Episode Transcript
[00:00:14] Speaker A: Welcome to Security Serengeti. We're your hosts, David Swineger and Matthew Keener. Stop what you're doing right now and follow us on Twitter at serengeti sec.
[00:00:24] Speaker B: We're here to talk cybersecurity. We're currently doing alternating episodes. One week it's news. The next is something different. Sometimes it'll be a 101 on a specific type of technology, sometimes a deep dive on a topic like certifications or conferences, maybe occasionally a book report, just like grade school, but without the spitballs. And we are way hotter than your teachers were. Today it's XDR 101: What the [bleep] is this? Vendor marketing edition.
[00:00:56] Speaker A: And if you couldn't tell by that statement, the views and opinions expressed in this podcast are ours and ours alone and do not reflect those of our employer.
[00:01:04] Speaker B: And given how cynical we are, I still have mixed feelings that we should even be expressing our opinion. But here you are listening to it. Here we are saying it.
So, XDR, the idea for this episode came up because I saw a couple of articles pop up in the Feedly we use to kind of review things for our news episodes. And I was like, what is XDR? And I looked into it a little bit and I thought it looked ridiculous. It looked like they were just taking existing technologies and renaming them. So I was like, all right, well, this seems like a good topic for a podcast, because if I don't know what it is, there's probably other people that don't know what it is and we can dive into it. So would you like to read your bottom line up front, David? It's yours. I think that you should get to read it, certainly.
[00:01:54] Speaker A: So basically, this is my opinion, obviously, that this is just more marketing crap that says that AI and ML are going to save the world. And it seems to me that this is really just a black box SIEM that spits out magic high fidelity alerts.
[00:02:10] Speaker B: And for maybe the first time, David's more cynical than I am on this. I mean, I'm sure if you listen to the certification podcast, I did come across as pretty cynical about certifications. I thought about it, and I think I was perhaps a little too rough. I think they have been improving over the years. But let's talk about what XDR is. Before we kind of dive into the opinion, let's do the summary. So XDR, I saw, depending on which vendor you're looking at, they may define it as extended or cross-layer detection and response. It's an evolution of EDR. EDR is endpoint detection and response, and EDR itself is an evolution of antivirus and host intrusion detection and host intrusion prevention systems. Back in the day, way back in the day, you used to have separate products and separate methods of doing your antivirus, doing your host intrusion detection, your process monitoring, your file monitoring, your memory monitoring; all those used to be different things. You'd buy something for your AV, you'd buy something for your HIDS, you would maybe install some sort of SIEM that would bring in your process logs and your authentication logs, et cetera, et cetera.
[00:03:25] Speaker A: Don't forget your host based firewall.
[00:03:28] Speaker B: Your host based firewall. Yeah, you're right.
That was the evolution of EDR. EDR took four different products and combined them into one. And it was good. It was not necessarily the quantum leap that everybody would like you to believe, but it was good. It was more useful. It simplified things. You only had to install one agent instead of four. And we know how much people love agents.
[00:03:54] Speaker A: What's rejoicing?
[00:03:57] Speaker B: So the XDR definition, stolen blatantly from Dark Reading's XDR 101 article, is visibility across all organization endpoints, as well as network and cloud workloads, that will analyze the collected data, act upon the threats, and send unified alerts and action items to security analysts.
[00:04:20] Speaker A: Yeah, so how is this not a SIEM? I mean, even Gartner says "automatically collect and correlate data from multiple security products to improve threat detection and provide incident response capability."
[00:04:32] Speaker B: Well, one of the vendors, Cynet, had this comment on SIEM on their webpage, and we'll link it in the show notes so you can poke through it yourself. Their comment was: although similar results can be achieved with a combination of EDR and SIEM solutions, XDR goes beyond these capabilities. SIEM solutions collect shallow data from many sources, while XDR collects deeper data from targeted sources. Of course, SIEM collects what you tell SIEM to collect. If you want to collect shallow data, for example, on a Windows machine, you can just turn on the Windows logs and let them run with no configuration and you will collect shallow data. There will be stuff you can use in there and you'll miss a lot of stuff. If you want to collect deep data from a Windows machine, you can either turn up the logging, you can install Sysmon, you can turn on that host-based firewall and start recording those packets coming in and out on the Windows machine. You can do all that with SIEM. You don't need a separate product to do it.
