
As XDR trend gains steam, new alliance seeks ‘shared schema’ for data exchange

George Kurtz, CEO at CrowdStrike, speaks during Web Summit 2018 at the Altice Arena in Lisbon, Portugal. (Photo by Seb Daly/Web Summit via Sportsfile/"SD5_7630" by Web Summit is licensed under CC BY 2.0)

Just two months after the August launch of the XDR Alliance — an organization formed to create a uniform framework and architecture for extended detection and response — CrowdStrike at its own October Fal.Con event announced a separate coalition of cyber, SaaS and IT solution providers with the shared goal of creating a "shared schema" for XDR data exchange, while providing users with an XDR platform that features a variety of integrated solutions.

The CrowdXDR Alliance boasts an initial core of members that includes Google Cloud, Okta, ServiceNow, Zscaler, Netskope, Proofpoint, ExtraHop, Mimecast, Claroty and Corelight. Meanwhile, just this week, the XDR Alliance added CyberArk and Recorded Future to its original founding members: Exabeam, Armis, Expel, ExtraHop, Google Cloud Security, Mimecast, Netskope and SentinelOne.

And so it seems that key players in the infosec vendor community are jockeying for position as XDR emerges as one of the hotter trends in the cyber sector. What remains to be seen is whether the concept — which involves expanding visibility and threat detection across one’s endpoints, cloud assets and applications — reaches its full potential, is relegated to buzzword status, or falls somewhere in between.

To address these latest developments, SC Media spoke with Mike Sentonas, chief technology officer at CrowdStrike.

CrowdStrike CTO Michael Sentonas, seen here being interviewed by SC Media's Bradley Barth at the 2020 RSA Conference.

Explain the thinking and strategy behind the CrowdXDR Alliance’s formation.

We wanted to announce what we think of as a first-of-its-kind coalition to really bring together best-of-breed solutions that look to create a common XDR language for data sharing between security tools and processes. … So that's the driver behind that — to really take that next step forward. The customer should not be the systems integrator. These technologies should work together. And that's the goal of what we're trying to do here.

The reason why I say first-of-its-kind is that we talked a lot in our XDR announcement about the need to have a common schema and ontology, so data across different vendors make sense. If you don't do that, effectively, you're a SIEM, you’re a log management tool. And the reason why we wanted to really focus on this alliance was no one was really talking about that. Everybody was talking about getting together and putting detections in one place. But again, that's log management. XDR goes above that. The thing that we wanted to make clear to everybody is that organizations don't need more security alerts. They need insights into the security stack that they have, to make sure that they can derive the best outcome. And that's really what the XDR alliance is about.

The CrowdXDR Alliance announcement refers to lack of standards for data sharing across different security platforms. What have your efforts been so far in terms of establishing a shared schema for data exchange?

For us, it’s about sitting down and talking with everybody around the structure of the framework. We're working through that and having those conversations. … Many of the launch partners are existing CrowdStrike store partners … so those launch partners already have a very, very good understanding of the CrowdStrike Falcon [endpoint protection] platform and how our telemetry works and how to work with the product.

The goal is to make sure that there's optimized real-time threat detection, the ability to do incident investigation and response, and threat hunting across all the telemetry. … So there's a lot of work that we're doing there to work with those partners to make sure that customers ultimately get defense in depth with shared telemetry. I think that's the goal — to make sure that you've got a standardized XDR schema and the ability to share relevant telemetry. … It's not trying to bring in all the telemetry from all those vendors. It's the important telemetry that will allow you to accelerate incident response and to be able to have enriched detections.

Extended detection and response seems to be a trendy security concept right now, but the XDR market is in its early stages. Is there any concern that XDR could become an ambiguous buzzword among the vendor community?

Our industry's full of crazy buzzwords. I think one of the concerns that I have with XDR is that you can probably do a little bit of [searching] on Google and you could go and find 10 vendors that did a find and replace on their website and just added the word XDR onto their product. And we've got to be a little bit careful about that because it's become a little bit overused and everything has become XDR.

Every endpoint product vendor talks about XDR, but they've done nothing different to the product. The network vendors talk about XDR. The SIEM vendors are worried about the endpoint vendors encroaching into their space. So now SIEM vendors talk about XDR, but again, nothing has really changed.

You don't want to have a situation where people throw the word XDR around because you've got network vendors wanting to add some endpoint telemetry to the network, but they haven't really changed or done anything.

We have to avoid that as an industry. Not to get on a soapbox, but our industry is built on trust. And when you do that, you lose that trust very, very quickly. I think there's a temptation to allow XDR to become nothing more than … superficial integrations that the industry has already seen before. … You're trying to manually stitch together data, you've got unusable data. You get platforms that are super-bloated and you can't search against them. That's got nothing to do with XDR.

Any other thoughts on what true XDR should or shouldn’t look like as the market continues to shake out?

One of the challenges in cyber is to not be burdened with too much data. And it's an architectural problem that, if the security vendors are not dealing with it, they're letting their customers suffer as a result. So you need to make sure that you're designing a system that doesn't overwhelm with too much data. And you want to make sure that you have the most valuable information at your fingertips as quickly as possible.

It’s not about the quantity of data. It's the quality of the data, the context that you get from it. … It's about taking relevant telemetry … to enrich the data that we already have.
