
So welcome, everybody. My name is Jeff Hergert, I'm an account executive for FireEye, and very excited to moderate a panel discussion focused on XDR in a MythBusters-style format. Just in the spirit of trying to put some energy into this session and get a lot of audience participation, we are offering up a hundred-dollar gift card to that person, voted on by the panel, who is the most engaging, whether it's with questions, commentary, whatever have you. So how can you engage as an audience member? As we go through the myths in the MythBusters-style format, feel free to comment in the comment section, raise your hand, just even jump in and feel free to comment. We really want you to weigh in on why we think these myths can either be confirmed, plausible or busted. So yeah, I think we see 23 people on the line; hopefully we get some good commentary. But before we begin, I want to go around the horn and get some introductions from the panel. So I don't know who wants to go first. Brian, you ready?

Yeah, absolutely. Hello, good day, everyone. My name is Brian Brown. I'm an enterprise architect with McAfee Enterprise. I've been with the organization for about 14 years, but I do have a history in the past outside the dark side of sales, representing a company. I was an operations manager and security information architect at a consortium of five hospitals in downtown Toronto at one point in my career. Really welcome your participation today, and thanks for joining us.

Name's George Zaria. I'm a consulting system engineer for FireEye, cover the western half of Canada. Been with FireEye Canada for the last three years, been with FireEye for the last eight years, and very excited about, you know, using XDR in different environments. So definitely want to keep this active. You know, we're going to tell you myths, non-myths, you know, plausible; we'll all have our own decisions and our own insights on it, but, you know, we definitely want to hear from you guys, to add some more flavor: you know, do you want to invest, not invest, still need more information. I put a poll up, you know, just to see what you guys know about XDR already.

I'm Richard Baker, the founder and CEO of our solutions, a cyber security firm out of Regina, Saskatchewan, with folks all across Canada. Been in security over 21 years now. First 11 years, actually maybe about nine years, on the client side of the house, a couple of years at a big four consulting company, and then 11 years running our solutions. So happy to be here.
Awesome, no, thanks, folks. Just going to put up a little bit of material here to keep us on track. One second, see this come up. So can everybody see my screen here? We're all ready to go? Yeah.

So before we get to the myths, I wanted to talk about why we are talking about XDR. I think everybody's gotten probably a thousand emails in their inbox from vendors about, you know, invest in XDR and here's why. But I think it's important to walk through some of the challenges that we're hearing from our clients, you know, why people are interested in XDR. So we'll just quickly go through four. I don't think any of this is really earth-shattering, but I think it's important to highlight.

The first is just increased complexity: complexity of people's environments and what they're up against, right? I think there are a lot of organizations that are moving to SaaS models; people have more and more tools, security controls at their disposal, lots of dashboards and reporting, and it's hard to get a lot of information, I guess, understand all the information coming at you as a security practitioner.

The other thing is resource constraints. I mean, again, it's no surprise the workloads as a security professional are increasing, but the resources, the ability to actually do the work, are, you know, not able to keep up. So I think there's a lot of burnout in this industry, and, you know, we can't always get to everything that we'd like to during the day.

The changing threat landscape: there are lots of silver-bullet tools out there, lots of vendors claiming that they can solve the world's problems, but interestingly enough there are more and more breaches every year, more and more ransomware attacks, more and more zero-days, more and more headlines. You know, I think, speaking with a CIO a few days ago, he said, when you're talking to the board, we always knew security was important, but, you know, given the recent headlines it's really at the forefront.

And then the last one, just the point tools, right? Again, reiterating what I said before, you guys, the security practitioners, have lots of different tools at your disposal, but, you know, a lot of things are siloed between reporting, dashboards and everything else. So lots of challenges as a security practitioner.

And again, before we get to the myths, I just wanted to set a baseline for definitions of XDR. Again, I think if you were to ask five security practitioners what XDR means, you'll probably get six different answers back. But what we've done is we've taken some definitions as defined by some third-party independent analyst communities, the likes of the Gartners, IDCs and whatnot. So two different definitions I'll just roll through, again to set a baseline, and then we'll get into the myths and look to either confirm them, have them as plausible, or busted.