So I just listed out some capabilities, some supposed capabilities of XDR, as part of this article. It can do internal and external traffic analysis. Well, so can your firewalls.
It can do integrated threat detection. So can every single security tool, pretty much any modern one. It can do machine learning based detections. Again, every vendor will happily beat down your door with sales engineers to tell you about how their machine learning will do it all for you. It can correlate related alerts and data. That's what a SIEM is built to do. It can do remote orchestration. Well, we've got tools to do that too. And it has a centralized user interface. This is actually one of the things that might distinguish it, because after a decade doing security, that's one of the things that everybody loves to promise, this mythical single pane of glass that doesn't actually exist. And the biggest reason it doesn't actually exist is usually your different products don't provide all the information back to what should be your central pane of glass, the SIEM. You usually use the SIEM to do your detection and correlation and some investigation, but then you frequently have to pivot because not all the information is in the SIEM.
[00:06:56] Speaker A: And here I thought it was because unicorns are the ones that made that glass and you just can't find them anymore.
[00:07:02] Speaker B: Just can't find. We hunted them to extinction back in the day, just like the passenger pigeon.
So that centralized user interface, if they can make that a real thing and they can actually make it useful, that might have some value anyways. But all those other capabilities, all those capabilities exist in existing products. None of them are new.
It did list some benefits: improved prevention capabilities and automated response. We already have that. Granular visibility: the SIEM provides that. There is some granular visibility that EDR does better, I believe, than SIEM, especially in terms of the visualizations. If anybody's used CrowdStrike or Carbon Black, it can more easily visualize things like DLLs loaded by processes and files touched by processes. But you can probably write some SIEM searches to be almost as effective. There's effective response through robust data collection. Again, that's in your SIEM. Greater control, blacklist and whitelist traffic and processes: we can do that with existing technologies. This whole thing, all these supposed benefits that they're talking about, all of them already exist. And this is what's frustrating for me anyways. What vendors are jumping on this bandwagon? Well, I'd read off the list, but the answer is really all of them.
That being said, they are listing off some different capabilities. For example, Trend Micro listed that the four places it keeps an eye on, that it includes in the XDR, are the network, the endpoints, email and cloud workloads, which is kind of interesting. I can definitely see correlating email and endpoints together, and email and network and endpoints together, and network and cloud workloads together, although email doesn't really fit in with the cloud workloads one. Versus Cynet, which listed its capabilities as next-gen AV, EDR, UBA, network traffic analysis and deception, which is kind of a weird one to throw in there.
[00:09:07] Speaker A: Yeah. What was interesting in one of the articles we had for this was that it said that deep-pocketed vendors like Symantec are integrating point products to create XDR suites, but SIEM vendors like LogRhythm are just messaging XDR.
[00:09:28] Speaker B: Yeah, they're saying they're already XDR.
[00:09:30] Speaker A: No, I think... the way I interpreted this is Symantec, they're building XDR, but the SIEM vendors are just talking as if they can do XDR. It's not true XDR.
[00:09:46] Speaker B: But even if the XDR vendor admits you can do a lot of the same stuff with EDR plus SIEM, then are they wrong?
[00:09:55] Speaker A: No.
I could have equated it to: you have a home gym with a bunch of weights, but instead of using those, you're going to buy a Bowflex and that's going to solve your problem, not the fact that you aren't using the weights to their best effectiveness.
[00:10:19] Speaker B: I like that. I actually really like that analogy, because again, the weights are more of the do-it-yourself. You've got to figure out the movement, you've got to... whereas the Bowflex tells you everything and puts it all in one shiny package and charges a lot more.
[00:10:31] Speaker A: Yeah, and it's advertised by really sexy people.
[00:10:35] Speaker B: I haven't seen any XDR products advertised by sexy people yet. I should probably keep my eye out. When it hits that Super Bowl ad, you know it's really hit the mainstream.
[00:10:46] Speaker A: Well, I think after this podcast they're going to be coming to you to advertise XDR and then there you'll have it.
[00:10:54] Speaker B: No, it's actually when you go through the airport and you see the big giant 30 foot long signs with Accenture and Deloitte advertising it, that's when you know XDR has really hit the mainstream.
[00:11:05] Speaker A: Wow. Or that the government had decided that they're going to jump on the bandwagon and must have it.
[00:11:13] Speaker B: So you added a point in here, David, about whether SIEM has failed or not. Would you say, in general, do you think SIEM has been successful to this point? Is it time to replace SIEM?
