Secureworks CEO on why XDR with ‘full coverage’ is critical


While extended detection and response (XDR) may have become a security industry buzzword of late, an XDR-driven approach that covers the customer’s entire environment actually is the “real answer” for how to make businesses more secure, Secureworks CEO Wendy Thomas said in an interview.

In recent years, Secureworks — a publicly traded firm whose majority shareholder is Dell Technologies — has doubled down on XDR, which the company offers as part of its Taegis platform. On the prevention side, the Taegis platform offers vulnerability detection and response (VDR). 

It’s XDR, however, that has been getting a lot of the attention lately. Numerous analyst firms have been pointing to the potential for detection and response that extends beyond the endpoint, and across a customer’s increasingly complex environment, to prioritize the biggest threats by correlating data from multiple security tools.

While approaches vary by XDR vendor for how to accomplish this, Secureworks has embraced an “open” XDR approach, with a platform that integrates feeds from third-party security tools. That data is then normalized and analyzed, using capabilities that Secureworks has honed through its two decades in cybersecurity, Thomas told VentureBeat. Founded in 1999, Secureworks has been a longtime player in incident response and security operations, she noted.

Beyond the endpoint

While many vendors now claim to offer XDR, the reality is that many of them are focused on the endpoint or network segments of a customer’s environment, Thomas said. To offer “true” XDR, she said, “fundamentally we require full coverage.” Of the events that Secureworks is processing, only about 40% come from endpoints.

Relying on data from endpoints, according to Thomas, is “absolutely insufficient” to give you the full picture. Given the way that an adversary weaves its way through an environment, “you have to have that full visibility in order to detect behavioral movement through an organization,” she said. “That holistic coverage is absolutely fundamental.”

While it’s still relatively early days for XDR, Thomas says the results for Secureworks are promising so far. Two and a half years after launching Taegis, Secureworks has reached $165 million in annual recurring revenue (ARR) and has roughly 1,200 customers for the platform, with a focus on the mid-market, she said. 

Looking ahead, Secureworks has provided guidance that “we’ll grow another $100 million or more in ARR in the year ahead,” Thomas said. “That growth rate continues to be higher than market, at least for publicly available growth rates for XDR peers.”

Fixing security

Ultimately though, while the business opportunity is strong, the underlying reason is that XDR really is a powerful solution for improving security for customers, she said. The security industry “frankly has had a lot of investment, and a lot of customer spend, but not necessarily a reduction in damages from breaches,” Thomas said. “The ultimate goal is to fix this.”

And with its comprehensive XDR approach, spanning the customer’s entire environment, “we do have the real answer,” said Thomas, who was named president and CEO of Secureworks in September 2021, after previously serving as president of customer success at the Atlanta-based company.

Thomas had also earlier spent two years as chief product officer at Secureworks, in which she played a key role in establishing the direction for the Taegis platform.

“We stepped aside and developed this strategy and this vision, and invested heavily in building this platform — because we actually think it’s the right answer for customers to be secure,” she said.

What follows is an edited portion of the interview with Thomas.

How did Secureworks come to focus on XDR?

In terms of the journey to XDR, when this started five years ago, we called it TDR — threat detection and response. But industry parlance has come around to extended detection and response. Shortly after the IPO, we stepped back and realized that we needed a different approach to running really scaled and speedy detections, investigations and response capability. Because it’s that time between finding something and being able to remediate it that you reduce the risk of actual damage from a breach. And we saw the need for a different approach to the technology to make that happen. So we started a startup within the company [to develop this platform].

What informed the way you went about developing this platform?

We had a few fundamental principles that came from having been in the space as a security operations provider for a long time. One is that we needed to really [use] data science [as much as possible] to reduce the noise of detections. For us that meant, fundamentally we require full coverage. This is one of the most core things about the XDR debate in the marketplace. Of our events that we’re processing, only about 40% of those are from endpoints. That’s very important. [Endpoint is] absolutely insufficient on the whole to give you [the full] picture. Especially the way that an adversary weaves through an environment, you have to have that full visibility in order to detect behavioral movement through an organization. That holistic coverage is absolutely fundamental and that’s principle No. 1. 

The second one is that we’re a big believer in the importance of the service side. On the one hand, we do over 1,400 incident response engagements a year. And taking that learning about the adversary — not just proactive threat research, but actual experience — and turning that into detection capabilities in the platform is incredibly important. And that direct learning, rather than buying third-party threat intelligence, is fundamentally important. 

Another piece that’s important — from being in the fight with customers every day — is the automated playbooks for both investigation and response capabilities. Making those calls more automated gets you speed to remediation, but it also has to be something that customers really trust that you’re automating the right things. 

The platform is also cloud-native, and [the] code is from scratch — so we’re not trying to cobble together a bunch of different pieces of the pie. The data lake is holistic, the detections run across that data lake. And our experience — having worked with all these different point products for 20 years — means that the way that we tag and normalize that telemetry, so that detections can work across those, is really a fundamental differentiator from someone who comes at it from a network-only or an endpoint [background].
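The tag-and-normalize idea Thomas describes above, as an added example that is not Secureworks or Taegis code: three constructed telemetry records in vendor-specific shapes (an endpoint agent, a firewall, and a directory service) are mapped onto one common schema with tags, and a single detection looks for a behavioral sequence that spans all three sources on one host. Run over the endpoint events alone, the same detection is silent, which is the "full coverage" point made earlier in the interview. The field names, the chain definition, the time window and the sample records are all assumptions made for this illustration.

```python
"""Added example: normalize heterogeneous telemetry into one schema, then run a
cross-source behavioral detection over it. Not vendor code; all shapes assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Event:
    ts: datetime
    source: str            # "endpoint" | "firewall" | "directory"
    host: str              # normalized to upper case so sources agree on identity
    user: Optional[str]
    action: str            # vendor-neutral verb
    tags: frozenset = frozenset()


# Constructed raw records, each in a different (assumed) vendor shape.
# The firewall "src" is assumed to have been resolved to a hostname upstream.
RAW_EVENTS = [
    {"kind": "ad", "time": "2022-06-01T09:59:50", "computer": "ws-042", "user": "alice", "logon_type": 10},
    {"kind": "edr", "time": "2022-06-01T10:00:05", "hostname": "WS-042", "account": "alice", "image": "PowerShell.exe"},
    {"kind": "fw", "time": "2022-06-01T10:00:20", "src": "ws-042", "dst": "203.0.113.7", "bytes": 5_000_000},
    {"kind": "ad", "time": "2022-06-01T10:04:30", "computer": "WS-007", "user": "bob", "logon_type": 2},
    {"kind": "edr", "time": "2022-06-01T10:05:00", "hostname": "WS-007", "account": "bob", "image": "powershell.exe"},
    {"kind": "fw", "time": "2022-06-01T10:05:10", "src": "WS-007", "dst": "198.51.100.9", "bytes": 800},
]


def normalize(raw: dict) -> Event:
    """Map one vendor-specific record onto the common schema and tag it."""
    kind = raw["kind"]
    ts = datetime.fromisoformat(raw["time"])
    if kind == "edr":
        return Event(ts, "endpoint", raw["hostname"].upper(), raw["account"],
                     "process_start", frozenset({"execution", raw["image"].lower()}))
    if kind == "fw":
        tags = {"network"}
        if raw["bytes"] > 1_000_000:          # assumed threshold for a large transfer
            tags.add("large_outbound")
        return Event(ts, "firewall", raw["src"].upper(), None, "connection", frozenset(tags))
    if kind == "ad":
        tags = {"authentication"}
        if raw["logon_type"] == 10:           # Windows logon type 10 is RemoteInteractive
            tags.add("remote_logon")
        return Event(ts, "directory", raw["computer"].upper(), raw["user"], "logon", frozenset(tags))
    raise ValueError(f"unknown source kind: {kind}")


# One detection expressed against the normalized schema: each step names the
# source it must come from, so the rule cannot fire without all three feeds.
CHAIN = [("directory", "remote_logon"), ("endpoint", "execution"), ("firewall", "large_outbound")]


def detect_chain(events, window: timedelta = timedelta(minutes=10)):
    """Return one alert per host on which CHAIN occurs, in order, inside `window`."""
    by_host: dict = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)

    alerts = []
    for host, evs in by_host.items():
        step, start = 0, None
        for e in evs:
            src, tag = CHAIN[step]
            if e.source != src or tag not in e.tags:
                continue
            if step > 0 and e.ts - start > window:
                step, start = 0, None      # sequence went stale; start over
                continue
            if step == 0:
                start = e.ts
            step += 1
            if step == len(CHAIN):
                alerts.append({"host": host, "start": start, "end": e.ts,
                               "sources": [s for s, _ in CHAIN]})
                step, start = 0, None
    return alerts


def alerts_for(sources=("endpoint", "firewall", "directory")):
    """Run the detection with only the named feeds ingested (a coverage experiment)."""
    events = [normalize(r) for r in RAW_EVENTS]
    return detect_chain([e for e in events if e.source in sources])


if __name__ == "__main__":
    print("all sources:", alerts_for())
    print("endpoint only:", alerts_for(("endpoint",)))
```

Because the rule is written against the normalized `source` and `tags` fields rather than any vendor's raw format, a new feed only needs a `normalize` branch for its detections to take part; and because the chain requires three distinct sources, the `endpoint only` run returns nothing even though the PowerShell execution on WS-042 is still visible to it.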

Could you say a little more on how your XDR platform is differentiated from others on the market?

It’s really the speed and depth of detections — with a lot less noise — and the automation of investigations and hunting, which we think is a fundamental thing. So proactive hunting is included in our offering. Automated response to speed that time to remediation. And then all of the scale that that enables for security teams. For customers, it’s really fundamental — “show me you’re reducing my risk, help me navigate the shortage of security talent that’s out there. And help me make sure I optimize my current security investments, now and over time.” We absolutely have the capabilities for them to replace certain standalone point products with features and capabilities in the platform. But we’re not forcing that — we’re not forcing a rip and replace. It’s really important in terms of risk reduction and risk management for a CISO, to be more in control of that journey.

Do you feel you’re more focused on this “open” approach to XDR than some other vendors?

We absolutely are. Certainly the way they’ve started has been more of a single-stack approach. That’s certainly easier understood. Some now are starting to talk about being more open, but it is not a small thing to understand the myriad leading point products — from firewalls, to endpoints, to email, to Active Directory, you name it — to understand all of those systems, and be able to write detections across those based on an understanding of adversary behavior. So just deciding that you’re going to start to bring in all that data, doesn’t actually make it information that’s useful.

How long have you been able to do this — bring in data for third-party security products?

That was our approach from the beginning — because we had that history of ingesting that telemetry into a platform before that was primarily detection focused. It’s our Counter Threat Platform or CTP. So that underlying design principle and knowledge base, as we architected the Taegis platform, started with that. That was one of those fundamental guiding principles that we started with.

Would you say that XDR is your lead focus now?

The Taegis platform is our lead focus. It really has two main software products, and then a selection of different wrappers around that. One is XDR — the extended detection and response. And the other is VDR — vulnerability detection and response. If you think about the key fundamentals of an effective security program, the ability to optimize your vulnerability management side, for prevention — and to then have in place full detection and response capabilities, when prevention falls short — having those two together is the absolute fundamental required for a security program.

There’s also a virtuous cycle there — in terms of the threat intelligence that comes from the XDR side, and what it is that gets exploited — and the prioritization engine on the prevention side.

In the past you’ve described your platform as the “first true XDR solution” — perhaps you’ve already touched on it, but what capabilities are you referring to there?

It is that full coverage of the environment. So it’s not just endpoint-centric or network-centric, or single vendor stack-centric. I do view that as [a prerequisite for] XDR. No. 2, it has been natively built, end-to-end, in terms of the detection and automation and hunting capabilities. So all of the playbooks around investigation, automation, response and proactive threat hunting — it’s all incorporated into the platform, built natively by Secureworks. There are not a lot of players with both that XDR capability and 20 years of incident response and security operations experience.

How would you describe the momentum you’re seeing for Taegis, in terms of adoption?

We launched Taegis about two and a half years ago. And in two and a half years, we’ve hit $165 million in ARR and about 1,200 Taegis customers. So the growth rate is really a testament to customer adoption. And one of the things that we shared externally [during the latest] earnings is because we’ve seen very good product-market fit, we’re starting to get some third-party industry recognition as the secular recognition of XDR is taking hold. Conversations today are a lot different than they were two years ago, about what the heck XDR is. And because when we’re in proof of concept situations, our win rates are quite high — we’re going to make some targeted investments in marketing this year, in order to get ourselves in as many of those demonstration opportunities as possible. Because we have a lot of confidence in the product, and it’s really now about positioning ourselves to be in the conversation.

Do you feel you were ahead of the curve on XDR?

We say we had XDR before XDR was a thing. We absolutely were on that leading edge. And even with the announcements now [from other vendors] — because it’s become a bit of a buzzword — just calling EDR XDR, because you’ve got some network log storage, it’s truly not the same thing as that centralized, normalized data lake that you’re able to run behavioral detections across, based on understanding of the kill chain.

What do you foresee in terms of the pace of adoption for your XDR platform going forward?

We definitely see growing traction in the base. We provided guidance that we’ll grow another $100 million or more in ARR in the year ahead. That growth rate continues to be higher than market, at least for publicly available growth rates for XDR peers. So we’ve been the fastest-growing this past quarter, both in terms of customer count, and in ARR growth. And that’s something that we think speaks to the efficacy of the product — with marketing spend that’s half of our peers in the space, if not less. So that [adoption] can only be helped by marketing spend that gets us in more conversations.

Do you see your XDR platform displacing existing tools used by customers?

For the XDR market, the real opportunity for us is to start by working with what’s in the customer’s environment — but show them the opportunity and the efficacy to reduce their total cost of ownership, by replacing individual products with a feature or capability of the platform. So we certainly see SIEM use cases increasingly being covered by the platform. I think compliance reporting, that’s a pretty wide field, so there’s always opportunity to add to the capabilities there for folks to have that in an automated way. And in terms of the log retention and those other types of capabilities, we absolutely can do what a SIEM can do — but we’re going to be the ones writing all of the detections for you in real-time, all of the automation playbooks, and more that you can’t get with that.

The other piece is that part of the reason EDR players are starting to claim XDR, is that XDR absolutely covers all the use cases for endpoint detection, response and prevention. So we have AV capabilities if you want to check that box — an endpoint agent that’s proprietary that can serve the detection and response capabilities. So over time, our view is that there’s a great opportunity to continue to advance share of wallet. And then as the underlying technologies that we’re looking to secure evolve and expand, we simply make sure that our capabilities for detection and response — across those evolving technologies — continue to keep pace. For us, it’s all about relevant detections, rapid deployment of those and automating more and more of the hunting and response capabilities.

What sort of demand do you see for your managed XDR offering?

Where we play, we solidly target the mid-market, maybe the top end of the smaller commercial market and the lower end of enterprise. And so in those cases, there’s some degree of services that that segment of the market typically wants and needs. Now for us, we work with a lot of MSSP partners now, who use the platform to provide those services. But this is definitely a market of great demand. Unfortunately, that is a market that is now solidly targeted, especially by ransomware players — where a few years ago, they might have not necessarily been the kind of targets that large banks or large retail institutions would be. So they absolutely need a higher level of security. They don’t have the ability to recruit and retain the level of security expertise that they need in-house. And frankly, it really doesn’t make sense from a total cost of ownership perspective. So using the automation and the capabilities of the platform, combined with services provided by partners, is what we see makes most sense for the market.

I’ve heard an analyst say that Secureworks might be a candidate for an acquisition — could you see any advantages in that?

We certainly have the cash on the balance sheet, and the ownership structure, where we have the resources that we need to grow the business. And so on that front, we’re confident we can continue to grow well in the market, without some kind of inorganic acquisition of us. On the opposite side of the house, we [continue] looking for acquisition opportunities. We did one in September of 2020 around the vulnerabilities space. And we’ll continue to do that at valuations that are reasonable, which has not been easy to find in this market. Who knows what’s coming ahead. But strategic alliances and partnerships, for us, increasingly start to make sense as a way of accelerating growth, without necessarily doing a capital structure transaction. Now, those tend to lead to other things sometimes. But we’ve got two good vectors of scaling and growth without necessarily having to do inorganic things.

Overall, how would you summarize the opportunity you see ahead in XDR?

The most important thing, fundamentally, is that we stepped aside and developed this strategy and this vision, and invested heavily in building this platform — because we actually think it’s the right answer for customers to be secure. [We believe this can] turn the tide of an industry that frankly has had a lot of investment, and a lot of customer spend, but not necessarily a reduction in damages from breaches. The ultimate goal is to fix this. We think this is the absolute right answer, based on 20 years of experience in this space. And the fact that it’s a great market opportunity for our business as well. So long as we stay focused on those customer outcomes, the business will grow very nicely.
