Podcast
    Threat Intelligence

    Get Cyber Resilient Ep 96 | The wonderful world of XDR - with Jason Duerden, Regional Director for SentinelOne ANZ

    Jason Duerden, Regional Director for SentinelOne ANZ, joins the podcast this week to lead us through the wonderful world of XDR (extended detection and response).

    CR_podcast_Jason_Duerden.jpg

    Jason takes us through the evolution from Endpoint Antivirus, through EDR to what XDR means today.

    We cover the overlap and the confusion with SIEM and store technologies and where all three fit in the grand scheme of things, and then peer into the crystal ball to understand Jason’s view on the future of XDR.

     

    The Get Cyber Resilient Show Episode #96 Transcript

    Garrett O'Hara: Welcome to the Get Cyber Resilient podcast. I'm Gar O'Hara. Today we cover the wonderful world of XDR with Jason Duerden, the regional director for Australia and New Zealand for SentinelOne. Jason takes us through the evolution from endpoint AV through EDR to what XDR means today. We cover the overlap and the confusion with SIEM and store technologies and where all three fit in the grand scheme of things, and then we round out the conversation with a future view of XDR. Over to the conversation.

    Welcome to the Get Cyber Resilient podcast. I'm Gar O'Hara. Today we are joined by Jason Duerden, the regional director of, uh, SentinelOne for Australia and New Zealand. How you going today, Jason?

    Jason Duerden: Hey Gar. Nice to be... Nice to be back on the podcast. Hope you're well. Thanks for having me.

    Garrett O'Hara: It is fantastic to have you again. Would you believe it was October 2020 the last time you were on, so it's been a little while, but, um, yeah, good to... good to have you on. We're- We- We sorta discussed and we kinda said we would just point people towards your bio from last time around and, you know, for the extended director's cut of the bio. Um, but, uh, yeah, just to catch people up on the last couple of years, what's- what's been going on?

    Jason Duerden: Yeah. I mean, um, like everyone, the craziest two years of your life. I think at least in our generation [laughs]. Um, but you know, very simply joined SentinelOne, uh, almost a year ago now, right? Um, having been in, you know, the security industry for quite some time. It's a really exciting place to- to- to be and, you know, really on the precipice of the evolution of endpoint and EDR, and so obviously what we're talking about with XDR. And, um, I was lucky enough to experience the company's IPO last year, which I think, if your... if you're in our industry on the... on the- the vendor side in whatever role you're in, is a pretty cool experience to go through at some point in time, um, in your career. And it was, uh, you know, obviously a privilege to- to here such a short period of time and for that to happen. But it was, uh, really cool and exciting for all the people who have worked so hard, uh, within the company to achieve the success that we have. So that was... that's been a really cool experience.

    And then we've been, you know, busily building out our presence here in- in Australia and New Zealand, so it's, uh... Yeah, it's been a really, really good couple of years and, um, I think we're coming back to normal a little bit now, so I'm excited for- for getting back to normal, I guess, you know, interactions with people out there in the market with some of the conferences and things that are coming up. So yeah.

    Garrett O'Hara: Yeah, that's- that- that is awesome. My last two jobs, would you believe, I joined literally almost one calender month post-IPO. Couldn't believe it. Um, yeah, both times. I, uh, feel like I, uh, got some magic properties where I just miss the, uh, [laughs] miss the pre-IPO, uh, joining.

    Um, look, you know, today we really wanted to talk about XDR. Obviously that's, you know, SentinelOne's, kinda, sweet spot and what you guys are known for. Um, what I thought we- we could do though was to kinda maybe just step back a little bit and actually go back to EDR and just get a primer on that. You know, kind of what is EDR versus, air quotes, "legacy" endpoint protection. Um, and you said as a, kinda, way into the conversation then on XDR.

    Jason Duerden: Yeah. I mean, it's, uh, it's kinda the market of the three-letter acronyms, right?

    Garrett O'Hara: [laughs]

    Jason Duerden: We- Or sometimes four, depending if you say next gen AV, or EPP, or EDR, XDR. It's pretty confusing. Um, I mean I think the simplest way to explain that is there's really three... there's really three definitions I would... I would view, is... AV is the past, so antivirus is the past, which is really about protection. EDR is the present, which is all about detection, response, and resiliency. And then XDR is the future, right?