[00:11:25] Speaker A: I think what we're really talking about is the same concepts, just repackaged. It's not that SIEM has failed or the concept of SIEM has failed. It's that it's hard work, and throwing machine learning and AI at it and calling it XDR, I don't think is going to get you where it needs to be. I think the prospect of risk based alerting is going to get us closer to where we want to be than expecting machine learning black box stuff to get us there. Because the thing is, with the machine learning black box stuff, your organization is not going to be doing those things. Somebody else is going to do that. And maybe it's right. Maybe it's not right for the way that the systems interoperate in your organization, though.
[00:12:19] Speaker B: The point you bring up about generally the way that SIEM works is it comes with a bunch of out-of-the-box default rules that are usually pretty mediocre and super noisy. And you have to put a lot of work into tuning the rules, you have to put a lot of work into building your own custom rules. And that's been one of the things that's really frustrating me about SIEM, is that each of us is independently building our own rule sets. And I feel like there's a lot of wasted effort and a lot of duplicated effort as everybody builds their own version of a malicious email detection rule. And there have been projects to try and address that, but none of them have really gained mainstream support. I mean, Splunk has the Analytic Stories, which is their effort to kind of, they've released like 100-some use cases in Splunk. And I know that there's some sort of generic... There was some project I heard about a couple of years ago that had like generic logic detections.
[00:13:17] Speaker A: Well, I mean, basically, here's the thing. So you say that SIEM out of the box comes with a bunch of crappy alerts.
[00:13:30] Speaker B: XDR's coming out of the box with a bunch of crappy alerts.
[00:13:33] Speaker A: Well, actually, that's the point I'm getting to. A SIEM comes out of the box with crappy alerts, but you can look at those alerts and understand their logic. XDR is coming out of the box with...
I'm not going to say crappy alerts, because I'm not sure, but if the default in the SIEM is not great, is the expectation that the default in XDR is going to be great? But you're not going to be able to look into that black box.
[00:13:58] Speaker B: That's one of my biggest issues with firewalls. Firewalls do this a lot where they'll tell you a packet is bad and they'll show you the packet, but they won't tell you which specific bits they found and leave you at kind of a loss to say, well, I don't know because I don't know if this actually matches what you're looking for, if it matches something else completely.
[00:14:18] Speaker A: Right. You see that a lot in IDS alerts, black box IDS alerts. It's like, oh, we alert on this packet. This packet is bad, but you don't get to see the alert. It's not like Splunk, or not Splunk, Snort, where you can look at the Snort rule and say, oh, here, I can see where it pulled this out of the payload to say that that's bad.
[00:14:39] Speaker B: Speaking of, I found what I was talking about. There's a project called Sigma, it looks like it's being moderately updated, last update two days ago where they're writing generic logic alerts in sort of a generic language and then releasing them. See, this is what I would love to see is I would love to see more effort put into kind of coming up with community alerts with community data on how accurate it is. What's your true positive and false positive rate? How many bad guys did you catch with it? And then maybe having easy to change thresholds.
[00:15:15] Speaker A: Well, I think that would be awesome if you also had that overlay of your risk based alerting to say that this generic alert you're talking about, we suggest a risk threshold of 50 and then have another set of rules that says, okay, when you get these three things together, that's going to trip a risk alert that actually is going to be looked at by an analyst.
[00:15:42] Speaker B: All right, we've got to do that as an episode.
[00:15:45] Speaker A: Right.
[00:15:45] Speaker B: Because, you know, I love risk based alerting. We've talked about this so much. Oh, yeah, we've got to do an episode on this.
[00:15:51] Speaker A: But yeah, I would not dispute that. Basically what we're talking about is crowdsourcing SIEM alerts.
[00:16:02] Speaker B: Just like Snort, just like YARA alerts. Those things have been pretty successfully crowdsourced in the past. And you can find feeds and all kinds of information about those. But we haven't done it for the higher level SIEM logic.
[00:16:15] Speaker A: Right. And the thing is, that depends on how you're thinking about it. But what I'm kind of thinking about is that they would be more like pseudocode and not exact code, to say that, oh, an alert from an IDS and an alert from this and an alert from that, that's your risk based rule. Not necessarily saying, oh, this is the exact line that you need to take, copy and paste and put into your tool.
