Views on the EDR/XDR/MDR market from vendors’ perspectives: Will XDR solutions replace SIEMs? What about competition from Microsoft’s Defender Suite?

We recently had the chance to interview senior business development executives from three vendors in the managed and extended endpoint detection and response market:

  • Sabrina Gastes, Senior Enterprise Account Executive from Sophos
  • Greg Day, Vice President and Global Field CISO from Cybereason; and
  • Rudolf Didszuhn, Senior Alliance Manager – Cloud Consulting & GSIs from Trend Micro.

Here are their perspectives:

Could you tell us a little bit about your background, and what brought you to the cybersecurity space?

Sabrina Gastes: “In my last position at a regional IT service provider, we could no longer meet customer requirements with all-rounders alone, so a separate department was created. Aside from myself as a sales specialist, two technical specialists dealt solely with security issues. The team expanded quickly and became indispensable. Cybersecurity as a dedicated topic fascinated and excited me from the very beginning. In my opinion, this fast-moving area requires special attention, and so, after nearly four years of working at the system house, the move to a leading IT security vendor was inevitable for me. And even now, after more than three years at Sophos, I never get bored, and I still enjoy this subject area of IT the most.”

Greg Day: “I began in 1990 temping at Dr. Solomon’s Antivirus to fund my skiing career. My father had worked for ICL so from a young age I had access to ZX81 and BBC Micro computers, and I was more interested in programming those days in BASIC rather than gaming. I wanted to understand how the games worked. Dr. Solomon’s sponsored me to complete my computer science degree, for which I wrote my own behavioural anti-virus (although today you would call it an EDR tool) that made copies of key sectors of the disc to monitor for tampering or change that typically occurs from Boot Sector viruses and monitored key files through CRC checking to monitor for file virus infections.”

Rudolf Didszuhn: “Accompanying my physics studies, I worked as a consultant for IT solutions and mainly had companies as clients whose business model needed IT only as a tool; notaries, lawyers, retail, workshops. “Making technology usable” became my trademark, especially for these clients. Finally, I assist my clients in identifying the best technical solution to meet their business objectives. I gained experience on all sides of global IT projects, IT service providers and integrators, and software vendors. Modern business processes necessitate ongoing transformation. My experience in the customer, service provider, and vendor ecosystems was valuable to Trend Micro at the time, because strategic partnerships are the way forward.”

How come all companies seem to invest more and more in IT security, yet the number of successful attacks still appears to increase in parallel?

Greg Day: “This is the cyber time paradox problem. We have more business systems that are being digitised which means more systems to secure and at the same time we’re seeing the complexity of threats growing which requires new methods of detection. Combined, they increase the volume of cyber events to investigate. At the same time, the volume of threats is growing which inherently means there will be more incidents to investigate. In effect we are running at pace to stand still in terms of impact as the complexity in every aspect is growing. As an example, over the years, the Rubik’s Cube has been solved faster and faster due to smarter and better algorithms until we reached the point that humans and the cube itself were limiting factors. Today, we’ve seen robots using AI and purpose built friction-free cubes being solved nearly ten times faster. We need to do the same in cybersecurity to more easily solve the complex network intrusions taking place.”

Rudolf Didszuhn: “For many years, IT security was viewed solely as a defence against external threats. The defence was frequently analogous to a coconut: there is a relatively hard shell, but if the attacker manages to penetrate, there isn’t much left to stop him. Unfortunately, there is no such thing as 100% security in this regard: network penetration is now a fully automated process. Regardless of how many attacks the outward-facing defences repel, an attacker will succeed at some point.”