So the first definition: an integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection and response; unifies control points, security telemetry, analytics and operations into one enterprise system. That's one definition. And the second, similar, but: a SaaS-based security threat detection and incident response tool that natively integrates endpoint, network, email, cloud and third-party security into a cohesive security operations system.

So, just checking with the panel, any thoughts on those first definitions? You guys are going to be all in agreement there?

So, Jeff, I just wanted to comment. I looked up XDR this morning on Google and it came back with, you know, 1.2 billion results. So, you know, we're definitely going to help out and clarify and get it down to, like, one to two. But, you know, this is a great primer.

Okay, awesome. Any comments from Brian, Richie?

You know, good levels, Jeff. I think there are varying viewpoints,
let's put it that way. So it's a good time for us to be coming together and talking about this, because there isn't one cohesive agreement about what XDR really is. And, you know, I'm sure Richie, with his experience, sees things from a different lens on the world, and so hopefully everyone's going to get a little bit of a multiple set of perspectives throughout the discussion today.

Awesome, no, thank you, Brian. All right, this is where we're really hoping for some audience participation here. So again, if there are questions, comments, let's, you know, raise your hand, put something in the chat window. We really want to hear from you. I'm ready for the first myth, bring it on.

XDR is a replacement of SIEM and/or SOAR. I'll hand this over to Richie first. Our solutions, you guys do a ton of work in the SIEM and SOAR world. Richie, what are your thoughts?

I'm going to say that no, I don't believe XDR is a replacement of SIEM and SOAR in all cases. There are many use cases that people have SIEMs for, for compliance, log retention, which kind of differ from the nature of what XDR is supposed to deliver when it comes to the aggregation of data, analytics and correlating between the different security controls. Similarly, on the response side, it's not a SOAR tool per se, and so I don't think it necessarily negates the need for SOAR. But in some cases where clients, you know, just want to have a better understanding from these multitude and voluminous logs that are coming in about what's important to look at, and don't have other compliance things, it could in certain situations, have been, sure, in some. But I don't think holistically we can say that XDR is a replacement for SIEM and SOAR. Now, selfishly, I would say, is it advantageous to have, you know, more automation and correlating disparate technologies to make SOCs more efficient? Absolutely. But as a full replacement, I don't believe it is in a hundred percent of the cases, but in isolated situations, maybe.

Okay, no, great response. So you're saying busted. Brian, George, any comments? Any questions from the crowd, comments from the audience?

I would say, you know, XDR is a part, I mean, SIEM and SOAR are part of an XDR solution; they won't replace it. If you already have all that data in a SIEM, let's use it, you know, if it's already gathering there. Using SOAR to help with the response that XDR finds, you know, I would definitely use that to your advantage. So I wouldn't say this is 100% busted; I don't say 100% true, though.

Yeah, go ahead.

I was just going to say, I generally agree with George. I think of XDR as a capability, of which SIEM and SOAR are potentially components of that capability. It doesn't mean that you're necessarily going to replace either one of them. But, you know, when you look at that lack of consensus about what XDR really is, I think there are different perspectives on this. But, you know, can SIEM augment or help or enrich what you're doing within XDR? Sure. Can SIEM be part of the workflows that you're implementing in a SOC environment that you want to build upon with XDR? Absolutely.

Yeah, and I think just looking at a couple of the comments online, like Kyle said, does that mean XDR is limited to SIEM only? No, not at all. XDR is really, like Brian said, a set of capabilities, of which, you know, correlating the disparate security trust is just one. I mean, the concept of least privilege, instead of trust but verify, verify but trust, and those get implemented in numerous security controls. So no, definitely not limited only to SIEM. However, I think we do see a number of vendors out there, and everyone has their own opinion about "here's my product space, XDR", and, you know, many of those have been more on the, you know, correlating side of the house. But just similarly, you'd have a lot of the, you know, identity management vendors and micro-segmentation vendors and a number of others, you know, claiming this is their contribution towards XDR.

Okay, any other comments, questions from the audience before we move on?