    So if we kinda break it down a little... in a little bit more detail, you have, uh, next generation tools which have been very human dependent, and legacy tools which have been very human dependent. So the evolution of that market is moving towards this notion of autonomy, right? Autonomous, sort of, technology, and- and that's really what we bring to the forefront and what we, kinda, talk about at- at SentinelOne.

    But if you look at it over history, it's- it's probably the security market which has been the most ripe for innovation and disruption of all. Right? Because the market was created in, you know, the '80s, came to, sort of, prominence in the '90s, um, and it took until, you know, 2010 or the mid-2000s, kinda, era for- for innovation to really occur. But that was also driven by, um, what was happening in the market in terms of on the adversary side. It was pretty simple to- to stop malware and- and threats when there are only a few hundred that were sorta happening out there in- in cyber world. But today, as you know, there's, you know, millions every single day. Hundreds of thousands of organizations get hit with an incident all the time and it's because of that obsolete approach, right? That obsolete, signature based technology approach. So that's kind of, I guess, the evolution.

    Um, if you kinda fa- then fast forward to where we are today, this part of the market in terms of EDR and XDR really s- I would say, took full flight 2016, 2017. So pretty new, right? Like, it's really-

    Garrett O'Hara: Yeah.

    Jason Duerden: ... really recent, but has totally revolutionized the way that we think about security, and I think across multiple sectors, right? Not just endpoints. Like gateways, email, whatever it may be, where the endpoints really become the central... the central point, right? Because e- especially with COVID, network isn't the ame. The endpoint is the edge, et cetera, et cetera. We know how that's kind of played out over the last few years.

    Um, but if you think about the opposing s-... opposing approach is, you had that AI for prevention. AI for EDR is two separate markets at that point in time, right? You really had a next gen AV market and then the endpoint detection and response market. It's a little bit controversial to say, but you could possibly say EDR back then, in its first inception, was really a fancier version of legacy endpoint. Right? Because EDR for the most part was still driven on known quantities. Right? Indicators of compromise, indicators of attack, uh, you know, tactics, techniques, procedures, TTPs. All of these things are still known. So if you think about traditional EV, you know about a signature, you stop the bad thing. In EDR you know about a behavior or you know about a rule and you stop the bad thing. Right? It kinda just became a fancier version based on some- some better intelligence.

    Um, what I would... what I would preface today is, not all of that has transpired into XDR that is now existing in 2022, right? So not all of it's created equal. And I really think the... You know, not to sell SentinelOne too much for the differentiation point, for us, in changing that model was the behavioral AI capabilities, right? So moving away from that IOA, IOC, TTP model, or signature model, whether you're an AV or an EDR, to context driven detection based on machine learning. Um, and what that does is allows... And this... You know, we do it very well. It's not necessarily totally unique, uh, only to SentinelOne in every cybersecurity realm that ever existed, but it's quite unique to us from an endpoint side.

    And what that does is, when you start to look at it from a context perspective, it removes the dependency on what you could call atomic detections. You know, one or two things individually which maybe seem bad. Which more than likely are false positives, 'cause that's a huge problem in security. A lot of good things look bad and a lot of bad things look good, right? How do make the choices. So one or two things in a sequence isn't probably something you should be concerned about, but three to four to five things in a sequence, that's when you're actually able to make judgment calls based on context, rather than detections based on atomic actions, if that kinda makes sense. So, um, that's really where I've seen the pivot and the shift, and that's- that's really what, you know, kinda, XDR is delivering into the future.

    Inside of that context means that we can start to remove the humans from it. So something that I think we'll talk a bit about today is- as what's the future with XDR, is-

    Garrett O'Hara: Mm-hmm.

    Jason Duerden: ... to try and remove humans from the equation as much as possible. You know? And I remember we talked about this a couple of years ago. You know, by human nature where we're greedy and, you know, we like to feel important and special. And- And we should, right? We are a pretty- pretty amazing, um, species. But the reality is where, you know, we're slow, sometimes we're tired, we make bad choices, we are hung over or we've had a fight with our spouse or whatever it may be. But also, in terms of that response so that our piece, um, it could take minutes, hours, days, months, right? Like, we've seen... we see reports all the time when, you know, IBM security report or something comes out, that the average... the average detection and dwell time is sometimes like 200 days, and crazy things like that. And it's because of humans, right? 'Cause they're so dep-... so much dependency on us just to filter the noise and make the right choices that really the- the promise of XDR, based on that behavioral AI capabilities, the context to remove humans as much as we can, right?

