How speakers of Virtual Security Operation Center Summit Budapest defined XDR
March 18 marked an important day for cybersecurity in 2021, as it was the day Virtual Security Operation Center Summit Budapest kicked off. In response to the global pandemic, this year’s summit was organized in the virtual space with participants joining from all around the globe via their webcams. Despite the challenge this unusual set-up imposed, the event was a major success and we can’t wait for the continuation in 2022 set to take place in Budapest – where hopefully we’ll all be attending in person. Naturally, as the golden sponsor of the summit and SOC service provider in the EMEA region, SOCWISE closely followed all sessions of the 2-day event from start to finish.
Let’s define XDR together
We’ve heard some extremely informative presentations and exciting discussions, but one session stood out from the rest: Let’s define XDR together. The roundtable discussion featured experts from security giants weighing in on what XDR meant for their company individually. Sharing their views on the topic were three gentlemen with decades of experience in IT security: Attila Gömbös from Trend Micro, Corné van Rooij from RSA Security, and Jakub Jiricek from Palo Alto Networks. The session was moderated by Mark Simpson, CEO of Quantum Cyber Labs who also acted as a spokesman for the online viewers and asked the participants the questions that were raised by the audience during the discussion.
Following a short introduction of all participants, Mark asked Corné – who had already given a presentation on XDR earlier that day – to briefly introduce the subject as a starting point to the discussion. Corné described XDR as a response to evolving threats where there’s a single SaaS platform in the cloud that collects all your security data such as event data, network data, and endpoint data, and then uses AI or any other mechanism that the given vendor prefers to advise on an incident.
Do vendors specialize in industries?
The first question of the discussion aimed to assess whether SOC vendors have preferred industries that they limit their operations to or if they don’t differentiate between customers based on their areas at all. As it turns out, industry is not an important aspect for them. What all three parties agreed on, however, is that the amount of data a customer has at hand significantly affects the capabilities of an XDR solution.
So much so that Jakub actually said a company that doesn’t have enough endpoints (meaning at least a couple hundred) might actually have insufficient amount of data for Palo Alto’s advanced analyzing algorithms to work with, as these algorithms require a high volume of data to gain relevant results. As for Trend Micro and RSA, data volume seems to be of smaller significance. According to Attila, although XDR does greatly benefit of a huge amount of data, quality overpowers quantity. He argued that as long as there is variety in the data, even a small business can benefit from XDR, as if they have endpoint and mail protection in place, those already bring value to the XDR cloud and data lake and can already be analyzed. And as for the lack of know-how within a small organization, MSSPs are there for small businesses to help them benefit from XDR as well. Corné also added that the more data you have, the more powerful your user behavior analytics will be which will result in a more effective solution, but even if you don’t have enough data to perform proper UBA, XDR can still help fingerprint the type of attacks in SMBs.
XDR in devices without a regular network interface
The next question pointed out that there are certain devices such as X-rays, CAT scans, and a handful of other diagnostic machinery that don’t have a regular network interface but are still vulnerable. So, how exactly could XDR help protect these kinds of devices?
According to Corné, no matter what the target machines are, they have some sort of operating system in them – whether it’s Windows or Linux anything else – so the vulnerability is real, especially if they’re not regularly updated. However, the only way for an attacker to reach these machines is through the network, possibly via an e-mail attack, which will leave a fingerprint on the endpoint. Since hospitals don’t usually have a SOC team that can detect an attack based on these fingerprints, he adds, an XDR solution can do it for them in an automated way.
XDR vs. anti-APT
At this point, a question arrived from the audience inquiring about the differences and similarities between the concepts of XDR and anti-APT which generated a lot of buzz in the industry just a few years ago. Although all three participants agreed that APTs pose a great risk by taking their time to get what they want, strangely, the capabilities of XDR solutions to fend off advanced persistent threats somewhat divided the group.
While Corné said that in his opinion a really good APT can go undetected by an XDR solution if it stays under the radar long enough, Jakub and Attila argued for the superiority of XDR over anti-APT for several reasons. According to Jakub, it’s clear to see that XDR solutions contain traces of old systems from a couple of years ago, such as anti-exploit techniques. As opposed to anti-APT, he continued, XDR is capable of quickly revisiting a huge amount of recorded data from the past based on new information simply because of the evolution of databases. He also added that while it could take some time because of the nature of APTs, if you set up a set of uncommon rules for a common tool, a lot of misuses can be detected by behavior analytics, especially in the case of pre-installed tools used by admins for example. Attila added that the biggest weakness of anti-APT measures implemented by vendors in the past was thinking of them as separate point solutions: they had anti-APT for e-mail, anti-APT for network, anti-APT for endpoints, all without any connection. They might have tried to share some threat intelligence among each other, but SOC analysts definitely didn’t have a real overview on how to interconnect all these anti-APT solutions. However, XDR does.
