Brought to you by:
Enterprise Strategy Group | Getting to the Bigger Truth™

ESG WHITE PAPER

XDR: Spawning a Disruptive Modernization of Cybersecurity

By Dave Gruber, ESG Principal Analyst
JUNE 2022

Security Operations Teams are Reaching a Breaking Point

Despite ongoing investment into their security programs, security teams report that security operations have become more challenging over the past two years. When asked why, the rapid growth of their attack surface leads the list, challenging current security controls and creating new opportunities for adversaries to locate vulnerable devices and cloud infrastructure. Recent ESG research shows that the leading entry point for successful ransomware attacks is minimally managed or vulnerable infrastructure. Capitalizing on this growing attack surface, bad actors are upping their game, employing more sophisticated tactics, techniques, and procedures (TTPs) previously associated with nation-state attacks. These low and slow attacks often leverage unknown, vulnerable, or misconfigured assets as an entry point; overprivileged user accounts or workloads to move laterally; and living-off-the-land-style attack strategies that leverage trusted software to carry out malicious activities. These TTPs are now supported by a sizable criminal ecosystem, making sophisticated attack TTPs available to everyday criminals.

As security teams face a diverse number of attack surfaces in a more sophisticated threat landscape, threat detection and response has become more challenging. Adding further complexity is the growing adoption of more siloed security tools, resulting in a massive increase in disconnected security data and alerts, leaving most teams overwhelmed with alert triage, correlation, and investigation. The result is slow or missed detections, longer dwell times, and response activities that are often late in mitigating risk.

SOC Modernization Strategies

Security teams have long recognized that gaining visibility into threat activity requires solution that allow analysts to view signals from multiple attack vectors, including but not limited to network, endpoint, cloud, identity, and email. In an effort to gain this visibility, many security organizations have invested in aggregating security telemetry from their many security controls, utilizing SIEM solutions, custom-built data lakes, and other point tools. Despite these efforts, many organizations still report challenges, including a lack of advanced correlation and analysis capabilities, a lack of data engineering and rules engineering skills, and a need for more advanced security skills to derive value from these vanilla data repositories.

During this same timeframe, endpoint detection and response (EDR) solutions have become widely adopted, laying the groundwork for detection and response automation, with 63% of organizations reporting EDR as a core capability within the endpoint security solution used by their organization. Yet despite broad adoption and use of EDR, rapid and continued attack surface expansion combined with a more sophisticated threat landscape has left most security teams wanting more.

These challenges are motivating 95% of organizations to establish a formal budget to invest in XDR solutions within the next 24 months as a path to provide out-of-the-box capabilities that can aggregate, correlate, and analyze security data from multiple security controls together with rich threat intelligence to automate and speed detection and improve cross-platform response for all types of modern threats.

The Promise of XDR

As XDR solutions evolve in the market, security architects are faced with many choices and definitions of XDR. ESG defines XDR as an integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection, and response. XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.

ESG Defines XDR

ESG research reports that simplified visualization of complex attacks and understanding how they progress across a kill chain as the most appealing XDR solution capabilities (see Figure 1). Organizations further crave efficiency improvements, looking for improved analyst throughput, more efficient alert triage and prioritization, and convergence of multiple existing security operations tools.

Figure 1. Most Appealing XDR Capabilities

Which of the following XDR capabilities are most appealing to your organization? (Percent of respondents, N=339, three responses accepted)

Source: ESG, a division of TechTarget, Inc.

ESG research tells us that endpoint and cloud data lead the list of what security teams believe are most critical to support detection and response. Research further notes that a top priority in early XDR implementations is cloud security data, as many organizations have blind spots in their cloud infrastructure.

ESG believes that the growth and maturity of endpoint detection and response solutions is a key driver supporting the endpoint data priority. While XDR provides a new horizon for the breadth and scope of security operations automation, many of the core capabilities expected in XDR solutions were born from EDR solutions, including automating alignment of threat intelligence, rich visualization of threat paths, automated containment actions, automated recovery, and more.

But while EDR solutions may have paved the way for XDR, these solutions are bringing new levels of automation, visibility, and scalability needed to drive SOC modernization in support of the growing attack surface and escalating adversary activities. But the journey to XDR brings its own new challenges, first and foremost, the need to significantly scale the data ingest and analytic capabilities. XDR solutions require a highly scalable data and analytics layer, supported by an extensible data pipeline, capable of ingesting security data from every aspect of the business together with rich threat intelligence and contextualized risk data.

Further enhancing the XDR agenda is the addition of the identity and access perspective, helping security analysts see and understand credential theft, privilege escalation, and gaps in core identity and access mechanisms, such as Active Directory, a technology used by 9 out of 10 organizations.

