Data Expertise Is the Foundation of Good Threat Detection

Jul 13, 2022

The extended detection and response (XDR) space has exploded over the past two years. Competitors from both the endpoint detection and response (EDR) and the security incident and event monitoring (SIEM) spaces are seeking to capture a market designed to provide threat detection and response capabilities across your security infrastructure.

One of the primary differentiators we see in these XDR offerings is when log data is aggregated:

  • Traditional EDR vendors seem to be gravitating toward a security orchestration automation and response (SOAR) capability to aggregate data in response to an alert.
  • SIEM vendors aggregate data ahead of time for a number of use cases, but don’t have endpoint agents. They struggle to do more than post-alert correlation themselves.

While both of these approaches are able to provide environmental context to alerts, where the technology began will have a direct impact on where these solutions can go from here.

The Importance of Expertise

A majority of cybersecurity companies sell point solutions as a consequence of how innovation occurs. Someone comes up with a product idea, gathers funding, builds said product, and hopes to get rich through acquisition or IPO. Most single product vendors moving into the XDR space don’t have the native expertise to build a true extended detection and response capability because these companies aren’t equipped to perform detections better than the point solutions they are aggregating from.

This, more than anything, is why we’re seeing EDR vendors architect their XDR solutions around post-alert aggregation instead of developing a comprehensive security analytics solution that would be able to provide a detection capability beyond the sum of your security infrastructure parts. Similarly, SIEM vendors generally don’t have the endpoint or the network expertise, which is why this segment performs poorly in endpoint evaluations, such as the MITRE ATT&CK Evaluation.

Network Expertise Is an Important Edge

Endpoint detection is great when it works, but it is very likely that there are unmanaged assets you may not even know about yet. The only way to get full visibility into your infrastructure and provide environmental context is to include network data, which not only improves your asset management capabilities but also improves threat detection. For over a decade, Palo Alto Networks has been building Layer 7 devices that have allowed us to understand behavioral activity across the network from Layer 2 on up. This expertise isn’t something we believe our competitors could easily obtain, even through acquisition.

To reinforce this point, building Cortex XDR required a multi-year journey that was the product of three different acquisitions (Cyvera, LightCyber and SecDo). We are very proud of how well Cortex XDR performs as an EDR solution. Even looking favorably at how our competitors keep score in the annual MITRE ATT&CK Evaluation, it’s clear Cortex XDR is a leader in the EDR market. What endpoint vendor could say the same from a network perspective?

The Benefit of a New Architecture and What This Means For You

XDR as a market segment isn’t the end-all. XDR and SIEM are on a collision course, if for no other reason than organizations just can’t afford to be sending logs to multiple locations to satisfy multiple use cases.

From a SOC strategy perspective, it’s critical to build toward an end goal, especially with the lock-in you experience with multi-year contracts and other initiatives you need to fund to mature your security capabilities. This is why it’s so important that Cortex XDR is a purpose-built solution, leveraging a data lake designed to improve upon customer outcomes in both the XDR and SIEM markets.

The vision for a unified security operations capability that combines both XDR and SIEM capabilities is something we call XSIAM. There’s more to it than that, but focusing on where you’re sending your data, the Cortex Data Lake offers one platform for your entire customer journey. If you just want to send your endpoint data, we can do EDR things for you. As your needs evolve to needing XDR and eventually migrating all your logging into XSIAM, your data is in one place, making this customer journey about the person that matters most… the customer.
