Roland Stritt, Vice President Central EMEA at SentinelOne about XDR and MDR

We spoke to Roland Stritt, Vice President Central EMEA at SentinelOne about XDR and MDR.

Dear Roland Stritt, could you tell us a little bit about your background, and what brought you to the cybersecurity space?

As my father was working in a special department of the Police that was also dealing with industrial espionage, I got in touch with several interesting technical ways to gather information from different actors. This created my interest in everything related on how to stop these kinds of activities. In parallel at the same time my favorite movie was WarGames. So, I got already attracted by the cybersecurity space 40 years ago.

Roland Stritt, Vice President Central EMEA at SentinelOne
What are technological developments in cybersecurity that you think are interesting?
  • AI/ML:  is a game changer in cyber security – just if you read the latest articles and opinions about ChatGPT, it will be interesting to see where this leads us.
  • Consolidation: The sheer number of cyber-security products covering different surfaces and use cases means that customers are looking to consolidate when and where possible. Many companies are working on and with platform approaches.
  • Vendor Collaboration: as much as we expect consolidation, customers will always end up using more than one vendor. We’re already seeing security teams demand more integration and more value from the collaborations between vendors. Gone are the days when a “technological alliance” could mean little more than a shared video. In 2023 this will range from a demand for integration across more types of use-cases and standardization of data models to a very legitimate expectation that every new vendor will not only provide value on its own but also help extract more value from the existing products in the security stack.
  • XDR: or Extended Detection and Response, is the next step in the evolution of Endpoint Detection and Response (EDR): A group of tools or capabilities focusing on the detection of suspicious activities on endpoints. Sometimes referred to as “Cross-Layered” or “Any Data Source” detection and response, XDR solutions extend beyond these endpoints and make decisions based on data from a variety of sources. They take action across an organization’s entire stack, including E-Mail, network, identity, and beyond and optimize threat detection, investigation, response, and hunting in real-time. XDR solutions unify security-relevant endpoint detection with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management, cloud security, and more.

How come that all companies seem to invest more and more into IT security, but the number of successful attacks still appears to increase in parallel?

Companies tried to answer the increasing number of attacks with more and more tools. These tools create more and more alerts – this leads to the situation that we see alert fatigue and also the challenge for the security staff in companies that they need to deal with too many alerts the same time, with the ever-increasing volume of data it is getting harder and harder to find the “needle in the haystack” and focus on the alerts that matter and the security teams should take care off. Unfortunately, this gives attackers the opportunity to be successful.

How does business development for a strong and well-known player work in practice? How does your typical day look like?

The start for every opportunity in business development is a lead – we are creating leads via our awareness campaigns with PR, Events, our inside sales teams calling prospects, our partners introducing us to new customers. Very often existing customers recommend us, and one key source for sure is our Account Team using their network and working very close with our channel partners and MSSP to identify the right prospects.

My typical day looks like the following: regular calls with my team to sync up on opportunities, calls with customers and partners to understand their needs and challenges, and working with the broader team to understand where we can best deliver value to customers and partners with our portfolio.

A recent study showed that about 40% of revenues of cybersecurity vendors are spent on marketing and sales. Distributors and resellers all want to take their share as well. In your opinion, is there a way to make this more efficient in the future?

I think it is already much more efficient than it was in the past. This is because investors and analysts investigate into FCF and profit of vendors. Also, if you take a look at the margin of distributors and resellers – they are lower than they have been in the past – today they make their margin more and more with value added services they provide to customers. The vendor products are just a tool for the total offering, and they do not put a big margin as in the past on vendor product sales anymore.

SentinelOne offers XDR and MDR. From your point of view, will XDR slowly replace SIEMs, and managed SOCs become MDR service providers?