Bringing this new level of scale, extensibility, analytics, and automation to security operations has the potential to redefine and modernize the SecOps function and the core operating infrastructure that supports it. This quantum leap in capabilities and scale is driving enormous momentum behind the XDR movement.

Cloud + XDR

The accelerated move to the cloud has massively expanded the attack surface for most security teams. However, this particular part of the attack surface, varies from traditional targets, in that:

• Security is a shared responsibility, with some aspects owned by the cloud service provider and others owned by the customer (see AWS Shared Responsibility Model).

• Application development teams now deploy workloads and configure cloud infrastructure through code.

• Increasingly containerized workloads orchestrated by Kubernetes facilitates business agility, further accelerating the pace of change.

• The volume and fidelity of cloud infrastructure telemetry can be exponentially larger than other security controls and cloud service providers make it cost-prohibitive to transfer these logs outside their boundaries.

New application development and deployment models are enabling net-new business capabilities to be introduced through applications and infrastructure in unprecedented timeframes. However, at the same time, these accelerated development and deployment models have left many with vulnerable cloud software and/or configuration, creating a prime entry point for attackers.

Gaps in Cloud Visibility

Gaps in cloud visibility are motivating 43% of organizations to begin a net-new XDR project by implementing a solution with threat detection and response capabilities for cloud-based workloads and SaaS with the hope that XDR could help close the visibility gap.

ESG research reports that security teams are struggling to keep up with cloud infrastructure and application deployment, leaving many with significant visibility gaps in their cloud application and operating infrastructure. Correlating cloud service provider logs with telemetry from endpoint, network, and other controls is challenging for most. Understanding attack strategies and specific TTPs leveraging cloud resources further requires a new level of threat intelligence and analytics that goes beyond traditional device and workload analytics. These gaps cause 43% of organizations to begin a net-new XDR project by implementing a solution with threat detection and response capabilities for cloud-based workloads and SaaS with the hope that XDR will help close the visibility gap.

XDR Strategies

The XDR movement has motivated many security vendors to introduce new XDR offerings, while others are rebranding existing offerings to align with the XDR movement. Without an industry-wide, consensual definition of XDR and with an array of varying solution capabilities labeled as XDR, significant confusion exists within the market about what XDR is and what it can do. Further confusion has come from industry analysts with overlapping or conflicting definitions of what lives within the scope of XDR, SIEM, and other security operations automation tools.

While individual security solution providers contribute to the overall XDR movement, each provider brings its own specialized center of expertise, often anchored by core security controls or functions, including endpoint, network, cloud, or analytics. ESG believes that XDR is not a one-size-fits-all solution category and that different XDR solutions can provide better support for specific security strategies depending on the needs of an individual organization.

ESG takes a broad perspective on XDR, focusing on a core set of processes and outcomes associated with threat detection and response. ESG sees XDR as an outgrowth of the broader security operations and analytics platform architecture (SOAPA) (see Figure 2).

Figure 2. SOAPA: Security Operations and Analytics Platform Reference Architecture

Source: ESG, a division of TechTarget, Inc.

Because individual XDR solutions are focused on delivering various aspects of SOAPA, ESG also classifies XDR solutions into the following three categories based on what they support:

Full-stack XDR. This includes multiple preventative controls, plus detection and response.
Overlay XDR (often referred to as Open XDR). This is an analytics-only detection and response solution that overlays onto existing preventative controls.
Alliance-driven XDR. Solutions anchored by one or more core controls with formal partnerships that enable full threat-vector coverage, plus detection and response. Since these solutions often use an open approach, they are frequently positioned as Open XDR solutions.

Choosing the Right XDR Solution

Choosing the right XDR solution will depend on individual security objectives and strategies. For many, convergence is a key objective, looking to minimize the number of tools and favoring platforms over niche functional requirements. For some, cloud investments may drive XDR solutions that can help quickly close gaps in cloud visibility. And for others, migrating from existing endpoint detection and response or network detection and response (NDR) investments may motivate organizations to first look to existing security vendors to provide XDR solutions. ESG research proves this out, with 56% of organizations currently working with their EDR provider to evaluate their XDR offering, while 41% have plans to work with their current EDR provider to evaluate their XDR offering.

When thinking about leveraging an XDR solution to improve security operations and, more specifically, to improve detection and response, organizations should consider the following factors:

• First and foremost, XDR is about improving threat detection and response. While there are many third-party assessments available for various security solutions, ESG believes that MITRE EDR detection testing has emerged as the most credible, unbiased measure of attack detection capabilities, and therefore recommends that security teams prioritize recent MITRE testing results in the tools selection process.

