∆DR: A New Cybersecurity Category Built to Close the Gaps XDR Leaves Behind

WhiteDog introduces a new category in cybersecurity: 𝚫DR (Delta Detection & Response)—purpose-built to close the dangerous deltas that XDR and fragmented tools leave behind.

Posted on June 5, 2025

Transcript

Kirstin Burke:

So we always enjoy these monthly livestreams, but this one's special to us. And for any of you, if any of you have either taken a look at our website or LinkedIn, we made a very big announcement today that really isn't even about us. It's about how cybersecurity is built, packaged, sold, used, and we're really doing it to benefit the entire industry. But we really feel like our eight years of business and experience and customer onboardings and just everything has really led to this. A new category. So, Shahin, what's this all about?  

 

Shahin Pirooz:

When we first put the concept of WhiteDog together back in 2016-17, and then when we launched our first services in 2018, from that moment forward, we were always confused with lookalike offerings in the market. When we built our first offering, it was a SOC-as-a-service offering and we kept getting compared to MDR players, and we ended up having to create our own MDR solution so that we can identify if you'd like MDR, we have it. But our SOC is an enterprise grade security operation center with proper threat hunting, threat intelligence, NTA, UEBA, all the bells and whistles that an enterprise SOC would have. There were about 13 technologies in that stack versus an EDR and a SIEM. And we were getting compared to companies with EDR and a SIEM. Over the next couple years, we laid out the roadmap for what would become our XDR portfolio. And that XDR portfolio was really, we didn't know, there was no extended detection and response concept in the market. And then a few years later when Palo Alto announced the concept of XDR and Gartner and Forrester and all the other analysts started grabbing onto it and running with it, we said, you know, the concept of extended, the X part of extended, everything, all data, is exactly what we're marching towards. We align with that. That's what we should call our new offerings going forward. So we launched our extended detection and response offerings well before the rest of the market started coming. And we were very excited about having a new category to focus on and put energy into and something that would articulate what it is. We're doing much better than MDR or SOC. And lo and behold, every single MDR player and EDR player in the market started rebranding as XDR. And all of the single tool solutions out there, SIEM, EDR, or both of those with a little bit more telemetry from network and email, were now XDR players. And it has been a challenge to be able to articulate what we do that is differentiated from that ecosystem.
And we feel that there is a marketing fallacy in the word extended. And, it's become, it became an education that we had to do for our marketplace. Where we ended up was we have to create a new category, we have to be outside of this and truly offer what is really an extended detection and response. The extended detection response solutions that are in the market right now are really more heavily, it's a capital E instead of a capital X because they're more focused on the endpoint. They're not focused on the extended threat landscape and threat vectors. So fast forward to multiple internal sessions and roundtables we had and trying to come up with, what is this new category? What do we call it? What is something that depicts what we actually do and intend to do, and what is it that we think that the market should shift towards? Because to your point earlier, we feel creating this category, just like Palo Alto created XDR, is a way to communicate there has to be a better way. There has to be something different than what we're doing. And it cannot, please, please, Marketplace, please, my partners and ecosystems, do not just rebrand what you do to this new category. Fix it. Let's fix it so that we can secure all of our customers on an equal playing field and have products and technologies that stand out on their own. So I know you're all dying out there. What is this category? So we are launching officially, publicly today, with press releases and all that, our website, LinkedIn, DeltaDR. And the concept of Delta was something that has been part of our DNA as a team for almost 30 years. Most of the WhiteDog team has worked together for almost 30 years now. And we always took this Kaizen or lean Six Sigma approach to the way we looked at operations and productization and all that. And part of the Kaizen life cycle is this notion of a Delta T. 
What are the actuals, how you're operating today, what's the theoretical place you want to be, and what's the delta or the gap between those two things? And that delta is always the 𝚫 Greek symbol. So we had an epiphany as a team that the delta symbol is literally talking about what we're trying to do. We're trying to close the security gaps across the minefield of threat vectors. And we feel that there's five layers of security in our maturity model, starting with email. 93% of attacks start in email. Largest threat vector, it used to be, I'll talk about that in a second. DNS, 80% of malware needs DNS to function. Identity, which is now the largest threat vector. Because those two solutions get the bad actors to identity. 100% of attacks take advantage of an identity to crawl across your network. Endpoint, last layer of defense. By the time they get to the endpoint, that's where they are able to compromise the system, use that system as a bastion host to crawl across the network. And network, which if there is not proper network security and visibility, they're going to crawl across your network and move laterally throughout your systems. So those five layers are what we use for our security maturity model. And if you do not have, and I'm going to call it in air quotes, an "extended detection and response solution" that covers all five vectors, not just with visibility, but detections and response, you don't have a proper security ecosystem. And if you think about what I just said, at a minimum, that's five different technologies. So a single vendor can't solve that problem.  

