Under Pressure: The Benefit of XDR Collection In A Historical Context

“Under Pressure” by Éole is licensed under CC BY-NC-SA 2.0

In 2014, while I was busy founding an EDR startup, I was regularly challenged with two pieces of critical feedback while speaking to prospects and investors. First, I was told there was no room for a second endpoint agent in an enterprise environment; that organizations simply wouldn’t accept the management overhead. In 2020, we can look upon the pyres of the traditional endpoint players from a decade ago and realize this first challenge has been solved. The second challenge was performance: even if we could convince the market this was the right thing to do, what would the impact be on the device and, perhaps more importantly, on the network? This is the environment EDR grew up in, and every vendor in the market had to overcome this to get where we are today.

Contrast this with the challenge presented in the SIEM market where organizations regularly receive their bill and start wondering what logging they can turn off to reduce consumption costs. Turning off the wrong log sources can quickly lead to postmortem breach discussions, and there’s frighteningly little information out there about what exactly you should be collecting. This is especially daunting when you consider that every SIEM deployment is essentially a custom deployment due to the tuning that goes into them.

In short, the EDR market has always had an existential motivation to answer this question for you and solved it by collecting what was specifically needed for their analytic models and threat hunters. I’ve often described this as collecting only “security relevant events,” instead of just logging them all and letting your SOC analysts sort them out. The obvious benefit should be the reduction of consumption costs and less need for analysts to be constantly tuning detections.

As we evolve toward XDR, the vendors who have lived with the downward pressure of balancing collection with performance impact should naturally extend this same discipline to other log sources. I expect this same differentiation to become part of GRC platforms as they begin to cut into the regulatory use cases of the SIEM market as well.

Perspectives on how people, processes, and technology come together for effective threat mitigation, by a recovering cybersecurity industry analyst.

Josh Zelonis

Josh Zelonis is a Director of Security Strategy for Palo Alto Networks, a former Forrester analyst and cybersecurity tech founder.