[00:16:42] Speaker B: No. So the way that Sigma works is it has a generic markup language that's kind of similar to YARA, it looks like. For example, I'm looking at one right now in GitHub where it's looking for AWS EC2 user data downloads. And it tells you, like, here's the detection logic: the event source is EC2, the request parameter attribute is user data, and the event name is DescribeInstanceAttribute. And it's saying if you find all of these conditions within 30 minutes and there are more than ten of them, then trigger the alert. And this is supposed to be for bulk downloading of user data associated with AWS EC2 instances.
[00:17:25] Speaker A: Okay, I see what you're saying.
[00:17:27] Speaker B: Yeah, it's very much like YARA, where it's got a generic format and you need a translator. And I think they provide a translator for most of the major ones, but yeah, that would be kind of the big problem, right? Is you would then need to translate that into... but it's enough, I think, to get the logic out there and then, you know, kind of do the manual translation.
[00:17:45] Speaker A: What this kind of reminds me of is actually McAfee's Threat Intelligence Exchange and Data Exchange Layer.
And they actually have OpenDXL as well. And basically coming up with, it's not exactly like an API, but really some kind of standard communication layer, so that you can take this stuff from here and put it over there.
But there's no incentive for vendors to come together on this stuff. You have partnerships where McAfee will partner with a firewall company or something like that and they will both be able to talk Data Exchange Layer. But industry-wide there is no kind of standard where you'll be able to pull all those things together. You have to have something like you're talking about, and then they have to build a bunch of different translations in order to get all this stuff to work.
[00:18:41] Speaker B: This is actually the same as my common complaint about, you know, we have to have Teams installed and Slack installed and Discord installed, because every vendor uses a different chat thing. It should all be like IRC, it all uses the same format, and your vendor just provides you the experience you want.
Like back in the day in 2000, as I date myself, I used to have a chat client called Trillian that could talk on ICQ, it could talk on AOL, it could talk on IRC.
I just want them to all use the same protocols. I want them to use the same kind of logic protocols. I want them to use the same data transfer protocols. And then I would choose vendors based on the user experience that I want and the capabilities I want, not the data transfer stuff.
[00:19:31] Speaker A: Yeah. You think they'd be able to sell that, though, saying that the magic that we do in order to produce that output, that's the magic, not necessarily the output itself.
[00:19:42] Speaker B: Yeah, all that does is, and I get it, they're trying to force you into their ecosystem, but that's not what I want.
I will fight against that.
[00:19:52] Speaker A: Well, actually, that's one of the things that was in one of the articles that I looked over for this XDR stuff, and this is a quote, priority should be given to XDR solutions that are purpose built for a vendor's native security stack to ensure optimized analytical capabilities.
So in other words, you should pick the XDR that has an endpoint agent, that has a firewall, that has an IDS, that has a mail security gateway, et cetera, et cetera, et cetera.
[00:20:27] Speaker B: It sounds like, and pick ones that are optimized to work with each other as well, which could be seen as using their own proprietary.
[00:20:36] Speaker A: It could be based on partnerships, but based on that statement, it sounds like, oh, well, you should have a vendor that does all these things.
And I'm not saying that's necessarily bad.
[00:20:48] Speaker B: Yeah, we had these discussions, I remember years ago when we worked with each other. Do you buy best of breed in every spot, or do you buy one vendor that's not quite as good, but it works together really well, which I guess we were discussing XDR five or six years ago.
[00:21:03] Speaker A: Yes. Like do you buy the solution that's homogeneous and 80% or the ideal of each that's at 90%, but doesn't talk to each other?
[00:21:14] Speaker B: There's a surprising number of tools, we've talked about this in the past as well, but there are a surprising number of tools that don't have API connections at all, tools from major vendors, that I am shocked by, and I don't want to name them because I feel bad, but...
[00:21:28] Speaker A: You mean because they won't sponsor us in the future? That's really why you're keeping your mouth shut.
Got to keep your options open.
[00:21:35] Speaker B: Yeah, no, because we talked about this a little bit the other episode.
I've been working a lot in automation, and I'm just consistently surprised about the things you cannot do in automation. Or where an email vendor, for example, has an API where you can block an email in your own private personal block list. But you can't block an email for the entire company. And that seems completely opposite to me, because why would a user, like an individual user, write a script to go to the API to block something in their personal block list? That doesn't sound like something that an individual user would do.
[00:22:15] Speaker A: Right. Well, what I've started doing is when we're looking for any kind of application, we have engineering requirements.