Sabrina Gastes: “Unfortunately, many companies still take the traditional approach of trying to slay security with technology alone. As already mentioned, however, human hackers know only too well how to circumvent automated detection technologies – keyword system tools. And it’s worth it for hackers because of the potential profits, such as ransomware or data theft including extortion. People must actively operate the increasingly comprehensive security tools in businesses 24 hours a day, seven days a week. Most of the time, IT is unable to do so, and as a result, hackers continue to be far too successful because, while new barriers are constantly being erected, they are frequently not “high” enough and are easily jumped over. And this despite apparently large IT security budgets that, in many cases, are still invested incorrectly based on the outmoded “best-of-breed” approach. As a result, the figures are concerning. In the current State of Ransomware Report from Sophos, 66% of the companies surveyed state that they have been affected by a ransomware attack in 2021, compared to ‘only’ 37% a year earlier. The average recovery costs are around 1.2 million euros.”

What are technological developments in cybersecurity that you think are interesting?

Rudolf Didszuhn: “The top developments in recent years include XDR (Extended Detection & Response) as a technology and Zero Trust as a strategy. In addition, cyber risk management and managed security services are becoming increasingly important. Vendors who add value to their customers’ value chain will advance.”

Greg Day: “Having been in the industry for more than 30 years, I typically look at 3 aspects: (1) I’m most excited to see change is infrastructurally, i.e. using cloud computing to open new doors in terms of compute capabilities and speed, which will enable big data graphing to empower faster and more accurate detections; (2) technology itself and the reuse of old threat techniques in new technology platforms, be that DOS to Windows, PC to mobile or cloud, etc.; and (3) the new algorithms being developed to discover cyber attacks, and how big data and AI play a key role. There have also been new ways to identify threats looking more at behaviours rather than specific attributes.” 

Sabrina Gastes: “Very interesting advances are currently taking place at two levels, both of which will contribute to cybersecurity becoming much more effective and powerful. On the one hand, the combination of telemetry data from various technologies that previously operated independently allows for a significant improvement in attack detection. XDR ecosystems (CoR: Extended Detection & Response as an extended version of Endpoint Detection & Response) are emerging in this space, allowing us to screen telemetry data from a variety of areas for anomalies as part of a centralised analysis and in correlation with AI and machine learning technologies. This enables IT security teams to detect attackers in the early stages of network infiltration, which now often occurs by simulating everyday work processes under the radar of traditional defences. Simultaneously, intelligent cybersecurity ecosystems realise the automatic response to incidents, or the rapid handover of suspicious events pre-sorted by AI to a team of experts. This brings us to the second major change that is driving the cybersecurity market right now. Expert knowledge is almost indispensable for defending against modern attacks such as ransomware – the cybercriminals now know all too well how to hide by using legitimate tools or hijacking accounts. In contrast, however, there is the major problem that very many companies simply cannot afford their own Security Operations Centre, which is available around the clock. As a result, we are seeing an increasing trend towards external cybersecurity teams that can respond to the customer’s requirements with customised service packages.”

How does business development for a cybersecurity vendor work in practice? What does your typical day look like?

Rudolf Didszuhn: “My role has many facets, including technologist, lobbyist, architect, facilitator, and salesperson, which makes every day challenging and exciting. First, I secure the support of the consulting firm’s management for a co-creation initiative. After I achieve this, we will collaborate to develop solutions and managed services that include Trend Micro modules. In addition, I collaborate closely with the project-oriented solution architects, who have significant impact on the design. ‘Selling together is the goal, which leads to a pipeline of projects.’”

Sabrina Gastes: “The most important thing is to keep our customers and interested parties up to date. Although most of us are aware of the threat situation, we frequently lack a practical plan for dealing with it. We train our partners on a regular basis and, of course, have direct contact with our customers on a daily basis in order to best convey this information and the development of our solutions. Personal on-site appointments are still important to me in the sales force and simply cannot be replaced by a web session. The dialogue and feedback I receive are an essential part of my work.”