There was a question here, just, sorry, Angela said, do we have any examples of implementing XDR solutions in an OT environment? I think if you go back to the idea that XDR is not one technology, it is a number of concepts, then in some ways, yes. You know, micro-segmentation, network access control, many of those technologies have been implemented in OT environments; even some of the, you know, escalating authorization and identity systems are completely compatible. So yes, parts and pieces, but I don't know that any one organization, even on the corporate side, can say we have XDR everywhere, because it's not one thing.

Yeah, and I think that's a good point, Richie. You know, specific to an OT environment, there are considerations such as air gapping that come into play, and, you know, other considerations that make that somewhat unique compared to a traditional corporate IT deployment. But that doesn't mean you can't do XDR. I mean, we have experience with customers who have been running many of the components you'll see in the XDR architecture: some degree of threat protection, threat intelligence, and maybe they're not connecting directly to the outside, maybe there's a process to get that data into the OT environment and use it there. But hunting and mining for, you know, OT-environment-specific indicators, looking across the network for, you know, Modbus communication and things like that in a SIEM, and executing a response with a potentially localized version of an EDR technology: all those things kind of come into play. So I think you can make the argument that in a limited way you can have an XDR environment in OT, bringing in localized network IPS sensors and telemetry and building out that framework that is, you know, in that OT-specific environment. It can be done, and I think there are a lot of good examples where organizations have already taken steps in that respect. Maybe it's not tied in with their corporate IT environment; it doesn't mean that you can't do XDR there.

Great. Well, guys, just in the sake of time, we have seven more myths to get through, so I'm going to say this one is plausible, just based on the comments from Brian and George and Richie. So yeah, we'll move on to number two: XDR requires using all security products from a single vendor. Working at FireEye, I'd love that to be true if, you know, the vendor chosen is all FireEye, but
Brian, what are your thoughts on this one?

Yeah, it's a great question, because I think there are a lot of different perspectives on this. But from my viewpoint, is there potentially value in having a good set of technologies from one vendor? Probably there is. I'd like to think that vendors know their technologies well and they've done a good job of making them work in an integrated and cohesive fashion. But, you know, look, let's be honest about this: security's a team sport, and there are always processes that are going to be touched by XDR, whether we're talking just the detection response or whether we're talking about the actual incident response post that, that are likely going to include things that are not in every vendor's portfolio. So I don't think you could have something in XDR, ultimately, that is reliant a hundred percent on one vendor. I think there's a key aspect of some degree of openness, and whether that's through API connectivity or other native integration methods, you know, we won't discuss that here. I think you can look to a vendor for a value prop that has a lot of components, but I think you're probably going to want to look at things that also have a degree of openness to them as well.

Oh, great response. Richie, George, any other further comments?

So, Jeff, you took my answer. You know, for being on the sales side, yes, I'd like it to be all one. But, you know, somebody comes to you, and, you know, as Brian says, it's a capability. You know, so if you're buying an XDR solution, you want to make sure that, you know, it works with stuff already in your current environment, you know, multiple vendors. And, you know, just going forward, if it's only one vendor, I do not know a vendor out there that covers every single aspect of a network for protection. So since there isn't a vendor that does that, you know, I would have to say, you know, you have to go multi-vendor.

Okay, well, I think we can easily say this one is busted. So let's move on to number three here: using XDR will increase the effectiveness of your security staff. I know, George, you work with many security operation teams across western Canada. What are your thoughts here?

You know, so whenever you add a tool or a capability to your security stack, hopefully it makes it better. You know, if it doesn't make it better, it's a bad tool or a bad product. You know, so using XDR, you know, what does XDR do? It gives you a view of everything that's happening in your environment. So I would have to say yes, it would increase the effectiveness, just because you're now seeing, you know, a better picture of your environment.