 

Kirstin Burke:

I'm going to hop in here real quick because as I listened to Shahin talk and he mentioned 30 years and all of the different organizations, really where you've led the technology evolution. And as I'm listening to you talk about this historically, even when we started in 2018 and when we started with the SOC, our SOC wasn't just a SOC, and as we've moved through, whether it be EDR, MDR, XDR, the way that you challenge your team isn't to be just good enough. The way that you challenge your team is really coming from that perspective of an MSP saying, I don't want to be just good enough. Like, I want to be rock solid and I don't want to be surprised. Like, if I'm turning this over to you, I don't want surprises. I don't want to be nickel and dimed. Like, if you're telling me you're doing this, do this. And what was always so amazing working with you and the tech teams that you lead is you're constantly pushing them beyond what's there and beyond what's known. And I think with the threat environment the way that it is, you have to have that perspective. You can't build it and say, good. Or build it and say, well, we'll bolt this on, we'll bolt this on. And what is so cool about what we've done with WhiteDog is there was never a bolt on plan ever. The plan was, we know this is going to have to change, we know this is going to have to be dynamic. And so within that architecture that you guys somehow magically built, this ecosystem moves and changes, integrates, takes out, as the environment changes. And I think what has been so cool with this evolution of DeltaDR is, it's what we planned all along. And, really with this Delta, you know, think of that kind of replacing what that X was supposed to mean, which is whatever, whatever comes our way, whatever threat is, whatever, whatever gap it is. But it really, the X, as you mentioned, has kind of been pushed aside. And it's we'll just bolt on whatever we have to to satisfy the market.
And we're saying, yeah, but satisfying the market doesn't mean a secure market. And so we're so excited about DeltaDR. Because we can honestly look, whether it's analysts, journalists, partners in the face and say, this is the best you're going to get. And not that they're tools we've built, they're commercial tools, but we've tested them, they're tried and true, we've integrated them, they work together. We can support them, we can threat hunt them. This is the best you're going to get.  

 

Shahin Pirooz:

Leading up to this conversation and this launch, we've had conversations with analysts in the industry and the one consistent thing we've heard is that we're struggling with the X in XDR ourselves. This category doesn't seem to be what we intended and expected it to be because there's so many players who are calling themselves XDR. If you went to RSA two years ago, every single booth was XDR. There's not that many XDR solutions in the market. There just isn't. But it's a marketing wave that everybody's trying to jump onto, which is part of, you know, the itch that's been in the back of our heads is this can't be a marketing spin. This has to be real, it has to really solve a problem. And thank you for the compliment, but that's really the way we operate. It wasn't, it's not. We didn't build this thing in response to market demands. We built this thing in response to threat demands. That's the way we look at the world. The threats keep changing the ecosystem of tools in the marketplace, of which there are now 4,500 manufacturers making security tools, only last three to five years at best. So as an enterprise, you have to every three to five years evaluate and change your security stack because they simply can't keep up with the threat landscape. Because the threat landscape changes exponentially faster. Moore's Law in security is getting faster and faster and faster. Dwell time is getting shorter and shorter and shorter. So you have to detect somebody in much less time than you used to be able to. And our entire mission and mantra from the beginning for our operations teams was, our goal is to take six months of dwell time down to six minutes. And we have achieved that for eight years running and we'll continue to strive for that. And six minutes will at some point become too much. We're not there yet. We're still, you know, the average in the industry is around 200 days, which is close to six months.
There are certainly attacks that are much faster than that, but we have consistently been seconds to minutes in detecting dwell time in an environment.  