    So it's pretty cool. It's great to be a part of the market. And, like, even five years ago, having this conversation would've probably been, uh, a little bit foreign. And I think if I wound myself back to five years before that, having a conversation where antivirus leveraged machine learning was probably a foreign... a foreign conversation. So it's like... it's crazy innovation in the last few years, right?

    Garrett O'Hara: Yeah, it really has. And i- it feels like, uh, we've- we've welL and truly gone past the hype cycle when it comes to technologies like machine learning and- and more broadly AI.

    Jason Duerden: Yeah.

    Garrett O'Hara: Um, and I've made this comment a bunch of times on the pod. You know, we- we definitely got over our our skis as an industry and you- you couldn't go to a talk, you couldn't... you couldn't do anything in cyber without ML, you know, appearing somewhere along the way. And it was... it- it was... it was probably a little bit early, but it does feel like, um, to your point, this complexity in how we operate as businesses, right, the digital interconnection of businesses to each other; everything is digital these days. And the systems that are built on there are incredibly complex in the way that they- they just weren't. You know, that- that's the reality. They just weren't 20 years ago.

    And all those connection points between, you know, company A and company B, C, D, up to, you know, however many companies they are connected to, all the channels we have available to us now, whether that's email or, uh, web apps, web, you know, pure web, um, Slack, Teams, like, there's so many different, sort of, entry points that, uh, I totally agree with you. Like, you hit a point where this just... the- the- the capabilities of, uh, you know, these kind of machines that are based on, you know, carbon ends imperfect, um, days and lack of sleep, to your point, and caffeine. Like, how would you ever expect a human to be able to do that?

    So is that... is that where we're going? Like, 'cause it sort of seems like that's kinda the thrust of your point, is that we're moving from very, kind of, defined lists of, here, if we see this, do this, whereas now we're moving into much more of a, look for the patterns, look for... look for a signal in all this huge amount of sea of noise. And that- that's kind of the evolution that we're gonna continue on.

    Jason Duerden: Yeah. I mean, I think there's always gonna be a place for reputation. Right? There's always gonna be a place-

    Garrett O'Hara: Yup.

    Jason Duerden: ... for black list and reputation, because if you know about it, why wouldn't you stop it that way? Like, it's easy, right? It's really, really simple. And that... like, even, you know, in endpoint, the- the ability to move reputation from the device to the cloud, there's been a huge improvement in performance, right? 'Cause you don't have to have these giant DAC files that sit on... sit on devices and download them every single day. So reputation will- will continue, always continue to exist. Obviously that's, uh, always gonna be reactive, right? So that's why we can't rely on that as the... as the protection mechanisms.

    But certainly the- the notion of moving towards, uh, pattern... uh, I would say patterns in context is really where this comes in. So patterns still... patterns still require known knowledge, right? Like, all of these things, you know, we kinda go through the evolution of signatures to heuristics to basic ML to advanced ML. whatever you decide that means for yourself. Um, but a- all of those things still require some form of training or definition, and- and that- that won't necessarily change. But what- what does change is the way that you consume the information to make the choice. So the context engine is really important about, like, let's say, for example, you're... you know, you're using a device, you open an email, um, you open an attachment and, you know, there's a script that fires off in a... in a macro that's in the document. Or whatever. Like, so the macro runs a script. And it doesn't necessarily do anything. Is that malicious? Maybe. Right? Is it... Is it good? Maybe. If it doesn't do anything, is it some that needs to be concerned about?

    So the context around that is like... there's no actual impact to the device, but just because it looks like it's malicious but hasn't done anything, doesn't make it malicious. If that makes sense. So- But the context of, if that continues to unfold and there's actually a file that's pulled down and then that's a... just a general workstation in a hospital that's a reception desk, or something like that, the context of how that's unfolding makes it bad. Right?