I gotta add, I'm gonna say yes, but only if configured properly and working as designed. I mean, the effectiveness, and increasing the effectiveness, I mean, that was the promise of SOAR; that's the promise of a well-configured SIEM platform that has correlations across, you know, disparate tool sets. So I think, to be honest with you, conceptually, and that's actually kind of what it's built for, sure. But I think you have to take into consideration: is it actually configured properly and implemented right for your environment? And regardless of what vendors include, you know, for the pre-built stuff, these all take investments. There's no silver bullet to a lot of this, and so it does take that tuning and configuring the system relative to your environment, which often means you have to understand your environment in the first place to a degree that you can actually tune these systems relevant for yourself. So I'm going to say my final answer is yes, but with those caveats.

Brian, anything to add?

Yeah, and, you know, look, ultimately this is the desire, or one of the desirable outcomes from XDR: to increase your visibility, your detection response capability, to shorten dwell time, to shorten time cycles, to make things easier, make processes easier. So hopefully, you know, I agree with Richie that this is the ultimate outcome, or one of them certainly, from XDR. But I do think that, you know, it takes a lot of thought to be able to get to that end state. And, you know, whether an organization decides to implement XDR themselves or, you know, like many, you turn to a company like what our solutions offers, you know, there's some degree of looking at what is a realistic capability for the staff and making that evaluation about where XDR is actually going to help, so that it is effective. Too many tools can also increase complexity, as everybody is well aware of, and, you know, Jeff, you hit upon that resource crunch in security that we're all very familiar with. It has to be done in the right way to get to that level of effectiveness, and then it will deliver on the goal for you.

But, Brian, you touched on a really good point there, because when you look at the breadth of tools that, you know, XDR is kind of encompassing of, you know, we look at the identity, the network, the micro-segmentation, all the things on the control side of the house before detection and response happens, that does add a lot of complexity. And so when something doesn't work, how do you figure out why it's not working? And so in some ways it is adding complexity in multiple other parts of the network before you can even get to the efficiency side of the detection response. The hope is that by putting these other controls in, we also reduce the attack surface and make it harder for incidents to happen in the first place. But yeah, there is that weigh scale between complexity and efficiency, and, you know, then manageability and detection capabilities.

Yeah, and some great questions that I see coming up in the chat. You know, one from Angelo: are we including programmers and developers? And Greg asks, you know, is XDR's effectiveness limited by the organization's cyber security maturity and competencies? And I think
that's, you know, those two really hit upon one of the major concerns that we hear around XDR, right? If we think about this as a SOC-centric capability, again not just the technology but a capability, and you look at detection response, well, that response especially is an area where you might have to involve multiple teams. You might have to go back to the development team who was pushing out code into your cloud environment in their CI/CD pipeline, and they become integral to that R part of XDR. And so, you know, both of those questions really speak to who is involved in XDR, and I think that has expanded the scope of what we see the SOC kind of touch points, and the recognition that we have to reach out to other parts of the organization who might not be directly responsible for what we see in the SOC, but maybe they're part of the entire value chain that we're trying to address. And yeah, do we need a maturity model? Well, regardless of whether or not an organization has a maturity model, I think it's a question of building up that capability over time so that we do hit the right people at the right point in the workflow when we're doing things like a response. So it's not a one-size-fits-all; it's working it into existing processes and being very cognizant of who in the response is actually going to be responsible for executing that response action.

Yeah, just to respond to Greg's question about the maturity as well, too. I think one of the things is, we've implemented hundreds of SIEM systems for clients across North America, and I don't think XDR is any different. So your question about, you know, does the level of maturity of the client matter? Well, in the aspect of what are the controls that are feeding the XDR or SIEM platforms: if you have, and I'm not going to say any names, but if you have an endpoint tool that doesn't send any logs because it doesn't detect anything, it doesn't matter what your XDR or SIEM is, because it doesn't have the data it needs to actually even evaluate. And so the maturity is at least required that, you know, network, endpoint, email and other parts of the environment that are critical have the appropriate security control, so that they have logs and data to send to any one of these systems. That should be the focus and priority first, before SIEMs and XDR. So from that level of maturity, absolutely, there is kind of an order of precedence that makes sense. Putting XDR in before you have those other things down is definitely an important thing to take care of.

