ESG Research on XDR

Published on February 9, 2021

By Augusto Barros, Vice President of Solutions

Maybe because of all the excitement around the US elections, we did not post anything about an excellent report by ESG Research on extended detection and response (XDR), called "The Impact of XDR in the modern SOC" and published back in November.

The report includes a survey of how organizations perceive XDR and what they intend to do with it. It includes data about how XDR is perceived (Is it a product? A package? Extended EDR?) and how organizations are planning to use it. But within this report there are also very interesting findings about SIEM.

The report confirms the very important role of the SIEM for threat detection and response (TDR). "58% of respondents identify SIEM as one of their organization's most effective TDR tools." The SIEM is helpful and its approach works. So why don't we see SIEM as part of discussions about XDR very often?

The report indicates that XDR is in many ways interpreted as a solution that delivers or supplements capabilities very often associated with SIEMs. 36% of the responses about "XDR Perceptions" said that "XDR collects, processes, analyzes, and acts upon security telemetry from numerous controls and data sources." Isn't that exactly what a SIEM is supposed to do?

I believe there are two interesting reasons to include SIEM as part of an XDR discussion. The first comes from the strong presence of legacy technologies in the SIEM market. Many products, including some of the leaders in this space, run on antiquated technologies and struggle to collect and analyze huge amounts of telemetry from multiple sources, including cloud sources. They were designed and built for a time when the challenge was to collect a relatively low volume of logs from on-premises systems. The analytics required were also very basic: simple normalization of events and application of correlation rules were enough to meet the needs of that time. Data was parsed and normalized, but the concept of enrichment, the application of advanced ML, and the use of complex threat models to link individual events together were still far in the future.

Organizations running these legacy systems will often misinterpret their limitations as being the limitations of all SIEMs in general, pushing them to look elsewhere for solutions to their needs. For them, XDR seems to be the way to get out of that hole.

The second reason is the understanding that SIEM has an important role in a SOC architecture, even when XDR is a part of it. This is true regardless of what you understand as XDR. If you see XDR as a consolidated product providing TDR on endpoints and other places, such as network and cloud, you would still need a SIEM to cover all other data sources not covered by that XDR product. The XDR solution would be just another data source for the SIEM. This would allow you to correlate events from the XDR with data from other sources, such as your business applications.

But if you see XDR in a broader manner, as an approach, things get even more interesting. In this view, the SIEM becomes part of your XDR solution. An XDR solution needs the ability to collect, enrich, and analyze a high volume of data from multiple sources. This is exactly what a good SIEM does. In fact, a SIEM built in the cloud, with modern technology and advanced analytics capabilities, can do it extremely well.

But it's not enough to just ingest data. The integration between the SIEM and the other parts of the solution must be deeper than simply providing an out-of-the-box data parser. The appeal of XDR is to have the data from sources such as EDR and NDR fused together in a way that enables advanced detection content covering all of them. We expect out-of-the-box content that leverages the fused data for better threat detection insights.

The XDR acronym includes "Response" too, and the expectation is that an XDR solution will be able to support response not only from an incident investigation perspective, but also with containment and remediation actions. Modern SIEM solutions include SOAR capabilities that fit perfectly into this architecture, providing the ability to engage with the other components to perform those actions.

As many organizations look for a way to better handle threats that span their environment, adopting an approach that remains flexible is critical. But this flexibility should not come at the expense of excessive complexity. That's why Securonix provides pre-built content to address this challenge, with deep, bi-directional integration with some of the best EDR, NDR and cloud security solutions on the market. Deploying an XDR solution with a modern SIEM at its core allows organizations to pick the right combination of best-of-breed components for their needs.