Its management console has to be a web interface. It has to have what we call a full API, which means the API does everything that you can do in the GUI.
[00:22:37] Speaker B: Yeah, that makes sense. Yeah, we've started doing that as well, where if they don't have the API, we don't buy them.
[00:22:42] Speaker A: Right. And I think that's something that customers need to start forcing, say that is a showstopper requirement for us. Either you have that or you are not going to be considered for our company.
[00:22:58] Speaker B: Yeah, I think the biggest thing we found is a lot of companies that say they have APIs. What they really have is they have the ability to dump data via API, and that's about it. They'll happily serve you all your alerts or serve you all kinds of information, but you can't close incidents, you can't perform remediation actions, et cetera.
[00:23:16] Speaker A: Right. It's like a one way.
[00:23:18] Speaker B: Yes.
All right. But we went a little far afield here. Let's draw us back and let's finish up with where I think there is some actual value in XDR and where I think there's going to be some potential issues. So, first of all, I think there's two places that there is going to be a lot of value in XDR. And the first one is if they can actually do the single pane of glass for all of those systems, just like how EDR brought in the AV, the HIDS, the firewall, the local firewall stuff and the process stuff all into one dashboard, simplifying you from four tools to one. I think if they can bring in another three or four tools, then I think that does have value.
I don't know that it deserves its own name and a big marketing push, but it does have value. Second, if you're starting from scratch today, or if you're at the point where you're ready to just redo your complete security system, like your whole stack from top to bottom, I think XDR probably sounds like a pretty good place to start looking, because it can bring all that data in together and it should be ready to work natively with itself. Although you're going to want to check on that, because I would bet that the vast majority of XDR solutions were not designed to natively work together. They are separate products purchased by a vendor or developed by a vendor, and then smashed together with some spaghetti code after the fact.
But if you're starting from scratch today, it might simplify your installation, it might simplify your life, or if you want to rebuild your whole thing. There probably are also some native detection logic advantages, depending on if they black-box it or not. But having all of your data come from a single set of tools from a single ecosystem, because there are definitely difficulties trying to do the SIEM data model, CIM-compliant thing, and that's two different sims. One is the SIEM, security information and event management, or whatever SIEM stands for, and the other one is CIM, common information model. So trying to get them compliant with the common information model is a pain, and it does require a lot of work.
As the XDR vendor themselves said, you can do almost all of this, maybe all of it, maybe more, and assemble it yourself, but it's going to take some man hours, or woman hours, person hours. Additionally, future AI and ML will hopefully be able to knock out all the low level stuff automatically, especially if it's heavily integrated with SOAR.
This is another particular point of view that I have, but I'm 100% believing that the SOC 1 position will be eliminated within five years. I think David shares this viewpoint too, but I'm not going to speak for him.
[00:26:08] Speaker A: It certainly deserves to be gotten rid of.
I think five years is a bit optimistic.
It's probably closer to ten, but SOAR is definitely...
And really, if you're talking about that, though, you're probably really talking about getting that SOAR down to the cybersecurity poverty line level.
[00:26:33] Speaker B: You're right, because when I say things like five or ten, even when you say ten years, we're probably talking about big, well funded companies. I would bet there's going to be SOC 1s in small to medium sized companies for 20 or 30 years.
[00:26:43] Speaker A: Yeah, the cost of SOAR has to come down. Well, not only for that...
[00:26:47] Speaker B: ...to happen, but their default logic has to be better too, because it doesn't even help you if SOAR is super cheap. If it comes in, you've still got to hire one or two people to actually do that automation.
[00:27:00] Speaker A: Yeah, that's a good point. Or hire a consulting company to come in and do $300 baseline stuff.
[00:27:06] Speaker B: Yeah, maybe that's what I'll be doing then.
I think future AI and future machine learning are definitely interesting. I haven't been terribly impressed with the machine learning I've seen so far. All right, potential issues. The biggest issue for me is the black box detection issue. Now that you're not going to be able to see the raw data necessarily flowing from each of those pieces and how they're correlated into a detection, you're going to end up with a lot more detections, I believe, that simply say something bad happened, you should believe me, and you should go take this guy offline.
But since you don't know what happened, you don't know why it happened, you don't know how it was detected, it gives you very little data to investigate, gives you very little data to remediate. How do you remediate?