And to Kyle: how is this different from SIEM? I would say it this way, and trust me, I've thought about this lots, because I think a well-configured SIEM tool would have elements of XDR in it already, based on the searches. But somebody had explained to me, one version of looking at XDR is: take the hundred questions you would ask of any data, and even being able to ask those hundred questions on every piece of data that comes in, not just when, you know, you've got an event or something else. And so it's taking all of that knowledge, which may be multiple groups. So I saw, and this was a vendor, you know, they took one XDR kind of finding and said, how many searches would it have taken in the SIEM to get the result? And they figured it was about 128 searches. Well, obviously there's a time to do that, and it's very difficult to automate that at that scale; most SIEM platforms couldn't handle that on every piece of data coming in. And so that's where XDR is kind of taking a different approach, using some of, you know, the marketing terms, machine learning and modeling and everything else, to try and do this effectively at scale. So elements of SIEM are in there, but I think it's definitely an evolution from just SIEM. But once again, most of the time, in most organizations, I look at this as an addition or an enhancement to SIEM, not a replacement to SIEM, for the mid to large enterprises.

Okay, I love the questions coming in, and keep them coming, but just in the sake of time we're gonna keep going on, because we've got five more myths to get through. But yeah, I think we should confirm, but with some caveats as to Richie's comments here.

Myth 4: XDR will provide visibility across multiple threat vectors. Let's see, who wants to go first on this one?
Well, since nobody's jumping up, I guess I will. You know, one of the main things that XDR does give you is that visibility. You know, it starts correlating between your endpoint, your email, your network. So I would say definitely it would provide visibility across multiple vectors.

No, makes sense. I think this is probably one of the easier ones, right? I mean, I think, you know, XDR is an evolution of, you know, EDR; XDR, the X stands for extended. So I think we're pretty safe to say this one's confirmed. Guys, agreed?

Myth 5: XDR requires intelligence feeds to be effective. And, you know, George, you've been working with the Mandiant group for, what, six, seven-plus years now. You know, Mandiant's home for some of the best intelligence out there. What are your thoughts here?

So you need some intelligence. I mean, if you just look at a regular log file with no intelligence, it's just text on the screen, you know, no matter what type of tools you put at it. The more intelligence you have, the better data you're gonna get out. You know the old adage, garbage in, garbage out. So if you don't have any good intelligence, or don't have any intelligence, you're not going to get valuable stuff on the other end of it. You know, so adding additional feeds will definitely make it a lot more effective.

Yeah, and I'll just add to what George was saying. Look, I don't think any security program is going to be effective without some degree of intelligence feeds, and obviously that's going to vary. It's going to vary based on the size of the staff; it's going to vary based on the tooling that's used in the SOC or the SOC-like environment. It might be just one person who's managing security, and so, you know, it's critical to have the outside perspective, to have threat intel as part of your security program. I don't think there's really much dispute that you need that. This is really a bigger question of how does it play into the effectiveness of detection and response, and can it be, you know, consumable in such a way that you can add your own feeds, you can add other intelligence sources rather than just what one vendor provides, and gain additional context? That, to me, is where the capability of XDR, I think, overlaps very much with intelligence in general. And I take the perspective that more is better, but intelligence does also have to be managed; it has to be curated; it has to make sense in the context of your org. Intelligence for just intelligence's sake doesn't add a lot of value. A good or effective XDR capability will use intelligence that is locally relevant and is going to make the tool, or make the capability, more effective, for sure.

So, Brian, I want to add to one thing: you brought up something terrific there. You know, if you have an XDR solution and you have every single intelligence feed that's out there coming in there, you're just going to overwhelm your staff. You know, I would say add the intelligence feeds that, you know, kind of fit the maturity level of your SOC or your security team, because if you give them too much information, I mean, they might be very intrigued by it and, you know, just go down that rat hole and go, oh, what, what is this? And, you know, their effectiveness, you know, goes out the door. But, you know, I would add the feeds as your SOC matures, as they can handle the better stuff, to help them. You know, just don't overwhelm them, because we already know they've got a couple of fire hoses already; we don't need to give them another one.

