Cutting Through the Noise of XDR – Are Service Providers an Answer?


- [Rakesh] All right, good afternoon everybody. So I'm really excited here to talk about cutting through the noise of XDR, are service providers an answer? So I'm gonna introduce myself, I'm Rakesh Shah, AT&T Cybersecurity. (crowd cheering) AT&T in the house, all right.

Let's see. So focus on product strategy across the AT&T managed security operations portfolio. And what we are here to talk about as AT&T Cybersecurity is XDR.

So I remember last year came here to RSA and XDR was a hot topic, we saw it everywhere. In fact, I was staying at the Marriott Marquis, I think right down the street, if you guys are familiar, I was thinking that we were gonna talk about XDR and it was gonna be something hot and exciting. Walked right outside my hotel room, the SentinelOne bus came by and there was a giant like XDR right there. And then you started walking around and you see XDR everywhere.

And I think 2022 was kind of the real introduction of extended detection response and those technologies. I think 2023 is a little bit different, right? We're seeing it kind of move from being new technology to, okay, let's figure out what exactly is this and how do we operationalize that? And that's why we're here to talk about some of the challenges with XDR, some of the confusion, some of the hype, as well as what we're seeing as some ways to just simplify it and make it way easier to deploy and get the advantages of XDR, and so that's what we're gonna talk about today. So who knows if like Confucius actually said that, but there's this concept of life is simple but we insist on making it complicated, I'll give you a great example of this 'cause it just hit me two days ago.

I'm here traveling, like many of you, San Francisco, I've got my family back home in Austin, Texas, and we have a remote control for our TV, it's actually for our receiver, which honestly has 60 buttons, and you can't figure out which button to use. Anyone here know what I'm talking about? Yeah, yep. And so my wife was doing, she was cooking dinner, doing something and my kids, they're not that young, they're in early teens, could not figure out how to use the TV. Like they just couldn't. So they decided to call me and go, can you help me? We did FaceTime, I got to show them, okay, you gotta push this button to turn this device on, this button to turn this.

And I know there's new things coming out, I haven't adopted the whole Alexa thing, turn on TV, which is kind of freaky, but you can do that. But trying to use like a simple, trying to do something simple, use a remote control, turn on the TV, we made it way more complicated, right? And I think with XDR, there's some parallels in that, look, things are getting complicated from a cybersecurity perspective. You've got the attack surface becoming more complicated, you've got data, the need to monitor everything from cloud endpoints, the network. And so you've got this data that you're trying to get a full picture of.

And then on top of that, what you're looking for is you're looking for those risks and those challenges and those different parts of your attack surface in that environment. And I think for most of us, we kind of view the endpoint as being key, it's a key vector of attack, it's often that initial access point. We know that endpoints are growing, and I think we all know ransomware in the last two or three years has exploded and continues to be a major threat.

And so when you talk to, and this is a survey that we did, you talk across industries, attacks on user and endpoint devices continue to grow. So again, you've got this complex surface, you've got the endpoint, which is the target in many cases, or that entry point for an attack. And then if you look at industries like manufacturing, finance, and retail, all greater than 65%, they really do view the endpoint as one of the entry points and a real threat or a point that could be exposed for an attack. So you think about kind of that landscape, you think about the complexity and what we're trying to do and why I get to this idea of complexity and trying to simplify that. I think with XDR, the idea is to take what used to be very complex, very disparate, different technologies. Now a lot of this is driven by a lot of the innovation that we see here at RSA.

Like I think if you look out, like just in the last year I heard, I dunno if anyone heard this, 38,000 people are here, is that true? Did somebody hear that? There's a lot of people here at RSA, right? It might have been, a lot more than what I've seen in the last year and then pre-COVID, even before. So you see that explosion of people coming here, and a lot of it is that there's a lot more interest in cybersecurity, there's a lot more vendors, there's a lot more technology. And when you start introducing all this innovation and all these new vendors and all this technology, it's hard to bring it together in a simplified view, complex to manage, too many point products, lack of visibility. So the challenge is you wanna take that remote control, with 50, 60 buttons, really hard to use, and you wanna make it as simple as, Alexa, let's see if that works, nope, doesn't trigger anything. Can you turn on the TV? And that is what the promise of XDR is.