Greg Day: “I see two key challenges. Firstly, we have to help organisations see that the world is changing at pace. What may have saved their bacon years ago may no longer be fit for purpose. As humans, it can be hard to give up something that has saved you in the past. In cyber security we have too many comfort blankets, i.e., tools that have saved us before that we don’t want to let go of. The second development of today is the voluminous amount of content available, and in the cybersecurity industry, many companies are using messaging that looks, feels, and sounds exactly the same. As such, the challenge is being able to prove quickly and easily to customers that your approach is truly different and as such worth their time. All too often in this phase of testing, criteria aren’t closely aligned enough to real-world value assessments. As an example, years ago, I worked with an organisation that evaluated several security solutions. Surprisingly, the team concluded that the solutions essentially did the same thing. However, what they didn’t test was the efficiency of the testing process, as during the testing process, 10 times more staff were involved than would be when the solutions were deployed.”

A recent study showed that about 40% of revenues of cybersecurity vendors are spent on marketing and sales. Distributors and resellers all want to take their share as well. In your opinion, is there a way to make this more efficient in the future?

Sabrina Gastes: “We are constantly striving to optimise our launches and partnerships. Both the IT security industry and the channel offer a very dynamic environment that is constantly changing and evolving. We need our own sales force, as well as our partner channel to deliver solutions and services.”

Greg Day: “Distributors, resellers, or partners are always looking to expand their market share. If you want to increase market share, make sure the sales and marketing teams are on the same page working as one as it’s the most important aspect of surpassing your goals.”

Rudolf Didszuhn: “This kind of investment in sales and marketing is common in highly dynamic industries. In our world, cybercriminals and nation-state actors are constantly changing their techniques and approaches. This often forces us to keep our clients informed of new developments, especially since we rarely have client-specific information to determine, for example, how vulnerable a company is to the latest threat. However, due to the accelerating pace of development, the industry is increasingly moving away from this “market shouter” mentality and is increasingly trying to enter partnerships to jointly address the issues. In the future, technical solutions will directly feed in current threats and countermeasures, alerting businesses or their service providers to the need for immediate action. However, such a concept can only work if a large part of the necessary company-specific sensor technology is mapped and controlled centrally, as it works in the XDR concept, for example. Integrated platforms are an effective approach. They minimise the effort required for integration and allow efficient work. This reduces the complexity of the technology that vendors must explain to users and customers. Distribution costs go down, and the customer can see the benefits of the technology more quickly.”

From your point of view, will XDR slowly replace SIEMs, and managed SOCs become MDR service providers?

Sabrina Gastes: “Yes, the development is clearly moving away from SIEM solutions to XDR services. The highly enriched XDR data enables much better attack detection than classic SIEM systems. Figuratively speaking, SIEM means looking for the needle in the haystack, while XDR picks out the sharpest, i.e., most dangerous, needles and presents them on the pin cushion. This enables much more effective threat hunting. Sophos is currently expanding its XDR solution so that events not only from Sophos solutions, but also from many of the largest providers in the endpoint, firewall, cloud sec, email sec, identity, and MDR sectors can be included in the analysis. The most difficult challenge for companies and partners is to keep the XDR tools running around the clock, including threat hunting, analysis, the use of threat feeds, and timely incident response in the event of a threat. Sophos MDR already protects over 11,000 customers, who are monitored around the clock by our threat hunting experts. Enterprise SOCs and MSSPs can benefit from having Sophos specialists assist them with any or all aspects of detection, analysis, and response around the clock. In this way, they can gain expertise and gradually take on tasks while still having Sophos’ absolute specialists at their disposal. Alternatively, they can permanently outsource these tasks to Sophos because running their own SOC is inefficient.”

Rudolf Didszuhn: “XDR and MDR do not claim to replace SIEM and SOC, but to support them. However, it is also a fact that very few companies can afford a fully functional SOC as well as the optimised operation of a SIEM. Here, XDR/MDR already offer a high degree of coverage of the required functionality, such as 24×7 monitoring for cyberattacks as well as immediate handling of emergencies by specialists. We therefore recommend that companies start with XDR/MDR, which can be rolled out in just a few hours at the smallest scale, and then expand as needed. In the past, you had to establish a complex SIEM solution for the most comprehensive cyber protection possible, because there were no integrated platforms yet. This is different today; both the client and the service provider can proceed more efficiently.”