 

Kirstin Burke:

So we held our first partner council recently, and we wanted to talk to them about this and get their feedback and get their input. And really interesting that they too were struggling with differentiating or really explaining well why, almost why you do so much. And very excited that, obviously we still have MDR, we have XDR, we have those capabilities. But we even have one of our partners who says, I don't even sign on a new customer now without them selecting one of these security choices because the world's just too dangerous for them. And you know, we don't want to have that on us and really we don't want them having it on us. But one of our partners said, you know, this is really going to help us compete better in the market. Talk to us about how DeltaDR, what are the high points of how DeltaDR stands out and for our partner ecosystem, how does it help them differentiate?  

 

Shahin Pirooz:

So let me start with what XDR is in the marketplace and compare to that. So MDR is focused primarily on, it has become synonymous with SOC, which is a SIEM based solution that is collecting telemetry from your environment. Oftentimes it's limited to a firewall and your endpoint tool. But that's fundamentally what MDR is. XDR bolted onto that. Let's take more telemetry. Let's collect from Office 365 so that we can get identity information and email information and DNS information into the stack. XDR was really, the extended was supposed to be, let's extend what we have visibility to so that we can identify an attack chain more clearly. Problem is, none of the tools that they're pulling telemetry from are detection tools. They're just standard ecosystem technologies there. The correlation rules don't really exist and we count on the SIEM manufacturer to create the proper correlation rules to do that. That is one of the key differentiators in our MDR and XDR offering is we write all of our own threat intelligence, all of our own detection rules and correlation rules, and we create chains of detection and correlation that nobody else is doing, which embeds behavior with vulnerabilities. So if we see a bad actor behaving in a certain way, targeting a system with a certain vulnerability that their behavior could take advantage of and exploit, that's a higher level alarm for us instantly. And it doesn't require an analyst having to investigate that level of detail. All SIEMs in the marketplace do. So that's the first layer of differentiation. So let's talk about where we start to pull ourselves apart. Even in our XDR and MDR offerings, we start to add layers of our attack surface management to it. All of those offerings include extended security posture management and internal network security posture management. So we're doing external / internal scans against your domains, your network, trying to find vulnerabilities to pull into what I just described. 
So that we can say based on behavior analysis is somebody targeting a vulnerability, and therefore be able to do faster correlation and reduce dwell time. As we go up in stack in our XDR offering, we start to add things like DNS vulnerability scanning. We start adding DNS detection and response and meaning that is at the endpoint distributed across wherever the endpoints are, not just on the firewall, which most other solutions do. What really differentiates Delta is we've now gone to the next level. We add data security posture management and do detection and response and data encryptions and so on and so forth. We add identity security posture management and are able to scan when a bad actor is doing things that look like they're taking over an identity by creating, effectively honey pots in your Active Directory. We've added the ability to do configuration management of your Active Directory and detect stale or unused accounts that are potential risks for a bad actor to take advantage of. We look for accounts that have too many privileges, that are a risk that a bad actor can take advantage of and get a foothold in your environment and spread. And then we also have layered on top of that additional detection and response functionality. So when we say email security, we're not just pulling logs into, in Delta, we're not just pulling logs in from Office365. We're literally crawling through the inboxes and finding threats and removing them before the user can click on them. This is post gateway security in your inbox, not just a gateway based solution. We have phishing simulation and training that goes far beyond what any of the existing tools in the market are doing. They're AI based that not only identify what the user clicked on and then immediately send them training that says you should not do this, this is a bad idea. Here's why. In micro training we've added that identity detection response I talked about.
And honestly what we've decided is that those five layers of security I talked about before email, DNS, identity, endpoint and network all need not just monitoring and visibility, but they all need detection and response. Delta covers all five layers with detection, deep correlation and response. Let me walk you through a threat chain, an attack chain. Well-crafted email gets sent to a user, that's the first layer. User clicks on a link and goes to a known bad website, or maybe a new website that isn't known bad yet. That's DNS. The account compromise happens right there where the user has to log into what looks like Office365 in order to get the document from the well-crafted phishing email. That's identity. Once they click on the identity, it then routes them into a document that looks like what it was. And they've now also downloaded a malware, which is endpoint. The bad actor now has an endpoint, a target customer, company, an identity within that company, and a bastion system that they can use to spread across the network. If you don't have detection and response across every single one of those layers, how are you going to protect against that very simple attack? You can't.  

