SIEM, XDR, and the Evolution of Cybersecurity Infrastructure
Security Event and Information Management platforms (SIEMs) collect data from security logs and in doing so are supposed to identify blind spots, reduce noise and alert fatigue, and simplify detection and response to complex cyberattacks. However, SIEMs have not lived up to these promises. Now, the new idea is XDR – what are its advantages, and should it coexist with or replace a SIEM? This paper explores the current cybersecurity landscape, how SIEM fits into that landscape, and how XDR platforms can significantly improve security incident visibility, analysis and response.
The Security Landscape
The most obvious thing about today’s security landscape is that threats are on the rise:
- According to Accenture, 68 percent of business leaders felt their cybersecurity risks were increasing in 2020.
- Risk Based reported that data breaches exposed 36 billion records during the first half of 2020.
- Proofpoint found that 88 percent of worldwide organizations experienced spear phishing attacks during 2019.
In addition, attacks are becoming more complex. Hackers once targeted a single vector, such as a firewall port, but today, they target multiple vectors. For example, an attacker might log into the network from an unrecognized location, access the Active Directory system and change a user’s privileges, and then begin downloading data from a server. By themselves, each of these indicators might be viewed as false positives by the systems that track them, but in reality, they’re all part of a single attack.
In this environment, companies are struggling to identify and remediate attacks. The traditional approach of collecting a group of siloed tools (such as EDR, NTA, SIEM and UEBA) to analyze traffic in networks, servers, endpoints, cloud and other slices of the security infrastructure is simply not working. In a 2020 survey, Enterprise Strategy Group (ESG) found that 75 percent of companies are finding it difficult to synthesize results from different security tools to determine attacks. Moreover, the survey shows that 75 percent of companies have deployed one or more security tools that have failed to live up to their promise.
Finally, there’s a gap in people skills. ESG’s survey showed that 75 percent of companies have a people skills gap – they can’t hire enough experienced analysts to support security analytics and operations.
How Tools Address the Challenges
SIEMs collect data from many different sources, including firewalls, network detection and response (NDR) systems, endpoint detection and response (EDR) systems and cloud application security brokers (CASBs). The idea is a good one: that a single tool collects data from across the attack surface and aggregates it for analysis, detection and response. But there are issues with SIEM tools:
- Each siloed tool produces data in its own format.
- There are still a lot of manual tasks needed, like transforming the data (including the data fusion) to create context for the data, i.e., enrichment with threat intelligence, location, asset and/or user information.
- There is so much data that analysts have great difficulty spotting complex attacks.
- Analysts can’t see complex attacks because of the volume of data and the effort it takes to manually correlate separate detections. A human brain can’t correlate more than three sources of information at a time, so wading through a flood of information is difficult or impossible.
It’s no wonder that even with SIEMs at work, many companies take weeks or months to identify complex attacks: the average time to identify a complex breach is over 200 days. Security analysts are awash in false positives, so they can’t see the alligators in the swamp because they’re up to their necks in water and just trying to breathe.
XDR – Seeing the forest and all of the trees
If the idea behind SIEMs was the right one in terms of collecting data from across the infrastructure, XDR (Everything Detection and Response) is the evolution of that idea. The idea is to ensure the entire attack surface can be monitored from a single console.
XDR is a cohesive security operations platform with tight integration of many security applications under one dashboard to correlate events into meaningful incidents across the entire attack surface. An XDR platform ingests data from SIEM, NDR, EDR, CASB, user entity behavior analysis (UEBA) and other tools and, unlike a SIEM, normalizes these disparate data sets into a common format. The common data pool is easily searchable so analysts can drill down on alerts to detect root causes of attacks. Moreover, XDR also uses AI and machine learning to automatically correlate detections and issue high-fidelity alerts, significantly reducing false positives.
Unlike humans, computers can correlate an unlimited number of data points, so by using normalized data and AI tools, XDR can automatically identify complex attacks in many cases, often in minutes or hours instead of weeks or months. Moreover, tight integration with siloed security tools enables XDR to automatically trigger responses to alerts, such as blocking a firewall port.
Open XDR – Making XDR More Affordable
Most XDR platforms on the market are single-vendor solutions that build on the EDR base and firewalls. Companies opting for single-vendor XDR must therefore abandon their existing tool investments in order to adopt XDR. Most companies have spent millions acquiring and learning to use their existing tools, so they are reluctant to do this.
Open XDR is an XDR variant that works with existing security tools – any EDR and any firewall. It therefore allows users to retain their cybersecurity investments while enhancing them by aggregating all of their data, detecting attacks, presenting high-fidelity alerts from across the infrastructure under a single interface, and responding automatically in many cases to deliver an immediate improvement in the overall security posture.
In addition, Open XDR platforms integrate their own sets of SIEM, NTA, UEBA and other tools. This enables users to sunset some of their existing tools over time, gradually reducing licensing costs and operational complexity.
SIEM has been the basis of security operations for several years, but it often creates more work with fewer results. Analysts are overburdened with masses of alerts, data is difficult to normalize, and it’s impossible to hire enough analysts to meet the need.
By delivering fast, clear detections from existing systems with automated responses, Open XDR systems speed attack identification and remediation while reducing the burden on analyst teams, leading to better overall security, happier employees, less disruption and lower costs.
Open XDR is the foundation of the next-generation Security Operations Center.