If you’re confused about cybersecurity tools and product categories, join the club. Security market confusion is a major side effect of years of increasingly sophisticated security threats and vendor innovation designed to prevent and respond to them. Add to that the growing use of AI and machine learning by both attackers and defenders and you have what can look like a vendor free-for-all. When the dust settles, organizations still have the same questions:
- What tools do we need to protect ourselves against threats that haven’t yet been invented?
- What tools can we replace?
Category sprawl makes evaluating new solutions difficult. When evaluating solutions, especially in emerging markets, you want to compare apples to apples. But increasingly, cyber solutions look like papples, pluots and other fruit hybrids.
Case in point: the market for extended detection and response (XDR) solutions. Here’s a look at some false dualities that are currently clouding the understanding of what is or isn’t an XDR – and whether that matters.
XDR vs. next-gen SIEM
It’s ironic that the market for XDR solutions is noisy. A primary appeal of an XDR is its ability to reduce the noise caused by the barrage of nuisance alerts and false positives coming out of legacy security information and event management systems (SIEMs) that the average security operations center (SOC) team must deal with. When introduced in 2018, the XDR was defined as extending the capabilities of endpoint detection and response (EDR) solutions to cloud communications. But the technology has rapidly evolved since then, and the “X” in XDR no longer stands for EDR extension alone.
To meet the needs of modern enterprises, EDRs must also touch operational technology (OT), Internet of Things (IoT), Internet of Medical Things (IoMT) and other unmanaged devices that can’t be agented. Legacy SIEMs weren’t designed to handle today’s heterogeneous networks.
Often, SIEM modernization is the compelling use case for buying an XDR, which in this case may be pitched as a next-generation SIEM. If your pain involves too many alerts, complex configuration, and high costs for log storage, does it matter whether you buy something called an XDR or a next-gen SIEM?
Closed vs. open XDR
XDRs are often split into two categories:
- Closed, or native, systems require the use of the vendor’s tech stack (including EDR, network and cloud) to collect the telemetry used to detect and correlate threats to analyze and response to, as needed.
- Open, or hybrid, XDR solutions rely on integrations with third parties to collect telemetry across the entire attack surface and execute response actions based on its synthesis.
This duality comes down to strategy: you’re weighing vendor consolidation (lock-in) with the ability to leverage what you already have, including best-of-breed solutions. What isn’t clear, however, is why some evaluators still suggest that open XDRs are somehow inferior to closed XDRs that stem from EDRs. Isn’t it the amount of telemetry collected and how the solution distills it down to true, actionable threats that matters? And isn’t an open XDR more likely to be capable of ingesting more telemetry from more sources?
Like the entire Forescout Platform, Forescout XDR is vendor agnostic. In addition to integrating with a dozen leading EDRs, it can ingest data from any managed or unmanaged connected devices and supports more than 180 vendor data sources. Once a true threat is detected, the platform can orchestrate an automated response across all managed and unmanaged assets using your existing security tools.
Forescout XDR ranked as an Innovator in 2023 GigaOm Radar for XDR
The 2023 GigaOm Radar for XDR evaluates both open and closed XDRs. Forescout is positioned as one of only two fast-movers in the Innovation/Platform Play quadrant and sits just outside the Leaders circle. (The GigaOm Radar is unique in that it synthesizes the analysis of key criteria and plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value.)
The report highlights Forescout’s open XDR approach that focuses on unifying data ingested from every source and leveraging the security tools you already have, including EDR:
This solution takes a vendor-neutral stance on EDR, integrating seamlessly with a wide range of solutions from the leading EDR vendors, including SentinelOne, CrowdStrike, Microsoft, VMware Carbon Black, Trend Micro, Cisco, McAfee, Sophos, Symantec, and ESET. This is a trend that is becoming more common in the XDR space as vendors focus on the unification of data instead of developing their own EDR solutions.1
GigaOm also rates Forescout XDR as Exceptional (+++) for its cloud deployment model; device discovery, case management and data ingestion capabilities; and scalability, extensibility and depth of endpoint telemetry.
If it walks like an XDR and talks like an XDR…
The duck test is an oft-invoked form of abductive reasoning. If it walks like a duck and talks like a duck, then it probably is a duck. That’s a good test to use when evaluating what threat detection and response capabilities you need. Start by defining what problems you’re trying to solve and pick the solution that fits best with your environment.
- Alert fatigue: Your SOC analysts can’t keep pace with the volume of alerts they are flooded with every day.
- False positives: Your SIEM generates too many false positives or low fidelity alerts and cannot focus on real threats/attacks.
- Speed: Your mean time to detect (MTTD), investigate (MTTI) or respond (MTTR) is too long because the tools you use aren’t integrated, intuitive or effective at detection, investigation and response).
- Efficiency: Your L1 analysts spend too much time identifying and investigating threats, using too many point products that aren’t integrated, with too little automation across the end-to-end process.
- Unmanaged, unagentable devices: Your current approach doesn’t ingest data from OT, IoT, IoMT, cloud or other data sources that it needs to.
- Cost: From onboarding new data sources to creating and tuning rules to log storage, your current approach is too expensive.
If you’re feeling turned about by market noise, bring us your top threat detection and incident response use cases and we’ll take you for a spin.
1 GigaOm Radar for Extended Detection and Response (XDR), April 2023, Chris Ray