    So what that allows to do is it takes away the need for the human to have to create the context. So you know yourself, when you go and you talk to organizations about security, you're always talking about context in- in the... in the design principles of their business. Right? So what's important for the context of how you operate. Because developers inside of a certain company or receptionists or accounting people or finance, all their systems act a little bit differently based on the context of how they do the job. So that's what we're really talking about, it being able to make not only accurate decisions, but context driven decisions so that when the human is interacting with the output, the signal, the actual noise ratio is- is pretty well... not [laughs]... it's never gonna be gone completely, but at least the signal that's coming through, you have a higher level of confidence because you know it's being driven from a context or analytical decision making process.

    Garrett O'Hara: Yeah. Yeah, that makes sense. We- With- As you talk about context, where my head goes on that is, there's- there's probably... I mean, the- this context of the type of organization, I think you mentioned, like, a healthcare, say a hospital.

    Jason Duerden: Mm-hmm.

    Garrett O'Hara: And, you know, many hospitals will operate the same. Like, the context for them as a, sort of, vertical, the communication pairs, the systems they would use, would be sort of similar. Same in, you know, fintech. You know, there's- there's organization types where you- you... Is it fair to say you could start to pull super patterns? Or I don't know what you... what you would even call them. But, like, you know, patterns for something higher than the indivi-... you know, the organization or even the individual. You know, as you're talking there, I'm thinking there's probably a type of person which is a doctor, there's a type of person which is a [inaudible 00:16:33], um, admin, there's a type of person that's, say, an accountant and a programmer and they- they would have, sort of, operating parameters that you would expect within some sort of sense that would you operate similarly? Or is that, you know, sort of not realistic?

    Jason Duerden: No, I think that's realistic for future- future development in... you know, in- in machine learning. I don't think it's c-... we're quite at that level yet. But the example of that today would be, like, taking static machine learning for malware detection, right? Like, e- every organization in the world uses Windows, Mac or Linux operating system in one- some way, shape or form, right? Windows being the dominant... the dominant version of that. And there are hundreds of millions of files for all of those. Well, Windows probably. Mac and Linux a little bit less. But there's a lot of data- data points that's available for those types of operating systems.

    Now, there's specific applications for health or finance or critical infrastructure or whatever, like, based on the needs and use cases of those environments, but at the end of the day they're still functionally running on a particular type of foundation or operating system.

    So if you look at static machine learning, static machine learning is able to generically learn about malware and files and executables and documents and all those sorts of things, to make a decision between good and bad. But the refinement of machine learning does take into account the customization of applications which are written for specific use cases. Like in health, you know, you might have custom apps or apps that are built by-

    Garrett O'Hara: Yeah.

    Jason Duerden: ... providers that aren't necessarily built in the best way. And, you know, machine learning would probably say that there's some issues with that, but we kinda train and develop machine learning to understand the context of that particular application applied in that particular environment.

    Now, um, you know, how that transpires into a person, I think we'll see over the next few years as that technology develops. But on the behavioral side you move from looking at operating system and file structures to- to the ho- a- a- holistically the device, right? And the way that n- the device is interacting. And there's examples of- of a behavioral models working on the network level as well, right? Looking at, you know, east, west kinda traffic and normal patterns and normal connections. So that is already kinda happening from a... from a non-profile based, or from an asset based viewpoint. But I think moving into the human element of that is- is probably on the next frontier. Like, that will be pretty- pretty close to come through. So-

    Garrett O'Hara: Yeah, definitely. When- When XDR is a- as... is a topic, and, you know, I've heard this quite a few times, gets mentions, um, one of the- the sort of first questions that pops into many people's heads is in, like, sort of a version of a SIEM. You know, you're taking... you're taking telemetry from a place. Um, and you know, is there overlap there in terms of utility? Um, like, what's- what's- what are the big differences? Clearly, I mean, a see... a SIEM is not a... is not gonna do what an XDR, uh, approach would, but it would be good to, kinda, get that one out of the way. Like, you're- you know, w- what is the delta, what's the difference between a- a SIEM, um, and XDR?

    Jason Duerden: Yeah. I mean, you're definitely right [inaudible 00:20:04] that's usually the first question, is- right? Is, like, how... You know, is this... is this replacing my SIEM or is this a SIEM? And, like, kinda, what is a... what does that look like? There's probably... I mean, there's a sh-... there's a short and a controversial answer. So I like being a little bit controversial, so I'll give you both.