Take all of that, provide visibility across the attack surface, better, faster threat detection and response. So it's this concept of taking complexity and trying to make it simple is the heart of XDR. Now we're doing this because we have this incomplete picture. And I think the other part of that is, we know this is a challenge, it's been around for a while. Again, last year, 2023 was the year that XDR started becoming more of a topic of conversation, we started seeing a little bit of that hype.

And I think because of that now, there is some confusion, right? And I think about some of the hype technologies out there, like an Oculus, I dunno how many people here own an Oculus? Just curious, VR, a few people. You guys use it a lot? Because I tried it with my kids and I used it for like Christmas day. And after that, I just, it's just a pain, right? Hard to use, my opinion, some of you may be real fans of the Oculus, but very challenging.

But I think the hype was there, bought one, and ended up really not getting any value, and there was a lot of confusion with that. And I think that XDR is kind of in a similar path where there has been a lot of hype and there is some confusion. And so kind of a question to the audience and I would like a show of hands, I'm gonna give you two options, option one and option two, okay? And I would like you to raise your hand on each one and wait till I say both of 'em, and then please raise your hand.

Kind of informal poll around, is XDR number one, extension of EDR, or number two, a product suite from a single vendor? And so that's the question, I guess number one, how many people view it as an extension to EDR? I see a good number of hands. And then the second answer is product suite from a single vendor. I see a few, maybe a little bit less there. So it kind of mirrors what we heard when there was a survey that was done, this is actually not our survey, but I think came from IDC. And what we learned was that 55% of respondents, I think pretty much parallel to what I saw in this room, there might be a little bit higher here, view XDR as an extension to EDR. The other, less than half view it as a product suite from a single vendor or an open integrated architecture.

And so there is some confusion in the market, there is confusion in the analyst community. I think depending on which analyst you talk to, you hear different perspectives, right? I think if you talk to Forrester, they're very clear, born out of the EDR market. If you talk to folks like ESG, Gartner and others, and they're really testing the market, they're talking to folks, they are saying, hey, it's a little bit more nuanced and maybe it's more of what's on the right here, when you talk about being kind of a product suite or an open integrated security architecture.

But I think the important part here, and what we also saw in that survey is it doesn't matter, right? With XDR, it gets back to that complexity, trying to make it simple. What they're trying to do is they're trying to focus, and I think like many of the folks in this room, on security outcomes, right? And so by using XDR to supplement the existing technologies, existing investments, that's where they see the value if it leads to security outcomes. So that's really the key here, again, is trying to simplify some of the confusion here, some of the hype, and I think with XDR, we're not there yet, right? I think there's two kind of parallel stories, one born out of EDR, the endpoint detection and response, the CrowdStrikes, SentinelOnes.

Some of it born from, I think legacy SIEMs and folks that are approaching it differently like Splunk, like Sumo Logic and others, and like AT&T Cybersecurity, we're kind of coming at it from that perspective. And so I think that there is that confusion and right now the focus is how do we try to simplify that? So with the confusion, you would think that you'd get less traction. But I think as I mentioned with XDR, 2022 kind of got, the hype was go out there, people were talking about it. I think it's really transitioning to being more of like, okay, how do we use it, and what's that technology? Again, trying to cut through some of that noise.

And so XDR is growing and part of it is that number one, it's about extending telemetry and getting that centralized visibility, getting that complete picture of the attack surface, understanding where threats are coming from, whether they come from the network, the cloud, the endpoint, trying to understand that is absolutely the first pillar I think of any XDR, whether it's from the endpoint, whether it's a more broad open view. Number two is integrating threat intelligence and having security analytics, a lot of it driven by machine learning, AI capabilities. It's a huge part of it.