XDR has emerged in the industry because of the problem left unaddressed by SIEM. XDR focusses on Threat Detection and Response use cases and it’s a threat focused platform. On the other hand, SIEM focusses on compliance, risk, traceability, log management and threat detection but threat detection is just one of the use cases. In its current form and focus, XDR will not be able to replace SIEM. However, gradually as XDR Data Lake becomes the de-facto data storage for all the security and non-security data coming from Security tools, applications, DevOps, etc. SIEMs will get consolidated into XDR in the wake of vendor consolidation, operational efficiency, and cost optimization initiatives.

What are some non-obvious aspects when purchasing XDR and/or MDR that you think are worth considering, but are sometimes neglected?

XDR is not a solution that you can buy off the shelf, it’s a journey to optimize and improve your security operations to increase your cyber resilience. The effectiveness of your XDR will also depend on the process you put in and the number of digital surfaces and telemetry you connect. The breadth of deployment should be done with the end goal in mind.

Many customers are migrating to M365 E3 or E5 licenses incl. the Defender products. What are some thoughts on whether a separate XDR still makes sense for them?

Microsoft Defender suite of products will only give you visibility across Microsoft products and it will be blind to other non-Microsoft Security tools in an organization. For an effective XDR deployment to improve SecOps and reduce TCO, the XDR must integrate with existing sets of products from different vendors across digital attack surfaces. This is the reason why a separate XDR will be required to provide visibility and integrated workflow across Microsoft and non-Microsoft capabilities.

Can you share your view of the MITRE ATT&CK evaluations of EDR solutions? Is there something in the test setup that should be changed from your perspective? 

MITRE ATT&CK evaluations do a great job at evaluating the product detection and protection capabilities against real life attacks, threat actors and publishing a transparent result than a ranking. However, the tests are conducted in an ideal or noise free environment and don’t include the response and remediation speed and effectiveness. For an XDR/ EDR tool to be effective in a SOC, investigation and response capabilities are as important as timely detection of an incident.

What is your view on analyst organizations like Gartner or KuppingerCole? Are they really independent from vendor’s influence?

Research Analysts firms and reports are trusted and credible sources in the market who help in defining and analyzing the current and future direction of the market. They are perceived as a credible source because they are independent bodies and perform factual analysis.  However, not all the analyst organizations are equal, and the credibility of the analyst firm should be evaluated first before consuming the reports and analysis published by them. Additionally, the reports and graphics should not be consumed on its face value without understanding of the evaluation criteria, target market/ audience and without evaluating the fitment of the solution by conducting the proof of value (POC/POV) in your environment.

What are some misconceptions or wrong statements you see repeated in the cybersecurity community?

Cybersecurity industry is filled with myths and misconceptions. Ransomware is a threat which is evolving with every passing month, and it is still commonly believed that ‘Backups will protect you against Ransomware’. It is also a common myth that MacOS is inherently secure, and you don’t need to implement security for mac, but now with the increase in adoption of macOS in the corporate environment, threat actors have been increasingly targeting mac endpoints.  Another big myth which is doing more damage is ‘Cyber Threats won’t target us’ and because of this myth, organizations never prepare for a security incident which ends up increasing the business loss and time to recover from the incident.

If you could send a message to all CIOs and CISOs, what would it be?

Before deploying a new technology or product, first look at maximizing the value out of your existing security investments by doing a health checkup and connecting them together.  Take a Defense in Depth and layered approach but still prepare for a security incident. Security incidents and ransomware attacks are inevitable, you should prepare for it. It’s not admitting defeat but preparing for success. Establish a security aware culture and implement a ‘if you see something, say something’ approach.

Thanks to Roland Stritt for his time!

In our day-to-day business, as your independent partner we analyze customer requirements towards cybersecurity and identify suitable providers of products and services. Therefore, we have collected a significant number of interesting provider and solution profiles. Of course, this does not include any recommendations for products or providers. Also be sure that we do not receive any advertisement payments for the interviews. If you are interested in an interview with us, please s

Please remember: This article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.

Days
Hours
Minutes
Cyber Summit - Bridging IT & OT Security
18. April 2024 | 08:30 AM - 12:15 PM | Virtual Event
231219_BoschCC_Logo_White