Depending on the detection, even the same type of malware, depending on who's using it, what group is using it, and what they're doing with it may lead to completely different responses. For example, if you get a first stage loader and the second stage never showed up, then you can probably just remove the first stage and hopefully fix whatever caused it to be loaded on there. But the machine was probably not actively compromised. A lot of that follow up, I don't know if you'd be able to see.
Hopefully you would, but you need that extra context for the investigation.
Second major issue: locked into a single vendor. If you get one of these XDR products, if you make a good choice and get a good vendor, you are golden. If you pick the wrong vendor, you are going to be stuck in a world of hurt for a very long time.
[00:28:52] Speaker A: Something else to consider as well is that as you were talking about with the vendor list above, this vendor says, well, we do this, this, and this, and this vendor says, we do this, this and this.
So if you're going to use only those detections, you have XDR. That's it. Otherwise you have to have a SIEM in order to take those detections, and then these other detections from these other platforms which don't fall within that scope.
And then what's the cost there going to be? Are you really going to double your expense to have a SIEM and an XDR, where the XDR's job is just to give you better alerts in your SIEM?
[00:29:41] Speaker B: Yeah, I didn't even consider that. But you're right, depending on which vendor you get. Like one of the ones we were looking at above, I think Cynet didn't cover email, so you'd still have to do something about your Office 365 email alerts, your email gateway alerts, any of that kind of stuff.
I don't think it included web servers or application related stuff, database stuff. Still got to pull those in. None of these EDR products actually allow you to eliminate the SIEM, because I don't think any of them cover all the layers.
[00:30:12] Speaker A: Yeah. So you better hope that whatever black box they're providing is really essentially what you're saying here is that XDR has to be the 80% solution and then the other 20% stragglers, you're going to take those and maybe they're going to provide additional context or something to what the XDR is providing. Or XDR vendors might be saying, well, you don't actually need anything other than what we have.
[00:30:38] Speaker B: I don't know, man. I would not want to ignore email alerts, for sure. And I saw some of the XDR vendors did cover the email stuff and some of them didn't cover email. That's a pretty big gap. Some of the other ones, like web servers, I can see where that's less of a thing, because if you've got the EDR on there, once it breaks out of the web server and starts working off the disk, then you can catch it there. So there's places you can catch stuff where it's not being specifically called out in the stack. But yeah, I would definitely make a list of what are the absolute drop-dead things that we need to monitor, and email would 100% be on there.
[00:31:14] Speaker A: I think this is where XDR kind of falls down overall, is that it's really just a marketing term. No one has said this is the XDR standard.
So one company says we do XDR and this company says we do XDR, but they have completely different stacks and they don't necessarily overlap. So is it two XDRs that these guys are doing, or these guys, or are they both not doing XDR? They have to come up with some kind of standard to say this is XDR, and are you or are you not meeting that?
[00:31:45] Speaker B: Yeah, but the XDR, and the problem there is, like I said before, and I think you mentioned as well, is that most of the people doing XDR are doing it with basically their own stack of security products that they purchased or built in-house. And we're going to need to get to the partner stage, where maybe it doesn't do email, but we have a partnership and we use the API of Proofpoint to cover this gap, and the Proofpoint alerts are integrated into our black box logic.
[00:32:16] Speaker A: Yeah. So you're going to end up with the Horde versus the Alliance.
[00:32:21] Speaker B: Yeah, pretty much.
[00:32:23] Speaker A: And you have to say, well, we have to get rid of this vendor, bring in this vendor because they're part of this ecosystem.
This is where a vendor or a VAR or somebody could come in and say, oh, here is the ecosystem that you need. You need these vendors and these are the ones that talk to each other, et cetera, et cetera.
I don't know. I think this XDR overall, I'm not confident that it's going to solve more problems than it's going to create as far as gaps and confusion, as far as what it does and what it doesn't do. And is that what you need or not?
[00:33:08] Speaker B: All right. Other issues that I see: the AI and the machine learning aren't showing a ton of value. Now, I just haven't been impressed with anything I've seen. Maybe I haven't seen the top of the line stuff.
And finally, if you have an existing security ecosystem, I think the last thing you're going to want to do is rip and replace with one of these, unless you already have the majority of one of their products, because like I said, none of these are actually a unified system. They're a bunch of separate tools that used to be sold separately and now they're selling it as a group of tools. If you've already got three out of four of the tools, you've already got their firewalls, you've already got their EDR product, you've already got their, I don't know, email product or whatever, then maybe it's a pretty easy thing to just add one more product and start taking advantage of the interconnectedness of the single vendor suite.