So if all you're doing is taking the data, putting it into some repository, data lake, that in itself may give you more telemetry and give you a picture, but it doesn't give you that ability to really understand what the threats are. That's why threat intelligence, security analytics, ML, being able to find the real threat by pulling in all that telemetry is key, it's why XDR is important, it's more than just the legacy SIEM, it's the ability to pull that all together and then automate, orchestrate the workflows and the process. And so you take those three pillars, the ability to take the telemetry, integrate the threat intelligence, put novel ways, again, ML, AI, another hot topic here at this RSA, being able to use that to understand what the threats are. From there, you have an automated, orchestrated process, workflows to then address that threat. The end goal of all of this is to increase the efficiency of security operations and analysts to make their lives easier, right? Taking those disparate tools, putting 'em all together, correlating threat intelligence, analytics, and then giving you that workflow.

And again, with XDR, like a lot of this you can do with EDR, if EDR is your foundation, you can do that and that's great, right? But I think you need the cloud, you need the network, you need all the other telemetry, even assets, vulnerabilities, understanding the attack landscape, all coming together to give you that single picture. And so that's why I think XDR continues to grow, continues to become more and more of a tool set, and again, supplementing technologies that are out there. We talked about the hype, we talked about some of the confusion, and I think a lot of us who've come from the vendor space do think that a lot of times technology is the easy button. Those of you who are familiar with this, I know it's been around, it's been a few years, but there was that, was it Office Max or one of them, had the big easy button and you hit the button and I guess, reams and reams of paper are sent your way, really exciting stuff. But the easy button for security has never been there, right? And I think this is key with XDR.

So the technology promise is there, a little bit of confusion, but then trying to make it really easy is the goal of XDR. And that's not going to happen very easily. If you kind of think about it, with XDR you gotta take a step back, right? The technologies, the integrations in XDR are complex. This is not taking just log data, sending it somewhere, putting in a repository and calling it a day, right? That's not, that's easy, right? And I think we all have technologies, those of you who are security practitioners, you have ways to get log data, to store it, to get that intelligence, you can even get threat intel, you can get all that, put it in one place, but I think that's not really going to give you the solution, right? And when you start thinking about the XDR technology, which is extending some of that, and so it's not just the basic log data, it's not just that simple, getting the threat intelligence, the IOCs, all that data in there, and putting it as a single unified view, I think that's a step, right? And so I think a lot of us, if you're coming from the security vendor side, think that technology's always gonna be the answer. And I think that's where, if you think about it, there's the other two kind of parts of the triangle, right? So we talk about in security, we talk about, I think it's the CIA triad, is part one of the big triads. The other triad I love is people, process and technology, I think all of you guys are familiar with that on security side.

On the vendor side, we focus a lot, sometimes exclusively, on the product side, on the technology. And that's great, right? There's lots of innovations that are coming there, I'd say most of the vendors who are out here at RSA, and I think we're guilty of it too, we kind of focus on all the cool tech, right? AI, ML, hey, there's some interesting things around zero trust that are happening. Hey, let's talk about some of the new attack surface management technologies that are out there. Let's talk about all these new like technologies that we're throwing out and it's interesting and a lot of it's cool, and we wanna talk about technology.

But when you start looking at the different elements and you start saying, okay, here's technology, but what about people and process, right? Just as critical, and sometimes, I think, for a lot of security practitioners, that's what they focus on and that's where a lot of the gaps are, right? So the technology is absolutely hard, the integrations are hard, but you need the expertise, you need the experience that often you don't have in-house, and a lot of times it's challenging to build the integrations, to manage all the solutions, setting up the rules, fine tuning alarms, creating playbooks, planning an incident response. And I think that we at AT&T Cybersecurity, we're very lucky, right? We have a large SOC, we have some of the folks here run the SOC who are here. And it's not just putting the technology out there, it's working to make sure you have the understanding of, okay, where's the data coming from? What do you wanna monitor? Managing those advanced solutions, setting up the rules, fine tuning them, again, getting all that work done so you can actually deal with an incident, and I think companies struggle with that. And that's where you have to take the technology and you have to layer in the people and you have to layer in the process. So that's the idea.