• Second, XDR solutions and the data engines that serve as their foundation must be scalable. At the heart of XDR is data ingestion, correlation, and analysis, so organizations need to consider the size and scale of their attack surface and the associated security data generated from it, as well as other various sources of context such as threat intelligence, to ensure that an XDR solution can support current and future needs. Organizations should consider the number of existing security tools in use, the number of customizations required, and the growth expected in the coming three to five years. Ideally ingested data resides in a single data lake without duplication, is accessed via one interface, is usable without undue lag, and is architected in a way that a long, retrospective view is both accessible and affordable for both compliance and investigative reasons.

• Third, an XDR solution must align with the composition, scale, and complexity of an organization’s IT infrastructure and attack surfaces. Device diversity, cloud adoption and diversity, network complexity, and application complexity all factor into XDR solution fit. Security teams can maximize existing security investments with more open approaches to XDR.

• Fourth, staffing and skills availability need to be factored into the decision. Organizations with larger, more skilled security teams may desire XDR solutions that are more customizable and offer more expert functional capabilities. Organizations with less available staffing and skills will likely seek out solutions that are more automated and that provide out-of-the-box integrations with other security tools. Offerings with integrated managed detection and response services may also be attractive. As operator fatigue is a real industry problem, automation and consolidation (dare we say simplification), are noble and achievable goals.

• A fifth and final consideration is the sophistication of the rest of the security stack. Integrated security solutions both increase efficacy and reduce complexity, leading to more efficient security operations.

Introducing the SentinelOne Singularity Platform

SentinelOne provides a comprehensive XDR platform, offering a single-agent approach to prevention, detection and response, and hunting across endpoint, cloud, network, and identity coupled with critical automations. Underlying the platform is a scalable data management architecture capable of ingesting and analyzing massive data volumes and making this analysis available for long periods of time to meet compliance and investigatory requirements.

The recent acquisition of Attivo Networks adds identity threat detection and response to XDR to halt the misuse of identity infrastructure, and further supports growing zero trust initiatives.

SentinelOne Storyline stitches together attack sequencing, providing security analysts with a clear line of sight into active threats while supporting rapid threat investigation and response. Also included is a native query language, helping to simplify threat hunting and investigation activities. Automated Storyline Active Response (STAR) custom detection rules help analysts keep a constant watch for noteworthy and suspicious situations needing a deeper look and can automatically block or contain threats matching specific behavioral patterns. Remote Script Orchestration (RSO) provides fully customizable interactions with all major OSes at scale.

Helping to accelerate response activities, the platform offers automated and one-click, easy-to-use response actions to help simplify remediation without requiring scripting.

And finally, Singularity XDR enables enterprises to leverage existing security investments with an open architecture that integrates with various best-of-breed ecosystem partners to deliver extended protection across the entire enterprise security estate.

The Bigger Truth

IT modernization, world events, and the rapid move to the cloud are challenging security teams to operationalize effective detection and response programs capable of keeping up with a rapidly expanding attack surface and a progressively more complex threat landscape. As adversaries amp up attack strategies involving multiple aspects of IT infrastructure centered around device and cloud, a new level of multi-vector visibility and analysis is needed to flesh out sophisticated attacks. SOC modernization is required.

The XDR movement is accelerating new automated SOC offerings designed to address the current gaps in detection and response solution strategies. The security industry has embraced the need for XDR solutions, with most vendors offering some level of XDR support. As XDR continues to evolve and take shape, early demand for cloud visibility and threat detection is leading many organizations to focus on solutions that bring specialized cloud data, intelligence, and correlation that offer clarity around attacks involving both device and cloud.

For organizations that have significant investments in both device surfaces and cloud surfaces, ESG recommends security solutions that can correlate and analyze these two critical security data sets. ESG recommends organizations explore solutions like SentinelOne Singularity XDR from SentinelOne that prioritize cross-surface visibility and context alongside integrations across an organization’s technology stack.

LEARN MORE

DOWNLOAD PDF REPORT

This ESG White Paper was commissioned by SentinelOne and is distributed under license from TechTarget, Inc.

All product names, logos, brands, and trademarks are the property of their respective owners. Information contained in this publication has been obtained by sources TechTarget, Inc. considers to be reliable but is not warranted by TechTarget, Inc. This publication may contain opinions of TechTarget, Inc., which are subject to change. This publication may include forecasts, projections, and other predictive statements that represent TechTarget, Inc.’s assumptions and expectations in light of currently available information. These forecasts are based on industry trends and involve variables and uncertainties. Consequently, TechTarget, Inc. makes no warranty as to the accuracy of specific forecasts, projections or predictive statements contained herein.

This publication is copyrighted by TechTarget, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of TechTarget, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact Client Relations at cr@esg-global.com.

Enterprise Strategy Group | Getting to the Bigger Truth™

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.