EDR pioneer Cybereason expands into XDR

Cybereason becomes the latest entry in 2020’s rush of XDR solutions, with some capabilities that they believe set them ahead not only of traditional security, but also of their XDR competitors.

Cybereason, which began operations doing what would eventually become known as EDR [Endpoint Detection and Response] in 2012, has announced their expansion into XDR [Extended Detection and Response] with the availability of Cybereason XDR. While 2020 has already seen multiple vendors enter the XDR space, many of them larger players, Cybereason sees positive differentiation as an open, best-of-breed player that is not part of a larger platform.

Cybereason was founded in 2012 by three veterans of the Israel cybersecurity defence establishment who believed that the commercial cybersecurity world was far from catching up with something like Stuxnet, which in 2010 was used against the Iranian nuclear program.

“We considered the commercial world’s entire defense paradigm was wrong,” said Yonatan Striem-Amit, Cybereason’s CTO and one of the co-founders. “They didn’t understand what hacking really is. Anti-virus doesn’t help manage complex cyberattacks. This led to a need to talk about a cyberattack as a process, which is much more complex than getting malware on an endpoint. It is a very long and complex process, that remains much the same today as in 2012.

“The main reason for founding Cybereason was making sure every single step the hackers have to execute after they get in collapses,” Striem-Amit stated. “No one then had the data and analytics for this, so we decided to build it. When we started the company there was no name for the concept, which became known as EDR, and involved bringing massive amounts of data, collecting it and analyzing it.”

Striem-Amit said that their concept of XDR involves ingesting data from an even broader range of security controls than EDR in order to break down siloes where analysts use separate tools on each type of asset — endpoint, cloud, mobile and cloud identities. Those siloes make it easier for attackers to hide in the seams.

“We are now launching our XDR, to interact with more data,” Striem-Amit stated. “In this siloed environment, piecing together Malop [Malicious Operation] becomes difficult for analysts. The only way they can fight back is if we piece things together for the user so they can see what happened, and how it happened and how you make it go away. They can look at the attack as a Malop, one whole entity, and see how one silo impacts the rest of your environment.

“Our purpose with this is to end cyber attacks, to stop attacks across all siloes with one click,” Striem-Amit stressed. “XDR lets you make sure that you don’t miss things.”

Cybereason is not the first vendor to bring XDR to the market, and whether through acquisition of startups or internal development, much larger companies like Palo Alto Networks and McAfee, which position their XDR as part of a broader platform, are already there. Striem-Amit emphasized, however, that Cybereason is in a position to successfully differentiate.

“You have companies who have a suite of solutions making an XDR product for it, and you have others like us which say XDR is about openness, where you don’t have to buy everything from me,” he said. “You just need one cohesive data plane where everything is talking in the same language. You don’t need to buy everything from a single vendor.”

Striem-Amit stressed that an open XDR system is better able to deliver the extreme efficiency the technology offers.

“The proof is in the pudding,” he said. “XDR is best of breed, so operational overhead becomes critical. The ability to customize to user need while using analytics to drive value becomes a very easy way to visualize why an open approach is a better solution. If you look at the metrics of customers using XDR, the numbers speak for themselves. There is a 308% ROI just on savings of labour.” It also lets Level One and Level Two analysts perform with Level Three proficiency.

Cybereason goes to market today entirely through channel partners.

“We sell purely through partners, and don’t do direct,” Striem-Amit said. “Partners account for 98% of our deals. The rest is legacy. We have a lot of multiple strategic partnerships across VARs, MSSPs and distributors.”

Striem-Amit said that many partners understand that it makes more sense to bring in a vendor product for this than to use a Do-it-Yourself strategy.

“I see extensive shifts from a mindset that we can do it on their own,” he indicated. “We have multiple partners building MSSP practices where we generate efficiencies that are really impressive. On the endpoint side they have a ratio of 1 analyst to 200,000 endpoints. That’s easy to manage at scale and provide premium service.”

Strategic vendor relationships are also a significant part of the Go-to-Market strategy.

“We have technology partners as well as solution provider partners who use us on their back end,” Striem-Amit said. “There’s a large network of these. This allows us to get to their customers.”