Hi infosec professionals,
What are the main architectural differences between those two technologies? What are the relations between the two of them? Are they complementary?
What does an XDR solution provide that SIEM doesn't and vice versa?
Thanks for sharing your knowledge with the community!
SIEM focuses on correlation and detection, both of known patterns and (with UEBA) of unknown/0-day anomalies.
XDR focuses on blocking, usually only of known patterns (if it's on a threat intel list, block), much like implementing AV at the firewall/network level; not entirely dissimilar to IPS.
Most organizations don't even configure their IDS to block and do IPS.
In my opinion, SIEM/UEBA should be used to detect the threats, confirm multiple indicators and feed SOAR to block them.
Historically pulling in threat intel lists and even alerting on matches has had a high false-positive rate (>66%). Blocking in low-accuracy detection scenarios leads to Denial of Service events.
In the end, both SIEM and XDR are as good or bad as their intelligence and correlation capabilities. Garbage In, Garbage Out.
FWIW I'm in favor of many default blocking policies. Allow by exception only. ITAR and OFAC country lists for instance are easy wins with few false-positive scenarios.
I look at XDR much like a firewall with open-source intelligence lists automatically blocked. Not entirely bad, but without as much detection, correlation, or confirmation ability as I'd like in order to automate threat detection and response.
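The decision logic the answer above argues for (a threat-intel match alone raises an alert, an automated block needs several independent indicators or an explicit default-deny policy), as an added example that is not part of the original post; the event fields, scores, thresholds and list contents are constructed assumptions, not any product's schema.

```python
"""Correlation gate: alert on a lone TI match, block only on confirmation.

Constructed sample data; field names, scores and thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import List

# Constructed threat-intel list (RFC 5737 documentation address) and a
# placeholder default-deny country list standing in for ITAR/OFAC codes.
TI_LIST = {"203.0.113.7"}
BLOCKED_COUNTRIES = {"XX"}


@dataclass
class Event:
    src_ip: str
    user: str
    country: str
    ueba_score: float      # 0.0-1.0 behavioural anomaly score from UEBA
    failed_logins: int     # count in the correlation window


def indicators(ev: Event) -> List[str]:
    """Return the independent indicators that fire for this event."""
    hits = []
    if ev.src_ip in TI_LIST:
        hits.append("ti_match")          # known pattern, high FP on its own
    if ev.ueba_score >= 0.8:
        hits.append("ueba_anomaly")      # behavioural / unknown-threat signal
    if ev.failed_logins >= 10:
        hits.append("brute_force")
    return hits


def decide(ev: Event, min_confirm: int = 2) -> str:
    """Return 'block', 'alert' or 'allow' for an event.

    Policy lists block outright (allow by exception, few false positives).
    Otherwise a block is handed to SOAR only when min_confirm independent
    indicators agree; a single indicator goes to an analyst as an alert,
    so a noisy TI list cannot turn into a self-inflicted denial of service.
    """
    if ev.country in BLOCKED_COUNTRIES:
        return "block"
    hits = indicators(ev)
    if len(hits) >= min_confirm:
        return "block"
    if hits:
        return "alert"
    return "allow"
```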
A SIEM is basically a solution/product that collects all security and syslog data from whatever devices you send to it, to store and help decipher all of that data for your needs, like compliance or forensics.
But it can be very labor-intensive if you do not have a team of people that knows what they are looking for.
XDRs have more AI built into them, and like their cousin EDR, which only looks at the endpoints, XDR (Extended Detection & Response) can also monitor your firewalls and even traffic from your IoT devices.
But you will still need a team to know what they are looking for.
If you don't have a team, you can look at MDR (Managed Detection & Response). MDRs already have a team with the expertise to detect and help you respond, better than trying to figure it out by yourself.
But if you have a team (or plan on building one out), the combination of a SIEM with an XDR solution is a good way to go.
XDR as a solution is still evolving and means different things to different organizations.
Each vendor has a different spin on XDR as they try to win the market and enterprises struggle to figure out what XDR includes and doesn't.
I try to take a simpler approach: XDR stands for Extended Detection and Response, where "extended" refers to more than EDR (endpoint detection and response). XDR is the ability of an EDR solution to do more, or to ingest or provide more detection beyond the endpoint (network or other sources).
Therefore, you will find EDR vendors talking about XDR as well as SIEM providers.
Since the SIEM can manage information and events from sources like an EDR, it can then ingest information and events from other locations beyond the endpoint and provide XDR capabilities.
In many cases today, it is the combination of an EDR tool and a SIEM to provide XDR capabilities.
We see many customers adding NDR (Network Detection and Response) to their EDR environments, with tight integration with the SIEM.
Does EDR + NDR + SIEM equal XDR? In many cases, yes.
Hope the below will be helpful.
Although it's from the vendor, it's a good description of SIEM / SOAR / XDR, etc.
https://www.sentinelone.com/bl...
Hi,
I found this on the SentinelOne website:
"How Is XDR Different From SIEM?
When we talk about XDR, some people think that we are describing a Security Information & Event Management (SIEM) tool in a different way. But XDR and SIEM are two different things.
SIEM collects, aggregates, analyzes, and stores large volumes of log data from across the enterprise. SIEM started its journey with a very broad approach: collecting available log and event data from almost any source across the enterprise to be stored for several use cases. These included governance and compliance, rule-based pattern matching, heuristic/behavioral threat detection like UEBA, and hunting across telemetry sources for IOCs or atomic indicators.
SIEM tools, however, require a lot of fine-tuning and effort to implement. Security teams can also get overwhelmed by the sheer number of alerts that come from a SIEM, causing the SOC to ignore critical alerts. In addition, even though a SIEM captures data from dozens of sources and sensors, it is still a passive analytical tool that issues alerts.
The XDR platform aims to solve the challenges of the SIEM tool for effective detection and response to targeted attacks and includes behavior analysis, threat intelligence, behavior profiling, and analytics."