May 19, 2021 | 3 minute read
XDR, shorthand for the emerging Extended Detection and Response solution offerings, has quickly established itself as one of the best options for defending the modern enterprise IT infrastructure against cyberattacks. But many are still trying to wrap their minds around XDR and where exactly it fits compared to other established solutions like SIEM, SOAR, and EDR.
Determining which of these solutions is the right fit for your organization requires understanding the strengths and limitations of each, and then working out where XDR fits into the broader cybersecurity puzzle. Cutting through vendor marketing hype to understand the benefits and limitations of each tool can be confusing, especially when the product categories provide similar or overlapping capabilities.
What is clear is that organizations around the world are under siege from cyberattacks, and they need tools that can protect them against malware, exploits, and increasingly sophisticated attacks on both devices and users. With that in mind, let’s take a closer look at these options and where XDR fits into the mix.
SIEM solutions are one of the primary tools organizations use to make sense of their security and log data. The technology emerged to help organizations aggregate and correlate data from a variety of sources and provide a centralized source of truth for security investigations, threat detection, and compliance reporting.
Modern SIEM tools often use a data lake structure and cloud analytics to centralize events, attempting to distill them down to the events that need attention. The value and effectiveness of a SIEM is highly dependent on the sources of data it has access to, and on how well it has been architected, tuned, and maintained.
The challenges with SIEM are that it often generates false positives and too many alerts—resulting in “alert fatigue,” or apathy about alerts, which leads to high-priority threats being ignored. A SIEM tool can be useful in detecting threats but usually does not do anything to actively reduce risk aside from generating alerts.
SOAR extends beyond the use-cases of SIEM by providing a means of response. SOAR systems ingest and analyze data, similar to a SIEM, but go a step further by initiating automated actions in response to specific events or triggers.
SOAR tools typically ingest signals from a variety of threat detection technologies, such as SIEM, EDR, firewalls, and email security gateways. In response to detected events, SOAR systems can alert IT security teams or escalate threats when human intervention is needed. SOAR improves on the actionability that SIEM lacks, but requires a few prerequisites in order to maximize success.
First, SOAR solutions typically require integrations with other security tools for threat detection and security analytics capabilities. Second, plan for the upfront investment required to build automation workflows and response playbooks.
Similar to SIEM, a SOAR platform is only as good as its collection of integrations and ingested data sources. Automating response actions can lead to significant time-savings; just be sure to test and retest to minimize the risk of unintentionally impacting user experiences or blocking critical systems.
Endpoints -- servers, desktops, laptops, and now mobile devices -- are essentially the backbone of the IT environment, so it is important to protect them effectively. The typical approach for detecting attacks entails looking for Indicators of Compromise (IOCs). Common IOCs include virus signatures, malicious IP addresses, MD5 hashes of malware files, and URLs or domain names linked to botnet command-and-control servers. If any of these are observed on either a network or an operating system, a breach has most likely occurred.
But today’s more advanced malicious actors either create custom tools to target specific organizations or uniquely compile existing malware code to make sure it doesn’t match any known file hashes or malware signatures. This renders the IOC-based detection approach completely ineffective. Signature-based anti-malware solutions are simply not an effective approach against today’s threat actors.
Cybereason EDR, for example, is unique in that it is able to collect, identify and convict a Malop™ (malicious operation) earlier than other solutions by relying on Indicators of Behavior (IOBs) on the endpoint -- the more subtle chains of malicious behavior that can reveal an attack at its earliest stages. That is essential to stopping advanced campaigns such as the recent supply chain attack on SolarWinds and the HAFNIUM attacks against Microsoft Exchange.
Cybereason EDR can then initiate an automated response to remove or mitigate the threat and notify IT security personnel. It also provides telemetry and forensic data that give crucial context for incident response and forensic investigations into the event.
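To make the IOC versus IOB contrast above concrete, here is an added Python example (not Cybereason's code or product logic) run over constructed endpoint events: a hash blocklist misses a recompiled payload, while a rule over the parent/child process chain (office application spawns a shell whose child talks to the network) still fires. The process names, hashes and destination address are constructed placeholders.

```python
# Added example (not Cybereason's code): IOC matching vs. IOB chain detection
# over a small set of constructed endpoint process events.
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    sha256: str                    # constructed placeholder, not a real hash
    net_dst: Optional[str] = None  # outbound connection by this process, if any

# IOC list: hash of the payload build seen in an earlier incident (constructed).
KNOWN_BAD_HASHES = {"aaaa1111"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}

# Constructed telemetry: same campaign, but the payload was recompiled, so its
# hash ("bbbb2222") no longer matches the blocklist.
EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "e0e0e0e0"),
    ProcEvent(200, 100, "winword.exe", "w0w0w0w0"),
    ProcEvent(300, 200, "powershell.exe", "p0p0p0p0"),
    ProcEvent(400, 300, "updater.exe", "bbbb2222", net_dst="203.0.113.7:443"),
]

def ioc_hits(events, bad_hashes=KNOWN_BAD_HASHES):
    """Signature approach: flag only processes whose file hash is blocklisted."""
    return [e.pid for e in events if e.sha256 in bad_hashes]

def iob_hits(events):
    """Behavior approach: flag the chain office app -> shell -> child with
    outbound traffic, regardless of which binaries or hashes are involved."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for e in events:
        if e.net_dst is None:
            continue
        parent = by_pid.get(e.ppid)
        grandparent = by_pid.get(parent.ppid) if parent else None
        if (parent and grandparent
                and parent.image in SHELLS and grandparent.image in OFFICE_APPS):
            chains.append((grandparent.pid, parent.pid, e.pid))
    return chains

if __name__ == "__main__":
    print("IOC hits:", ioc_hits(EVENTS))  # [] -- the new hash evades the blocklist
    print("IOB hits:", iob_hits(EVENTS))  # [(200, 300, 400)] -- the chain still fires
```

The same chain would also be reported if the attacker swapped the shell or the final binary, which is the point of matching on behavior rather than on artifacts.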
EDR is a significant improvement over traditional antivirus and antimalware endpoint security solutions. However, attacks today are often more complex and more sophisticated than an exploit on a single endpoint, which makes the scope of EDR too myopic to effectively defend against a broader malicious operation. XDR takes the Indicators of Behavior (IOB) concept from EDR, but widens the scope to the modern distributed IT environment.
This includes integrations with email, productivity suites (e.g. Microsoft and Google), network data, and cloud infrastructure. Comprehensive monitoring across the entire attack surface allows Cybereason XDR to identify patterns and detect potential threats on a broader scale—connecting the dots between seemingly disparate or innocuous events to recognize indicators of behavior and take action to prevent or stop threats.
Cybereason XDR breaks down data silos and unifies device and identity context for faster, more effective threat detection and response, and can be an extremely effective technology to enable organizations to reverse the attacker advantage and end malicious operations by extending detection and response capabilities across the entire enterprise environment.
Yossi Naar, Chief Visionary Officer and Co-Founder, is an accomplished software developer and architect. During his 20 years of industry experience, Yossi has designed and built many products, from cutting-edge security platforms for the defense industry to big data platforms for the AdTech / digital marketing industry, as well as the Cybereason in-memory graph engine.