    Garrett O'Hara: Of course. [laughs]

    Jason Duerden: I mean, it feels... [laughs] That's always fun.

    Garrett O'Hara: We- We'll just edit it out so only the controversial answer's there.

    Jason Duerden: Yeah.

    Garrett O'Hara: [laughs]

    Jason Duerden: Well, the short answer's simple. The short answer is, no, it's not a SIEM. Um-

    Garrett O'Hara: Yeah.

    Jason Duerden: But the controversial, like... If you think about SIEM in itself, there's a really strong argument to say that SIEM's not really ever really delivered what it was supposed to. Right? Like, what it was promised to be, the savior of all things security. Right? Because, you know, you centralize your data, you run some magic over it, you kind of enable your SOC teams to make better choices based on multiple- multiple entry points. Um, which is true in a sense. Like, there is, sort of, that capability, but it's become so complex, costly and overwhelming that even at the very top end of enterprise, it's- it's not delivering the outcome, I think, that it was really profess. And I think most security professionals, if they're honest with themselves, will have a level of agreement with- with that statement.

    Um, where I go a little bit further to say is, SIEM also tends to lack the analytical things that are required, so data analytics, intelligence and automation. Because if you think about a SIEM, in essence a SIEM's pulling in logs that are created from the logic of another system. So you're not actually looking at raw data or telemetry for the most part. So you pu-... if you're pulling in, say, firewall logs, endpoint logs, you know, email, CASB, e- gateway, whatever it may be, your SIEM's only as good as the other technology's detection structures are. So if you've got products which are kinda lacking in antivirus or email gateway, or whatever it may be, you're already on the back foot, because you're only seeing what the signal is providing to you. So back to, kinda, that conversation a little bit earlier about that noise to signal... to signal ratio. You don't have any control over that. And your SIEM doesn't enhance that, it's just showing you what's already- already in your environment.

    So if you think about XDR kinda playing in a similar space but offering a different experience, and the view is a better outcome, it really delivers all those things faster, better, smarter. Right? So XDR will be a source for really anything. So log information from, you know, the systems that they- you have in place today, and/or raw telemetry. Right?

    So what that means is that the analytics engines and the detection engines that are built into XDR are built on machine learning, not built on rules. So if you think about it in a SIEM, SIEM is all rule correlation, right? You're basically building sequences and things that, if this happens then that. Which is like a... it's like a first wave of EDR, IOAs, IOCs, TTPs or signature based AV, right? So XDR brings that machine learning to the raw tele- telemetry and the data analytics. And what that means is that the signal is provided from XDR from both the external sources, but also from the analytics on the raw telemetry. And that's really, if you're gonna think of anything in terms of the difference between SIEM and... SIEM and XDR, is- is the analytics piece, right? Because we're able to ingest that- that raw telemetry.

    The next part to that is then the context. Right? So we c- always come back to the context. So when you're able to collect the telemetry plus the log sources and kinda have that data lake underpinning your- your- your... I guess your view pane, the analytics that then make the determination of there's something bad happening, also then are able to provide the story. Right? To say, "Hey, XDR's determined that there's something bad going on in your environment. Here are all the things in your ecosystem that are affected: web gateway, endpoint, identity, this, that, this, that," and stitch it together in a really nice viewed, uh, story essentially, right? So then the analyst can make some- some really quick decisions about how they're gonna handle that.

    So I hope that ex-... kind of explain the viewpoint of- of how we see it.

    Garrett O'Hara: E- It does. And I might have this wrong. Like, some of the... some of the flavor I get for, like, SIEM versus XDR is that SIEM is really a lot of log storage, some correlation, as you say, kind of, fairly static, you know, rules based approach to i- in theory, you know, um, surfacing events that needs attention.

    Jason Duerden: Mm-hmm.

    Garrett O'Hara: And it- it feels like that's a longer term storage of lots of logs, potentially, whereas XDR is a little bit more, um... and I hate to use the word agile, 'cause it gets [laughs] used in so many different contexts, but it's- it's- it's got a- a better and potentially smaller, but smaller in a useful way, sort of, data that it's looking at and then overlaying, as you say, the ML approach to give that- that, sorta, okay, what's going on here that humans can really get to. But it feels like XDR is more immediate, more... like, it's a tool for using right now for responding, versus a we gotta go in here with a magnifying glass and go looking for the stuff.

