDR is really nothing more than EDR plus some other telemetry. Then there are the pure-play providers that really built a cloud-native XDR platform from the get-go. That's really where the Secureworks Taegis platform fits. It is in that third bucket: really from the beginning, a focus on building something that we felt would meet the needs of organizations and be able to effectively stop threat actors in their tracks across an organization. As you look at the criteria or requirements for an effective XDR solution, it's really: what's the breadth of coverage that it has? What are the response capabilities that it has? I mean, can an analyst effectively do their work completely within the platform, or are they still gonna be bouncing around between a number of individual security controls to get their jobs done?
Then what sort of value-added services can be applied to that XDR platform? That's typically where MDR comes into the picture. With all of the skill shortage that's out there, and the difficulty in building and retaining security operations teams, the cost of having a 24x7 SOC is incredibly prohibitive. What we're finding is that the vast majority of organizations really need that combination of XDR and MDR.

Host    

Excellent. Thank you so much for bringing those examples to life. I think you really described the trajectory ahead so clearly there, really interesting, and I love the fact you've also mentioned one of the other key challenges today, talent gaps, as well. You're absolutely spot on: whether it's security testing or architecture, the gaps are growing at the moment, and COVID has obviously influenced that, particularly around diversity in security too. I think some of the work you do there to support the community and get more people involved in cybersecurity is really key too. You did an amazing initiative on that earlier in the year, which I was part of. It's great, the outreach work you're doing on that too at Secureworks. So great to see that. And going back to this area around EDR versus true XDR, I think we've seen it through the discussion so far. We were aware that there's been some confusion around this, but there's real clarity about what people are needing. So it is, for example, reduced complexity, increased visibility, detection accuracy, getting in earlier to detect things, being more future-oriented and obviously a faster response when a threat and attack occurs. Do you think that any EDR vendors, even for example some that do have a limited XDR ability, can actually truly deliver on that, and if not, why not?

Kyle    

I think they're really gonna struggle to deliver on it, and it really comes down to what I would call the data architecture. To effectively correlate and normalize telemetry coming from a bunch of different sources so that you can effectively perform analytics on top of it, it really all needs to come into a central data lake where that activity is occurring. So if you're in a situation where you've got your data sitting in multiple places, because maybe you're trying to glue together different products that were built for different purposes and try to get them to effectively work together, you're gonna really miss out in two areas. One is you're not going to be able to do effective detection, because you can't write, or it's much more difficult to write, analytics that can analyze data coming from different platforms. Then secondly, you've created a bifurcated experience for analysts. So their job is gonna be harder, their workload is gonna be harder, because they're gonna have to be pivoting between two different systems. I do think the EDR vendors are really gonna struggle to effectively grow into what I would consider true XDR. I really think it's the vendors that set out with the vision from the outset and built a platform capable of ingesting a breadth of different types of telemetry, correlating that together, and analyzing it effectively that are really going to end up winning in this space in the long term.

Host    

Thank you Kyle, really appreciate that. Again, I love the examples we're bringing to the fore throughout this conversation. Super useful for the audience and I think we've got time for one final question, if I may. 

Kyle

Sure. 

Host   

Again, drilling into EDR, in some ways it's been described, should we say, as the last standalone security response layer. Some research that came out in June of this year from Forrester, an XDR research study, found that about 70% of organizations today are looking for more from their security vendor. Again, it's that power of partnership I mentioned earlier, working together in that facilitation role to stave off threats and attacks. So are you seeing EDR vendors really offering that heightened level of partnership that clearly people are wanting more and more of? And again, I'm seeing that personally in organizations of all sizes.

Kyle   

I think they're definitely beginning to offer it. In the traditional pre-COVID world, five years ago, you had your technology vendors and then you had your service providers, and very infrequently did they mix, right? You were either a technology provider or you were a service provider. What we're seeing more and more of is a realization that to deliver effective security, you need to be able to deliver both technology and service capabilities. So you see most vendors out there moving towards that middle ground, either service providers beginning to build out their own technology or, vice versa, technology providers offering their own services. I think what's critical, though, is that it all comes back to how holistic the solution is, because a lot of the EDR providers, for example, are offering services, but those services are limited to what their EDR technology can see. So what's a little bit disingenuous, and I think some customers, as they're looking at the market, fall victim to it: they think they're buying a comprehensive MDR service, but in reality they're really only buying a managed service associated with that endpoint technology. Like I said at the beginning, 60% of the meaningful alerts that we're triaging and investigating and responding to are not coming from the endpoint, they're coming from those other systems. So it's critically important, especially when you're looking for an MDR provider, that you're finding a partner that can really support your entire environment, not just one particular security control within it.

Host    

I couldn't agree more. I think at the end of the day when it comes to security, you mentioned a word very close to my heart, that holism that you were talking about there, and it's so true: embed security by design. It has to be that combination of the right technology support, but also that power of partnership, investment in culture, the right type of process, for example change management that's also agile to change, like CI/CD, and of course investment in skills and onboarding new talent as well, as we've talked about a little bit too. I love the fact that we've brought all of that into our conversation today. I think it's hugely significant, all the different parts we need to bring together to optimize. As I said earlier, the good guys are coming together rather than those bad actors and the innovation we're seeing there.

Kyle  

Absolutely.  

Host    

Well, thank you Kyle. Honestly, it's an absolute pleasure to speak to you and I hope we can revisit this conversation as this sector continues to dynamically evolve. But again, a pleasure to speak to you and great to see the investment and support you are giving in terms of negating these frightening threat areas.

Kyle   

Thank you, Sally.  

Host    

Thank you very much, and thank you all for listening too. Let's Talk SOC is a podcast series brought to you by Secureworks, a leader in cybersecurity, helping organizations reduce their risk, maximize their existing security investments, and fill their talent gaps with their cloud-native security analytics platform Taegis. They offer MDR and XDR solutions for better threat prevention, detection, and response. To learn more, visit secureworks.com.
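The data-architecture point Kyle makes in the transcript above (normalize telemetry from several feeds into one store so that a single analytic can span sources) is easier to see in code. The following is an added example written for this page; it is not Secureworks or Taegis code, and the three record shapes, the users, the domain corp.example, the country allowlist and the severity ladder are all constructed assumptions. It normalizes an EDR process event, an Okta-style sign-in and an email-gateway delivery onto one shared schema, then runs a single rule that anchors on the endpoint signal and walks back through the other feeds. The identical process event rates "medium" when the endpoint is the only source and "critical" when the cross-source chain is complete.

```python
"""Cross-source correlation over normalized telemetry.

Added illustration, not Secureworks or Taegis code. The three raw record
shapes below are constructed to resemble an EDR feed, an Okta-style identity
log and an email-gateway log; none of them is a vendor's real schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # feed that produced the record: edr, identity or email
    user: str     # canonical user id shared by every feed (the join key)
    action: str   # normalized verb
    detail: dict  # original record, kept for the analyst


def _ts(s):
    # Every constructed feed uses ISO-8601 UTC; real feeds need per-format parsing.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def canonical_user(s):
    """'CORP\\Alice', 'alice@corp.example' and 'alice' all normalize to 'alice'."""
    return s.rsplit("\\", 1)[-1].split("@", 1)[0].lower()


# Per-feed normalizers: each feed names the user and the timestamp differently.
def from_edr(r):
    return Event(_ts(r["@timestamp"]), "edr", canonical_user(r["user_name"]), r["event"], r)


def from_idp(r):
    return Event(_ts(r["published"]), "identity",
                 canonical_user(r["actor"]["alternateId"]), r["eventType"], r)


def from_mail(r):
    return Event(_ts(r["time"]), "email", canonical_user(r["recipient"]), r["verdict"], r)


# Constructed sample records (hypothetical users and domain).
RAW_EDR = [
    {"@timestamp": "2023-03-08T09:02:10Z", "user_name": "CORP\\alice", "event": "process_start",
     "parent_image": "OUTLOOK.EXE", "image": "powershell.exe", "cmdline": "powershell -enc ..."},
    {"@timestamp": "2023-03-08T10:15:00Z", "user_name": "CORP\\bob", "event": "process_start",
     "parent_image": "WINWORD.EXE", "image": "cmd.exe", "cmdline": "cmd /c ..."},
]
RAW_IDP = [
    {"published": "2023-03-08T08:58:40Z", "actor": {"alternateId": "alice@corp.example"},
     "eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "client": {"geographicalContext": {"country": "RO"}}},
    {"published": "2023-03-08T09:50:00Z", "actor": {"alternateId": "bob@corp.example"},
     "eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "client": {"geographicalContext": {"country": "US"}}},
]
RAW_MAIL = [
    {"time": "2023-03-08T08:51:05Z", "recipient": "alice@corp.example", "verdict": "delivered",
     "subject": "Invoice overdue", "attachment": "invoice.one"},
]

EXPECTED_COUNTRIES = {"US", "GB"}   # assumed normal sign-in geography for this tenant
OFFICE_PARENTS = {"OUTLOOK.EXE", "WINWORD.EXE", "EXCEL.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
STAGE = {"email": "phish_delivered", "identity": "anomalous_login",
         "edr": "office_spawns_script_host"}


def load_all():
    """Everything lands in one list with one schema: the 'central data lake'."""
    return ([from_edr(r) for r in RAW_EDR] + [from_idp(r) for r in RAW_IDP]
            + [from_mail(r) for r in RAW_MAIL])


# Single-source predicates; each one alone is only a weak signal.
def is_phish_delivery(e):
    return e.source == "email" and e.action == "delivered" and bool(e.detail.get("attachment"))


def is_anomalous_login(e):
    return (e.source == "identity" and e.action == "user.session.start"
            and e.detail["outcome"]["result"] == "SUCCESS"
            and e.detail["client"]["geographicalContext"]["country"] not in EXPECTED_COUNTRIES)


def is_office_spawn(e):
    return (e.source == "edr" and e.action == "process_start"
            and e.detail["parent_image"].upper() in OFFICE_PARENTS
            and e.detail["image"].lower() in SCRIPT_HOSTS)


def correlate(events, window=timedelta(minutes=30)):
    """Anchor on the endpoint signal, then walk back through the other feeds.

    Severity rises with each earlier stage found for the same user inside
    `window`: endpoint alone is medium, identity precursor high, email
    precursor critical. This works only because all feeds share `user` and `ts`.
    """
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        for spawn in filter(is_office_spawn, evs):
            chain = [spawn]
            login = next((e for e in evs if is_anomalous_login(e)
                          and timedelta(0) <= spawn.ts - e.ts <= window), None)
            if login:
                chain.insert(0, login)
                mail = next((e for e in evs if is_phish_delivery(e)
                             and timedelta(0) <= login.ts - e.ts <= window), None)
                if mail:
                    chain.insert(0, mail)
            findings.append({
                "user": user,
                "stages": [STAGE[e.source] for e in chain],
                "sources": sorted({e.source for e in chain}),
                "severity": {1: "medium", 2: "high", 3: "critical"}[len(chain)],
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(load_all()):
        print(finding)
```

Two things the example is meant to make concrete. First, the join keys (`user` and `ts`) are produced by the normalizers, not by the rule: every feed spells the user differently, and a rule that never sees one canonical id cannot correlate at all, which is the "bifurcated" situation Kyle describes. Second, the foreign sign-in and the delivered attachment are too noisy to alert on individually; they change the outcome only because they sit in the same store as the endpoint event, so an EDR-only view of bob and alice would rate both process starts the same.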