
Open XDR vs. SIEM

Matching Resources and Business Risk with the Right Solution

Gaining visibility into, and responding to, attacks across the entire enterprise infrastructure (endpoints, servers, applications, SaaS, cloud, users, etc.) is a very tall order in today’s cybersecurity environment. To meet it, enterprises are forced to build complex security stacks out of SIEM, UEBA, SOAR, EDR, NDR, TIP and other tools. For many enterprises, the SIEM is the main tool for aggregating and analyzing data from that infrastructure. Nearly half of enterprises report that they are not satisfied with their SIEMs [1], yet all of them will be quick to point out the amount of capital, time and resources they have poured into standing up and maintaining them. Open XDR is emerging as a new approach to the same challenge of gaining visibility and responding to attacks across the whole enterprise. In this article, we look at how Open XDR and SIEM measure up as security solutions.

Defining Open XDR

Gartner defines XDR, or eXtended Detection and Response, as “a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components.” This definition, dating back to 2020, does not capture Open XDR, an emerging category of XDR that collects and correlates data from all existing security components, not just proprietary or single-vendor ones. Open XDR therefore keeps Gartner’s XDR definition but replaces “multiple proprietary security components” with “all existing security components, delivered via an open architecture”. The Open vs. Native XDR difference is discussed in detail in another article; here we focus on Open XDR as it compares to SIEM. To deliver on the promise of that definition, Open XDR has the following technical requirements:

  • Deployability – Cloud-native microservice architecture for scalability, availability and deployment flexibility
  • Data Fusion – Centralize, normalize and enrich data across the entire attack surface, including network, cloud, endpoints, applications and identity
  • Detection – Built-in, automated detections driven by machine learning
  • Correlation – High-fidelity correlated detections across multiple security tools
  • Intelligent Response – One-click or automated response from the same platform

Sound similar to SIEM plus a little SOAR? That’s because it is. However, there are major architectural differences that allow Open XDR to deliver on many of the promises on which SIEMs have fallen short.

Defining SIEM

Gartner defines SIEM, or Security Information and Event Management, as technology that “supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources.” This definition is notably similar to the definition of XDR. Architecture is where the biggest differences lie, but even at the level of definitions, a SIEM was named after its main purpose, managing information and events, while XDR was named after its main purpose, detecting and responding. This may seem like a minor point, but the difference in business purpose is what drives the architectural approach, and it is why SIEMs are so capital-intensive in today’s security environment.

Architectures Compared

This comparison focuses only on the differences. There are a number of technical similarities including long-term storage, open integrations with security tools, cloud-nativity, and efficient search and threat-hunting.
However, Open XDR has five key architectural differences from SIEMs:

  1. Data is normalized and enriched at ingest, before it is written to the data lake, so every stored record already shares one schema and carries its context.
  2. Detections and alert correlation are produced automatically by machine learning in Open XDR, rather than by human-written rules as in a SIEM.
  3. Correlated alerts are assembled into incidents, and a single response is orchestrated from the same platform; a SIEM instead forwards alerts to a separate SOAR platform, which performs the correlation and response downstream.
  4. Many of the tools security operations require (a big data lake, UEBA, SOAR, TIP, NDR and EDR) are unified on one platform, whereas many SIEMs provide only the data lake, leaving SIEM users to integrate many complex tools by hand.
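The flow these differences describe, and the Data Fusion, Detection, Correlation and Intelligent Response requirements listed earlier, in miniature: events from three tools are normalized into one schema and enriched before they are stored, alerts are raised, and alerts that share an entity are correlated into a single incident with a single response plan. This is an added example written for this article, not any vendor's or product's code. Everything in it is constructed: the event formats, the asset, owner and threat-intel lookup tables, the fixed rules that stand in for machine-learning detections, and the `WINDOW`, `ingest`, `correlate` and `run` names.

```python
# Added example, not any vendor's code: a toy Open XDR pipeline. Constructed inputs (illustrative
# schemas) are normalized and enriched before storage, raise alerts, and are correlated into an incident.
from __future__ import annotations
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
RAW_EVENTS = [
    ("edr", '{"ts":"2024-03-01T10:00:05Z","hostname":"WS-042","user":"jdoe","alert":"suspicious_encoded_command"}'),
    ("firewall", "2024-03-01T10:00:40Z src=10.1.5.42 dst=203.0.113.7 dport=443 action=allow bytes_out=5242880"),
    ("cloud", '{"eventTime":"2024-03-01T10:02:10Z","userIdentity":{"userName":"jdoe"},"eventName":"CreateAccessKey"}'),
    ("firewall", "2024-03-01T14:00:00Z src=10.1.5.50 dst=203.0.113.7 dport=443 action=allow bytes_out=900"),
]
# Constructed enrichment context (assumed: an asset inventory, identity data, a threat-intel feed).
ASSETS = {"10.1.5.42": "WS-042", "10.1.5.50": "WS-050"}
HOST_OWNER = {"WS-042": "jdoe", "WS-050": "asmith"}
BAD_IPS = {"203.0.113.7"}
WINDOW = timedelta(minutes=30)  # max spread between alerts linked into one incident

@dataclass
class Event:
    ts: datetime
    source: str
    host: str | None = None
    user: str | None = None
    dst_ip: str | None = None
    action: str = ""
    severity: int = 0  # > 0 marks the event as an alert
    tags: set[str] = field(default_factory=set)

@dataclass
class Incident:
    entities: set[str]
    sources: set[str]
    score: int
    response: list[str]

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize(source: str, raw: str) -> Event:
    """Map each tool's native fields onto one schema before anything is stored."""
    if source == "edr":
        d = json.loads(raw)
        return Event(parse_ts(d["ts"]), source, host=d["hostname"], user=d["user"],
                     action=d["alert"], severity=7)  # the EDR already judged this an alert
    if source == "firewall":
        head, *kvs = raw.split()
        kv = dict(tok.split("=", 1) for tok in kvs)
        return Event(parse_ts(head), source, host=ASSETS.get(kv["src"]),
                     dst_ip=kv["dst"], action=f"conn_{kv['action']}")
    if source == "cloud":
        d = json.loads(raw)
        return Event(parse_ts(d["eventTime"]), source,
                     user=d["userIdentity"]["userName"], action=d["eventName"])
    raise ValueError(f"unknown source {source!r}")

def enrich(ev: Event) -> Event:
    """Add context the raw record lacks and raise alerts; fixed rules stand in for ML detections."""
    if ev.host and not ev.user:
        ev.user = HOST_OWNER.get(ev.host)  # firewall logs carry no username
    if ev.dst_ip in BAD_IPS:
        ev.tags.add("threat_intel_match")
        ev.severity = max(ev.severity, 6)
    if ev.source == "cloud" and ev.action == "CreateAccessKey":
        ev.tags.add("credential_creation")
        ev.severity = max(ev.severity, 5)
    return ev

def ingest(raw_events) -> list[Event]:
    """Normalize, then enrich; the result is what would land in the data lake."""
    return [enrich(normalize(src, raw)) for src, raw in raw_events]

def entities_of(e: Event) -> set[str]:
    return {x for x in (e.user, e.host) if x}

def correlate(events: list[Event]) -> list[Incident]:
    """Chain alerts that share a user or host within WINDOW, and promote a chain to an
    incident only when two or more tools contributed; a lone single-tool alert stays an alert."""
    chains: list[list[Event]] = []
    for a in sorted((e for e in events if e.severity > 0), key=lambda e: e.ts):
        for c in chains:
            if entities_of(a) & set().union(*map(entities_of, c)) and a.ts - c[0].ts <= WINDOW:
                c.append(a)
                break
        else:
            chains.append([a])
    incidents = []
    for c in chains:
        sources = {e.source for e in c}
        if len(sources) < 2:
            continue
        hosts = sorted({e.host for e in c if e.host})
        users = sorted({e.user for e in c if e.user})
        response = [f"isolate_host:{h}" for h in hosts] + [f"disable_user:{u}" for u in users]
        incidents.append(Incident(set(hosts) | set(users), sources, sum(e.severity for e in c), response))
    return incidents

def run(raw_events=RAW_EVENTS) -> list[Incident]:
    return correlate(ingest(raw_events))
```

Calling `run()` on the constructed input yields one incident: the EDR alert, the firewall connection to a threat-intel indicator and the cloud `CreateAccessKey` event all involve `jdoe` or `WS-042` within a few minutes, so they chain into an incident with score 18 whose response isolates the host and disables the user. The later firewall hit from `WS-050` matches the same indicator but comes from a single tool, so it stays an alert in the lake and is not promoted. The point is the ordering: because the firewall line was enriched with its host and owner before storage, the correlation step could link it to the EDR and cloud events at all. Whether a single-source alert should ever become an incident, and how wide `WINDOW` should be, are tuning decisions; the thresholds here are deliberately simple.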