    Jason Duerden: Well, there's gonna be both, right? So-

    Garrett O'Hara: Okay.

    Jason Duerden: ... XDR is absolutely real time. Right? Like, that- that's- that's because XDR is an evolution of EDR and EDR is real time. Right? So that 100% is there. But- And this is... this is kind of the confusing thing with the XDR market, because you've really got native, hybrid and open. So it depends on what type of XDR provider you are as to-

    Garrett O'Hara: Yup.

    Jason Duerden: ... as to what this conversation would look like. Because if you don't have the ability to consume raw telemetry and an... and run analytics over the back of that, this conversation wouldn't really occur with that provider. Um, because some XDR strategies are- are, you know, kind of glorified SIEM technologies, but they're still just log ingestion, right? It's just logs from systems. It's not actually raw telemetry. Whereas if you do have the ability to ingest raw telemetry plus logs... So you kinda get all three. You got your native sources from... you know, in our world it's our sentinels, so our agents that go out and deploy, you get your hybrid sources from your integrations with, you know... that's to say an email gateway like Mimecast, or web gateway like Netskope or Zscaler for example. You get the log sources and information that they're coming back. But then the last piece is that open, so the ability to ingest anything. Whether it's security information or non-security information.

    Now, that ingestion, it's- it's- it doesn't have a... it doesn't have a lifespan, right?

    Garrett O'Hara: Okay.

    Jason Duerden: So it-

    Garrett O'Hara: Yup.

    Jason Duerden: ... it's collected for however the... however long the customer obviously needs, but it can be stored to three months, 12 months, whatever that ends of, kind of, being and can be retrospectively looked at if it needs to. But the value of having that storage under XDR is you have the machine learning analytics that are constantly analyzing it. Right?

    So back to your... So you made a good point earlier where SIEM is quite static. Right? Based on rules and based on, kind of, point in time of how you design that, XDR becomes active. It's always analyzing the telemetry, because you're running machine learning models over the top of the data. So-

    Garrett O'Hara: Yeah. That's good- good clarification. I definitely had the... ha- you know, how I visualized it, wasn't correct based on what you just said there. So, uh, yeah, appreciate the- the clarification on that.

    Look, the- the last part I wanna kinda, like, touch on is, um, obviously your... it's gonna... the response [inaudible 00:28:22]

    Jason Duerden: Mm-hmm.

    Garrett O'Hara: And, you know, seeing we've talked about a lot, uh, SOAR's the other big te- technology or automation in general. You know, some sort of automated response with a view to getting lower mean time to detect and then ultimately respond. Which is, you know, what I'm keen to talk about now.

    Um, from- from your perspective, like, if somebody's looking at a pure play SOAR platform versus, kinda, going with an XDR philosophy or architecture, uh, what- what are the- the sort of pros and cons with- with that?

    Jason Duerden: Yeah. I mean, there's- there's potentially overlap. Right? Um, I think it really depends on how- how the operating model is set up within the environment, right? And quite frankly, someone looking at SOAR is usually a quite sophisticated environment, right? Like, you wouldn't necessarily buy a SOAR if you didn't have people who understood what they were doing, right? It's kinda like-

    Garrett O'Hara: Yeah.

    Jason Duerden: ... you wouldn't buy EDR if you didn't have someone who understands what threat hunting is all about, right? You would kinda buy a service to consume that essentially. So it's very similar in that sense. I mean, SOAR could still govern your playbooks and it could still take feeds from an XDR like SentinelOne. Um, because you could use that as- as- as kinda like your incident aggregation point. Right? So sometimes there's still gonna be use cases, um, for that to be... to be separate, especially if you've got, you know, XDR operated by SOC environments but not necessarily operated by incident response groups, or, you know, they might have different- different access requirements or different tooling that's required essentially. Right? So there's still-

    Garrett O'Hara: Yup.

    Jason Duerden: ... potentially some overlap and there's still- still potentially that coexistence that- that would exist. Um, I think the... I think the- the, kind of, biggest point will... It really comes down to budget. So-

    Garrett O'Hara: Yup.