Greg Day: “XDR and SIEMs both have a role to play. However, what I see changing over the years is the scope of each of their roles. Today, all too often, every bit of data is pumped into a SIEM, and getting value from it requires normalisation and correlation, which requires new rules and time-consuming queries. XDR is the right solution to be able to gather normalised, correlated cyber security data into outcomes and malicious operations. However, SIEMs can do many other things very well, including playing a key role in Governance and Compliance. In addition, they also have the ability to correlate non-security data with security data. In summary, XDR solutions will enable much faster cybersecurity data aggregation and correlation into actionable outcomes, which will reduce the data that has to be passed to a SIEM. In trying to evaluate managed SOCs versus MDR service providers, the challenge is that both terms mean different things to different people. MDR can be some security or all security capabilities, and typically its focus is on Detecting and Responding, but it may or may not include IR services. Most companies today run a hybrid model, and I see it continuing to be the optimal choice in the coming years.”

What are some non-obvious aspects when purchasing XDR and/or MDR that you think are worth considering, but are sometimes neglected?

Rudolf Didszuhn: “The gold is in the process: While most issues can be technically mapped, many organisational questions must also be addressed. For example, should an important system be isolated in the event of an attack? What if such issues arise outside normal office hours? The question of responsibilities and competencies should not be underestimated.”

Sabrina Gastes: “Customers absolutely need to see the complete picture! Until recently, EDR/MDR technology was mostly used on endpoints and servers. The result is limited visibility and poorer response capabilities. Therefore, it is extremely important that a modern XDR ecosystem includes all sources in the enterprise and that MDR services can also use them for analysis and response. The keyword here is once again the adaptive cybersecurity ecosystem with intercommunicating devices, synchronised automation, and central management.”

Many customers are migrating to M365 E3 or E5 licenses incl. the Defender products. What are some thoughts on whether a separate XDR still makes sense for them?

Sabrina Gastes: “We know that customers use MS Defender for cost reasons. For this reason, we offer both XDR and MDR with a Sophos XDR agent running on endpoints and servers protected with MS or other endpoint solutions, making Sophos protection available to customers with other endpoint security solutions. All other technologies deployed at the customer site can also be consolidated and correlated in the Sophos XDR ecosystem, giving the Sophos MDR team visibility into potential hacking activity and the ability to respond and/or inform the customer accordingly.”

Greg Day: “First, I’m not a fan of having the same team both building and securing. There is a reason in the financial world you have two different teams for cyber, one the day-to-day threat hunting and monitoring and the second team doing the oversight. Increasingly, we are seeing growing diversity, driven by cloud and SaaS applications, and with this, organisations are looking for security tools that solve cloud risks and risks caused by legacy products.”

Rudolf Didszuhn: “XDR requires the use of sensors to collect and analyse data and is primarily directed against attacks that get through the initial defence; the goal is to detect lateral movements. Most of these sensors not only react, but also provide proactive protection mechanisms, that are also automatically adjusted to individual attack methods. For example, our cloud app security solution with XDR connectivity regularly detects and blocks attacks that have been able to overcome the integrated security functions.”

Can you share your view of the MITRE ATT&CK evaluations of EDR solutions. Is there something in the test setup that should be changed from your perspective?

Sabrina Gastes: “These tests focus on the evaluation of EDR systems, i.e., exclusively the detection and not the stopping of threats. There is no focus on the protective effect of an endpoint product. This, in our opinion, contradicts companies’ desire to detect and, more importantly, stop an attack as soon as possible. Currently, according to my information, the findings from other sources of a current XDR system, such as network, email, mobile, or cloud, are not included. In our opinion, this should definitely be adapted.”

