Microsoft, Palo Alto, CrowdStrike Lead XDR Forrester Wave

Palo Alto Networks Reaches Leaderboard While Trend Micro Falls to Strong Performer
Microsoft remained atop Forrester's XDR provider rankings, while Palo Alto Networks and CrowdStrike climbed into the leaders' space and Trend Micro fell to strong performer.

XDR vendors are increasingly integrating diverse telemetry sources and developing strategies for replacing SIEM products as they work to enhance detection capabilities, streamline user experience and manage costs effectively, said Forrester Principal Analyst Allie Mellen. Vendors now natively support telemetry sources beyond their technological heritage, including data from endpoints, identity, cloud and network.

"When many of the vendors have native telemetry they're supporting, they have total control over it," Mellen told Information Security Media Group. "They know the format that it's going to be in and they can swivel in their chair and talk to the person who's developing it from a product standpoint. So they're able to have a lot more control than they can with third-party telemetry."

Mellen said this expanded support improves the quality of detections as well as the overall effectiveness of XDR technology. Many vendors have developed strategies to offer SIEM alternatives that integrate seamlessly with their XDR platforms, providing a unified analyst experience and managing the costs associated with data storage and management, according to Mellen (see: How Major Acquisitions Are Transforming Security Operations).

"Everyone is looking at their options right now no matter where you are in the market," she said. "Large enterprises are looking at their options for a potential SIEM replacement in part because of the cost associated with the SIEM, which has plagued them for a very long time."

The new XDR Forrester Wave replaced the inaugural one from fall 2021. Trend Micro fell from first to fourth in Forrester's assessment of the strength of its current offering, and Microsoft, Palo Alto Networks and CrowdStrike each moved up a spot to first, second and third places, respectively.

Microsoft received the top score from Forrester for strategy, and CrowdStrike and Palo Alto Networks received the second- and third-highest marks, respectively. Trend Micro and Bitdefender tied for fourth place. In 2021, Microsoft, Trend Micro, CrowdStrike and Bitdefender were all tied for the highest strategy score.

What Sets XDR Leaders Apart

Market leaders such as Microsoft, Palo Alto Networks and CrowdStrike have distinguished themselves with advanced features that improve the overall analyst experience as well as strategic approaches to SIEM replacement, Mellen said. The features developed by market leaders include better visualization and understanding of data, automated response actions, and enhanced threat hunting capabilities.

"The key difference between the leaders and all the other participants in the wave was just these little features that they're able to incorporate into the offering that stand out above the rest," Mellen said. "A lot came back to, 'What is being built into the product that's different from the rest of the market and that improves analyst experience?'"

Mellen said these vendors have developed strategies for managing the costs and complexities associated with data duplication between XDR and SIEM systems. Looking ahead, Mellen said, the XDR market is expected to focus on further developing cloud and identity detection capabilities. As attacks continue to target cloud environments, she said, the need for detection and response will only grow.

"If you are getting data or getting telemetry from one vendor, you don't want them to charge you twice for it," Mellen said. "You don't want them to charge you for it in XDR and then say, 'Hey, we're also going to charge you for it in your SIEM, which we also have for you.'"

Outside of the leaders, here's how Forrester sees the XDR market:

  • Strong Performers: Trend Micro, Bitdefender, SentinelOne
  • Contenders: Cisco, Sophos, Trellix
  • Challengers: Broadcom, Fortinet

Microsoft’s AI-Powered XDR Slashes Attack Response Times

Microsoft invested in technology that predicts and halts attacks in real time, reducing the time needed to recognize and shut down an attack from an average of 72 minutes to just three minutes, said Scott Woodgate, general manager of threat protection. The company's tech disruption capability also shuts down compromised devices and identities, which Woodgate said prevents further spread of the attack.

The company merged XDR and security operations into a single product, helping security teams manage everything without switching between interfaces. By combining the detailed insights of XDR and the broader context provided by a SIEM, Woodgate said, Microsoft's unified security operations platform speeds up information retrieval and provides stronger context for both human analysts and AI systems (see: Microsoft Unveils Services to Simplify Threat Hunting, XDR).

"This attack disruption in real time recognizes an attack in process and shuts it down, limiting the attack surface area," Woodgate told ISMG.

Some reference customers told Forrester that Microsoft's licensing model essentially forces them to adopt the full suite of Microsoft products to benefit from XDR. But Woodgate said that Microsoft offers flexibility and various entry points for customers to scale their usage according to their needs.

"The tangible difference with Microsoft is customers that would have landed in unfortunate situations now have business continuity for the vast percentage of their users," Woodgate said. "The security teams who have experienced that are not excited that they've had an attack but very excited that attack disruption has mitigated it on their behalf."

Palo Alto Networks Boosts XDR With AI, Robust Data Analysis

Substantial investments in artificial intelligence and machine learning have enabled Palo Alto Networks to handle unprecedented amounts of data while reducing the mean time to detect threats, according to Cortex President Shailesh Rao. He said the company integrates and analyzes data from various sources to provide comprehensive protection and leverages its dataset to improve its machine learning models.

Palo Alto Networks has invested in expanding its data analysis capabilities to include more than 200 data sources, further enhancing its ability to protect diverse IT environments, Rao said. The company's focus on integrating third-party data and providing a unified security operations platform has been a key part of its strategy, helping Palo Alto Networks detect a broad range of attack techniques, Rao said (see: Palo Alto CEO: 'SIEM Needs to Be Eliminated and Replaced').

"Our mean time to protect went from one day to about 10 seconds for a dataset that went from 1 billion events a day to 36 billion events," Rao told ISMG. "Imagine being able to increase the amount of data being analyzed by roughly four times. We went from 20 to 80 terabytes in terms of analysis, while bringing down the mean time from one day to 10 seconds. Nothing even close has ever been accomplished in security operations."

Some customers expressed concerns to Forrester about the cost of Palo Alto's XDR technology. Rao acknowledged that the company's high-end analytics and extensive use of AI and machine learning can make its offerings more expensive than those of some competitors. But Rao argued that the value provided by these advanced capabilities justifies the higher price point.

"Our ability to compete has not been at a disadvantage because of our price," Rao said.

CrowdStrike Transitions to LogScale, Bolsters XDR Data Usage

CrowdStrike moved all of its customers from Splunk's back end to its proprietary LogScale platform to enhance its XDR efficiency and capabilities, according to Head of Products Raj Rajamani. The migration enables customers to analyze, correlate and search data more effectively and handle daily volumes of more than 7 petabytes of data. These enhancements boost third-party data source integration and detection rule application.

The company's integration between SIEM and SOAR has streamlined operational workflows, allowing for on-demand triggers and queries, automating follow-up steps and enhancing operational efficiency, he said. CrowdStrike has developed hundreds of connectors for various security services to facilitate seamless data integration and normalization into a semantic data modeling framework, Rajamani said (see: CrowdStrike SIEM Demand Rises Amid Cisco-Splunk, Legacy Woes).

"Our biggest competitive differentiator is that every single customer of ours is now an XDR customer," he told ISMG. "We are also giving customers 10 gigabytes of free ingest every single day because we are very sure about the capabilities of our platform and that they will like it once they start using it."

Despite being recognized primarily as an EDR company, CrowdStrike is expanding its reach and capabilities in the XDR space, according to Rajamani. He said the company's approach to integrating network-based assets and threat intelligence into its platform underscores its commitment to comprehensive cybersecurity solutions.

"We are one of the leading providers of incident response services," Rajamani said. "Anytime we see new or unique tactics, techniques or procedures being used, it immediately finds its way back into a very closed-feedback loop that makes its way into the product."


About the Author

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.