UBA in companies with high employee turnover rates
The discussion clearly attracted a lot of engaged viewers as demonstrated by the number of questions from the audience. The next one was about the efficiency of user behavior analytics in companies with high employee turnover rates. This time there was a complete agreement among the participants on that the data collected from an employee can still be used in XDR to find correlations in strange behaviors on the network even after they leave the company. Corné also pointed out that UBA will be able to identify the user switch and recognize it as normal behavior and Jakub added that XDR can be integrated with the company’s identity management system so the algorithms can see if a user is an admin or a regular user with limited rights and also take this factor into account.
To sum it up, Mark also weighed in saying that it’s not baseline behaviors such as checking e-mails or using Microsoft Word that XDR is interested in – it’s when a user starts demonstrating behavior that goes against their access rights, such as going through finance even though their role has nothing to do with it, that’s what XDR is tracking.
Can vendor attacks such as Sunburst be prevented?
The next question was probably the most thought-provoking one of the session: how can vendors ensure that their XDR solution will not be infiltrated and used as a gateway to their customers’ systems? The reason this question had extreme relevance is that the Sunburst attack demonstrated that even the very software that’s supposed to protect companies against breaches can be hacked, and customers are rightfully asking vendors what they’re doing to prevent that.
With RSA Security having been breached some 10 years ago, Corné voluntarily jumped in to share his personal experiences and honest views on the matter. According to him, if an attacker knows exactly the target that the XDR solution protects and manages to remove alarms to be undetected, then they will be able to get in. He claimed that every security and network interface company knows this and therefore they do a lot more in the area of protection in development and reporting and they also get certificates such as SOC Type 2, but they can never actually do enough to keep every bad guy out. As grim as his statement is, Corné ended his chain of thought on a lighter note saying that maybe small start-ups need to mature in this aspect, but the big players like the vendors at the roundtable are all taking measures as a common practice nowadays.
Mark agreed that taking measurements is vital, because if vendors can’t defend themselves against breaches, then it makes everyone in the cybersecurity industry look bad. He argued that no system in the world is hack-proof, and that the best vendors can do is detect hacks quicker to minimize the damage. As he put it: “your best day of being secure was yesterday if you didn’t get a breach”.
Is XDR better for enterprises or MSSPs?
The next question came from the audience again and aimed to assess whether XDR products are better suited for enterprises or MSSPs. As it turns out, there’s no winner and loser in this situation – both types of customers can benefit from an XDR solution, albeit vendors might have different approaches on how to assist them.
For example, Trend Micro uses the same data lake and the same methods in the background for both sectors, but they offer enterprises and MSSPs different products. For enterprises, they have a full-blown XDR solution called Vision 1, and for MSSPs and SMBs, they created a simplified interface that their customers can deploy for endpoint and mail protection more easily. In addition, Trend Micro also started a project with MSSPs called co-managed XDR, where they provide first-level support for their MSSP partners, meaning they notify them if they discover an incident, and then it’s the partner’s responsibility to take care of their customers. According to Attila, it’s beneficial for MSSPs as they will have much better understanding of their customers’ business processes and crown jewels, and they can also decide whether an attack is relevant for them more easily.
We also learnt that Paolo Alto doesn’t make such distinctions. They offer enterprise and MSSP customers the same products with only one difference: they give their MSSP customers multi-tenancy ability so they can manage their customers in completely isolated instances.
Cloud-based vs. in-house XDR
The next question on the agenda sparked a lively discussion among the roundtable’s participants: although they all fully agreed that cloud-based solutions were superior to in-house ones, everybody added their own views, which showed the complexity of the topic. For starters, we learnt that Palo Alto completely ditched in-house XDR 2 years ago because of its lack of scalability. Jakub added that although only using cloud-based solutions may have cost them a few customers, it not only solves their scalability issues perfectly and gives them the possibility to run updates almost continuously, but it also lets them keep adding new algorithms and capabilities to the whole platform, which is an even bigger benefit of the cloud. As it turns out, this wouldn’t be possible on premise unless the customer were ready to dig deep into their pocket to for the cost of staff and equipment.
Although Attila completely agreed with the issue of scalability, he argued that some organizations including government customers simply aren’t allowed to go to the cloud, and therefore Trend Micro has kept and will keep its on-premise components. He did admit, however, that as opposed SaaS, where maintaining a data lake can easily be done in an agile way, doing it on premise is nearly impossible, therefore in-house XDR solutions are inherently lightweight and cannot compete with the capabilities of cloud-based ones. As a final thought on the topic, he added that on-premise customers continue to need to be supported, but security-wise they’ll always be 3-4 months behind and might even put other organizations at risk.
