Under Pressure: The Benefit of XDR Collection In A Historical Context

Josh Zelonis
The Recovering Analyst
2 min read · Oct 15, 2020


“Under Pressure” by Éole is licensed under CC BY-NC-SA 2.0

In 2014, while I was busy founding an EDR startup, I was regularly challenged with two pieces of critical feedback while speaking to prospects and investors. First, I was told there was no room for a second endpoint agent in an enterprise environment; organizations simply wouldn’t accept the management overhead. In 2020, we can look upon the pyres of the traditional endpoint players from a decade ago and realize this first challenge has been solved. The second challenge was around performance: even if we were able to convince the market this was the right thing to do, what would be the performance impact on the device and, perhaps more importantly, on the network? This is the environment EDR grew up in, and every vendor in the market had to overcome this to get where we are today.

Contrast this with the challenge in the SIEM market, where organizations regularly receive their bill and start wondering which logging they can turn off to reduce consumption costs. Turning off the wrong log sources can quickly lead to postmortem breach discussions, and there’s frighteningly little information out there about what exactly you should be collecting. This is especially daunting when you consider that every SIEM deployment is essentially a custom deployment because of the tuning that goes into it.

In short, the EDR market has always had an existential motivation to answer this question for you, and it solved the question by collecting only what its analytic models and threat hunters specifically needed. I’ve often described this as collecting only “security relevant events,” instead of logging them all and letting your SOC analysts sort them out. The obvious benefits should be lower consumption costs and less need for analysts to constantly tune detections.

As we evolve toward XDR, the vendors who have lived with the downward pressure of balancing collection against performance impact should naturally extend this same discipline to other log sources. I expect this same differentiation to become part of GRC platforms as well, as they begin to cut into the regulatory use cases of the SIEM market.


Josh Zelonis is a Director of Security Strategy for Palo Alto Networks, a former Forrester analyst and cybersecurity tech founder.