Gartner recently shared a new report on “Innovation Insight for Extended Detection and Response.” XDR (as our industry loves acronyms) is the first of nine top 2020 trends1. If you’re a security and risk management leader, it’s a must-read, so download the Gartner XDR research right now.
What is innovation and what triggers it?
I recently watched Tim Kastelle, a thought leader on innovation, give a TedTalk. He describes innovation as needing (1) a new idea (2) that adds value and (3) actually happens (i.e. becomes real). In security, we have many tools that are real and add value today. But as our IT environment changes and the old ways of security stop working (as well as before), three innovation triggers arise:
- Fantasy, if we think of a new idea and buyers say it’d add value, but we haven’t figured out how to make it real.
- Frustration, if we already made a new idea real, but not many adopt it — perhaps due to insufficient added value.
- Or fear, if buyers are valuing other sellers’ innovations, and we don’t have a new idea yet to address this threat.
Is XDR a new idea?
Pulitzer-nominated author, W. Brian Arthur, defines innovation in his book “The Nature of Technology”. He states, “Technologies […] share common ancestries, and combine, morph, and combine again, to create further technologies.” And according to Tim, some of the biggest innovation mistakes is focusing only on brand new ideas for every problem. So, often the best innovation combines old knowledge with a new approach! We’ve gained a lot of knowledge by developing cloud-native Endpoint Detection and Response (EDR) as well as Network Detection and Response (NDR) technologies over the last decade. One such example of innovation is natively integrating them together along with other control points (e.g. email and cloud security) with a new platform approach, which possesses a true understanding of the underlying data from each source. We believe Gartner agrees, as they say that “Major component parts of security infrastructure protection are reaching feature maturity, and a number of vendors offer broad portfolios. Integrating them is a natural next step. Concurrently, cloud big data storage and analytics and machine learning capability are enabling more centralized approaches to security.” But Cisco also introduces many brand-new ideas that enables our XDR innovation to stand apart from others – some examples are explained at the end.
Will XDR cause fear or frustration in other technologies?
Per our view, Gartner devotes a significant portion of this research comparing and contrasting the new XDR idea to the mature SIEM (Security Information and Event Management) and newer SOAR (Security Orchestration, Automation and Response) ideas. Many SIEM sellers may be experiencing fear as Gartner acknowledges that “While the SIEM market is mature, many organizations have not deployed SIEM tools, have failed or incomplete implementations, or only use SIEM for log storage and compliance.” And many SOAR sellers may be frustrated by low adoption over the last several years; Gartner says “Newer SOAR tools are designed to provide integration across multiple components, but are hobbled with a lack of available APIs, data merging issues and a workflow that is disconnected from the detection activity that can efficiently launch response activities.” The innovation trigger that sets XDR apart from SIEM and SOAR is the level of integration of their products at deployment, which is why “XDR products will be appealing to more pragmatic organizations that are overwhelmed by security complexity and the lack of skilled security operations staff.” Yet our understanding when Gartner says that “XDRs are not a replacement for all SIEM use cases, such as generic log storage or compliance.” is that XDR will complement SIEM (and even SOAR) tools that customers have already invested in.
Does XDR add value?
Absolutely! We believe Gartner’s 2020 Hype Cycle for Security Operations2 says XDR will unlock a “high benefit” for customers selecting a security solution provider with a portfolio of infrastructure protection products. For comparison, our understanding is that SIEM and SOAR tools will just provide a “moderate benefit”. The second key finding in Gartner’s Innovation Insight is that “XDR products are beginning to have real value in improving security operations productivity with alert and incident correlation, as well as built-in automation.” While XDR is early in its development and adoption, Gartner says that “Most organizations already have blind spots so XDRs can add value even if they are not 100% integrated.”
Is XDR still a fantasy or is it real?
We already quoted Gartner above saying that XDR is providing “real value” plus they say that “Being newer to the market, XDR has not just the promise, but also the reality of having APIs built in right from the start.” Yet, it’s true that many vendors get stuck in the fantasy of their great idea that never fully gets executed. And we believe that Gartner acknowledges these risks when they say “if the pioneering XDR vendors deliver too little security or productivity value, or solution providers simply do not deliver on their roadmaps, or XDR products end up needing the same level of integration work as modern SIEM tools, then it is likely that XDR will die in the Trough of Disillusionment.” But solving the technical problem is only the first step. Tim notes that you need the right business model to go with it. And this could cause some XDR tools to die, because if the upfront cost and time to start using it is too high, the idea will never spread from early adopters to the mainstream.
That’s why since 2018, Cisco has included XDR capabilities — starting with SecureX threat response — as part of each security products’ existing subscription. It’s very real as over 11,000 customers has adopted SecureX as part of their daily security operations to be more productive. And the on-going improvements and validation for our cloud-native platform approach with analytics and automation built in is why we already deliver the industry’s broadest XDR.
Mature technologies are combined with cutting-edge innovation
In June, we launched the SecureX ribbon, which simplifies breach defense by natively connecting detection to response with capabilities integrated within each other products’ consoles — rather than always forcing teams to pivot into yet another bolted-on tool. This ribbon is a consistent user interface located at the bottom of each products’ console, which can be minimized or expanded. Capabilities from one product, such as live endpoint queries, are turned into ribbon apps and accessible by your network, email and cloud security products. Incident management and casebooks that centralize, normalize, and correlate alert context and enable cross-team collaboration is maintained in a consistent location. These built-in extensions work across the broadest portfolio. And soon, using a browser extension, the ribbon will work across your entire infrastructure, including third-party security tools or even a blog you rely on today.
Our mature NDR and EDR technologies have been natively integrated before XDR was even coined. They identify and contain up to 70% more malicious intent and risk exposure, more accurately, by connecting many types of machine learning-enhanced analytics across the most data sources. We speed up decision making with improved coverage of MITRE ATT&CK matrix by mapping IOCs per incident. We reduce detection time by up to 95% with proactive threat hunting and vulnerability management or by identifying subtle or hidden attacks via insider, unknown, or encrypted threats that point products miss. We improve compliance posture by detecting regulatory, zero trust, and custom policy violations. And we monitor and understand user and entity behaviors whether on-prem or not, managed or not. We reduce threat dwell time by up to 85% by pinpointing root cause with visual investigation and by connecting playbook-driven automation across the most control points. You can quickly control outbreaks to minimize the impact of a breach with improved coverage of, and automated, MITRE ATT&CK mitigations.
More intelligent detections result in more productive security operations. More confident responses result in more effective security. And by reading issue 1 of this Gartner newsletter on XDR, you can learn why.
Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
1. Gartner, Top 9 Security and Risk Trends for 2020, 17 September 2020
2. Gartner, Hype Cycle for Security Operations, 2020, Pete Shoard, 23 June 2020