So it's not easy, there's never gonna be a technology panacea. You always have to look at people and process. And I think that's why, based on some of the anecdotal data that we've gotten, companies are struggling to deploy XDR technologies, even with all their promise of simplicity on their own.

So one of the ways that you can simplify this is using a managed security service provider, an MSSP. MSSPs can help you deploy, manage, even just understand, does XDR make sense in my environment, right? Technology promise is great, but is there a way I can get some help to do this even better? And that's where if you pull in an expert, someone who really understands this across many, many customers, and you can bring the people and the process together, what they can do for you is they can free up resources. That's key, right? We didn't talk about the security talent gap, but I think we all understand that it's huge and it's growing. I think I've heard, like even in the US, there's like a 100,000 some crazy number of like, maybe like 50,000 or something in terms of the gap, in terms of the roles that are out there and what needs to be filled, right? And so just a significant gap, huge number. And so being able to work with organizations, with MSSPs, who can help you there, that's huge.

Alleviate some of the cost and complexity by kind of showing you a simpler path, giving you the guidance, help you integrate it, these solutions in a smarter way. Training, knowledge, experience, bridging those gaps, becoming extensions of your team rather than, hey, I think there's a little bit of this idea that when you look at an MSSP, it's like, maybe I'm outsourcing the work that I want to do and it's not outsourcing. I think anyone who has a very successful relationship with an MSSP absolutely goes into it viewing it as a partnership, it's co-managed.

How do we do this together, better? And that's a lot of, I think the theme in security, it's the RSA theme actually this year, is stronger together, how do we do that? And I think that's a big part of it. And so you start going down that wheel and you say, hey, I need some help with support, I can't support it, maybe I can do it partly in-house, nine to five. But then if I want to have off hour coverage or weekend, maybe I'll talk to an MSSP, see if they can help me with that. They bring the technology expertise, they'll understand the different XDR technologies. And I think this is, you take all that, and I think the most important thing that a service provider can bring when you're having the XDR conversation is they're a trusted advisor, right? So you're looking at the technology, you need the help with the people, you need the help with the process. Take that all away.

In the end, I think having a trusted advisor is probably the most critical thing in terms of having a successful XDR deployment. So again, stepping back here, we've got the challenges, the confusion, we know that there's a lot going on to bring all these disparate technologies and all this promise of all this great innovation together. XDR is meant to be that solution. The challenge is it's hard to do it. There's no easy button.

So I think finding ways to do it in a more intelligent way, stronger, smarter, kind of getting the MSSP to assist you, kind of seems like a no-brainer, there's a lot of value there. So now we're gonna talk a little bit about what can you do in terms of how do you engage a managed security service provider? What should you be asking? What are some of the questions you should be asking them, what are some of the things you should be thinking about as you evaluate them? I think the most important thing, and I think, again, we think a lot of it in terms of technology, but I think for you as a security practitioner, technology is about getting to an end goal. So I think the number one thing you do is you have to be selfish. And what we mean by being selfish is start about like, what are your security outcomes? What are you trying to do? Are you trying to reduce your risk exposure? Are you trying to communicate risk? And I was talking to a few customers a few weeks ago, and it was a really interesting discussion because we talked about a lot of the risk reporting and stuff that's out there. And what this person who's director of information security at a pretty large healthcare company told me, it's great, a lot of the reporting we have is about, here are the vulnerabilities that we found, here's the ones that we remediated, here's the alerts that we went ahead and addressed, and here's potentially something significant we found, great. What that person told me is that they put these charts together for all of their peer organizations, the first thing that happens as they put that information up, everybody's eyes just glaze over, right? If you're not in like technology and security, you don't care, you don't care about assets, you don't care about vulnerabilities, you don't care about your risk, sorry, you don't care about the alarms that you found, you care about your risk exposure and understanding that.

