SIEM vs. XDR: Advances in Security Monitoring and Cyber Defense

9/28/2021

By Rae Jewell

The cybersecurity industry is chockfull of jargon, abbreviations, and acronyms. So much so that it can often be difficult to decide which tools may provide the best protection for your company. To help, we’d like to clarify some terms and review the benefits of a few solutions.

Let’s begin with SIEMs

Security information and event management (SIEM) technology has been around for a long time. Having evolved from log aggregation, log management, and event management, SIEMs serve to collect, aggregate, analyze, and store large volumes of log data from across numerous systems.

SIEM vendors began by taking a broad approach and collecting available log and event data from almost any source across an enterprise. Over time, they extended a SIEM’s reach from the office to the manufacturing floor and beyond. The goal was to gain more complete visibility across an organization’s landscape — from firewalls and switches to operating systems and applications. Unfortunately, the level of detail in the data from each source is typically low. In other words, SIEMs provide wide, but shallow data sets, which requires far more work to derive meaning from them — and work is time and money.

Not only can it take years to map all the low–resolution log data to a meaningful alert, but also, with COVID–19 creating the new work–from–home norm, companies are now gathering far few system logs. Thanks to alternative, cloud–based solutions, many users simply never need a virtual private network (VPN) to communicate back to the company network.

Even though many SIEM solutions are adding agents to endpoints to gather and push logs to a cloud collector, if a person is working from home and not accessing the network for data, why create alerts from that computer’s logs if they don’t affect the security of the internal network? This would require a security engineer to further tune segregation issues — and that’s if you’re lucky enough to have an engineer on staff.

The advantages of EDR and XDR

Today, extended detection and response (XDR) tools are gaining traction. As the name would imply, they are an evolution of endpoint detection and response (EDR) tools, which combine antivirus with post–detection analysis capabilities — for example, enhanced alerting, automatic stopping and quarantining of malicious behavior, signature– and threat intelligence–based detection, and full–blown artificial intelligence on systems for autonomous operations.

While an XDR solution may appear similar in function to a SIEM platform, it offers much more. And that’s why Arete chooses to use XDR with our Managed Detection and Response (MDR) service.

The XDR console lives in the cloud to allow for fast, accurate reporting on what’s occurring across your entire pool of assets. In fact, it provides rich metadata on every event that occurs on monitored endpoints; records every DNS request, file access, and intercommunication between computers; and uses artificial intelligence to detect inappropriate actions by programs and scripts, stopping them before they can affect the kernel or memory.

XDR can also threat hunt for indicators related to attack precursors, which allows us to notify you of inappropriate communications coming through your firewalls or from unprotected endpoints that may be connected to your environment. It also static detects badness as malicious actors touch or execute files. In short, it’s hard to hide from XDR — and in using it to protect the core systems that contain your data, Arete protects your ability to do business.

Other advantages XDR has over SIEMs include:

• • The ability to detect all assets on networks where company computers with the agent reside.
  • USB control to prevent exfiltration.
  • Firewall control native to Windows systems.
  • Network interface card control to stop communications in an emergency.
  • Vulnerability data on all covered Windows, Linux and Mac systems.

XDR tools are not only capable of reporting on ransomware damage, but their autonomous behavior-based capabilities can detect and stop ransomware before it can cause any damage.