According to Corné, however, even if some organizations refuse to go to the cloud, if they have the necessary manpower and resources, they can add a combination of elements like network detection response, endpoint detection, log detection, UBA, AI, and thread feed to an XDR service (like RSA does for example), and they won’t be months behind. He also added that for detection, the delay would be half a day at most, and even in the worst case scenario, where a customer needs an upgrade because of a certain kind of attack, they would be involved directly and the incident would be solved in just a couple of days. However, Corné admitted that smaller organizations like local government agencies who don’t regularly upgrade or have a team monitoring their operations 24/7 should definitely choose cloud. To sum up, it all comes down to the customer and its resources.
Hybrid XDR – endpoint and cloud detection
Another question from the viewers inquired about how much of the detection logic of different vendors’ XDR solutions is implemented in the endpoint agent and how much is implemented in the cloud. It seems that RSA Security and Trend Micro are in complete agreement on deploying a hybrid approach: both companies build detection and response capabilities into the endpoint products thus allowing them to take action in certain cases, but they need to be connected to the cloud as only the XDR platform can see the big picture and find correlations. And as for Palo Alto, Jakub added that even though they do everything in the cloud, they also recognize that disconnected agents can do quite a lot to prevent certain incidents, and as soon as the connection is restored, the collected data will be uploaded to the cloud immediately so algorithms can start searching for hidden threats.
Which XDR is the fairest of them all?
Mark’s next question aimed to find out how different vendors assess their customers’ needs and decide what XDR solutions to offer. Interestingly, none of the participants had the same suggestions, but they all made extremely valuable points.
Corné argued that since XDR solutions are not generic, there is no such thing as ‘best XDR’, or at least not at the moment. In his opinion, before buying, each company should closely examine what they need to protect, and then assess the capabilities of different XDR solutions.
Jakub took a more practical approach, and said four questions that business should ask themselves before choosing a solution:
- How many old agents already deployed on your endpoints can be replaced by the new XDR system?
- How many threats different XDR systems can detect and stop?
- How many platforms and older OSs can the agent be deployed on?
- What are the agent’s system requirements?
According to Jakub, if the customer can answer these four questions properly, Palo Alto can shortlist the possibilities to 3-5 offerings.
We also learnt that Trend Micro doesn’t look at XDR as a product, but as a strategic decision that needs to take a lot of factors into consideration, such as the data that will be delivered to the XDR data lake, the sensors that will deliver the data, and integration with the vendor’s solutions. Attila added that a good XDR solution should be an ecosystem where everything works together perfectly but it’s also important to note that no security vendor in the market can cover everything, so each business needs to pick the right components that feed their XDR.
Lightning round – will vendors ever cooperate?
The last question to the experts was a quick and straight-forward one: will there ever be a point in time when vendors will share certain behaviors with each other to protect all customers? Thankfully, the participants’ answers gave us nothing but hope:
Jakub: I hope it will happen.
Corne: In a way with MITRE. it’s already happening.
Attila: I hope so, too.
The moral of the story
As a last round, each participant had a chance to say whatever was on their mind as a sort of take-away for the viewers.
Jakub emphasized the importance of quality data from variable sources, good cooperation with different firewall types, and possibly quality machine learning algorithms. In his words, if you have all these, you’re already halfway to having a fast and efficient system against incidents.
Corné encouraged organizations not to rush into a decision that might get them things that are overdone, too complicated for them, or even unnecessary. Instead, he recommends businesses to their time to figure out what they need, what protection is expected of them, and where their risks are.
Attila’s advice was a rather practical one: if you want to convince the board or the CEO that your business needs an XDR platform, don’t concentrate on the security features, but talk about how many FTEs and resources it could save, and it will resonate with them.
And to wrap things up, Mark concluded that XDR is a value-added part of the business that helps companies mitigate risks, and thus protect themselves and their customers. He assured the audience that XDR will be with us in the future and that it will keep evolving because our threats get more sophisticated by the day.
Without a doubt, Let’s define XDR together was an informative and thought-provoking roundtable discussion that we at SOCWISE thought was a gap filler. We’d like to thank Attila, Corné, and Jakub for their time and efforts during the session – we’ve heard some excellent points and gained interesting insights to how security giants like Trend Micro, RSA, and Palo Alto think about XDR and make it work. There may be few areas where security vendors have different views or practices, but there is one thing we all agree on: every business, no matter the size, needs XDR to be safe, because cybercrime does not rest and neither should cybersecurity.
Watch how we handled a targeted attack on one of our customers