And that's where I think there's some real opportunities to change the conversation. And I think focusing on what are your security outcomes is the number one thing. So many of you, especially if you're in an information security organization, or an IT organization, that's why you're working with all of these technology vendors. XDR is just a technology.

And that's where the MSSP can come in and say, okay, let me figure out, based on your security outcomes, what we can do to help you. Again, go back to that wheel we just showed you, it's pretty simple. Understanding what you're trying to solve for, communicating risk, maybe reducing your risk, understanding that. Number one, start with that. Number two, and we're gonna talk a little bit about security stack, right? And this is where the confusion around XDR is coming from.

With XDR, you've got two ways to approach it. One is native XDR, which is, let's look at all the technologies from one vendor that are very well stitched together. This is where XDR was born from.

Folks like CrowdStrike, folks like Cisco Talos, just introduced or making a big splash with their Talos XDR. It's great, right? I think there is some real value in putting together all of that technology in one wrapper from one vendor and it's a useful suite of technologies. You don't need to purchase and integrate the technologies from other providers, you might wanna move it all into that. But the first time you're going in for a renewal, you're locked into their ecosystem.

And maybe that's okay, you're a shop where you're like, we're a Cisco shop, we're a Fortinet shop, we're, go through the list, Palo Alto, and you see the value of making it simple and working with them. And that's something you can discuss with your managed security services provider. They can help you with that. The other challenge though, with, or the challenge with the native XDR solution, is they may be missing pieces of the puzzle, right? And sure, they'll be acquiring it, they'll be partnering, but they may not have the best in breed API protection, they may not have the best in breed email protection, they may not even have any sort of fill in the blank. So there's a lot of innovation out there, can the native XDR stacks that are out there keep the momentum going and get all those technologies in there? That's a hard thing to do.

So that's number one. The other kind of side of the equation is Open XDR. Open XDR is a little bit different, it's like looking at your existing security investments and stitching it together, there's no need to do the rip and replace. You have that ability to put all those pieces together and get that same value of a native XDR, but you can only do it up to a certain point.

That's gonna be hard to do via APIs, via all that. The one thing I will say that's just absolutely amazing in 2023 versus 2013 is how much the APIs have opened up in vendor ecosystems. So they're using the APIs to build a native XDR, but they're also using the APIs to allow anyone to integrate with them. We have a great partnership with SentinelOne, so we'll call out SentinelOne.

And the work that we do at AT&T Cybersecurity with them and their API is just phenomenal. In fact, if you wanna rebuild parts of SentinelOne, you probably could because of the depth and the breadth of their API. And that's a new trend in cybersecurity. And I think with Open XDR, you have the ability to leverage that trend and take advantage of that.

Pluses and minuses. In the end, Open XDR will never be as stitched together as a native XDR solution. So if you're all in on like Cisco, go look at Cisco Talos XDR, it makes sense, but I think for many folks who have multiple solutions, have already invested, it makes a lot of sense to look at can we stitch these together in a very strong, integrated fashion using Open XDR? So that's the promise of that. So you don't have to do it all on your own. Talk to your managed security service provider, see if they can help you, trusted advisor is key. They'll give you some guidance to look at what you have, start with that.

I think the other thing you wanna look at, as you're starting to look at this, you're talking to the MSSP who can help you with this, is go talk to the vendors and understand their roadmaps. If you're going all in on an XDR strategy with fill in the blank vendor, whether it be a CrowdStrike or a Palo Alto, and that's great, go do that if that's your decision, but go deep and understand the vendor integration roadmap, understand what they're gonna be pulling into their XDR platform. And you can absolutely work with your managed security service provider to help bridge that conversation.

And there's some real value there. So again, work with them. And then lastly, and I think a lot of times we think of the managed security service provider as focused on this, but I think they're much more than that, support for deployment and management, that's part of it. But again, I think when you're working with them, especially with complex technologies trying to solve these problems, think of 'em as a trusted advisor first, then think about management, think about what it takes to support it, think about that, that comes second. When you are talking to your managed service provider to help you on your journey with XDR, some of the things that you wanna look at, some of the things you want to ask them are what's their experience with evolving threats? The threat landscape is changing dramatically.