Greg Day: “The key is making the testing as real as possible. Using simulation tools, or broken parts of attacks, simply isn’t the same. It’s key with any test that the testers are transparent in what they tested and how they completed that testing. This allows the audience to make their own judgements on the efficacy of the testing. Finally, I would add that testing needs to be consistently repeated as threats and security tools evolve. From my experience, MITRE has adhered to all of these principles.”

Rudolf Didszuhn: “MITRE ATT&CK works with vendors and security specialists from the industry to achieve optimal testing conditions. In our experience, input is taken seriously and implemented where appropriate. Ultimately, however, MITRE is also a laboratory test that can never represent all aspects of a real cyber attack. EDR, as a defence technology, is also, by definition, limited in its mode of action to the endpoint. This combination can only produce a limited result, which is primarily relevant for vendors to optimise their technology. The informative value for customers, on the other hand, is lower. However, this is a general problem with all laboratory tests, regardless of the organisation carrying them out.”

What are some misconceptions or wrong statements you see repeated in the cybersecurity community?

Rudolf Didszuhn: “One of the most serious misconceptions in my opinion is that the employee who clicks on a malicious link is responsible for a cyber campaign’s success. Of course, attacks by mail are still starting points for cyberattacks. But sensible IT security must never be based on people not making mistakes. Training measures can only reduce the likelihood of occurrence. IT security must assume that attackers succeed in overcoming human barriers and have corresponding concepts. The other aspect is that people often rely solely on the effectiveness of a technology or a solution. However, the technology must be integrated into the business processes.”

Sabrina Gastes: “I can only repeat myself here: focusing on individual “magic” technologies is not effective. Companies that say “our solution X or our artificial intelligence makes all other security technologies superfluous and expert knowledge is not necessary” will have no chance against modern hacker attacks. Cybersecurity today only works through teamwork.”

Greg Day: “One of the misconceptions is that all cybersecurity professionals don’t understand how attacks and intrusions affect the bottom line of the business. What I’ve learned over the years is that just about every aspect of any business has its own lingo, and it’s a two-way street to learn others’ lingo. Most cyber security professionals I meet are ambitious and keen to get closer to their business and board, but some struggle to get the airtime or support needed to learn it well enough. This is compounded because there is rarely any downtime in cyber, because every day is just as busy as the last one, and just when you think you can come up for air after one risk is mitigated, another pops up immediately.”

If you could send a message to all CIOs and CISOs, what would it be?

Greg Day: “In a world where it seems everything is being commoditised, consider what parts of cyber security you really need to own and run and what you should take as a service, an outcome. Our world is becoming more complex, and we are going to have to rely on more services to keep pace and scale with the business. Be ruthless in the continual assessment of what’s helping you meet your goals and what is inhibiting it. We have to keep cutting away the fat that slows cyber security down. A customer recently told me that for every new security capability he embraces, he removes two others.”

Rudolf Didszuhn: “Cybersecurity is a team sport. People, processes, and technology must be orchestrated to successfully stabilise the company’s value creation. If cybersecurity is laid as a net over the company’s IT infrastructure, then modern risk management will also succeed. From this perspective, the corresponding helpful measures can then be derived. In this way, one can also see which measures can be set up and operated by oneself or which service providers are helpful. Anyone who still thinks in terms of antivirus nowadays is acting grossly negligent. If the company is ruined by a cyber attack, the employees may be out of a job. Do they want to bear that responsibility?”

Sabrina Gastes: “What if you didn’t have to worry about your company’s ability to produce tomorrow because of a cyber attack? Then you should think about an MDR service, where highly qualified specialists protect your company around the clock and automatically take all necessary measures.”

Sabrina Gastes, Greg Day and Rudolf Didszuhn, thanks a lot for your time, and for sharing your valuable experience, views and insights with the community!

Please remember: This article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.
