XDR: Moving Beyond the Limits of SIEM and SOAR

May 27, 2021 | 4 minute read

Organizations around the world are under siege from cyberattacks, and they need tools that can protect against malware, exploits, and increasingly sophisticated attacks on both devices and users. SIEM, SOAR and EDR technologies all have their benefits, but organizations with mature security programs are looking to move beyond the limits of these offerings - that’s where the advent of XDR comes into play.

XDR, short for Extended Detection and Response, has emerged as one of the best options for defending the modern corporate IT infrastructure against attacks, alongside popular solutions like SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation, and Response), and EDR (Endpoint Detection and Response).

The challenge is understanding the strengths and limitations of each and figuring out where XDR fits into the broader cybersecurity puzzle. It can be confusing to cut through the marketing hype from vendors in order to understand the benefits and limitations of each tool, especially when the product categories provide similar or overlapping capabilities. Let’s take a closer look at each option:

SIEM (Security Information and Event Management)

SIEM solutions are one of the primary tools organizations use to make sense of their security and log data. The technology emerged to help organizations aggregate and correlate data from a variety of sources and provide a centralized source of truth for security investigations, threat detection, and to prove compliance.

Modern SIEM tools often use a data lake structure and cloud analytics to centralize events, attempting to distill them down to the ones that need attention. The value and effectiveness of a SIEM is highly dependent on the sources of data it has access to, and on how well it has been architected, tuned, and maintained.

The challenges with SIEM are that it often generates false positives and too many alerts, resulting in “alert fatigue” or apathy about alerts, which leads to high-priority threats being ignored. A SIEM tool can be useful in detecting threats but usually does not do anything to actively reduce risk aside from generating alerts.

SOAR (Security Orchestration, Automation, and Response)

SOAR extends beyond the use-cases of SIEM by providing a means of response. SOAR systems ingest and analyze data, similar to a SIEM, but go a step further by initiating automated actions in response to specific events or triggers.

SOAR tools typically ingest signals from a variety of threat detection technologies, such as SIEM, EDR, firewalls, and email security gateways. In response to detected events, SOAR systems can alert IT security teams or escalate threats when human intervention is needed. SOAR improves on the actionability that SIEM lacks, but requires a few prerequisites in order to maximize success.

First, SOAR solutions typically require integrations with other security tools for threat detection and security analytics capabilities. Second, plan for the upfront investment required to build automation workflows and response playbooks.

Similar to SIEM, a SOAR platform is only as good as its collection of integrations and ingested data sources. Automating response actions can lead to significant time-savings; just be sure to test and retest to minimize the risk of unintentionally impacting user experiences or blocking critical systems.

EDR (Endpoint Detection and Response)

Endpoints -- servers, desktops, laptops, and now mobile devices -- are essentially the backbone of the IT environment, so it is important to protect them effectively. The typical approach for detecting attacks entails looking for Indicators of Compromise (IOCs). Common IOCs include virus signatures, malicious IP addresses, MD5 hashes of malware files, and URLs or domain names linked to botnet command-and-control servers. If any of these are observed on either a network or an operating system, a breach has most likely occurred.

But today’s more advanced malicious actors either create custom tools to target specific organizations or uniquely compile existing malware code to make sure it doesn’t match any known file hashes or malware signatures. This renders the IOC-based detection approach completely ineffective. Signature-based anti-malware solutions are simply not an effective approach against today’s threat actors.

For example, Cybereason EDR is unique in that it is able to collect, identify and convict a Malop™ (malicious operation) earlier than other solutions based on Indicators of Behavior (IOBs) on the endpoint -- the more subtle chains of malicious behavior that can reveal an attack at its earliest stages, which is essential to stopping advanced campaigns such as the recent supply chain attacks like SolarWinds and the HAFNIUM attacks against Microsoft Exchange.

Cybereason EDR can then initiate an automated response to remove or mitigate the threat and notify IT security personnel, and also provides telemetry and forensic data that provides crucial context for incident response and forensic investigations into the event.

XDR (Extended Detection and Response)

EDR is a significant improvement over traditional antivirus and antimalware endpoint security solutions. However, attacks today are often more complex and more sophisticated than an exploit on a single endpoint, which makes the scope of EDR too myopic to effectively defend against a broader malicious operation. XDR takes the Indicators of Behavior (IOB) concept from EDR, but widens the scope to the modern distributed IT environment.

This includes integrations with email, productivity suites (e.g. Microsoft & Google), network data, and cloud infrastructure. Comprehensive monitoring across the entire attack surface allows Cybereason XDR to identify patterns and detect potential threats on a broader scale, connecting the dots between seemingly disparate or innocuous events to recognize indicators of behavior and take action to prevent or stop threats.

Cybereason XDR breaks down data silos and unifies device and identity context for faster, more effective threat detection and response, and can be an extremely effective technology to enable organizations to reverse the attacker advantage and end malicious operations by extending detection and response capabilities across the entire enterprise environment.
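To make the contrast drawn in the EDR and XDR sections concrete (hash-based IOC matching failing against a recompiled payload, while a behavior chain correlated across email, endpoint and identity telemetry still surfaces the operation), here is an added Python example. It is not code from the original post or from any Cybereason product. The events, hostnames, hashes and IP addresses are constructed placeholders, and the stage names, the ten-minute correlation window and the office-app/shell lists are assumptions chosen only to illustrate the idea.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    source: str        # telemetry origin: "email", "endpoint" or "identity"
    ts: datetime
    host: str
    user: str
    kind: str          # "attachment_open", "process_start", "net_connect", "login"
    detail: dict = field(default_factory=dict)


T0 = datetime(2021, 5, 27, 9, 0, 0)

# Constructed sample telemetry. Hashes, hosts and addresses are placeholders, not real IoCs.
EVENTS = [
    # wks-01: a macro document spawns a shell that connects out; the same user then
    # logs in from a new location a few minutes later.
    Event("email", T0, "wks-01", "alice", "attachment_open",
          {"file": "invoice.docm", "sha256": "aaaa0001"}),
    Event("endpoint", T0 + timedelta(seconds=30), "wks-01", "alice", "process_start",
          {"parent": "WINWORD.EXE", "image": "powershell.exe", "sha256": "bbbb0002"}),
    Event("endpoint", T0 + timedelta(seconds=45), "wks-01", "alice", "net_connect",
          {"image": "powershell.exe", "dest": "203.0.113.10:443"}),
    Event("identity", T0 + timedelta(minutes=5), "wks-01", "alice", "login",
          {"src_ip": "198.51.100.7", "new_location": True}),
    # wks-02: an admin opens PowerShell from Explorer and makes an ordinary connection.
    Event("endpoint", T0 + timedelta(minutes=1), "wks-02", "bob", "process_start",
          {"parent": "explorer.exe", "image": "powershell.exe", "sha256": "bbbb0002"}),
    Event("endpoint", T0 + timedelta(minutes=2), "wks-02", "bob", "net_connect",
          {"image": "powershell.exe", "dest": "192.0.2.5:443"}),
]

# Constructed blocklist. The payload was recompiled, so no hash above matches it.
KNOWN_BAD_HASHES = {"ffff9999"}

# Assumed parent/child pairs that make up the "office app spawns a shell" stage.
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELLS = {"powershell.exe", "cmd.exe"}
WINDOW = timedelta(minutes=10)   # assumed correlation window


def ioc_hits(events, known_hashes):
    """Classic IOC matching: flag any event whose file hash is on the blocklist."""
    return [e for e in events if e.detail.get("sha256") in known_hashes]


def detect_behavior_chains(events, window=WINDOW):
    """Correlate cross-source telemetry into behavior chains, one summary per host.

    Core chain: an office app spawns a shell, and that shell makes an outbound
    connection within the window. The chain is enriched with an earlier email
    attachment open and a later login from a new location for the same user,
    which is the cross-source "connecting the dots" the text describes.
    """
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)

    chains = []
    for host, evs in by_host.items():
        for spawn in evs:
            if (spawn.kind != "process_start"
                    or spawn.detail.get("parent") not in OFFICE_APPS
                    or spawn.detail.get("image") not in SHELLS):
                continue
            later = [e for e in evs if spawn.ts <= e.ts <= spawn.ts + window]
            beacon = next((e for e in later if e.kind == "net_connect"
                           and e.detail.get("image") == spawn.detail["image"]), None)
            if beacon is None:
                continue
            stages = ["office_spawns_shell", "shell_net_connect"]
            earlier = [e for e in evs if spawn.ts - window <= e.ts < spawn.ts]
            if any(e.kind == "attachment_open" and e.user == spawn.user for e in earlier):
                stages.insert(0, "email_attachment_open")
            if any(e.kind == "login" and e.user == spawn.user
                   and e.detail.get("new_location") for e in later):
                stages.append("login_new_location")
            chains.append({"host": host, "user": spawn.user,
                           "sources": sorted({e.source for e in earlier + later}),
                           "stages": stages, "dest": beacon.detail.get("dest")})
    return chains


if __name__ == "__main__":
    print("IOC hits:", ioc_hits(EVENTS, KNOWN_BAD_HASHES))        # empty: hash never seen before
    for chain in detect_behavior_chains(EVENTS):
        print("Behavior chain:", chain)                           # wks-01 only; wks-02 is benign
```

The hash check returns nothing because the payload was recompiled, exactly the failure mode described above, while the chain detector flags wks-01 by tying together three telemetry sources and leaves the admin's ordinary PowerShell use on wks-02 alone. In a real deployment the stage definitions would be far richer and tuned to the environment; the point of the example is only the shape of the correlation.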

Conclusion

Each of these tools has played a role in evolving and expanding cybersecurity protection. A good XDR solution provides comprehensive monitoring of the entire attack surface. Broad visibility enables XDR to identify patterns and detect potential threats--connecting the dots between seemingly disconnected or innocuous events and activities to recognize indicators of behavior and take immediate action to stop threats.

Effective XDR enables organizations to reverse the attacker advantage and end malicious operations quickly. Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Eric Sun

Eric Sun is a Product Director at Cybereason, focused on helping security teams measure and improve their resilience against modern threats. Eric works closely with the Nocturnus research team and global SOCs to understand emerging attack campaigns and evolving best practices. He brings a layer of behavior analytics and risk management from his many years in Asia as a professional poker player.