    Jason Duerden: I think for 99% of the market, SIEM, SOAR and XDR will be the same thing and it will be an XDR. Because you get not only all the detection and protection and prevention and remediation and all that sort of stuff, you'll get the- the hybrid integration into the other systems as we've sort of talked about with web and email and whatever may- else it may be, plus you can ingest anything. Right? And, you know, it- within our XDR for example, you can have security and non-security use cases that you might wanna view. So I think 99% of the market will- will move to that.

    And then I think you'll have the 1% of the market that will still diversify. It's kinda like diversification of risk, but it's like diversification of tooling in a way. Where XDR will end up becoming the find- foundational information center, I guess, of- of-

    Garrett O'Hara: Yup.

    Jason Duerden: ... of security, and then you might have little bits of tools that do certain functions that you need for certain teams. So-

    Garrett O'Hara: Yeah. No, that- that absolutely makes sense. What- What's the future here? So, you know, you kinda made the joke at the start, thinking of the three-letter acronyms and, you know, we seem to just kinda cycle through- through the letters in front of DR. Um, a- as- as happens in- in, sorta, other parts of cybersecurity.

    But what- what do you see is the future here? You've talked a little bit about, um, that at the start of the conversation, but I'd love to, kinda, finish out with that. Like, where- where are we going with, um, the, you know, underscore DR [inaudible 00:31:52]

    Jason Duerden: I mean, the reality is XDR is extended, so it's kinda limitless in a way. Right? I mean, it's whatever... it's whatever you will have the ability to consume, is how this is gonna play out. So I don't necessarily know if there's another letter that would come in front of DR, but I think we're just at the tip of the iceberg of what XDR actually is. Right? And we've talked about the few different markets already today where, you know, we saw the convergence of AV and EPP and EDR and- a- and all those sort of functions into now what is called primarily XDR from being an evolution of EDR. And now there's a conversation about, okay, XDR is this. How does SIEM and SOAR and all these other tools kinda fall into it? And I think we're just at the tip of defining that market right now, right? So I think there's a lot of collapse and convergence to come. Um, but the reality is, XDR's the foundational platform. So as I sorta said, being the information center, XDR becomes the foundation. So all of your threat management, all of your analytics, all of your storage, all of your telemetry, all of your hunting kinda sits within an XDR technology.

    So as we implement the controls and policy elements, such as, you know, email gateways, SASE, DLP, you know, it's access, identity, all those sorts of things, XDR's like the governor. Sits over the top of that as threat management to make sure that all the telemetry and interaction with all those systems is what it's supposed to be doing.

    Um, and what that drives is resiliency. So if you think about, well, business resiliency. So if you think about, like, antivirus was... or next gen antivirus was very much about device protection. Right? Let's make sure that the individual device didn't get hit with ransomware. Right? Or didn't get impacted. EDR was really focused on incident. Right? So okay, we have an incident that may have impacted multiple systems and we're getting the intelligence to say that, okay, it's not just impacted this device, it's that device and this server and that and this and that. And we can kind of manage that as an incident. XDR allows you to do that across the whole business. Right? So it really gives you that- that business resiliency outcome, is a- at least the strategy that- that we're working towards. So...

    Garrett O'Hara: Fantastic. Uh, Jason, thank you so much for- for joining today. Um, really, uh, love these conversations. There's definitely some things that are clearer in my mind around, uh, XDR. I suspect I'm not the only one who finds, uh, the- the overlap and the toast, I think that happens on the, sorta, different sorta functional areas of cybersecurity confusing sometimes. So really appreciate, uh, that. I- I definitely learned something, um, and I appreciate your time. Thanks for joining us a- again. And, um, yeah, who knows, maybe two years from now we'll- we'll get t- to- to [laughs] talk for the third time round.

    Jason Duerden: [laughs] No, I hope so. Thanks Gar, I really appreciate it.

    Garrett O'Hara: Thanks so much to Jason for joining us. And as always, thank you for listening to the Get Cyber Resilient podcast. Jump into our back catalog of episodes and like, subscribe, and please do leave us a review. For now, stay safe and I look forward to catching you on the next episode.

    Haut de la page