Actionable XDR Telemetry vs. Uncorrelated SIEM Alerts

As a class of security tools, Security Information and Event Management (SIEM) finds itself in a curious position. On the one hand, the global SIEM market is expected to continue growing over the next few years.

Valuates Reports reported that the market is expected to reach $6.4 billion by 2027. Such growth implies a CAGR of 6.8% over the next six years. It also means that continuous monitoring, incident response, regulatory compliance, and log management will remain priorities for organizations during that period.

On the other hand, organizations are dissatisfied with the lack of performance by SIEM solutions. Why? Because “traditional SIEM platforms no longer meet the growing needs of security practitioners who face new and emerging threats,” as noted by Help Net Security. Specifically, 18% of security professionals surveyed said that it had taken them more than 12 months to deploy and implement their organization’s SIEM.

Apparently, many weren’t impressed once they got their SIEM up and running. Nearly half (46%) of respondents said that the cost vs. capabilities of the SIEM did not align with their employer’s priorities. A quarter of survey participants went on to highlight the delivery of too many alerts as the biggest problem with their SIEM platform.

SIEMs as Imperfect Solutions

The findings discussed above tie in with why many security professionals are unsatisfied with their SIEM’s visibility. Indeed, SIEMs were originally designed to ingest a wide range of telemetry from various sources (security tools, logs, etc.), but that’s about it. All they really do is present the analysts with an “organized mess” that lacks the necessary context and correlations across the telemetry an analyst needs to answer the question, “Are we under attack?”

Most of what security teams need is in one place, but it's still raw data that analysts must manually sift through, assess, and correlate with other telemetry before making a judgment call. All of that is heavy on human resources, cannot scale effectively, and does not provide the level of automation the modern enterprise requires for a robust security posture.

Of course, that’s assuming that a SIEM is even capable of handling all that data. We noted previously that no one uses a SIEM to understand what’s happening on their endpoints because no SIEM solution can handle the volume of logs that security teams need to effectively analyze endpoint data. This means that many security teams lack visibility into what’s going on with their endpoints using SIEM, and a SIEM can’t correlate that intelligence with other non-endpoint telemetry.

Using Endpoint Detection and Response (EDR) solutions to compensate doesn’t always work, either. EDR offerings, and even most XDR solutions, lack the ability to ingest all of the telemetry available to their EDR tools, so they are forced to use “data filtering,” a process that discards telemetry even though it might be useful for detection. They engage in this practice because they must send all their data to the cloud for analysis before they can return a detection.

Even setting aside the shortcomings of supplemental EDR tools, SIEMs remain what we like to think of as really expensive log reporting systems used primarily for compliance purposes; they don’t do much to actually improve security posture. Sooner or later, security teams need something a little more sophisticated. Hence the need for organizations to shift to a more effective security approach.

Advanced XDR (Extended Detection and Response) to the Rescue

Extended Detection and Response (XDR) is a security approach that requires the collection of all relevant security telemetry from not only endpoints, but also application suites, user personas, cloud workloads and more. And this telemetry needs to be comprehensive and granular, down to items like configuration changes for cloud workloads, attachment metadata for email messages, and all network traffic - without unnecessary “filtering” of any telemetry.

If an EDR or XDR solution provider is trying to tout “smart filtering” of telemetry as a feature, that is a big red flag indicating they cannot deliver Advanced XDR (or even EDR, for that matter).

Furthermore, the real value of an Advanced XDR solution is that it takes a step beyond simply collecting and organizing telemetry. It makes the logical correlations between otherwise disparate intelligence sources and then provides the analyst with a comprehensive view of how all those activities are connected to reveal the attack timeline, as well as automated and guided one-click remediation options to deliver effective security at scale.
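To make the contrast between an “organized mess” of raw events and a correlated attack timeline concrete, here is a small worked example. It is added to this article and is not Cybereason’s code or the logic of any product; the events are constructed sample records (not real logs), the field names and severity scale are assumptions, and the correlation rule (link events that share a user or host within a time window) is one simple way of doing what the paragraphs above describe.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from several sources (not real logs). Each record
# carries the entities (user, host) that a correlation step can pivot on.
EVENTS = [
    {"ts": "2024-03-01T09:00:05Z", "source": "email", "user": "alice",
     "detail": "macro-enabled attachment delivered", "sev": 1},
    {"ts": "2024-03-01T09:02:10Z", "source": "endpoint", "host": "wks-17", "user": "alice",
     "detail": "office process spawned a shell interpreter", "sev": 2},
    {"ts": "2024-03-01T09:02:40Z", "source": "network", "host": "wks-17",
     "detail": "outbound TLS session to a never-before-seen domain", "sev": 1},
    {"ts": "2024-03-01T09:05:00Z", "source": "cloud", "user": "alice",
     "detail": "IAM policy attached to a role outside the change window", "sev": 2},
    {"ts": "2024-03-01T11:30:00Z", "source": "endpoint", "host": "srv-db", "user": "bob",
     "detail": "scheduled backup job started", "sev": 0},
]


def _ts(ev):
    return datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")


def entities(ev):
    """Pivot keys an event exposes, e.g. {'user:alice', 'host:wks-17'}."""
    return {f"{k}:{ev[k]}" for k in ("user", "host") if k in ev}


def uncorrelated_alerts(events, min_sev=1):
    """SIEM-style output: one flat alert per event above threshold, no linkage."""
    return [ev for ev in events if ev["sev"] >= min_sev]


def correlate(events, window_hours=4):
    """Link events that share a user or host within `window_hours` of each other
    (transitively, via union-find) and return one incident per connected group,
    each with a time-ordered timeline, the sources and entities involved, and
    the peak severity seen."""
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i

    def union(a, b):
        parent[find(a)] = find(b)

    window = timedelta(hours=window_hours)
    seen = defaultdict(list)  # entity -> [(timestamp, event index), ...]
    for idx, ev in sorted(enumerate(events), key=lambda p: _ts(p[1])):
        t = _ts(ev)
        for ent in entities(ev):
            for prev_t, prev_idx in seen[ent]:
                if t - prev_t <= window:
                    union(idx, prev_idx)
            seen[ent].append((t, idx))

    groups = defaultdict(list)
    for idx, ev in enumerate(events):
        groups[find(idx)].append(ev)
    incidents = []
    for members in groups.values():
        members.sort(key=_ts)
        incidents.append({
            "timeline": members,
            "sources": sorted({m["source"] for m in members}),
            "entities": sorted(set().union(*(entities(m) for m in members))),
            "max_sev": max(m["sev"] for m in members),
        })
    incidents.sort(key=lambda inc: _ts(inc["timeline"][0]))
    return incidents


def render(incident):
    """Analyst-facing view: a header line plus one line per step of the timeline."""
    head = (f"incident sev={incident['max_sev']} "
            f"sources={','.join(incident['sources'])} "
            f"entities={','.join(incident['entities'])}")
    return [head] + [f"  {m['ts']} [{m['source']}] {m['detail']}" for m in incident["timeline"]]


if __name__ == "__main__":
    print(f"flat alerts an analyst would have to triage: {len(uncorrelated_alerts(EVENTS))}")
    for inc in correlate(EVENTS):
        print("\n".join(render(inc)))
```

On this sample, the flat view yields four separate alerts with no indication that they belong together, while the correlated view yields a single incident spanning the email, endpoint, network and cloud sources on the `alice`/`wks-17` pivot, plus the benign backup job on `srv-db` as its own low-severity group. The window parameter is the knob that trades correlation reach against false joins; shrinking it to zero makes every event its own group, which is exactly the uncorrelated SIEM picture the article criticizes.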

The Cybereason Advanced XDR Advantage

Cybereason delivers an Advanced XDR solution that enables organizations to embrace an operation-centric approach to security. Where other XDR solutions limit the critical data they collect because they can’t process or store it, AI-driven Cybereason XDR is designed to collect and analyze 100% of event data in real time, processing more than 23 trillion security-related events per week with absolutely no “dumb filtering.” This allows customers to improve their detection and response intervals by 93%.

The Cybereason Advanced XDR Platform comes with dozens of out-of-the-box integrations, is designed to provide the visibility organizations require to be confident in their security posture across all network assets, and delivers the automated responses to halt attack progressions, eliminating the need for both SIEM and SOAR solutions. Organizations can enjoy these benefits whether they drop their SIEM and SOAR entirely or augment them with Cybereason Advanced XDR.

Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about AI-driven Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.