Rated XDR: Where CrowdStrike’s Ajit Sancheti Thinks Extended Detection and Response Is Headed, What It Means for SIEM and How It Can Improve the Current State of Security

CrowdStrike is on a roll. With the recent acquisitions of Humio and Preempt Security, it has added serious capabilities to an already robust security portfolio. That’s why CRITICALSTART CTO Randy Watkins spoke with Ajit Sancheti, founder and former CEO of Preempt and now VP of Identity Protection at CrowdStrike, to get his perspective on the role XDR plays in CrowdStrike’s strategy. The conversation is the first installment of our five-part series, Rated XDR.

Ajit shared his view of XDR versus SIEM and CrowdStrike’s vision of what a complete XDR solution looks like. He also explained the role an XDR platform plays in a zero-trust approach, and how to make that approach frictionless for the end user.

Warning: Rated XDR may not be suitable for legacy security vendors.

Early in the discussion, Ajit explained why Preempt focused so heavily on identity, and on Active Directory in particular, and how that focus meshes with CrowdStrike’s endpoint-centric approach. “Why did we choose Active Directory?” he related. “It’s a mess, but it’s also the place where all identities are stored. Typically four out of five breaches have something to do with compromised credentials. And if someone’s trying to get the credentials, it’s the Active Directory that they want to compromise.”

Ajit went on to explain that at the beginning of the COVID-19 pandemic, the two common themes they were hearing from customers were concerns over remote work and controlling identities. He feels CrowdStrike is heading in that direction as part of a comprehensive security package. “I couldn’t be more excited because I think the fit of our architecture with the core CrowdStrike Falcon Endpoint Protection Platform is just seamless and we’re starting to see the benefits of it,” he shared.

“It definitely fills some gaps in not just visibility, but also control, which I think is very unique and customers are starting to circle around to it,” added Randy. “I really think the focus is on endpoint, identity and applications, whether they’re SaaS, cloud—whatever—and CrowdStrike is definitely moving towards that fashion. They can audit the software that’s installed on the endpoint. Now you can look at the different user interactions with that software…And then kind of bake that into whether or not they should have a certain level of access to a machine. It’s really coming through into a much broader picture for both visibility and enforcement.”

XDR presents the data that matters

A common theme in the conversation was the massive volume of data generated by all of these sources, and the difficulty SIEM platforms have ingesting it as the volume and number of sources continue to grow. “The basic thought there is that we are getting hit by very sophisticated attackers,” Ajit explained. “And we’ve been called in and there’s no telemetry (on the customer side). The telemetry that you need to figure out what happened just doesn’t exist. And the reason is that people cannot afford to collect it with this exponential data growth. I think right now organizations are saying that unstructured data is doubling every 40 months…What CrowdStrike is doing is providing the ability to log and answer everything…it’s index-free and cloud native in real-time. It gives ingest data, which allows you to redefine XDR in a manner that says, ‘Let’s go find the data sources that really matter rather than saying bring all the data and consider this to be a next generation SIEM.’

“Think of it more as a security use case,” he continued. “What are the security use cases we’re trying to solve? How do we want to solve it? Our focus is on building XDR so that it answers these security use cases. I also think that if you look at the CrowdStrike story, we have so many good partners that do so many great things. So we want to bring in their indicators into our platform. And that’s how we want to leverage XDR. We can get to the point where we can solve these questions, not just by CrowdStrike’s native data, but with the partners that we work with in the industry that are really focused on these security use cases.”

During the discussion, Randy raised the distinction between a compliance auditor and a compliance assessor. An assessor, he noted, wants to understand the intent behind a control and confirm that the organization actually meets that intent. The hope is that XDR can serve as a mitigating control where a SIEM is expected, by providing more meaningful data feeds that satisfy the security intent behind the requirement.

Zero-trust becoming the norm through XDR

The CrowdStrike team is a firm believer in the zero-trust security model, and Ajit explained how XDR can help make that model a reality without placing an undue burden on users. “If you look at any kind of logging solution, it’s near real-time, or as close to real-time as possible, but it’s still not real time,” he stated. “What I want to know about the user is what are they doing now? That’s where I think XDR helps us is to get a better and more comprehensive view of the user over time.”

Through XDR, suspicious behavior, such as a user logging into an application they have not used before, can be tracked and compared against that user’s established baseline. The platform can recognize patterns and assign a risk score, then act when the score indicates the activity is suspicious enough to warrant it.
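To make the risk-scoring idea concrete, here is a small added example (written for this recap, not CrowdStrike code, and not a description of how Falcon does it). It builds a per-user baseline from constructed authentication events, then scores new logins against that baseline and accumulates a running risk figure per user. The event fields, weights, threshold and sample data are all assumptions.

```python
"""Toy UEBA-style risk scoring over authentication events (added example).

Builds a per-user baseline of applications, source countries and login hours
from historical events, then scores new events against it. Field layout,
weights and threshold are assumptions, not a vendor's real logic.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real data): (user, app, country, ISO time)
BASELINE_EVENTS = [
    ("alice", "mail", "US", "2021-06-01T09:05:00"),
    ("alice", "crm",  "US", "2021-06-01T10:30:00"),
    ("alice", "mail", "US", "2021-06-02T08:55:00"),
    ("alice", "crm",  "US", "2021-06-03T14:10:00"),
    ("bob",   "mail", "US", "2021-06-01T09:20:00"),
    ("bob",   "git",  "US", "2021-06-02T11:00:00"),
    ("bob",   "git",  "US", "2021-06-03T16:45:00"),
]

NEW_EVENTS = [
    ("alice", "mail",    "US", "2021-06-10T09:00:00"),  # routine login
    ("alice", "git",     "US", "2021-06-10T09:30:00"),  # new app for alice, known to org
    ("alice", "payroll", "RO", "2021-06-11T03:15:00"),  # new app, new country, off hours
]

# Assumed weights; tune per environment.
WEIGHTS = {
    "new_app_for_user": 30,
    "new_app_for_org": 20,   # stacked on top of new_app_for_user
    "new_country": 35,
    "off_hours": 15,
}
ALERT_THRESHOLD = 60


def _hour(ts):
    return datetime.fromisoformat(ts).hour


def build_baseline(events):
    """Per-user sets of seen apps, countries and login hours, plus org-wide apps."""
    b = {"apps": defaultdict(set), "countries": defaultdict(set),
         "hours": defaultdict(set), "org_apps": set()}
    for user, app, country, ts in events:
        b["apps"][user].add(app)
        b["countries"][user].add(country)
        b["hours"][user].add(_hour(ts))
        b["org_apps"].add(app)
    return b


def score_event(baseline, event):
    """Return (score, reasons) for one event. Unknown users score everything as new."""
    user, app, country, ts = event
    score, reasons = 0, []
    if app not in baseline["apps"][user]:
        score += WEIGHTS["new_app_for_user"]
        reasons.append("new_app_for_user")
        if app not in baseline["org_apps"]:
            score += WEIGHTS["new_app_for_org"]
            reasons.append("new_app_for_org")
    if country not in baseline["countries"][user]:
        score += WEIGHTS["new_country"]
        reasons.append("new_country")
    seen_hours = baseline["hours"][user]
    hour = _hour(ts)
    # Off hours: outside the user's observed window widened by two hours each side.
    if seen_hours and not (min(seen_hours) - 2 <= hour <= max(seen_hours) + 2):
        score += WEIGHTS["off_hours"]
        reasons.append("off_hours")
    return score, reasons


def evaluate(baseline, events, threshold=ALERT_THRESHOLD):
    """Score each event and keep a cumulative per-user risk across the batch."""
    results, cumulative = [], defaultdict(int)
    for ev in events:
        score, reasons = score_event(baseline, ev)
        cumulative[ev[0]] += score
        results.append({"user": ev[0], "app": ev[1], "score": score,
                        "reasons": reasons, "alert": score >= threshold,
                        "user_risk": cumulative[ev[0]]})
    return results


if __name__ == "__main__":
    for r in evaluate(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(r)
```

The per-event score captures the "new application" signal the paragraph describes, while `user_risk` carries the view of the user over time that Ajit contrasts with point-in-time logging: two individually low-scoring anomalies in a short window can still push a user past a threshold.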

Ajit expects the telemetry XDR provides to solve increasingly complex security use cases over time, and that SIEM vendors will need to decide whether to work with the technology or risk being replaced by their customers. Randy agreed, concluding, “There’s definitely going to be a lot of catch-up work for some of these vendors that have been either only looking at their own data for telemetry, or they don’t have a backend that will support the ingestion of third-party data for additional telemetry. It seems like the mission statement behind XDR is to accomplish what we really wanted to get out of SIEM, which was how do we lower dwell time of an attacker in the environment.”

While these are a few of the highlights, be sure to listen to the full podcast of episode 1 of Rated XDR. And tune in for the next episode, where Randy talks with the Chief Product Officer of the freshly IPO’d SentinelOne.