And you walked around the RSA floor, right? If you have, it's crazy, there's just so many new technologies out there, there's so much that's changing. It's hard to stay on top of when you've got a day-to-day job and you're trying to keep your organization safe and running, that is a really hard thing to do. So I think understanding that, from a service provider is key, to see if they're keeping track of that, if they're on top of it. What's their expertise across the security tools? What are they doing to stitch it together? It's pretty amazing what some MSSPs are doing to simplify that and bring those solutions together and make it easy for the end customer, for the enterprise, for the organization, for the SMB. So I think it's important to ask your service provider partner that you're evaluating, what's their expertise? Do they collect threat data from single sources? Do they just trust one? Do they have a broad set of threat intelligence? Do they really understand what's happening in the threat landscape? That ties back to number one, threat landscape is changing pretty dramatically. They need to have not only the expertise around tools, but understand what the threats are.

And I think this is probably pretty straightforward, but a lot of times you're using them to augment your security organization. Do they offer 24/7, 365 support? Pretty straightforward, but ask 'em that.

Do they do holidays? So go through that, these are just some simple things, you can go a lot deeper in each one of these categories. If you want to talk about their expertise around security tools, go into subcategories and go deeper. But I think, again, MSSPs can help you on the journey, can help you take advantage of the promise of XDR, but you have to evaluate them and figure out which is the right one for you. The role of XDR is key, right? More efficient, more effective, let's streamline the chaos that's out there of all these threats, the chaos of all the tools that are out there, simplify it.

I think the promise of XDR is not gonna disappear. It may turn into something totally different, they'll take the X, put something else next to it, you never know. Like we put the managed XDR, but I mean, everybody's got the acronyms here in security, right? So it's gonna be changing. But the promise and what it's trying to do to streamline security operations is not gonna change. It's gonna always be there, but it's gonna be complex, it's gonna take resources, it's gonna take investment. And I think the key, the reason why we think there's this marrying of the XDR complex technology with cutting edge managed security service providers is being that bridge and helping you unlock that value.

The end goal is security, operational outcomes. Before you do any of this with an MSSP, know what you want, at least have an idea of what you want. Go to them as a trusted advisor, start the conversation there, then you can unlock the promise of XDR, and really get value out of the MSSP that you decide to partner with, or the MSSPs you decide to partner with. But again, I think being selfish is important here. Make sure you know what you want first before you go ask someone for help. So kind of to wrap things up here, we want to apply what you've learned today.

So I think that being selfish is key. Identifying your key stakeholders in your organization, determine what are your security outcomes, that's number one. From there, the next thing you can do in the first three months is understand your security stack, we talked about technology, potential data sources, start that conversation around open and native approaches. I think that's key, having those conversations. And this is all just very high level.

From there, start talking to some of the managed security service providers. You probably already have some you're working with. Go deep into that conversation, understand that, put some of your requirements based on what you look at your technology stack is, as well as more importantly, what your security outcomes are, and try to then talk to them as we just mentioned, and then evaluate the proposals and find the best ones for you.

It's pretty simple. We're trying to take a complex technology that has a lot of problems, will solve a lot of our problems, whether it's native, whether it's open, and you're getting the assistance you need to make that successful. And that's the marriage of XDR and MSSPs and we think there's gonna be a lot of value as we unlock that. We have time now for any questions and please go to the mic and we'll go ahead and answer 'em. There's gotta be one question.

Softball, come on. Someone's tempted. A question here, yes.

- [Audience Member] Hi.

(unclear) So one thing I am a bit confused about when we talk about XDR, if it is an extended version of EDR or consolidating all the logs and then doing further better correlation of all threat management. No one talks about NDR as a component, which would also feed somehow either into XDR or eventually also come into the picture. We talk about EDR being extended to XDR, but probably we lost NDR in between because we also want to understand the (unclear), until of course, the endpoint is impacted, which we will get through with an EDR solution, but to detect that we need another kind of solution.