 

Kirstin Burke:

What I love about you giving that example, when you are talking about the technology side of things, you're going into Active Directory and DNS and all of these things, in my mind I am thinking, gosh, there might be people out there mistakenly thinking, I don't need all of that, right? I mean, it's a lot of stuff and it's a lot of layers. But when you walk through the simplicity and the extensiveness of the attack, what you just explained could happen to a business of one, a business of 10, an organization of 10,000. Right? It only takes one, one of those emails, one of those things. And so it doesn't matter who you are, it doesn't matter how many people, how much revenue. That scenario you described, open opportunity to anybody. And so this really needed to be a solution that could be consumable by anyone. That it doesn't discriminate between oh, well you can't afford this because you're too small or you don't have enough money. That it really needed to be a solution that our partners could take to market independent of the types of folks that they service.  

 

Shahin Pirooz:

Yes, our largest end customer environment is in the 30 to 50,000 seat range. Our smallest end customer, and these are through partners, is one seat. We scale up and down without any issue. We are now protecting endpoints across 26 countries and six continents and continue to expand and grow. And, I was super excited in our inaugural launch of our partner advisory council. Got a lot of, shared some of the roadmap, what we're doing, what we got a lot of good feedback in terms of what's working and what's not, which we take to heart. A lot of the evolutions and enhancements we've made in our portal and interfaces and partner experience have really come from the voice of the partner and the customer. Hearing those things allows us to innovate even more targeted. But what really got me excited, I shared this with the partner advisory team, was we've for the last eight years been an engineering out solution and that's not really the way we like to operate. We prefer living by the voice of the customer. We did hear and we listened to the voice of the customer over the years but it was really still we heard the thing you don't like, we're going to engineer something to solve it. And this inaugural launch, and we've got a quarterly cadence to our advisory council now, is really intended to allow the partner community to give us direct feedback about yes, you heard us, yes, you did this thing, but that's not what we meant. Here's what we meant. So being able to be very agile in the way we approach solving challenges, problems or needs in the marketplace, we think that we are much better serving the community if we're community led.

 

Kirstin Burke:

Well, and I think, not to digress too much from DeltaDR, but this is kind of a similar vein, but it's coming out around the same time as DeltaDR, which is Open XDR. And open, one of the other things that we heard, obviously our whole portfolio can be consumed as much or as little as you want, right? You don't have to take the whole thing, you don't have to buy everything. But one of the things we heard was well, gosh, what if we want to bring our own tools? And so we were really able to find a way to accommodate that to really answer, you know, some of those needs the partners were having too, which is they may not want to stay on those tools forever, but they're contractually obligated or whatever the situation might be. That we need to give them some kind of security on-ramp to get healthier, to get more secure, to move them in the right trajectory. And so, I think, this first half of 2025 has to your point has really been that transition to, from an engineering-led to a hey, we know what we've built, we know now that we can adapt it the way that we need to. So now let's really be even more responsive than we've been able to be in the past.  

