Detection and Response
The Economics of XDR
Pulling from recent data and research, security experts discuss the value that organizations have seen from adopting extended detection and response (XDR) solutions.
Although many organizations are just beginning to adopt XDR solutions and strategies, the seeds of detecting and responding across multiple security layers have been in place for many years, with the need for visibility across environments stretching back even further. Security analysts use data and customer feedback to measure the value that early XDR adopters have been experiencing.
XDR goes beyond the SIEM
When asked, “What are the most effective tools you’ve been using for threat detection and response,” organizations named security information and event management (SIEM) most frequently. This is according to recent studies conducted by third-party analyst firm ESG. But 57% of those surveyed also responded that they have struggled with issues connected to their SIEM, citing an overload of data points, high cost of operation, and issues securing the specialized resources required. When interviewing early-adopters of XDR, ESG reported that the interviewees were able to detect a compromise in only a few days or less due to greater visibility. The same report found that eight full-time equivalent people would be needed to replace the automation that they currently have in place since switching to an XDR strategy.
Three areas of value XDR delivers
Speaking with early-adopters, ESG determined the three areas of value XDR provides.
- Security effectiveness. This refers to the general efficacy of the solution in terms of increased security posture.
- Business enablement. XDR helps eliminate the many silos of data utilized in the normal security operations process in order to analyze and investigate attacks. This also helps organizations streamline the operations process due to less ingest processing of data.
- Cost reduction. This includes vendor and product consolidation and more efficient triage station process. Fewer successful attacks means less time spent remediating in incident response activities, which translates to significant savings.
Early XDR-adopter sees dramatic change
While MedImpact Healthcare’s endpoint security products were integrated into the company’s SIEM services, the pharmacy benefit manager joined the XDR movement earlier than many of its peers. MedImpact found that its XDR tool is highly integrated with its current environment, as well as the environments it has deployed. The company found that XDR provided a more comprehensive overview of its infrastructure, network interfaces and firewalls. This allows the team to immediately make a deduction as to what has occurred in the environment, trace back to the source of the problem and solve it, saving valuable time and costs.
Want to hear more about how analysts and clients determined the true value of XDR solutions? Watch The Economics of XDR with Senior Analyst at ESG, Dave Gruber, Vice President and CISO at MedImpact Healthcare Corporation, Frank Bunton, and Director of Product Management at Trend Micro, Eric Shulze.
Dave Gruber: Hi, everyone. In my role as a cybersecurity analyst at ESG, I've been paying close attention to what solutions are in the marketplace to help organizations with threat detection and response, and as such, I’ve been looking closely at the XDR movement that has evolved over the last couple of years. And in fact, I've been working closely with Trend Micro to help watch the progress of that space, understand what buyer expectations are, and, as people begin to adopt solutions in the XDR space, to help quantify the results of those solution sets. And so, in doing so, I've executed a number of research studies over the last 12 months. And I wanted to just share a little bit about what those were all about, in the early part of 2020.
Working together with Trend Micro, I took a close look at what the challenges were in the security operations center that are associated with threat detection and response, and put together a benchmark model to understand which companies were most effective, what the characteristics of those companies were, what kind of tools and operations and processes they were utilizing as well, and then took a look at how they were adopting and utilizing an XDR approach to solve those problems. We also took a look at quantifying the results of those organizations to try to get a sense for how much value really exists, both in terms of security efficacy and the efficiencies associated with XDR, for those companies who are utilizing XDR approaches.
And then later, last year in the fall, I executed another research study, this one a little more broadly looking at how much support there was for the XDR movement in the industry at large, taking a look at what people's plans are and progress associated with those plans as well, as they go out and begin to invest in XDR-type solution sets, and also what their implementation strategies look like that were associated with that.
My goal for that was to look for emerging trends and to learn from those organizations that were basically first movers in the utilization of that technology. And then most recently in the winter this year, we took a hard look at Trend Micro Vision One specifically, and we talked to a number of customers that were adopting and utilizing the technology and specifically looked at measuring the value that those organizations were achieving as they were using (Trend Micro) Vision One XDR in their infrastructure.
So I'm going to share data and information from multiple pieces of this research, a little bit from the spring research, a little bit from the fall. But I really want to center in on the value that organizations have seen from Trend Micro Vision One.
I'll start by just validating some of the pain points that bubbled up to the top as we looked at what people were struggling with in the security operations center. And if you're listening to this session, then you're likely experiencing these challenges as well. Of course, our attack surfaces in most every company have expanded quite dramatically or changed a lot, certainly in the last 12 months. In addition to the change for the remote worker, we've also seen a continued acceleration of cloud workloads, continued movement in the diversity of devices as organizations invest in IoT-type technologies.
And so the attack surface itself has been shifting and changing a tremendous amount, which of course requires new approaches to security controls and all those things. At the same time, of course, we continue to experience growing complexity in the actual threat landscape itself. That's not a new trend, of course, but certainly one that was exploited heavily, as we all know, over the last 12 months; as things changed so rapidly, so did the type of attacks and the threats that were coming at us, so much so, in a very targeted, advanced-threat way.
Along with that, because we've deployed so many different security controls, we continue to grow more silos of security data. And I feel like I've been saying that now for several years, because it's actually been the case: as we implement more and more controls, we have more security data in our infrastructure, no shortage of telemetry for the security operations teams to review and analyze and investigate with, but it's been a very overwhelming amount of that data that's emerged as such.
Of course, the cybersecurity skills challenge still plagues us all. And some of us are trying to fix that by hiring managed services to come in and supplement our resources. Others of us have been just aggressively recruiting, but we're all caught short of the kind of resources that we need, which makes it a big problem because of the amount of alerts that all these security controls are sending our way, and most organizations are struggling to sort of get through those as part of their daily operational process.
So, as we talk to organizations and we ask them, “what are the most effective tools they've been using for threat detection and response,” SIEM, no surprise, bubbled to the top. People felt like, for the tools in their toolbox, SIEM was the best that they have as of today. But at the same time, people were very upfront that there were a number of issues associated with the use of the SIEM, and 57% of organizations said, “yes, my SIEM is a good tool, but I struggle with a lot of things involved in it.” Many of those challenges had to do with the noisiness of the SIEM itself. Many complained about the amount of specialized resources that were required to operate it, in that their more junior staff had some difficulties utilizing or getting value out of the SIEM, and a very large percentage of people also complained about the cost of their SIEM as they ingested more and more data, as well. 58% said that they could see room for improvement in the data ingest process, and organizations said that they continue to invest both people time and technology in building the data ingest process as new security controls and things took place in that environment along the way, and then integrating with the rest of their infrastructure, as well, was an ongoing cost and challenge for most organizations.
Thus, over 90% of the people we surveyed were very interested in what XDR could do and, as such, have set aside budget to go out and take a look at XDR, potentially invest in it as a supplement to their SIEM. As well, many people also said that they would want to replace their SIEM as part of the process over time. So when we looked at what the real benefits were that were associated with XDR, we saw that those people that were utilizing an XDR approach in their organization said they had half as many successful attacks in the organization.
So pretty dramatic efficacy results. But for those people that were seriously investing here, 60% said that those attacks were less likely to repropagate again, which is great, which means that people were getting back to root cause and shutting down those attacks for the long haul. And then the third benefit is 2.2 times in particular, were able to detect a compromise in only a few days or less versus very long dwell times that were in existence for those people who were not utilizing an XDR approach in their organization.
When we looked at quantifying the actual number of resources, those people that were using an automated XDR environment said that eight full-time equivalent people would be needed to replace the automation that they have in place with XDR, and that's, of course, across all the components, so that includes the data analysis, data correlation, the investigation process, the automated response process. We took a very broad look at the people requirements that were associated with us. So pretty dramatic benefits there.
So now let's get back to Trend Micro Vision One specifically. So this winter, we took a hard look at (Trend Micro) Vision One, and we looked at the guided investigation process, the contextually aware response actions that were there. We looked at the visualization process across endpoint, server and cloud workloads in particular, the MITRE ATT&CK framework mapping, and then the associated documentation that comes along with it. We looked at the communication and the visualization that was associated with attacks as they communicated with command and control, and to suss out lateral movement in the environment, and we also took a look at, from an integration perspective, the SIEM and SOAR integrations as well.
And to do that, we talked specifically to a number of Trend Micro customers, and we looked at three areas of value. So we call these the economic benefits. The first is around the security effectiveness. And so we looked at the sort of general efficacy of the solution in terms of increased security posture in general, and all of the customers that we spoke with said that they felt that their organizations had lowered the risk of security attacks and threats, both from having better visibility to what's happening in their environment, but also from a time-to-detect standpoint as well, because people could see things happening sooner and stop attacks in process, so that we saw better detection.
So both higher levels of detection and a reduction in mean time to detect as well. And interestingly, I added just a quote in here, and it said, “the reduction in complexity of the process.” So there's a complexity element as well, which translates into human-caused errors, which I thought was interesting. It's not actually a subject we've dug into much in our core research, but because there were fewer human errors involved in the investigation process, people felt that they had a better or faster detection and remediation time utilizing more of the automated capabilities.
And we'll actually explore that in a little bit because we are lucky enough to have a guest with us who was part of that conversation.
In terms of business enablement, and think in this case of the business operations, XDR helps eliminate the many silos of data that we utilize in the normal security operations process to analyze and investigate attacks.
It helped us streamline the operations process as well, because now there's less ingest processing of all that data and synchronization processing that's associated with that data, as well. And then, people translated that into sort of lower risk overall, and that comes specifically from people's ability to invest in net new capabilities, so new functions, new partnerships, and other things; because people felt like they had a better handle on their security posture, they were more willing to invest in net new capabilities for the organization, enabling the business to move forward more rapidly. So by lowering the risk, providing higher visibility, I'm okay investing in net new things at a more rapid pace, so there was just a terrific outcome from this as well.
And then on the cost reduction side of the house, a number of areas specifically tied to costs: one, around vendor and product consolidation. So this is taking multiple tools, multiple analytics engines, rolling it into one common environment with (Trend Micro) Vision One. More efficient triage station process. So that literally translates into people time along the way, and then fewer successful attacks means less time spent remediating in incident response activities as well. And those translated very much into hard costs as well.
And I brought with me a model that will sort of help demonstrate that a bit. So we took that cost translation data, and we modeled it out here, and we saw that there's a 63% savings from what people were previously doing with a fully cobbled-together manual, plus some level of automated, capabilities when they move to Trend Micro Vision One. So that's a big number, almost two-thirds savings there. And then, interestingly, those organizations that engaged Trend Micro’s Managed XDR service as well saw additional savings as part of the process.
And I don't know if that's intuitive for everybody or not, because sometimes you think about, “well, if I'm engaging a service provider, that might actually translate into a higher cost.” But as we looked closely at this, we saw that those people engaged in the managed XDR service from Trend Micro also saw a further cost reduction. So down to 79% savings overall, between all the different characteristics that we tracked along the way.
Okay. So enough about my research; let's get real with the conversation. I'm fortunate enough to have with me today Frank Bunton, 12-year veteran and vice president and CISO from MedImpact Healthcare. Frank was kind enough to share some of his experiences with us at ESG, so we could put together some of our economic impact. So that's kind of what happened here.
Frank, I'll start out by letting you introduce yourself a little bit more about MedImpact Healthcare, and then we'll get into some conversation about Trend Micro Vision One.
Frank Bunton: Hi, my name is Frank Bunton. I'm Vice President and Chief Information Security Officer at MedImpact Healthcare Corporation. I've been there quite a while, and I've been in the CISO role for 12 years now. MedImpact is a pharmacy benefit management group, and as such, we deal with a lot of issues in healthcare and the associated businesses that go around with that.
And, it's a busy world in healthcare today.
Dave: Boy, is it ever. Wow, healthcare is one of the industries that I focus on as well in my practice. And it's amazing to see, one, how vulnerable various healthcare organizations are, but just what a target healthcare is right now for the adversary.
So, great, Frank, let's start with a really basic question. In your role as the CISO of the organization, what are some of the goals specifically in terms of adopting XDR and the Trend Micro Vision One platform?
Frank: In terms of goals, my team now provides services for both MedImpact and its subsidiaries. This has expanded our vision, so to speak, and has created problems, the primary of which is integration of remote security events into a single pane of glass. The XDR tool and the (Trend Micro) Vision One endpoint management tool assisted us with this by allowing that expansion to occur seamlessly within our environment.
Dave: So, great. Can you just expand slightly on, like, what were the pain points that caused you to engage in this, in looking at this?
Frank: The basic pain point was the fact that we had endpoints. We had lots of them. We did not have a good endpoint management system. And when we first brought Trend Micro in, they solved the problem of the Monday morning blues, which is chasing malware down the network and losing that race.
So once we saw that, as the product grew into both (Trend Micro) Apex One™ and then into the (Trend Micro) Vision One that now exists, as it expanded, we were able to take advantage of those features, including the XDR feature. And this allowed us to basically eliminate those types of problems. And in the event that you do get a problem that you need to review, the XDR basically takes that, gives you faster detection, faster response, and eliminates the packet captures or looking around through DNS, et cetera, and turns that into something you can manage in a given amount of time, a short period of time, and improves your overall responsiveness to the business.
Dave: That's great, Frank. So, I assume that you got time back to your analyst team. Now you're able to redeploy those analysts to do other things.
Frank: And that was required, right? Because with all the new subsidiaries, that task is daunting. Let me tell you, you run one company, try running a dozen, it's not easy.
Dave: Hmm, I'll bet. Hey, so what do you think is different about the Trend Micro XDR approach than some of the other approaches you've seen in the marketplace?
Frank: The XDR tool is highly integrated with not only our current environment, but with the environments that we have deployed leading up to where we are now, and it provides very quick response.
And it provides a more comprehensive overview of our infrastructure and our network interface, our firewalls; we can see so much information that has been gathered with regards to any type of incident that we respond to, that we can, you know, almost immediately make a deduction as to what's gone on, where's the problem. And we're able to see back to the source of the problem and solve it. And that's critical in this business, because there's just as much time to mess around.
Dave: That's great. And so I'll take from that that you believe that Trend is doing just fundamentally a better job of putting the data together and delivering it to you in a way where you can understand what's happening.
Frank: Correct. It's basically the ability to take, if you work with networks, that data's pretty primitive, right? And it takes special people to basically be able to break it down. Their products do that for you and allow your network engineers to do networking; it allows your security engineers to focus on the problem and remediate the issue, right? And that's critical. It's just important to have that.
Dave: Yeah, I was still going to ask you about that. But you had said a couple of times in our earlier conversations that that was a special part of why you enjoy working with Trend and the solution. There's something special about Trend as a partner. Can you expand on that?
Frank: I went to one of their bigger conferences in Vancouver a few years back. And Eva Chen presented there, and I was just astonished at some of the insights she has to the customer. As to how to take care of the customer, how to make sure that the customer gets the service and the attention they need. And that has been passed down to her subordinates, you know, her staff. And then that has gone all the way down to the support personnel at Trend. And the support personnel, they are the best I've ever seen, the best I've ever seen. We are never left hanging with those guys. So they are just a great partner. Wish I had a lot more like them, I could some, I’ll tell ya.
Dave: That's fantastic. Frank, thank you so much for being candid with us about both your experiences with Trend Micro, who sounds like a terrific partner, and specifically about the impact of (Trend Micro) Vision One on your organization. I'll look forward to chatting more as you continue your journey and learning more about your experiences along the way.
Frank: Sounds good, Dave. Always good talking to you.
Dave: Thank you so very much. Alright, everyone, that concludes the conversation, at least for today. There's more information available from Trend Micro on the various research topics that we covered here today. So if you're looking for more information, reach out to Trend Micro.
Eric Shulze: Hello everyone, and welcome to this session. Trend Micro Vision One contains a number of different layers that each add value to the overall threat detection and response story. Let's take a look at what each individual layer contributes to the overall picture, to help complete the puzzle.
First, the endpoint. Most attacks ultimately involve the user's devices. Either the user clicked on something or the endpoint got compromised via a drive-by download, et cetera. But ultimately the question you want to be able to answer is what happened on that endpoint and how did it. But you also have endpoints that are unmanaged, that you can't install an agent on; maybe they're legacy.
Maybe they're a third-party contractor that has to plug into your network that you don't own and control, or maybe you have IoT or OT devices that you can't install the agent on because it would put them out of vendor compliance. Ultimately you need visibility into how the attacker is moving across the organization, and are there things like CNC communication or data exfiltration.
You need to be able to see exactly what's going on on the network. And ultimately, if things are being stolen, they have to be stolen over a network connection. Email is another key layer, a layer that provides a lot of value, specifically because email is the number one attack vector.
One key question is who else received this email? Did it go to everyone in the organization or just this one specific executive? Are there compromised accounts sending internal emails? Did someone, did an attacker get access to one account and then use that as a trusted source to spread the malware internally?
And then finally, cloud and workload security, which are business-critical applications, which ultimately is where most organizations have their gold stored. You need to be able to correlate the data for more than just EDR and just from the servers, because we have things like containers and serverless that don't have the persistence that a traditional VM or workload would have.
And you have to have visibility across those to complete the puzzle completely. Now let's take a look at what this looks like from the demo perspective in the console. So if we look at an endpoint example before we had EDR, where we just had detection, or the prevention layer, here we can see the Trend Micro dashboard and we can see that we have a detection for a specific file. In this case, the PDF that was masquerading as a link file.
Now this detection shows, you can see what user, what system, but you really can't see much more beyond that set of data alone. Now let's take a look at what this looks like when we add EDR data. So, collecting all the telemetry from the endpoint, like the network connections, the process telemetry, et cetera.
And suddenly this picture becomes a lot more complete. We see the original event, which was that detection, but now we see it also had some uncommon PowerShell parameters and also had a rarely accessed web domain. So now we can see that the puzzle is starting to come together: while, yes, there was a file that was detected, it also was using PowerShell to communicate with some rare and unseen domains.
Well, let's go back and add some more layers now. Let's add email, the network, the cloud workload visibility, and suddenly now the picture actually becomes complete. We see the possible spearphishing link that came in at the start. We can see the subject line for it and see who all received it. But then we also have all the data that we saw before.
So we have that detection event where it was clicked on and executed. We have the PowerShell commands that were executed, and then we have the domain and the network traffic that's been enriched by the network sensor, to be able to see additional details about it, including additional IPs, et cetera.
So ultimately what happened is by adding each of these new layers, we added more correlation opportunity, we added faster detection because of all those different steps, and ultimately we had the broadest visibility across all the different tactics and techniques that were used in this specific example attack to see exactly what happened. But each layer while it helps with the detection story, ultimately helps with the response story as well, because obviously the “R” in XDR is the “response”.
So if we go back to our puzzle and we look at the different layers again, the endpoint, for example, contributes remote shell, being able to interrogate the endpoint and run commands on it and pull additional information. You can collect the file from the endpoint for deeper analysis through malware automation tools or sandboxing technologies.
Endpoint isolation, to get that endpoint off the environment, or off the network, while you're investigating it.
Email, you have the ability to quarantine and delete an email, block the sender so that you don't get email from that malicious user anymore.
At the network layer, we can block hashes. We can block IP addresses and domain names. And then on the cloud workloads, we can have capabilities like remote shell and collecting files without impacting the revenue-generating applications.
If we go back to our demo console, here, you can see the incident view, and this was introduced about a month ago, so if this looks new to some of you, to our existing customers, this did come out about a month ago. And what this does is this takes multiple workbenches and correlates them one level higher into an incident. So here you can see all the techniques and tactics, you can see all of the different workbench IDs that are associated that have all been correlated into this one larger single attack.
And if we go to the top, we can click on different tabs to see the incident timeline. So we can see each individual event. We can see the impact scope, so what systems, servers, users were all involved. And then we can also see all the highlighted objects here. And if you haven't seen this screen before, it may look like there's a lot of text on here, a lot of random text, but actually, if you look close, that is an encoded PowerShell command being run. So actually seeing that, to me, is something that I may want to drill down further into. 'Cause clearly, you know, while not necessarily malicious, encoding things in PowerShell is something that definitely should be looked at a little closer when it has this other information around it. And in this case, the incident designation by the platform.
But if you scroll down on this list, you can see it's not just process data. We also see file paths. We see IPs, registry entries, all in one view. So if we go back to the alert tab next, and we actually drill down into a workbench, now we can see that on the workbench specifically, this one for credential dumping, we have response actions that vary based on what we clicked on.
So if we right click on the creeper endpoint, for example, we will see we have the ability to do a remote shell. If we right click on the wrench.exe, we can collect that file. If we right click on a URL or an IP, in this case, we have the ability to add it to the suspicious objects list, where it can then be blocked or logged going forward.
Now we can also go back and look at another workbench. In this case, we'll look at the one labeled possible APT attack. This one contains additional items in this case; email and network data. If we right click on the email, we have the ability to quarantine the message or delete it.
If we right click on the URL we have the ability to add it to the block list. And then when we click on another endpoint, we have the ability to isolate it. So what you can see here is, depending on what type of item you're interacting with or what node you're interacting with, we have a contextually aware menu that lets you take specific response actions based on what exactly you're clicking on.
And ultimately we know customers need more than just response actions. They need the ability to track the status of these incidents. So we support that with a simple flagging system that is fully API integrated, as well as a notes capability like you see here. So I can add notes as I'm handing this off to another analyst; this can also be completely interacted with via your ticketing system. So if you want to push a note into (Trend Micro) Vision One via API, you can. And if you want to pull that note out and sync it with your ticketing system, you can via API today.
And with that, I hope you have seen that each layer adds additional detection, as well as response capabilities, to ultimately help you see more and respond faster.
And with that, I'd like to return it back to our hosts.
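As an added illustration that is not part of the webinar or of the product, the Python sketch below shows the two defender-side steps the demo above walks through: rolling per-layer events (email, endpoint detection, EDR process telemetry, network DNS) up into one incident per user with an impact scope, and decoding a PowerShell -EncodedCommand argument so the "wall of random text" becomes a readable script. All events, users, hosts, the domain and the encoded script are constructed; the flag names, thresholds and incident structure are this example's own assumptions, not the console's data model.

```python
"""Cross-layer incident correlation sketch with encoded-PowerShell decoding.
All telemetry below is constructed for illustration; nothing is product output.
"""
import base64
import re
from collections import defaultdict

# Abbreviated and long forms of the PowerShell switches that an
# "uncommon PowerShell parameters" alert typically keys on (assumed set).
UNCOMMON_FLAGS = {
    r"-(?:nop|noprofile)\b": "NoProfile",
    r"-(?:w|windowstyle)\s+hidden\b": "WindowStyle hidden",
    r"-(?:noni|noninteractive)\b": "NonInteractive",
    r"-(?:ep|executionpolicy)\s+bypass\b": "ExecutionPolicy Bypass",
    r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]+": "EncodedCommand",
}
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand, or None if absent or not decodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def uncommon_powershell_flags(cmdline: str) -> list:
    """List the noteworthy switches present on a PowerShell command line."""
    if "powershell" not in cmdline.lower():
        return []
    return [name for pat, name in UNCOMMON_FLAGS.items() if re.search(pat, cmdline, re.IGNORECASE)]

# Constructed sample telemetry; the encoded script is deliberately harmless.
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
ENC = encode_command(SAMPLE_SCRIPT)
EVENTS = [
    {"layer": "email", "ts": "2021-03-01T09:01:00Z", "user": "alice", "host": None,
     "type": "possible_spearphishing_link", "subject": "Invoice attached",
     "recipients": ["alice", "bob"]},
    {"layer": "endpoint", "ts": "2021-03-01T09:04:00Z", "user": "alice", "host": "WS-ALICE",
     "type": "file_detection", "file": "invoice.pdf.lnk"},
    {"layer": "edr", "ts": "2021-03-01T09:04:10Z", "user": "alice", "host": "WS-ALICE",
     "type": "process", "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + ENC},
    {"layer": "network", "ts": "2021-03-01T09:04:12Z", "user": "alice", "host": "WS-ALICE",
     "type": "dns", "domain": "rare-host.example", "domain_prevalence": 1},
    {"layer": "edr", "ts": "2021-03-01T10:00:00Z", "user": "carol", "host": "WS-CAROL",
     "type": "process", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

def correlate(events):
    """Roll per-layer events up into one incident per user, with impact scope and findings."""
    incidents = defaultdict(lambda: {"layers": set(), "hosts": set(), "users": set(),
                                     "findings": [], "decoded_commands": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        inc = incidents[ev["user"]]
        inc["layers"].add(ev["layer"])
        inc["users"].add(ev["user"])
        if ev.get("host"):
            inc["hosts"].add(ev["host"])
        if ev["type"] == "possible_spearphishing_link":
            inc["users"].update(ev["recipients"])  # impact scope: who else received it
            inc["findings"].append(f"spearphishing link, subject '{ev['subject']}'")
        elif ev["type"] == "file_detection":
            inc["findings"].append(f"file detection: {ev['file']}")
        elif ev["type"] == "process":
            flags = uncommon_powershell_flags(ev["cmdline"])
            if flags:
                inc["findings"].append("uncommon PowerShell parameters: " + ", ".join(flags))
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:
                inc["decoded_commands"].append(decoded)
        elif ev["type"] == "dns" and ev["domain_prevalence"] <= 2:
            inc["findings"].append(f"rarely accessed domain: {ev['domain']}")
    for inc in incidents.values():
        # Flag when three or more layers agree, or when encoded PowerShell and a rare domain coincide.
        has_rare = any(f.startswith("rarely accessed") for f in inc["findings"])
        inc["flagged"] = len(inc["layers"]) >= 3 or (bool(inc["decoded_commands"]) and has_rare)
    return dict(incidents)

if __name__ == "__main__":
    for user, inc in correlate(EVENTS).items():
        print(user, "FLAGGED" if inc["flagged"] else "ok", sorted(inc["layers"]), inc["findings"])
        for cmd in inc["decoded_commands"]:
            print("  decoded PowerShell:", cmd)
```

Run stand-alone, it prints one flagged incident for alice spanning all four layers (with bob in scope from the email) and an unflagged single-layer entry for carol's routine script.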