
SIEM, XDR, and the Evolution of Cybersecurity Infrastructure

Security Information and Event Management (SIEM) platforms collect data from security logs and, in doing so, are supposed to identify blind spots, reduce noise and alert fatigue, and simplify detection and response to complex cyberattacks. However, SIEMs have not lived up to these promises. Now the new idea is XDR – what are its advantages, and should it coexist with or replace a SIEM? This paper explores the current cybersecurity landscape, how SIEM fits into that landscape, and how XDR platforms can significantly improve security incident visibility, analysis and response.

Evolution of Cybersecurity Infrastructure

The Security Landscape

The most obvious thing about today’s security landscape is that threats are on the rise:

  • According to Accenture, 68 percent of business leaders felt their cybersecurity risks were increasing in 2020.
  • Risk Based reported that data breaches exposed 36 billion records during the first half of 2020.
  • Proofpoint found that 88 percent of worldwide organizations experienced spear phishing attacks during 2019.

In addition, attacks are becoming more complex. Hackers once targeted a single vector, such as a firewall port, but today, they target multiple vectors. For example, an attacker might log into the network from an unrecognized location, access the Active Directory system and change a user’s privileges, and then begin downloading data from a server. By themselves, each of these indicators might be viewed as false positives by the systems that track them, but in reality, they’re all part of a single attack.
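The three-stage scenario above (unusual login, Active Directory privilege change, bulk download) is the kind of pattern that only appears when indicators from separate tools are joined on the same user and time window. The following Python is an added example, not code from the paper or from any SIEM or XDR product: the event dicts, baselines and thresholds are constructed for illustration, and the field names are assumptions rather than any vendor's schema. It first applies each tool's own check in isolation, then correlates the resulting low-confidence indicators into a single incident.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events from three siloed tools (VPN gateway, Active Directory,
# file server). Field names are assumptions for this example, not a vendor schema.
RAW_EVENTS = [
    {"ts": "2020-06-01T08:02:00", "source": "vpn", "user": "alice", "type": "login", "country": "RU"},
    {"ts": "2020-06-01T08:20:00", "source": "active_directory", "user": "alice", "type": "group_add", "group": "Domain Admins"},
    {"ts": "2020-06-01T09:10:00", "source": "file_server", "user": "alice", "type": "download", "bytes": 12_000_000_000},
    {"ts": "2020-06-01T10:00:00", "source": "vpn", "user": "bob", "type": "login", "country": "BR"},
    {"ts": "2020-06-01T11:00:00", "source": "vpn", "user": "carol", "type": "login", "country": "US"},
    {"ts": "2020-06-01T11:05:00", "source": "active_directory", "user": "carol", "type": "group_add", "group": "Domain Admins"},
    {"ts": "2020-06-01T11:30:00", "source": "file_server", "user": "carol", "type": "download", "bytes": 20_000_000_000},
]

# Baselines each tool would apply on its own (constructed for the example).
KNOWN_COUNTRIES = {"alice": {"DE"}, "bob": {"US"}, "carol": {"US"}}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
BULK_DOWNLOAD_BYTES = 1_000_000_000

# The attack chain described in the text, in the order the stages must occur.
ATTACK_CHAIN = ("unusual_login", "privilege_change", "bulk_download")


@dataclass(frozen=True)
class Indicator:
    ts: datetime
    source: str
    user: str
    kind: str
    detail: str


def classify(event):
    """Per-tool view: turn one raw event into a low-confidence indicator, or None."""
    user = event["user"]
    if event["type"] == "login" and event["country"] not in KNOWN_COUNTRIES.get(user, set()):
        kind, detail = "unusual_login", f"login from {event['country']}"
    elif event["type"] == "group_add" and event["group"] in PRIVILEGED_GROUPS:
        kind, detail = "privilege_change", f"added to {event['group']}"
    elif event["type"] == "download" and event["bytes"] >= BULK_DOWNLOAD_BYTES:
        kind, detail = "bulk_download", f"{event['bytes']} bytes"
    else:
        return None
    return Indicator(datetime.fromisoformat(event["ts"]), event["source"], user, kind, detail)


def correlate(indicators, window=timedelta(hours=2)):
    """Cross-tool view: report users whose indicators complete ATTACK_CHAIN in order within `window`."""
    by_user = {}
    for ind in sorted(indicators, key=lambda i: i.ts):
        by_user.setdefault(ind.user, []).append(ind)

    incidents = []
    for user, events in by_user.items():
        chain, cursor = [], None
        for stage in ATTACK_CHAIN:
            # earliest indicator of this stage that is not before the previous stage
            match = next((e for e in events if e.kind == stage and (cursor is None or e.ts >= cursor)), None)
            if match is None:
                break
            chain.append(match)
            cursor = match.ts
        if len(chain) == len(ATTACK_CHAIN) and chain[-1].ts - chain[0].ts <= window:
            incidents.append({
                "user": user,
                "start": chain[0].ts,
                "end": chain[-1].ts,
                "sources": [e.source for e in chain],
                "details": [e.detail for e in chain],
            })
    return incidents


def correlate_events(raw_events, window=timedelta(hours=2)):
    """Run both stages on raw events; returns the list of correlated incidents."""
    indicators = [i for i in map(classify, raw_events) if i is not None]
    return correlate(indicators, window)


if __name__ == "__main__":
    isolated = [i for i in map(classify, RAW_EVENTS) if i is not None]
    print(f"{len(isolated)} isolated indicators across {len(RAW_EVENTS)} events")
    for inc in correlate_events(RAW_EVENTS):
        print(f"incident: {inc['user']} {inc['start']} -> {inc['end']} via {inc['sources']}")
```

On this sample the per-tool checks raise six separate indicators, which is exactly the noise the paper describes; only one user completes the whole chain inside the window, so only one incident is reported. Tightening the window (or adding a stage) is how such a rule trades recall for precision.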

In this environment, companies are struggling to identify and remediate attacks. The traditional approach of collecting a group of siloed tools (such as EDR, NTA, SIEM and UEBA) to analyze traffic in networks, servers, endpoints, cloud and other slices of the security infrastructure is simply not working. In a 2020 survey, Enterprise Strategy Group (ESG) found that 75 percent of companies are finding it difficult to synthesize results from different security tools to determine attacks. Moreover, the survey shows that 75 percent of companies have deployed one or more security tools that have failed to live up to their promise.

Finally, there’s a gap in people skills. ESG’s survey showed that 75 percent of companies have a people skills gap – they can’t hire enough experienced analysts to support security analytics and operations.

How Tools Address the Challenges

SIEMs collect data from many different sources, including firewalls, network detection and response (NDR) systems, endpoint detection and response (EDR) systems and cloud access security brokers (CASBs). The idea is a good one: a single tool collects data from across the attack surface and aggregates it for analysis, detection and response. But there are issues with SIEM tools:

  • Each siloed tool produces data in its own format.
  • There are still a lot of manua
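The first problem listed above, every source emitting its own format, is what a SIEM's ingestion layer has to absorb before any of the data can be analyzed together. The Python below is an added example (not the paper's and not any SIEM vendor's code) showing what that normalization step looks like for three constructed records: a syslog-style firewall line with key=value pairs, a JSON EDR event, and a CEF-style CASB record. The field names, the common schema and the sample values are all assumptions made for the example.

```python
import json
import re
from datetime import datetime, timezone

# Three constructed raw records, one per siloed tool. The formats approximate the
# families they represent (syslog key=value, JSON, CEF); they are not vendor output.
RAW_LINES = [
    # firewall: syslog-style text, no year in the timestamp
    "Jun  1 08:02:03 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=445",
    # EDR: one JSON object per event, Windows-style domain\user
    r'{"timestamp": "2020-06-01T08:05:11Z", "hostname": "ws-17", "event": "process_start", '
    r'"image": "C:\\Windows\\System32\\cmd.exe", "user": "CORP\\alice"}',
    # CASB: CEF header (7 pipe-separated fields) plus space-separated extension pairs
    "CEF:0|ExampleCASB|Gateway|1.0|100|File download|5|rt=1591000200000 suser=alice act=download fname=q2_forecast.xlsx fsize=20480",
]

# The common schema every parser must fill (assumed for this example).
SCHEMA_FIELDS = ("ts", "source", "host", "user", "src_ip", "action", "detail")
SYSLOG_YEAR = 2020  # syslog timestamps carry no year; assumed for the sample

FIREWALL_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+: (?P<action>\w+) (?P<kv>.*)$"
)


def _kv(text):
    """Parse 'A=1 B=2' into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def parse_firewall(line):
    m = FIREWALL_RE.match(line)
    if not m:
        return None
    fields = _kv(m["kv"])
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['stamp']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "firewall", "host": m["host"], "user": None,
            "src_ip": fields.get("SRC"), "action": m["action"].lower(),
            "detail": f"{fields.get('PROTO')}/{fields.get('DPT')} -> {fields.get('DST')}"}


def parse_edr(line):
    rec = json.loads(line)
    ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    user = rec["user"].split("\\")[-1].lower()  # drop the domain so the key matches other sources
    return {"ts": ts, "source": "edr", "host": rec["hostname"], "user": user,
            "src_ip": None, "action": rec["event"], "detail": rec["image"]}


def parse_cef(line):
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        return None
    ext = _kv(parts[7])  # real CEF allows escaped spaces in values; _kv does not handle them
    ts = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc) if "rt" in ext else None
    return {"ts": ts, "source": parts[1].lower(), "host": None, "user": ext.get("suser"),
            "src_ip": ext.get("src"), "action": ext.get("act", parts[5]), "detail": ext.get("fname")}


def normalize(line):
    """Sniff the format and return one record in the common schema, or None if unparsable."""
    line = line.strip()
    if line.startswith("{"):
        rec = parse_edr(line)
    elif line.startswith("CEF:"):
        rec = parse_cef(line)
    else:
        rec = parse_firewall(line)
    if rec is None:
        return None
    assert set(rec) == set(SCHEMA_FIELDS), "parser must fill every schema field"
    return rec


def normalize_all(lines):
    """Normalize every line, drop unparsable ones, and order by timestamp."""
    floor = datetime.min.replace(tzinfo=timezone.utc)
    records = [r for r in map(normalize, lines) if r is not None]
    return sorted(records, key=lambda r: r["ts"] or floor)


if __name__ == "__main__":
    for rec in normalize_all(RAW_LINES):
        print(rec["ts"].isoformat(), rec["source"], rec["user"], rec["action"], rec["detail"])
```

Two details matter more than the parsing itself: timestamps are forced to a single timezone before anything is sorted or windowed, and identity fields are canonicalized (domain prefix stripped, lower-cased) so that a user seen by the EDR and by the CASB is the same key downstream. A record that cannot be parsed is dropped explicitly rather than silently misfiled, which is the behaviour you want to alert on in production ingestion.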