Yeah, yeah. And I wanted to comment too. Angela, you had a question on how do you report the value. That's a very good question, because there are a couple of ways of looking at it. One, you can see how much more free time, you know, your security staff has. You can look at, you know, how fast are we able to correlate, you know, if you're able to currently in a couple of minutes using XDR, compared to hours that security analysts would take. I would be looking at the amount of time and the number of incidents or alerts that a person could go through to start measuring, you know, XDR.

Or, you know, even how quickly can we execute a response? Has the XDR capability given us the ability to say, look, we went from manual processes, where, you know, the SOC had to call somebody up and say, you know, what do you see on your console, how can you action a response, okay, get back to me once this is done? If we can make that capability be part of the workflow in the tool, and measure the time from, you know, the response action being initiated to closure, and maybe that includes a ticketing system for, you know, an ITSM environment as well, then we can actually measure something out that gives metrics back that say, you know, manual process, it took us 24 hours to do this before, and now it only takes us, you know, hopefully a lot shorter period of time, whatever that is.

Cool. Yeah, I was just going to add that the return on investment is always one of the most difficult things in security, because even when we take a look at XDR specifically, part of the goal of XDR is to find things that others didn't see, because you're bringing other pieces of data together. So in that way it's partly intended to actually identify things that a singular security control isn't able to identify. But just like the others have said: mean time to resolution, the time it takes, you know, in different incident types, when it comes to the response side, measuring how much is automated, from even the data enrichment and case enrichment versus what would have been done manually. All can be used to report, you know, an ROI on making an XDR investment.

You know, some great questions. Any other questions or comments before we move on? Okay, so myth five is confirmed.
myth 6 xdr is a made-up term by vendors to sell more products i love this one i'd actually love to to hear from the audience before before we throw it over to uh maybe to richie richie hears from he speaks to vendors all sorts of vendors um on the regular basis but i'd love to hear uh the audience's feedback any comments
I'll give it to Richie. Richie, what do you think? You talk to all sorts of vendors. What do you think, is this legit?

Yeah, I don't know if they made it up, but usually academia tends to define the terms and then eventually vendors pick up. Now, whether they make a brand new product or whether they retool some existing products that they have, I think when you search for XDR you can find a number of different vendors that say they have XDR, some net new, some not. And going back to even what some of the commentary was before, some of the vendors that offered platform solutions were doing elements of XDR already, when things are acting and actually working together in different parts of the security controls. But have the vendors picked up on XDR and figured that they can sell a product with it? Yes. I'm sure you're going to have XDR-flavored iced tea or lemonade here right away that somebody's going to try and sell. So yes, I do think the vendors pick it up as a marketing term and exploit it, but do I think there's some real value in the concept behind XDR? Yeah.

Yeah, and Kyle in the comments, or the chat, brought up that it seems more of a marketing term than a brand new innovation, just a bundled way of saying the same thing. And you know what, look, even representing a vendor as I do: is it a term that's made up by vendors or made up by the industry? Probably yes, let's just be transparent about this. And I agree with Kyle's assessment that it's a bundling. When you think of any capability that spans multiple technologies, multiple products, multiple different parts of your environment, exactly that, it is a bundling. But that's why I think of it as that capability; the industry capitalizing on this thing as XDR. But to me that's the evolution of security, right? And as we go on in time and things begin to work better together more effectively, one of the good things, or positions, that I hope everyone in the audience really takes is that if we can actually define to some degree what XDR is and the values that it's shooting for, then it gives those people a metric to be able to measure and understand whether or not something is going to work better for them. It might help with vendor selection, it might help with capability, it helps you determine whether or not it's something that's really going to be useful for you, because as all of us have said, just throwing out technology is not necessarily going to make it effective. It has to work for you.

Did we lose Brian just in that process?

I think it's going to be ultimately beneficial.

Yeah, I think Brian's having a little communication problem.

Okay, you're cutting out a bit, Brian, but that's all right.

Sorry about the connection there, everybody.

No problem. George, Richie, if you guys want to comment on this... Brian, just some great comments, great questions. The last thing I'll say is, to me, XDR, I almost look at it as the automation of what a good SOC and security analysts have been trying to do manually, with their brains and intelligence. It's just trying to find a more efficient way to do it. But is it anything brand new? No. So okay, well, with that we'll say busted.