[00:34:03] Speaker A: Yeah, get the Symantec action pack.
[00:34:05] Speaker B: Now with XDR, buy five tools, get the sixth one free. I mean, that's not too far off, but I'm thinking Palo Alto. Is Palo Alto specifically calling it that? I think they are. They're calling it their XDR, their data lake product and everything, because they've already got pretty good firewalls and they've got the Traps product, and they're calling it Cortex XDR because they've got the SOAR product, because they bought Demisto earlier this year, which is probably related to this. So someone like Palo Alto probably has actually a pretty good stack.
[00:34:41] Speaker A: Well, then it's a matter of timing because they're going to buy the distinctive parts they need and then they're going to spend six months doing a.
[00:34:56] Speaker B: Are.
[00:34:57] Speaker A: Then it's going to only kind of work and it's going to be five years or so before they solidify that integration, so that this third party purchase that they made is actually now really a Palo Alto product. It's kind of like the way McAfee did their endpoint. They had AV and then they bought another HIPS and it took a while and then they got it in ePO, then they actually got it in the, you know, it's a process that takes years to get looking at.
[00:35:28] Speaker B: I'm looking at Palo Alto's page. Feel free to laugh at me about how I pronounce things. It's totally cool. You don't have to tell me on Twitter how badly I pronounce things. I know, my wife tells me all the time. But it's showing they actually have partnerships too, because it looks like they're doing their own next gen firewalls, but they're also integrating Cisco, Check Point and Fortinet firewalls and Bro logs, which is cool. Then they've got their own endpoint agent, plus they're adding the Windows event logs, which again you can just do in the SIEM. But then for cloud and identity they're doing Prisma, which is their product. They're adding Azure Active Directory, Okta, Google Cloud and then AWS CloudWatch and CloudTrail. They're integrating other companies' data, which is interesting and good, but they're still missing the email stuff, they're still missing the web server and the database stuff.
They're doing Cortex XDR and Windows event logs. I don't know if they support Linux or Mac. They probably do. Most people support Mac and Linux these days, but they don't call out the Linux event logs or the Mac event logs. They probably don't find as much stuff either.
[00:36:39] Speaker A: Yeah, because generally those things focus on one platform and then they kind of do the other ones as kind of an aside almost. And generally don't do them as well. It's a matter of market share.
Windows has got a huge market share. So they'll do Windows, right? Linux is next. So they'll start on that one next, but it won't ever probably reach the level of Windows.
[00:37:01] Speaker B: Wow. Mac, maybe. Their XDR agent supports Windows, Mac, Linux, Chrome OS and the Android operating system. It's interesting. They don't support iOS but they support Android. But no, you know what, that does make sense, because Android is used in IOC devices or IoT devices.
[00:37:17] Speaker A: All right, yeah, that's interesting.
[00:37:22] Speaker B: Now I'm picturing Apple announcing their new iIoT operating system.
It costs 20% more to have the exact same IoT devices, but you get your iOS operating system on them.
[00:37:36] Speaker A: Yeah, I was going to say Apple's too expensive to do IoT.
[00:37:40] Speaker B: Yeah, that's fair. All right. I think that's about all I have to say on XDR.
[00:37:47] Speaker A: Yeah. I think the bottom line is it sounds nice, but I'm really skeptical of execution, about how this is really going to be better than the SIEM. And they say it's not a SIEM replacement. It really sounds like they're trying to make it one, though.
[00:38:02] Speaker B: Yeah, they're working awful hard to distinguish it. It's really just SIEM. But again, I think it can be better.
I think it can be just as good or better than SIEM if you don't have the manpower to do the SIEM and/or you're starting off from scratch and you don't have a bunch of established stuff you'd have to rip and replace.
[00:38:21] Speaker A: Right. It's kind of like, do you hire an MSSP or do you build your own? Yeah, kind of that.
[00:38:27] Speaker B: Kind of same decision. Yeah.
[00:38:29] Speaker A: All right, well, thank you for listening to Security Serengeti podcast. Follow us on Twitter at serengeti sec and download and listen to this podcast on whatever your favorite podcast app is.
[00:38:43] Speaker B: Yeah, anything but iTunes, or Apple Podcasts currently.
[00:38:47] Speaker A: We'll get there. We'll get there.