Now, NDR is one, someone calls NDR, maybe tomorrow it is MNDR, whatever, I don't know, but how do you deal with that?

- [Rakesh] Yeah, I think the question's around network detection and response or cloud detection response, and I think that's an absolutely great question to ask, and I think that's a huge part of the long term XDR strategy, right? I think there's a lot of other things that are kind of getting pulled into XDR, whether it's identity, whether it's again, cloud data or what we're seeing here with packets and the network. And I think in the end XDR will need to pull all that in, I think you're absolutely right. And that's why I think the more open architecture is probably the better approach in the long run.

But that's a good point on NDR. Yeah. Any other questions?

- [Audience Member] Once you've selected an MSSP, what do you suggest the path forward is in terms of accountability for roles and responsibilities, engagement with the MSSP going forward, to evolve your solution? Like you've had a great presentation that leads up to the selection of the MSSP, but like then what?

- [Rakesh] I see a number of folks here, including the person who runs, at least at AT&T, our SOC and has the engagement there. I think it's a great question. And then kind of in the day two and what happens next, and I think, a lot of things to look at, and we can go deep, whether it's when you're working with the operations folks, what are the rules of engagement? What's the response process if something, if the proverbial stuff hits the fan, do you have it documented? Do you know what you're exactly gonna get from your provider? I think having the touchpoints with the folks that are more on the commercial side, right? Understanding like not just the operations team, but understanding that and then understanding the technologies.

I think it's key also to get the updates, continue to have the conversations with them. So I think continued touchpoints, there's different operational models, but take it in different dimensions. But yeah, it's a great question. Any more questions?

- [Audience Member] Hello, do you think XDR is a good way to solve the issue or challenge that EDR has, the false positive rate, high false positive rate?

- [Rakesh] Yes, absolutely. I think a lot of the value of, and I think with EDR, we have to be really careful there because there is a lot of things that the EDR or Next Gen Antivirus Solutions can catch really well, and I think that that's something that they can do and certain types of malware, they can catch it, they can remediate it like that. There's some more complex threats that are out there, more persistent ones, that you need the broader set of data, network, cloud, we talked about some of the other ways you pull in the identity data to truly understand and get that detailed view into what that threat is and to be able to then address it.

So I think that that is a big part of it. But then I think on the XDR side, the investment that vendors are making is to make that smart, automated, using ML, so that it's not a manual process, right? This is being done through threat intelligence, through machine learning models, to simplify it and to put all those pieces together. And the end goal is absolutely to reduce the number of false positives. Yeah.

One more question here.

- [Audience Member] Hi. For a company that has deployed, let's say, some sort of managed solution already, where we integrated SentinelOne EDR, we managed to put together the same product based on Microsoft Sentinel and we currently use BlueVoyant for MSSP, where does AT&T position themselves as an XDR vendor? I mean obviously I need to go check out your booth, but do you have a platform that aggregates all these pieces, that may replace some of it, or may integrate some of it? So I just want to hear what you guys provide.

- [Rakesh] Yeah, and I swear you don't work for AT&T, so I appreciate the plant there. No, that's a good question. I think philosophically we do believe in the open XDR strategy, working with various vendors, whether it's a SentinelOne, whether it's even folks on the network detection side, vulnerability management vendors that are out there. And we do have a platform that we've built, it's based on the AlienVault acquisition in 2018, where we put all those pieces together and give that single view, provide the analytics, and the threat intel, and then the ability to respond. So just to do the plug here, yeah, that's a technology that we've invested in and we continue to invest in and I think a lot of the MSSPs either are themselves or they're partnering with folks.

But I think for the most part, if you're gonna be a true MSSP in 2023, you have to have a platform, you have to have your own way of doing that, I think that's kind of the future. That's a good question. All right, thank you everybody for your time.

2023-06-16 17:11