Yep. Adam in the comments had a great one:
focus on the outcome. Love that.

Oh, thanks. Myth 7: XDR requires an endpoint. Does it absolutely, 100%, require an endpoint? What are the thoughts here? What do you think? Maybe throw back to you, Brian. You've worked with all sorts of organizations across Canada and all sorts of different types of environments.

Yeah. Could you do XDR without an endpoint? Sure, you could. You could look at network telemetry and cloud telemetry and combine that with aspects of threat intelligence and some other log data that you're collecting from your SIEM for enrichment. But realistically, when you look at the way that most attacks unfold, where do they emanate from? I'm not saying everything, this is always the case, but the bulk of large attacks do have a device or an endpoint component, and without that telemetry I think you're missing a lot of the richness that would be necessary to get to a good detection and response scenario. So does it require an endpoint? I think realistically we have to say yes. Could you do it without an endpoint? You could, but I think you'd really be missing a lot of valuable information that makes XDR really what it is.

So I just wanted to comment one thing on there. Brian, you're 100% correct on where most attacks begin. Although everybody says 80-plus percent come through email, it's the person who clicks on the email on the endpoint that really causes the infection. So if you have your email coming in, and then there are endpoints there to actually say what happened... I would say again, yes, you can do it without, but it's a really nice tool to have. Having a car without wheels, you still have a car, but you're not going to go do that.

Yeah, I mean, us as consultants going into companies and representing multiple vendors, it's kind of one of those answers: technically, yeah, could you? But you'd be crazy not to have your endpoint data in
your XDR solution.

Okay, we'll say pretty much confirmed, but we'll say plausible based on, I like George's comment, you can have a car without wheels. So, last myth. Here we go. And how are we doing for time? We've got 10 minutes left, so we could say five minutes left for a little bit of audience conversation. Myth 8: the R in XDR, this response, can be completely automated. So the R in XDR, does it need to be completely automated? Another way to phrase this: is there a human element involved? So I don't know, Richie, again I'll go back to you, right? You run a SOC, implemented all sorts of SOAR and SIEM solutions. What are your thoughts here?

Yeah, I mean, I think the utopia is that things to be monitored are completely automated in a response, and maybe for certain use cases you can, but I think it's definitely a goal and a panacea, and we're nowhere close to that yet. It's the same reason we don't automate nuclear missile launches. There are some things that can happen that can have negative consequences, even as simple as quarantining a wrong system, a critical system, and I'm not even talking about it in our OT environment, even in a corporate-type environment. So while I think it's a goal, I think really the reality is using the automation where applicable to minimize the response time and get a faster MTTR. But the complete automation goal, not there yet.

And I think you have to take into consideration the scope of what R really means, right? As we were talking about before, how many teams are involved; there might be, in specific environments, gating controls that need a human component, that need approval before we actually execute the response action. And so you can't say that everything is always going to be completely automated. I think there's a lot of opportunity for automation, and I think with something that creates a better workflow between a bunch of what today are disparate products, XDR will help in that respect. But I don't think you can ever say that XDR is always going to completely automate everything that you're doing in and out of the SOC and across all the teams. It really depends on asset criticality, who's involved, what is the appropriate response at the right time. But the good part is you get a framework that you can work with to do as much of that as possible.

I like the comments. There's comments about Skynet and automatic... but I think the reality is kind of similar to what Tao's comment is: we will get certain amounts of data and response automated, data enrichment, and then push it back to the intelligent analysts saying, here's a couple options we recommend. I think that's the level that we're starting to see in some of the more mature clients, with the reality being even some of the largest, and this is in the next year, even the largest SOAR deployments have had limited automation on the actual response; more automation in case management and data enrichment into the case to make the analyst faster.

And we even see levels of criticality, right? So as more data is brought in we can get a level of confidence, and out of that confidence we can say now we've met a threshold and so we're going to go and do something right away, right? There's a severity or criticality that comes into play: in this situation, if we know there's a data exfil event, we want to lock it down now. Maybe the scope of that is just one individual endpoint and so there's limited exposure. But you can put in some of those things where you say, based on these conditions, yeah, we want to automate because that is the best way to keep us safe. In other scenarios it might be, well, we've got to bring the human into the loop a little bit more and put it into a holding pattern until the right decisions can be made.

