A founding group of eight cybersecurity solution providers have formed a new organization designed to create a uniform framework and architecture for extended detection and response (XDR) solutions, while bringing a sense of collaboration and integration to what’s become a fragmented corner of the cyber industry.
Security analytics and intelligence company Exabeam is spearheading the effort, dubbed the XDR Alliance, alongside founding members Armis, Expel, ExtraHop, Google Cloud Security, Mimecast, Netskope and SentinelOne.
As succinctly explained here by Check Point Software Technologies, endpoint detection and response (EDR) solutions are known for protecting endpoint devices through enhanced visibility and threat identification, while XDR further integrates the solution landscape across multiple endpoints, cloud computing, email and other solutions found within your hybrid environment.
Though it has not formally met yet or named its offers or board of directors, the Alliance was officially launched today in conjunction with the 2021 Black Hat conference in Las Vegas. According to its press release, the Alliance has already developed a three-tier model composed of the core components of the XDR technology stack. These include data sources and control points, including any tooling that generates telemetry logs and alerts; the XDR engine, which ingests data and executes threat, detection, investigation and response; and pre-packaged content and workflows.
Prior to the announcement, SC Media spoke with Gorka Sadowski, chief strategy officer at Exabeam and founder of the XDR Alliance, as well as Jules Martin, vice president ecosystem and alliances at email security company Mimecast.
What was the motivation for founding the Alliance?
Gorka Sadowski (GS): It started when we all realized that the cybersecurity industry right now is in a state of dismay, and… very fragmented. It looks like people are sometimes more interested in competition than collaboration. And I think that's one of the reasons why we are where we are today, and we are sometimes feeling that we are losing the battle with the enemy.
It takes a village to solve cybersecurity issues, [and this] is really the first realization that it is also this village that needs to come together and collaborate on defining solutions.
In addition to all of the problems in the cyber industry, there is this new-ish technology called XDR... and we said, “How about we start by putting together and defining an XDR Alliance, and inviting thought-leading organizations to participate in this alliance?”
I think XDR is almost more of an ethos. It's a philosophy, it's an approach, it's a way of thinking... It's about really understanding: What are the outcomes that we're looking for? What are we looking to be protected against? What type of use cases? And again, it takes a village, and I think it’s only through being open and collaborative and inclusive, that we can together have a good opportunity to solve that problem.
Jules Martin (JM): To me, XDR is… a methodology, not just a solution. While we’re not an XDR player, we've been integrating with other solutions for many years... [It’s part of our] growth in… looking to integrate solutions together, and to then start to share potential threats and malicious identified threats, etc… So, XDR is a perfect coming together of all those worlds – but it is a community defense that we need to actually look at here, and coming together and collaborating as vendors, as opposed to individual solutions.
What went on behind the scenes to create this new organization?
GS: It was maybe two, three months ago where we started approaching the different vendors… So the first phase was to approach partners with whom we have already worked in the past, and vendors that are thought leaders in their respective fields, in their respective domains, and organizations that we knew were really thinking the same.
Right now, there hasn't [yet] been a full blitz where we all meet together… We [plan] to have a board of advisors and a board of directors, but that's further down the road. For now, it's just a statement of intent from a bunch of different vendors that are already all working together, and going to market. And then there's going to be awareness activities, there's going to be co-marketing activities, there's going to be integration activities…
JM: It's bringing together like-minded vendors – people who share the same vision. People who, when things come through the gateway, say, “Why can't we just share this out?” And customers that have joint solutions and approach it in that way, as opposed to single point solutions working independently.
What are the challenges currently associated with XDR adoption?
GS: To be a CISO and thinking I need a detection and response tool and solution and approach for my organization across the extended stack… the first challenge is one of confusion.
I wrote a blog yesterday called “Dazed and Confused by the XDR Telenovela?” I probably would be [confused]... Every day, there’s a new definition that, if I was a CISO, I'd be in a holding pattern right now. I'd be in a holding pattern because it's just too confusing.
That’s the danger in some of this: the analysis paralysis for a lot of the decision-makers and a lot of the organizations to move ahead to go ahead and go for an XDR project at this point.
I think the other issue and the other impediment to this is the vendors can sometimes have very wild claims, and I think we need to all again work together to make sure that we raise the right expectations… [and not] overpromise, underdeliver and let our customers down.
What do you foresee as some of the initial goals of the Alliance?
GS: The Alliance has defined a three-tier architecture, if you will, for what defines an XDR... And it's really saying these are the structural components of an XDR is, and it's only together that we can achieve the value proposition for that…
We are revisiting the API framework that Exabeam is doing. One of the achievements I’d love is having the XDR Alliance members help us influence what that looks like, then potentially [holding our] user conference and having members come…
On the process angle, I think it's also helping the SOC better look at how to define detection and response. What are the phases inside of that detection and response? You have the preparation and collection of the different telemetry points in the different data sources, you have the detection, you have the investigation, you have the triage, you have the initial response.
A lot of SOCs don't have the maturity to really properly [apply] the different tools that they have inside of their process, and there's no best practices emerging around the SOC. Well, is there anything that we collectively can… [do] to help the SOC get an efficient detection and response?
And finally… it's about education, it's about awareness, it's about helping the people.
JM: We see this very much as trying to bridge the gap between business operations and security operations. If you look, there’s login, there’s analytics, there’s remediation, and then response… As a community defense approach, we need to give users… the ability to view these threats in the tools of their choice. If you’re in a SOC, you don't need to see the email gateway, but if you're an email gateway manager, you don't necessarily need to see what the SIEM and SOAR capabilities are.
How would you communicate the value proposition of XDR? Especially for those companies working in complex, hybrid network environments?
GS: I think it's about offering a very simple definition and approach to XDR, [including] being driven by outcomes and… having very good time to value, having a great operational cost and being very easy to use.
One of the problems in the industry is that it’s too much of a tool-centric ingest-first type of problem. Meaning: These are my tools, these are the telemetry points, these are the logs, this is what I have available. What type of insight can I generate with that? And unfortunately, that is, and will always be, a losing proposition… Hopefully XDR, because it is outcome driven… [can] participate in solving that.
It's about saying, “Okay, I'm the SOC. I'm the security organization. What are the threats that I need to help my organization with?” You actually start with the end. You start with what are the threats and what are the attacks and what are the instruments that you want resilience against? And based on those, then you work backwards and say, “If I want protection against phishing, what do I need?” And then you say… “These are the data points that I need in order to generate… I need to perform on these data points in order to detect that phishing.”
So, yes, endpoints are very important and so is the network, but so is email… You need email data, you need email telemetry, you need alerts, and you need the email solution provider… to come to the XDR table… And then on the response side, wouldn't it be great if, once we have detected [an email threat], wouldn’t it be great to reach back to that same email solution provider and say, “Hey, let's work together, I need you to… remove emails from particular mailboxes”? So, let’s start with the use case and the scenario we want to be protected against, and then based on that, then we will know what are the data sources in the telemetry and the analytics we need to perform on that.
JM: That’s a really good point because the ability to bilaterally share information is key… This is the whole thing about XDR. This is why it's so critically important to get right, so we can all work on this together...
What does success look like to you?
JM: For now, Exabeam has been driving this organization, a lot. I think success will be achieved when we will be just yet another member. To bootstrap, you always need a driver, and I'm happy that it’s Exabeam. I'm happy that Mimecast was there very early on, pushing and encouraging. And I think the success will come when this becomes a true peer-to peer-distributed [collaboration] with other Alliance members, and when this takes on a life of its own. Because at that point then we will probably be ready to flip the switch and make this a true nonprofit, and that's when all the other pieces are going to fall into place.