
    Are SOC Teams Ready to Shed Complexity with XDR?

    Security vendors are looking to tame complexity as the proliferation of cybersecurity tools is actually reducing security teams’ effectiveness.

    by Rusty Weston

    Key Points

    • Security professionals manage too many cybersecurity tools and dashboards, some with redundant capabilities.
    • Recent initiatives such as API alliances and XDR collaborations promise to create a more unified and effective environment.

    Simple isn’t the SecOps way. Cybersecurity teams have tended to seek strength in numbers and equip themselves with an array of cybersecurity tools spanning from endpoint to cloud. Accordingly, nearly half of security professionals use more than 20 tools to investigate and respond to a typical cybersecurity incident, according to a recent IBM study.[1]

    With this level of complexity, though, the solution has become part of the problem. From a practical standpoint, managing multiple and often disparate tools requires security pros to juggle too many dashboards and forces organizations to pay subscription fees for tools with overlapping capabilities. So far, there’s little evidence that more tools drive better outcomes in fighting cyberattacks. Incidents are rising — up 50% last year.[2] So is spending on cybersecurity, estimated to grow 12.2% this year, according to Gartner.[3] 

    And in a recent poll conducted at this year’s RSA Conference, over four in 10 respondents actually called the overabundance of security tools their No. 1 challenge. More than half said they had “wasted more than 50% of their cybersecurity budget.” The kicker? They still couldn’t remediate threats.[4]

    Yet, cybersecurity software tools proliferate because detecting, analyzing, and responding to threats is complicated. The attack surface is expanding and may include different devices, applications, cloud services, microservices, and more. An attacker may slip through the network at one point and cause additional damage elsewhere. For example, endpoint detection and response (EDR) tools can listen to endpoints, of course, but don’t cover cloud-based threats. 

    At this point, the cybersecurity ecosystem has become so fragmented that an expert named Cole Grolmus has even begun mapping it as a “practical approach to grappling with the enormity of it all.”[5]  

    How will cybersecurity teams transcend this issue of complexity and build a more resilient future? Answers are emerging as the security industry coalesces around new architectures such as extended detection and response (XDR), as well as forming collaborations, such as Mimecast API alliances, that knit together partners’ security solutions via application programming interfaces.

    XDR: An Alternative to Complexity 

    Security is far from a greenfield. A “do-over” with one console and architecture that automates the gathering and analysis of endpoint, network, and cloud telemetry would help. But in real life (IRL), new solutions must integrate with legacy ecosystems and greatly reduce complexity while driving better business outcomes. 

    With XDR, security teams can achieve more compelling outcomes by adopting a solution that addresses cybersecurity risk more thoroughly than other existing products such as security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms. 

    XDR helps improve threat detection and response by generating actionable insights without the extensive false positives that undermine many other systems. One recent survey showed that SOC teams typically receive more than 11,000 alerts daily and that analysts spend nearly 70% of their time investigating, triaging, or responding to alerts.[6]

    XDR proponents cite three ways that XDR can reduce complexity for SOC teams:

    • Integrated insight: SIEM is challenging to implement and generates too many false positives. In a cloud-native XDR solution, integrating data from endpoint to cloud can pinpoint a single root cause among multiple systems and enable greater insight into attacks. XDR, in effect, creates a network of security ecosystem inputs. Integrated solutions are necessary because there’s no monolithic approach that is best-of-breed at everything. 
    • Best of all worlds: While SIEM emphasizes detection and SOAR focuses on response, you need both capabilities. SOC teams are generally understaffed and over-tooled. By consolidating and centralizing threat detection, investigation, and response capabilities, XDR addresses a broader range of attacks and produces results faster. But SIEM doesn’t go away entirely; you’ll still need SIEM for log management, data retention, and other forms of compliance monitoring.   
    • Better data for data-driven decisions: According to Accenture, XDR can deliver a zero-trust architecture and help organizations take a “data-centric approach to cybersecurity,” leading to an “enhanced ability to detect and respond to rogue actors” that threaten the enterprise. SOC teams need to expand their visibility into cloud-delivered apps and microservices.[7]

    Cybersecurity Industry Trends Away from Complexity

    For its part, the cybersecurity industry is consolidating, with active mergers and acquisitions among providers of various point security solutions. Leading security vendors are also advancing integration under new collaborations such as the XDR Alliance.

    With Mimecast as a member, the XDR Alliance recently released the Open Source Common Information Model as a collaborative XDR framework that enables easy integration of security tools. Many of the vendors involved are also partners in less formal API alliances, allowing their products to be plugged into each other via APIs and even working together on off-the-shelf integrations of point security solutions. If successful, alliances such as these could untangle some of the complexity in today’s SOC.        

    The Bottom Line

    Are security teams ready to shed unnecessary complexity? The answer is a qualified yes because nobody wants more monitors and applications with redundant capabilities. In their place, an approach such as XDR that can process and analyze every input from endpoint to cloud will reduce the tangle of security software tools that are the bane of security professionals’ daily work. Learn more in our whitepaper, “XDR: What to Know, What to Do Now.”


    [1] “Cyber Resilient Organization Study,” IBM and Ponemon Institute

    [2] “Businesses Suffered 50% More Cyberattack Attempts per Week in 2021,” Dark Reading

    [3] “Forecast Information Security and Risk Management Worldwide, 2020-2026,” Gartner

    [4] “Cybersecurity Budgets Are Wasted By An Overabundance Of Tools,” Saryu Nayyar, in Forbes

    [5] “Cybersecurity Ecosystem,” Cole Grolmus

    [6] “Cutting Through the Noise from Daily Alerts,” Palo Alto Networks, in Threat Post

    [7] “Growing zero trust security with an XDR strategy,” Accenture
