The first SOC I toured was that of a major US bank, circa 2000. That SOC, and the many others I’ve stepped foot in since relied heavily on a SIEM to play the twin roles of centralized data collection and correlation. Later SOAR platforms were developed as richer and more capable automation engines, based on the SIEM data set.
However, being log-driven SIEM/SOARs are wholly reliant on an upstream control (firewall, etc.) reliably detecting anomalous activity and logging an event to the SIEM. Attackers focus keenly on avoiding such detection. Visibility gaps are all too common, and through those gaps and blind spots, attackers slip to steal, disrupt, and destroy. It has become increasingly obvious that SIEMs are reliable platforms for the sort of information called for by compliance requirements, but are sadly lacking as a primary, front-line tool for threat detection and threat hunting.
Enter EDR
The only constant in security is change; attackers research and employ new TTPs while defenders develop deeper skills, new processes, and better tools. One such game-changing tool developed to provide defenders with a far richer telemetry set than defenders ever enjoyed before was EDR. Carbon Black invented and shipped to market the first commercial EDR even before Gartner Analyst Anton Chuvakin “named” the market segment back in 2013. EDR shone a light into the details of what attackers were attempting to do on an endpoint and server, eliminating a dangerous blind spot where 40% of attacks start and end.
EDR’s place as a foundation for the modern SOC is now almost universally recognized, and its ability to gather and analyze detailed telemetry to detect anomalous behavior on endpoints has been modeled and applied to the realms of the network and identity. It is not unusual to find in more mature SOCs network detection (typically standalone NDR and PCAP tools), and identity analysis (usually UEBA) deployed alongside EDR (and the still ubiquitous SIEM/SOAR).
The challenge though for the typical SOC is twofold: firstly that until now capture and analysis of network traffic typically required expensive hardware in the form of packet brokers and network taps; and secondly the burden of bringing together three different and disparate data sources (EDR, network, and identity) and effectively using them to detect and respond to an attack early and accurately fell on the shoulders of the SOC Analyst, leading to stress, burnout, and missed signals.
Together endpoint, network, and identity telemetry provide a powerful detective triad for SOC Analysts to use to find attacks, but defenders need a better way than to rely on standalone EDR, NDR, and UEBA.
Enter XDR
XDR (Extended Detection & Response) provides the means to combine endpoint, network, and identity data. XDR is the logical next step from EDR and delivers enrichment of captured data by mapping it to the MITRE ATT&CK framework of TTPs and adding appropriate meta-data tags, the correlation across the three data types, and automatic response to an alert. XDR also provides a deep, broad, and forensically useful data trail useful for root cause analysis of an attack.
Like any new tool introduced by our industry, XDR is often “different things to different people” and there remains some confusion as to what XDR is and is not. Let’s clear that up.
XDR does not replace the SIEM/SOAR, which remains useful as a central data store for compliance reporting and for some forensic activities. Organizations have typically invested significant time, effort, and money in the operationalization of SIEM and SOAR. It is unreasonable to expect that they will rip and replace the SIEM and SOAR to achieve XDR.
Nor should XDR require the addition of yet more disparate tools. A shocking statistic is that on average a typical organization has 47 security tools deployed, and 70% have added five tools in the last twelve months. Considering that trend it ought not be surprising that 95% of attacks involve a vulnerability or blind spot available to the attacker to exploit due to misconfiguration and misalignment between the many controls 2. Further, I would argue that anyone new security control needs to replace two or more existing controls; we need to simplify and improve the SOC Analyst experience, not add to the confusion and the management burden.
In delivering VMware Carbon Black XDR to market we have built on our legacy as a pioneer in EDR. Carbon Black XDR transforms a fleet of endpoints into a distributed mesh of network sensors, each collecting endpoint, network, and identity telemetry, streaming that to the Carbon Black Cloud where we natively correlate, enrich, and analyze these three data sources. All without network configuration changes, without the need for expensive network taps and packet brokers, both of which are architecturally unsuited for the post-COVID, distributed workforce, and multi-cloud world we now live in.
Carbon Black XDR provides the SOC Analyst more visibility. Our approach to XDR adds network and identity telemetry to the existing EDR data, providing the means to identify hidden & highly sophisticated attacks. Carbon Black XDR speeds Mean Time To Detect and Respond (MTTD/MTTR) and allows the SOC to better track and understand attacks that target multiple systems. Importantly, Carbon Black XDR is by design an open ecosystem; integrating with and adding value to the existing SIEM and SOAR, and follows a design philosophy that there will be third-party tools and additional data sources that will further extend XDR.
In summary; XDR builds on and is a natural and logical extension to EDR. It neither replaces SIEM/SOAR nor should require you to add yet more disparate tools. In fact, the idea of relying on hardware tap-based approaches to capturing network traffic just doesn’t work today, given our approach to production workload architecture and to the way end users connect from anywhere.
You may hear varying definitions of XDR over the coming months as this industry sector gains prominence. To cut through all that just keep asking the same two questions: “Will I be required to add more complexity and burden to my SOC by adding more tools?”; and “Am I being asked to rip and replace trusted tools that I have already invested so much in?”.
Improving the SOC Analyst experience requires an evolution from EDR to XDR, but at VMware Carbon Black we don’t believe it should require a change to everything you do.
