Can XDR Survive Outside of SIEM?
EDR entered the final phase of Rogers’ Diffusion of Innovations Curve last month, five days after CrowdStrike acquired Humio, when George Kurtz described XDR (not EDR) to the US Senate as an essential technology used by “elite defenders.” Keep in mind that five days into any announced acquisition, there’s not going to be any kind of viable integrated product — yet here’s the proverbial 800-lb gorilla of the EDR space describing XDR as the future.
So… What’s Next?
In my journey from EDR startup founder to industry analyst and now, “recovering analyst,” I’ve had a lot of time to think about the evolution of threat detection technologies and how they all fit together. Over the years I’ve introduced this story with the following picture, describing the intersection of XDR and SIEM. The point I try to make with this is that while these engines have come from different places, they end up being a single piece of metal.
Let’s take a look at the current divide, what’s happening in each of these markets, and what the future will hold over the next 5 years:
Why hasn’t SIEM been Effective on Endpoint? SIEM has never done endpoint detection well because the SIEM paradigm has been to aggregate everything and make it searchable. Due to the difficulty of building effective analytics for an environment that’s going to be a big question mark as far as the data you’ll be receiving from it, that work has traditionally been offloaded onto the customer. Note that it’s not that you can’t be effective using SIEM for endpoint detection, but that it’s a full-time job ensuring you have the necessary collection and analytics built to support it.
EDR as the Mini-Fridge of SIEM. EDR solved the problem of endpoint detection (as much as one can I suppose) by leveraging proprietary agents to ensure the right data was being collected for analysis/investigation, and correlating this event data to allow automated reconstruction of process execution and entire process trees. This in turn allowed us to perform detection based on patterns of behavior instead of individual behaviors. Considering the collection and storage of EDR telemetry (logs), I’ve often found it helpful to frame EDR as productizing the management requirements of a SIEM while delivering an endpoint focused “mini-fridge” SIEM solution.
What does XDR Need to Survive?
The XDR market has two major challenges that are going to define what the future looks like. In the short term, we’re entering a foot race between competitors to add and correlate additional log sources to stitch together a holistic view of your environment the same way EDR provided a holistic view of execution on each endpoint. When I defined XDR in 2019, I intentionally included vendor agnosticism because this is what customer environments look like. Think of this first stage as a race to maturity. In the longer term, there’s going to be a downward pressure on this market as XDR vendors are going to have to recoup costs from additional log consumption without having their clients end up paying consumption costs twice (once for SIEM and the second time for XDR). The answer to this is to add compliance use cases to XDR which will allow companies to migrate away from their SIEM by offering “evolved” or “extended” threat detection outcomes while providing equitable capabilities from a compliance perspective. Following this challenge to its logical conclusion, I expect every XDR vendor to have a full SIEM offering 5 years from now. In the meantime, expect a lot of use-case marketing around hybrid XDR-SIEM deployments.
So In The End, Everything is Just SIEM?
An assertion I often hear is that XDR is or will just become SIEM. I find this perspective is popular among people who view SIEM as a giant bit bucket that solves every log analytics problem — and from that perspective they aren’t wrong. But before we buy in, there’s an important lesson in what happened with the traditional AV vendors over the last decade to consider. These traditional vendors largely ignored the emergence of EDR, allowing a second endpoint agent to emerge that would eventually eat their use cases and take over the endpoint security market while they were struggling to catch up with the innovation. Similarly, the SIEM market may have contentedly stood by as EDR was developing an “endpoint” security analytics use case they didn’t view as an immediate threat, but as discussed above, XDR is coming to steal their lunch money. The technology and lessons learned by XDR vendors when building EDR products over the last decade may well provide them an advantage when considering concerted development and potential re-architecture of storage in SIEM back ends to support these XDR capabilities, compared with the challenge of just adding compliance dashboarding (oversimplification to drive home the point). All of this said, I expect any SIEM vendor that hasn’t pivoted before the XDR foot race is done, will be lost — and for them this will be a trainwreck.