SIEM, SOAR and XDR: Data-based Approaches to IT Security
SIEM, SOAR, and XDR: Data-based Approaches to IT Security
The IT world is full of acronyms and initialisms, particularly in the area of IT security. Among the most talked-about lately: SIEM ─ security information and event management, SOAR ─ security orchestration and response, and XDR ─ extended detection and response.
There’s a good reason these three types of security products are being frequently discussed. They represent options for proactively combatting cyber threats. They’re also the focus of some of US Signal’s recent and upcoming Beers with Engineers (BWE) sessions. If you haven’t or can’t make it to a BWE event on XDR, you can watch one of the previous sessions here.
SIEM, SOAR, and XDR are important topics because combatting cyber threats continues to be a significant challenge for IT teams ─ and the source of potential disaster for many organizations. These product types all collect and analyze security event data for the purpose of threat detection and response. They also have a shared goal of helping security teams reduce alert fatigue and streamline incident response processes.
While they offer complementary capabilities and can be used together, they each operate differently and yield different end results. One of the key differences between them is how they handle event alerts.
COMING SOON: XDR from US Signal
What is SIEM?
SIEM solutions collect and aggregate security-event data from firewalls, network appliances, intrusion detection systems, and other tools to generate huge volumes of event-related data. They then categorize and analyze the incidents and events, often using machine learning (ML) and analytics software.
Log data is examined for patterns that could indicate a cyberattack. The SIEM solution next correlates event information between devices to identify potentially anomalous activity. From there, an alert is issued. A key feature of SIEM solutions is data retention and report automation for the purposes of governance and compliance. They provide organizations with the ability to collect data, safeguard its storage, and automate the creation of regulatory reports to ensure company, industry, and government compliance.
Among the problems with these solutions is that before log data is processed by a SIEM, it goes through a series of hand-offs between data aggregation tools. The SIEM solution then runs the analytics and creates an event that requires a response. This all makes threat detection and incident response slower and more expensive than they should be because SIEM isn’t built to respond to incidents.
In addition, SIEM systems generate a large volume of alerts that security teams often don’t have time to deal with, which means that many get ignored. SIEM tools also often require tuning to continually understand and differentiate between normal and anomalous activity. This takes up IT time that could instead be used for triaging the constant influx of security event data.
What is SOAR?
SOAR systems take things a step further than SIEM solutions. They were developed with the goal of speeding up remediation and only escalating threats when human intervention was required.
A SOAR solution works by gathering security alert data from multiple sources, such as threat intelligent feeds on the latest attack signatures and phishing emails. The information is placed in a single location where it can be researched and assessed.
SOAR solutions include multiple playbooks in response to specific threats. Each step in a playbook can be automated or set for one-click execution directly from within the platform, including interaction with third-party products for comprehensive integration. All of an organization’s security tools, systems, and applications are integrated, enabling the IT team to automate incident response workflows.
By automating and orchestrating time-consuming, manual tasks, IT security teams can accelerate their response times and better use their specialized skills. The result is a faster mean time to detect (MTTD) and mean time to respond (MTTR), reduced dwell time, and greater preparedness. Of course, this requires integration with other security tools, and teams still must set playbooks, custom alert levels, and response measures.
Collaboration and Commonalities
SIEM and SOAR can be used together. The SIEM solution detects potential security incidents and triggers the alerts; the SOAR solution responds to the alerts, triages the data, and takes remediation steps, as necessary. Some vendors include SOAR features in their SIEM solutions to better compete with standalone SOAR tools. Unfortunately, maintaining visibility across an entire network remains a problem for security teams as IT infrastructures and applications expand.
However, both SIEM and SOAR solutions typically rely on siloed, sometimes proprietary security products. This can lead to alerts based on incomplete or poorly correlated information, often causing unnecessary disruption to systems and users.
What is XDR
Among the latest developments in proactive threat detection and incident response is XDR ─ extended detection and response. Delivered as software-as-a-service (SaaS), XDR is a security monitoring platform that provides deeper visibility for organizations across multiple security layers.
The idea behind XDR solutions is to provide a centralized incident detection and response capability with comprehensive monitoring across the entire attack surface. It’s considered an extension or evolution of endpoint detection and response (EDR) because it extends EDR capabilities beyond the endpoint to an organization’s cloud workloads, applications, and user identities, and across the entire network itself.
XDR solutions work by collecting telemetry from all parts of an organization’s infrastructure, giving IT security teams greater visibility into what’s going on. Unlike SIEM and SOAR solutions, XDR solutions make that telemetry highly actionable. Integrating investigative tools, behavioral analytics, and automated remediation, they deliver the required context and correlations rather than just alerting on uncorrelated network activity.
From a single console, IT security teams can view and act on hidden and advanced threats, and automate complex, multi-step responses across their security technology stacks. As a result, an XDR solution can improve threat visibility, accelerate security operations, reduce total cost of ownership (TCO) and reduce IT security staffing burdens.
The downside to XDR is that it doesn’t have the log management, retention, and compliance capabilities of SIEM. As such, it’s critical to find an XDR platform that can integrate with existing security controls or has an open architecture.
XDR vs SIEM and SOAR
XDR isn’t meant to replace SIEM or SOAR. In the case of SIEM, SIEM has use cases beyond threat detection, including the aforementioned log management, retention, and compliance. While an XDR solution can often serve threat-centric use cases, replacing SIEM in that way, a company may still have other needs for a SIEM solution. Some SIEM tools do offer XDR capabilities, but they’re typically add-ons or plugins that require configuring and tuning.
In regard to SOAR solutions, these products have capabilities that XDR solutions don’t. For example, SOAR solutions offer valuable orchestration capabilities that help IT security teams optimize resources and prioritize activities. XDR solutions may not have these capabilities, making it advisable to maintain an existing SOAR system and integrate it with XDR.
In addition, SOAR platforms employ use-case-based playbooks that orchestrate response actions across the environment, assign tasks to personnel, and incorporate user inputs to augment automated actions. XDR solutions typically lack this capability (although dealing with SOAR playbooks etc., requires time and a certain level of expertise that in-house staff may not possess). Instead, they automate single actions in response to the analysis of incoming data. That’s one of the reasons many XDR vendors include separate SOAR solutions in their offerings.
A More In-depth Security Approach
There’s still no single IT security solution that solves all threat detection and response issues. Every solution category – SIEM, SOAR, and XDR – has its own advantages and disadvantages. Each organization must assess its own security resources and needs, and do due diligence when considering security options.
One thing is for sure, however. When used closely together, SIEM, SOAR, and XDR solutions can deliver more comprehensive security insights and help accelerate incident responses. That in turn can better help organizations avoid cyber threats or mitigate any damage if one should be successful.
Make sure to catch the overview of XDR provided by experts from US Signal and Acronis at a recent BWE event here, including their thoughts on the most important attributes of XDR and what organizations should be doing now to start an XDR implementation. You can also find information on upcoming BWE events here.