Simplifying SIEM, EDR, XDR & SOAR

Author: Jeroen Dubbelman from Bitrate (PTY) LTD

There is much hype around these acronyms within the market today and I think the frustration for most large enterprises is the contradictory information you find when searching the internet. It is like trying to diagnose your own medical condition and getting scared out of your wits with the different ailments you may have!

It’s ironic that when you search for these acronyms you get overloaded with information! You have to delve into it and “try” to make sense of it. Similarly, it is interesting that these acronyms exist because they have data-overload of cyber-security events in common.

I have done my own investigation and have realized that many opinions are published based on a vendor, manufacturer or service provider furthering their own agenda. I believe a neutral perspective should be offered.

Why are these solutions important today? The best way to answer this is to go back 25 to 30 years. We hardly heard about an enterprise breach back then.  When we did hear about an event it was big news! Today, it can still be big news but it happens so regularly we have become immune to it.

There is an exponential rise in threats every year. Years ago it was a “script-kiddie” wanting to prove he or she could gain access into an enterprise or government network. Today we are dealing with high stakes “organized criminal” activities by different types of bad actors with differing objectives. It is big business!

We also have to include “Nation State” attacks into the mix as there are countries that are providing funds to create cyber-weapons. Some argue it is for “defense” reasons but in war there is always “collateral damage”. This can be you or your organization! Make no mistake, “cyber war” is happening all around us.

What is concerning is that there are more focused bad actors than there are focused defenders of our cyber environments. Attackers often use the very same tools initially designed to asses and defend our organizations environments, for their malicious or criminal intentions. Enterprises use machine learning(ML) or artificial intelligence(AI) for defense but bad actors are building the same capabilities into their attack tools. This in turn increases the complexity and the number of threats an enterprise is exposed to.

These are some of the cyber security challenges organizations experience today:

• Finding sufficiently skilled individuals to defend or protect their environment
• Log and alert overload giving rise to “Alert fatigue”
• The more stealthy threats may fly under the security team’s radar
• Investigations take long which eat up costly and scarce human resources
• Disparate teams don’t always connect the dots when required
• Too many false positives
• Slow response to a threat, if any
• Unnecessary compromise and business downtime

What can organizations implement to help with these challenges?

• Add more skilled staff resources and more training
• Correlate the detection of threats
• Ensure faster analysis of events
• Introduce better visibility in order to detect, identify threats and re-mediate faster
• Identify stealthy threats automatically with machine learning
• Automate detection, response and re-mediation

Employing more staff may be possible for some organizations but it has cost implications and there is the lack of available & qualified skills to consider. Automation is an option. Hence the rise of SIEM, EDR, XDR and SOAR. There are more variations but let’s keep it simple.

A neutral explanation of what each are:

• SIEM or (Security Information and Event Management) has been around longest. SIEM ingests data from multiple sources, helps correlate events and automates reporting in order for a human operator to analyze the result and make the next decision.
• EDR or (Endpoint Detection and Response) is one of the first iterations of the era of automated “response” that you see in XDR and SOAR today. The endpoints are monitored for threats, threats are correlated and there is an automated response to a threat which may include remediation steps.
• XDR or (Extended Detection and Response), we see as an extension or “extended” detection and response where more data sources than just the end points are monitored and used for detection, response and remediation. These data sources can include SIEM, next generation firewalls, end points and more.
• SOAR or (Security Orchestration, Automation and Response) has much of the XDR functionality but adds the automation of other security management processes like vulnerability management and playbooks into the solution in order to reduce the load on the security teams.

There are many conflicting definitions when researching these solutions. Many vendors like to refer to these solutions as (software as a service) or SaaS and this may be true in many instances but it is possible to install comparative on-premise solutions or obtain the service from a managed service provider. There are obviously pros and cons to consider dependent on your organization’s requirements.

Organizations should carefully investigate what approach to take. It is worthwhile to consider the following:

• There will be a substantial cost to each solution, so investigate the differences between on-premise, SaaS or a managed service carefully over the long term.
• These are not “configure and leave” solutions. Continuous improvement is required to manage these solutions.
• Skilled people are still required to manage these solutions whether you hire them or contract them.
• From a business perspective, the solutions should prevent attacks or a breach without business disruption or downtime.
• The intention is that critical applications, assets, personally identifiable information (PII) and organizational reputation are protected and maintained.

I sincerely hope that this short summary helps you make sense of the different solutions and their acronyms! Perhaps this can help you make a more informed decision about your cyber security defense systems moving forward.