Interview: Why XDR Isn’t Just A Buzzword, And How It Can Help SMBs Face Today’s Cyberthreats

Eric Skinner, VP of Market Strategy at Trend Micro, discusses the changing dynamics within the threat landscape, the steps organizations can take to secure themselves in the face of those changes, and the position of XDR within the threat detection and response market.

Expert Insights Interview With Eric Skinner Of Trend Micro

Eric Skinner is the Vice President of Market Strategy at Trend Micro. Skinner is a product management and marketing executive with over 20 years of experience in the cybersecurity space. In his current role at Trend Micro, Skinner draws on his expertise in planning and executing innovative strategies and his in-depth understanding of enterprise customers’ security concerns to promote Trend Micro’s work in the industry and drive consistent revenue growth.

At RSAC 2022, we spoke to Skinner to discuss the changing dynamics within the threat landscape, the steps organizations—particularly small businesses—can take to secure themselves in the face of those changes, and the position of XDR within the threat detection and response market.

Trend Micro is a leading provider of cybersecurity solutions globally. How has Trend Micro kept its competitive edge, with new shifts in the endpoint security market and changing customer needs?

I think that any vendor that’s continuing to lead in the cybersecurity space has to focus on the attacker behavior, in particular, and to continue innovating. No one can stand still in this space when the attackers are evolving weekly. And the pace is accelerating. The attackers are speeding up, because they know that’s a good strategy for achieving their objectives.

So, over many years, we’ve consistently been refreshing, innovating, and enhancing in order to maintain that leadership. That’s because the number one objective is to protect our customers.

In recent years, we’ve seen huge changes in the ways in which people work and engage with digital services. What are the big security risks that you’ve seen since the last RSA conference, and where are things going?

For sure, people have changed the way they work, and one of the dynamics there that concerns me is that considerably more of the workforce is remote. There have always been some employees who are traveling or working from home, but now the majority are in many cases. And that’s dramatically reduced IT visibility over the endpoints and other services that those employees are accessing, and that in turn has increased the challenge for the defenders to rapidly detect threats. So that was one of the major dynamics.

What are the biggest challenges organizations are having when trying to implement effective security tools to protect against these risks?

I think that the pace of attack is making it harder for security teams—especially in smaller organizations—to stay on top of the various tools that they’re using. And that has driven two important dynamics.

One, especially in these smaller-sized organizations, is the heightened attractiveness of a well-integrated platform, rather than having lots of individual tools, because the platform is able to correlate threats across a variety of different sources.

And the second dynamic that’s also been growing in the SMB space is the use of managed services. This enables them to get assistance with respect to doing that threat detection.

We work with a lot of MSPs in the United States, and those MSPs themselves are relatively small organizations. In some cases, what we’ve been doing is backing up MSPs with managed services for the MSPs. So, we offer managed detection and response to the MSP, who in turn offers a full suite of capabilities to the customer, and that enhances their ability to detect threats in the organization. And the customer may not even be aware that Trend is providing that service to the MSP.

We’ve been hearing some discourse here at RSAC around managed services versus upskilling and cross-training internally. How important is each of them, and which should organizations be doing?

I think it’s always useful for there to be skilled people in an organization, until you get to a very small organization. So, having some security skills and experience inside the organization is helpful. But I think that the rise of managed services is a very good development in the industry, because those managed service providers—in particular around the detection and response or MDR services—are able to use data aggregation across a range of different customers, they’re able to use AI models, and they’re able to use a very specialized skill set that it’s very unlikely that a smaller organization is going to be able to grow in-house. So, there’s some symbiosis between skilled resources in the customer environment, and huge value in leveraging managed services.

The other dynamic for those smaller organizations especially, but also the large organizations, is leveraging SaaS security products and SaaS platforms in general, because the legacy on-premises approach requires more investment to maintain and manage. The days of people running their own email servers are going away, let alone running other on-premises security products. The more that the organization can focus on things that relate to their organization, the better, instead of having to patch security servers when that could be done in the cloud for them.

You also mentioned that organizations are moving towards using one holistic platform, rather than lots of disparate tools. What are some of the benefits of this?

It’s not intended as a self-serving message, there’s actual value in this. So, one of the dynamics that’s emerged—and you see it on the show floor this week—is XDR. We were one of the very early vendors that pushed into the XDR space, and the whole concept of XDR is to look at subtle clues of attacker activity across the entire environment—not just on endpoints, but in the email system and in the network activity, in Active Directory and old servers—and to correlate those subtle data points that each on their own are not sufficient to trigger an alarm.

Because attackers will do things that are very subtle and that look like they might be normal actions, but are actually very consistent attacker behaviors. But an XDR system that has visibility across those various systems is able to pull away and to realize that there is an attacker involved, and potentially take automated action or, at the very least, raise the visibility of that activity to the customer themselves and ideally to a managed service provider as well. So, in a well-integrated platform, you get that correlation value of threat detection activity.

And the next level up that we’ve been working on at Trend and that has started to roll out this summer, is our ability to do attack surface management. That means helping customers get visibility to their whole environment and understanding what they have, because they may not realize that they haven’t properly protected something.

For example, they might realize something is connected to the internet and they weren’t aware of it. Or they might realize that there’s an endpoint that doesn’t have any protection on it, or that there’s insufficient security controls.

So, we’re helping really digest a whole bunch of telemetry from that endpoint and from the servers and from the network about the threat activity, but also the configuration of those vulnerabilities in the environment. So that this very overworked security team is able to prioritize the most important tasks.

Traditionally, in all these siloed systems you would get hundreds or thousands of to-dos, depending on your organization size. That makes prioritizing your day very challenging. Well, with this kind of integrated view across a unified platform, you can start to see, “Okay, here are the five things I need to do today that are going to have the biggest impact.”

Because not all vulnerabilities matter as much as other vulnerabilities.

Some people think of XDR as just being a bit of a buzzword. What would you say in response to that?

So, there are some people who might say, “XDR is not a valuable strategy and it’s just slapping an ‘X’ in front of EDR.” And I think there’s a wide disparity in the approaches that various vendors are taking to XDR. Some of them are slapping the ‘X’ label on their existing endpoint capability and on some very lightweight integrations to other third-party products. But the reality is that XDR done properly is tremendously valuable. We know this in practice, and it came from some very basic observations that we had several years ago related to phishing attacks.

So, you can take a concrete example: many phishing attacks target multiple employees in an organization. Our EDR was detecting the consequences of a phishing attack locally launching some malicious file and doing damage, and we found ourselves saying, “We’d really like to know who else got this email.” And with XDR, we’re able to put together a chain of events and, in fact, automatically remove that malicious email from the other employees’ inboxes based on the initial EDR detection.

And there are countless practical examples of these real integrations that emerge from having a unified posture.

So, XDR no doubt is done differently by a range of different vendors and people should choose carefully. But I do dispute the comment that XDR is not about the strategy overall. No doubt that comes from somebody who doesn’t have XDR and wishes they did.

Finally, what is your advice to organizations looking to improve their resilience against sophisticated cyberthreats such as ransomware? What is the best first step they should be taking?

Getting better visibility is critical, especially given the work from home dynamic and the disparate workforce. And I would say, make sure that you have the help that you need—either in house or from a managed service provider—to stay on top of the alerts that are being generated. Far too often, we see situations where organizations had alerts related to attacker activity, but did not have the staff to respond to those alerts. And that is tragic.
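The phishing scenario Skinner describes above (an EDR detection on one laptop being tied back to the email that delivered the attachment, and then to every other mailbox that received the same message) is the core of the cross-telemetry correlation XDR is meant to do. The following is an added example written for this page, not Trend Micro’s code or any vendor’s API. The email and EDR records are constructed, the field names are assumptions, and the example assumes the endpoint user identity matches the mailbox address so the two data sources can be joined.

```python
"""Correlate an EDR detection of a malicious attachment with email telemetry
to find the delivering message and every other mailbox that received it.

Added example, not Trend Micro's code. All log records below are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class EmailEvent:
    message_id: str
    sender: str
    recipient: str          # mailbox address
    attachment_sha256: str
    ts: int                 # epoch seconds at delivery


@dataclass(frozen=True)
class EdrDetection:
    hostname: str
    user: str               # assumed to equal the mailbox address (assumption of this example)
    file_sha256: str
    parent_process: str
    ts: int                 # epoch seconds at detection


@dataclass
class CorrelationResult:
    delivering_message: Optional[EmailEvent]
    other_recipients: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)


# Constructed sample telemetry: one phishing message sent to three staff,
# one benign newsletter with a different attachment, and two EDR detections.
PHISH_HASH = "a1" * 32
NEWS_HASH = "b2" * 32
EMAIL_LOG: List[EmailEvent] = [
    EmailEvent("<inv-991@ext.example>", "billing@ext.example", "alice@corp.example", PHISH_HASH, 1_700_000_000),
    EmailEvent("<inv-991@ext.example>", "billing@ext.example", "bob@corp.example", PHISH_HASH, 1_700_000_001),
    EmailEvent("<inv-991@ext.example>", "billing@ext.example", "carol@corp.example", PHISH_HASH, 1_700_000_002),
    EmailEvent("<news-7@vendor.example>", "news@vendor.example", "alice@corp.example", NEWS_HASH, 1_700_000_500),
]
EDR_LOG: List[EdrDetection] = [
    # Alice opened the attachment from her mail client; EDR flagged the dropped file.
    EdrDetection("LT-ALICE", "alice@corp.example", PHISH_HASH, "OUTLOOK.EXE", 1_700_003_600),
    # Same hash on Dave's machine but no matching email: some other delivery path.
    EdrDetection("LT-DAVE", "dave@corp.example", PHISH_HASH, "explorer.exe", 1_700_003_700),
]

LOOKBACK_SECONDS = 72 * 3600  # only tie a detection to mail delivered in the prior 72h


def index_by_attachment(emails: List[EmailEvent]) -> Dict[str, List[EmailEvent]]:
    """Bucket email events by attachment hash so each detection is one lookup."""
    index: Dict[str, List[EmailEvent]] = {}
    for e in emails:
        index.setdefault(e.attachment_sha256, []).append(e)
    return index


def correlate(det: EdrDetection, emails: List[EmailEvent]) -> CorrelationResult:
    """Tie an endpoint detection back to the email that delivered the file.

    A matching message must carry the same attachment hash, be addressed to the
    user on the detecting host, and have arrived inside the lookback window
    before the detection. The endpoint is always acted on; mailbox actions are
    only emitted when the chain closes."""
    index = index_by_attachment(emails)
    candidates = [
        e for e in index.get(det.file_sha256, [])
        if e.recipient == det.user and det.ts - LOOKBACK_SECONDS <= e.ts <= det.ts
    ]
    result = CorrelationResult(None, actions=[f"isolate-host:{det.hostname}"])
    if not candidates:
        return result
    delivering = max(candidates, key=lambda e: e.ts)  # most recent qualifying delivery
    result.delivering_message = delivering
    result.other_recipients = sorted(
        {e.recipient for e in emails
         if e.message_id == delivering.message_id and e.recipient != det.user}
    )
    # Pull the same message from every other inbox, then block the sender.
    result.actions += [f"purge-message:{delivering.message_id}:{r}" for r in result.other_recipients]
    result.actions.append(f"block-sender:{delivering.sender}")
    return result


if __name__ == "__main__":
    for det in EDR_LOG:
        r = correlate(det, EMAIL_LOG)
        print(det.hostname, r.delivering_message and r.delivering_message.message_id, r.actions)
```

The join key here is the attachment hash plus the recipient-to-user identity, bounded by a delivery window; without that identity mapping, the two logs cannot be linked and the second detection correctly falls back to host-only containment rather than purging mail on a guess.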

Thank you to Eric Skinner for taking part in this interview. You can find out more about Trend Micro’s cloud and endpoint security solutions, including their XDR platform, via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.