XDR and SIEM: An Alphabet Soup that Takes Cybersecurity to New Levels

January 12, 2026

by Jeanne Zepp

Security Operations Centers (SOCs) exist to detect and mitigate cyber threats. The sheer scope of data, systems, and devices that analysts must monitor — and the decisioning involved in determining whether a true threat exists — is creating an essential need for technology such as XDR and SIEM.

Let’s first unpack these two acronyms.

  • XDR stands for Extended Detection and Response. It is a powerful real-time solution, perhaps better described as an integrated platform that employs multiple tools and source data to enhance threat detection. It delivers a comprehensive view of an organization’s IT ecosystem.
  • SIEM, or Security Information and Event Management, also delivers real-time threat monitoring and analysis capabilities. It comprises two subparts: SIM (Security Information Management) and SEM (Security Event Management). More on this solution and its components later.

XDR

The power of XDR lies in its capability to not just collect security data but also correlate data from many sources (e.g., applications, devices, servers, cloud environments, and networks) in the IT environment. XDR’s centralized dashboard provides analysts a comprehensive, integrated view of the threat environment, simplifying and hastening incident monitoring, analysis, and response. Beyond automating threat detection, XDR can automate threat response. For example, it can isolate an infected endpoint without human intervention.

SOCs that incorporate XDR can:

  • Enhance the speed with which they detect and respond to threats. Speed helps limit exposure and potential damage.
  • Minimize false positives and analyst workload.
  • Offer untold efficiencies derived from a single dashboard view of an organization’s IT environment.
  • Enable enhanced collaboration among SOC staff members.
  • Perform root cause analysis.

Many firms offer XDR solutions, including:

  1. Cortex XDR
  2. Falcon Insight XDR
  3. Microsoft Sentinel
  4. Trend Micro XDR
  5. MVISION XDR
  6. FortiXDR

Organizational size and needs will guide XDR solution selection, as will the ability to integrate with current operating solutions. Other factors to consider include the operating environment (cloud versus on-site) and planned growth.

SIEM

SIEM also collects and stores wide-ranging security data in a centralized location, allowing cyber analysts to monitor, identify, and analyze anomalies. As mentioned previously, SIEM comprises a SIM component and a SEM component. The former compiles security data, creates logs, and manages those logs. The latter relies on pattern analysis, machine learning, and even behavioral analytics to determine whether an event corresponds to a threat.

SIEM’s dashboard functionality allows SOC teams to visualize incidents in a comprehensive way and create meaningful reports. Its systems readily identify patterns and correlations that a human analyst might not recognize. Plus, its preconfigured rules, machine learning, and behavioral analytics capabilities, alone or in conjunction with threat intelligence feeds, enhance detection. An alert function operates in real time, enabling immediate focus on threats in a prioritized way.
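To make the SIM/SEM split and the rule-based correlation described above concrete, here is an added example (not code from the original post or from any vendor named here): a minimal pipeline that normalizes constructed log lines from two sources into one schema (the SIM step), then applies a preconfigured correlation rule and prioritizes the resulting alert using a second source (the SEM step). The log formats, rule name, threshold and window are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two sources: an SSH auth log and a firewall log.
RAW_EVENTS = [
    ("auth", "2026-01-12T08:00:01 sshd: Failed password for admin from 203.0.113.7"),
    ("auth", "2026-01-12T08:00:05 sshd: Failed password for admin from 203.0.113.7"),
    ("auth", "2026-01-12T08:00:09 sshd: Failed password for admin from 203.0.113.7"),
    ("auth", "2026-01-12T08:00:15 sshd: Accepted password for admin from 203.0.113.7"),
    ("fw",   "2026-01-12T08:00:40 DENY src=203.0.113.7 dst=10.0.0.5 dport=445"),
    ("auth", "2026-01-12T08:01:00 sshd: Failed password for bob from 198.51.100.3"),
    ("fw",   "2026-01-12T08:01:30 garbage line that does not parse"),
]
# Assumed line formats for the two constructed sources.
AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")

def normalize(source, line):
    """SIM step: parse one raw line into a common schema; None if it does not parse."""
    if source == "auth" and (m := AUTH_RE.match(line)):
        ts, outcome, user, src = m.groups()
        action = "login_failure" if outcome == "Failed" else "login_success"
        return {"ts": datetime.fromisoformat(ts), "src": src, "user": user, "action": action}
    if source == "fw" and (m := FW_RE.match(line)):
        ts, verdict, src, dst, dport = m.groups()
        return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                "action": "fw_" + verdict.lower(), "dport": int(dport)}
    return None

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """SEM step: alert when one source IP logs >= threshold failures and then a success
    inside the window; a firewall DENY from that IP soon after the login raises severity."""
    events = sorted(events, key=lambda e: e["ts"])
    failures, alerts = defaultdict(list), []
    for e in events:
        src = e["src"]
        if e["action"] == "login_failure":
            failures[src].append(e["ts"])
        elif e["action"] == "login_success":
            recent = [t for t in failures.pop(src, []) if e["ts"] - t <= window]
            if len(recent) < threshold:
                continue
            denies = [f for f in events if f["action"] == "fw_deny" and f["src"] == src
                      and timedelta(0) <= f["ts"] - e["ts"] <= window]
            alerts.append({"rule": "brute_force_then_success", "src": src, "user": e["user"],
                           "failures": len(recent), "post_login_denies": len(denies),
                           "severity": "critical" if denies else "high"})
    return alerts

def run_pipeline(raw=RAW_EVENTS):
    # Full SIM -> SEM pass; unparsable lines are dropped rather than crashing the run.
    events = [ev for source, line in raw if (ev := normalize(source, line)) is not None]
    return correlate(events)
```

Running `run_pipeline()` on the constructed lines yields one alert for 203.0.113.7 at severity "critical", while the lone failure from 198.51.100.3 stays below the threshold and produces nothing.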

SIEM’s historical data collection capabilities facilitate forensics, offering insight into an attack’s scope and source as well as suggesting ways to enhance future attack detection. Its logs provide a detailed look at the entire network at any given point in time.

Last, but not least, SIEM systems offer organizations a ready compliance mechanism through their logs, reporting capabilities, and data retention policies. These systems are responsive to the Federal Information Security Modernization Act (FISMA) and the General Data Protection Regulation (GDPR), among many other standards.

SIEM solutions to consider include:

  1. Splunk
  2. IBM QRadar
  3. ArcSight
  4. LogRhythm
  5. Elastic SIEM
  6. SolarWinds Security Event Manager
  7. Microsoft Sentinel

Comparing XDR to SIEM

Scope and functionality separate the two platforms. Organizations should consider their objective(s) when deciding which platform is right for them. If compliance is paramount, along with log creation and pattern recognition, SIEM may be the better choice. If fast threat recognition and response is primary, XDR’s advanced detection capabilities, incident orchestration, and automated response features may influence decisioning.