Announcements Endpoint Security Network Security

Why CISOs Should Prioritize Extended Detection & Response (XDR)

In my role as General Manager of the VMware Security Business Unit, I have the privilege of speaking regularly with many Chief Information Security Officers (CISOs) around the globe. While some face challenges unique to the specific organization over which they provide cyber stewardship, I have commonly heard three strategic imperatives shared during these conversations.

  1. Reducing risk. CISOs continue to face significant challenges in reducing the risk and limiting the scope of disruption to critical business functions that result from cyberattacks. The adversaries that target them are relentless, skilled, persistent, adaptive, and have at their disposal an ever-growing array of increasingly sophisticated, off-the-shelf tools and techniques to deploy. Adversaries hold few, if any, qualms as to who they attack and what information they steal, and they consider the brand damage and financial losses their victims suffer as chips to be wagered as they negotiate ransomware payments. The level of sophistication and persistence that was previously characteristic of attack campaigns conducted by nation-state attackers for the purpose of espionage against the few has become the norm for financially motivated attacks against the many.
  2. Reducing operational costs. CISOs operate under budget constraints while external compliance and reporting requirements ratchet up the pressure. They are focused on the need to optimize operational spending across two domains. First, the costs associated with implementing and operationalizing new security controls, along with the staffing costs associated with running those controls. Second, the costs related to both the increasing premium costs and scope of policy exclusions in the cyber insurance market. CISOs report a materially increased level of additional scrutiny by cyber insurers over their security controls and capabilities, which is driving them to prioritize additional security controls to improve their insurability and reduce the costs of premiums.
  3. Attracting and retaining talent. There is continued concern among CISOs regarding the need for skilled security professionals to fill open roles, along with the challenge of retaining valuable team members they already have on staff. Even in this contracting job market, cyber expertise is a valued and highly fought-over commodity. CISOs have an urgent requirement to improve the Security Operations Center (SOC) analyst experience in order to attract and retain talent.

When I consider potential solutions to these three imperatives, there’s one general theme tying them together – analyst experience. A better analyst experience reduces mean time to detection (MTTD) and mean time to response (MTTR) – thus reducing the risk and scope of an attack; improves the productivity of stretched cyber teams – thus reducing staff turnover and associated hiring and training costs, and provides a demonstrable set of capabilities to satisfy the demands of insurers.

For this reason, I am extremely excited to share that VMware Carbon Black has delivered a unique approach to XDR that will improve the SOC analyst experience, reduce the risk of attack, and shine a light into the previously dark corners of the environment in which adversaries hide.

Today, we announce the general availability of VMware Carbon Black XDR, the only XDR solution that natively combines telemetry from endpoint detection and response (EDR) with network telemetry, intrusion detection system (IDS) observations, and identity intelligence – all without requiring customers to rip and replace existing solutions or to add physical network taps to their infrastructure.

VMware Carbon Black XDR delivers to customers the ability to activate and immediately gain network and identity intelligence, natively combined with Endpoint telemetry. Existing customers of Carbon Black Cloud can activate XDR without any further deployment of new hardware or software, helping avoid the costs, delays, and effort involved in a traditional approach.

SOC analyst effectiveness and productivity may be enhanced. SOC Analysts use the same, familiar VMware Carbon Black console which, with XDR, provides them the additional insights into Endpoint and Network data natively combined and correlated. This will help customers reduce MTTD and MTTR, the important metrics by which we measure the speed and accuracy of threat detection and response.

The activation of VMware Carbon Black XDR transforms a customer’s endpoints into a distributed mesh of network sensors, providing network intelligence to VMware Carbon Black Cloud that covers both the ingress/egress network traffic (North/South), and the lateral traffic (East/West) related to machine-to-machine communications occurring within the customer’s environment. This is in marked contrast to many hardware-based network detection systems that are limited to having visibility of only North/South traffic and remain blind to traffic moving laterally within the network.

Commissioned research conducted by Forrester Consulting on behalf of VMware1 finds that 79% of respondents not currently using XDR identify the need to reduce MTTD/MTTR rates. This same research also found that of the users that have already adopted XDR, improved speed and accuracy of threat detection was one of their top five drivers for doing so.

VMware Carbon Black XDR helps improve the SOC analyst experience as we negate the need to switch consoles and rely on other teams to complete their alert triage and investigations. Endpoint, workload, network, and identity intelligence are all available in the same, familiar console with enrichment and analysis automatically performed at scale in the VMware Contexa threat intelligence cloud.

With the general availability of VMware Carbon Black XDR, we also address a CISO’s need to control costs. The same Forrester Consulting study found that 75% of XDR adopters found increased ROI to be the top business benefit of XDR. XDR adopters also reported a 13.9% improvement in ROI as a result of adoption, with that number increasing as adoption matures and is operationalized. Because VMware Carbon Black XDR requires no network taps or changes to infrastructure, customers can benefit from a more cost-effective approach, and one that deploys instantly, and helps speed the effective operationalization of new capabilities. Both outcomes deliver for CISOs under budgetary pressures.

Over time, we expect the deployment and effective operationalization of XDR to be recognized as a key leading indicator of an organization’s level of cyber maturity by cyber insurers. There is a current–near-ubiquitous–demand from cyber insurers for effective endpoint and workload EDR and preventative security controls to have been deployed and operationalized in their customer’s environments. In the future, we forecast that the ability of XDR to further extend those EDR core capabilities will have a beneficial flow-on effect regarding cyber insurance premiums offered to customers who have adopted XDR.

VMware Carbon Black XDR redefines detection and response and rebalances the scales toward the defender’s advantage. By delivering the ability to further reduce risk, cut costs, and improve ROI, VMware is better positioning our customers for the increasing demands of the regulatory and compliance markets.


  1. A commissioned study conducted by Forrester Consulting on behalf of VMware, July 2022
    Methodology: In this study, Forrester conducted an online survey of 1,291 IT, networking, and security decision-makers at organizations globally to evaluate XDR adoption and readiness. Survey participants included decision-makers responsible for security and network strategy and their organizations. Questions provided to the participants asked about security strategy and XDR. The study was completed in July 2022.