Sorry for laughing there, I just read Adam's final part, "the meat bags are still required." I'm not sure if I can go back to my SOC and call them eggs right now; they'll call me the CEO punching bag. But I love it.

But the future is bright as a security practitioner is what you're saying, right? We're not going to be out of jobs anytime soon.

I don't think there's enough... I mean, the concept of XDR automating response, we need it because there's not enough of us. So I don't think anybody in the security industry should be afraid of this automating our jobs and us going out, because let's face it, there isn't enough of us. There's not enough time to do the stuff we want to do now. So let's automate the stuff that is task-based, that doesn't require... that is just useless time of doing stuff, so that we can focus and use the big brains that we have on the problems that really matter.

Okay, well, busted. I think it's unanimous, it's busted. So that is our final myth. We do have, let's call it five minutes left here. I'd love any comments or questions
from the audience. I think we would love to hear from everybody.

While we're waiting for those to roll in, there is something that I wanted to return to. There were some questions on generating your own threat intelligence and consumption of IOC feeds, and what does that really mean? Does XDR add the relevance, or is it just matching indicators? Look, is local intelligence important? Right, there's the global perspective; there's a whole bunch of attacks out there. When Colonial Pipeline happened, DarkSide, then everybody started to worry about it. But some of the threat telemetry that we saw, for example, was that DarkSide actually had a very small prevalence factor, and there were other ransomware threats that were orders of magnitude more prevalent on a global scale, or even a local regional scale across North America. And so you never want to take your eyes off the prize, but at the same time you need to use that intelligence capability to be able to understand what is the local relevance to me. And that's a global perspective plus those things that you do locally; those two really have to come together, and I think that's part of the place where XDR helps. Is it a SIEM? Well, it helps with what you have done in SIEM, but I think part of the uplift in value in XDR is a better analysis engine or layer that sits on top of some of that newer, more rich threat telemetry and intelligence coming together to give you better detections. So just a comment or a perspective on some of those things that were brought up around threat intel and IOCs.

So Brian, I gotta thank you for bringing up the butterfly in Australia flapping its wings.

Yeah, exactly, exactly. Just looking back through the questions, Kyle had a kind of a common question, like how do we standardize a response? And I don't think there is one answer. I think that is going to be unique to every organization. I mean, come on, we all understand there's some common things: if you're getting hammered by an IP address, if you've got a bad domain that keeps hitting you, you can block the domain. But I think when it comes to the more complex attacks it really depends on the security controls in your environment and where you have the ability to implement blocking or additional detection. And so I think that is part of the reason why XDR on the response, and even SOAR to an extent, are very tailored to every organization, because this is the one case where everybody is a little bit more unique. You get these standard playbooks and standard responses from other folks, but if you're missing half of those abilities to implement those actions on those types of devices, you have to find what's relevant for you. And so I don't know that there ever will be a standard.

Yeah, yeah. C2 beaconing, respond to block it? Sorry, the last thing I'll say there is you can, but you also have to appreciate that in a lot of attacks some of the C2, command and control, systems can move around faster than you realize, and so blocking one C2 IP or domain can change in a very short period. So just as much as you have the ability to put that in, you have to have an ability to understand when it's no longer being utilized as an attack source, and pivot to not only release that one but look to see where else it's coming from.

Yeah, or threat actors who are leveraging existing and well-known domains for C2 activity, and you start blocking them and then you start getting yourself into other challenges, right, other problems.

All right guys, we're pretty much out of time here. So anyways, I just want to thank all the B-Sides members for joining our session today. If you have any questions or comments, feel free to reach out to Brian, Richie, George or myself. We would love to hear from you and further the conversation. The $100 gift card: we will let you guys know. We're going to get together as a panel and vote on who the most engaging audience participant was, and we'll reach out to you and make sure you get that GC. So thanks, all.