 

Shahin Pirooz:

Yeah, what really led to the Open XDR was actually twofold. It was one, partners who've made those investments you're talking about in their tool ecosystem and they have long term contracts they can't get out of. And it was, well, we can address that problem. We can solve it because what our IP really is, as Kirstin mentioned earlier, is we did not create the engines because we fundamentally decided that a composable stack is the right way to go to market. So we don't have the technical debt that means we have to rewrite our stack every three to five years. We simply have to rip and replace a technology stack that is no longer effective and allow those 4,500 and growing manufacturing partners, OEM partners of ours, to create a better technology, challenge them to be better, challenge them to stay at the head of their game and then bring the best in class tools and technologies as engines under the surface. The surface is our IP. The surface is the platform we've used to integrate all these technologies together so that there is a unique and unified experience in accessing those resources in single sign on, in reporting, in dashboards and our 24 by 7 threat operations which back up everything, the way we approach threat, the way we correlate data, our threat intelligence, our threat hunting. So all of those things and our attack surface management are what we pull together to say, what if we layered that on top of tools we don't own? What if we approach this as let's take all that IP and apply it to the tools that a partner has, or even giving the partner the flexibility to say, even if they have made the decision to use our tools, but they come across a customer, an enterprise that has made those investments and doesn't want to make a change, they can go ahead and put forward Open XDR as their solution for those customers. 
So Open XDR was really this notion of, you know, the world is shifting towards a multi vendor security approach, which we kind of talked about we did in 2016, but never mind. We think we're very much behind this open vendor approach because the open technology stack, the engines, the right thing to do is that there's no single manufacturer in any single category that can solve across multiple categories well. They might solve one category. They might solve endpoint super well, they might solve DNS super well, they might solve email super well. But when you get a vendor, and there's a few out there that have tried to do everything and write it all themselves, they're not good in, let's say they cover the five categories, they're not good in four of the five. They're only potentially good in one. God, I hope they're good in one. Sometimes they're not even good in one. But no names mentioned. Love you all. The reality is if you're creating a system of tools yourselves, you have all this technical debt to deal with. Similarly, this Open XDR movement in the marketplace, because we did not come up with that terminology, that's a marketplace terminology, is this notion that you need to be able to detect and defend across multiple vendors. You can't rely on that one vendor being able to cover all your categories. So it's kind of, I wrote an article a while ago which was the SIEM is dead, it's kind of leaning that way. Open XDR is basically the next evolution of what SIEM ought to be. And it has been the way we have operated from the very beginning, the way we're able to do what we do and accomplish what we do in our multifaceted approach to security has been this concept of Open XDR. Composable stack, multi vendor, integration. And that's what we bring to market in Open XDR and take that up a level and include all the engines and that's Delta.  

 

Kirstin Burke:

Well, and I think you were talking a little bit about, we've talked a lot about the tools that make all of this up. And I think where a lot of these solutions fall down, and where a lot of these organizations get stuck, are the people behind the tools and the process behind the tools. And how do you threat hunt? Do you threat hunt? How do you know what to do? And I would be remiss if I did not mention the outstanding work that our threat hunters do, that our 24x7 SOC does. Whether you're adding that on to the tools you already have, or whether this is a part of the WhiteDog ecosystem that you are part of, what makes this work so well is that team that we've got who, six months to six minutes, all of the things that have been created to help them do what they do so, so, so well. And you just don't find that, or it's very hard to build that on your own.  

 

Shahin Pirooz:

We have 30 years of innovation together, you and I, and that innovation is not what I'm the most proud of. It is always the teams that we've developed that back up those innovations. From the very beginning, starting back in 1999 and moving forward, we have had the fortune of finding amazing people, building amazing standard operating procedures and training programs and boot camps to bring people's skill sets up and level them to a point where they are exceptional in their field. And that is no exception. Today we have got a phenomenal team of threat hunters, operators, tools engineers, software engineers that are creating this tech ecosystem we're talking about. And I could not be more proud of our team. They're some of the best people in the industry, and we would love to share them with you.  

 

Kirstin Burke:

Exactly. You probably can tell there's a lot of great energy around DeltaDR. You might have some questions. We may not have covered everything. And, you know, how does this work with me? Or what does this mean? What about this? We would love to answer questions. So, as always, we open this live stream up to questions, but also offer for you to reach out to any of us here at WhiteDog. And, we'd love to talk about what you've got going on with your partner strategy, what types of environments you're supporting, and how we can come alongside you to help kind of level up that security posture that you're putting out there. So thank you, Shahin. And thank all of you for joining us, and we will see you next month.
