Laura

20/08/2022

XDR vs SIEM – Which is Better?

Compare these two definitions from PCMag Encyclopaedia: Software that “collects and analyses data from multiple sources, including internal as well as external traffic” and “software tools that manage, analyse and correlate multiple sources of security information and log files in a network.”

Both sound the same. Yet one refers to extended detection and response (XDR), and the other one describes security information and event management (SIEM).

With XDR still a relatively new technology, spotting the difference between these two security solutions can be a challenge. While some believe that XDR is merely a rebranding of SIEM (or SIEM 3.0), others are adamant that XDR is a “game-changer” that can solve SIEM’s many shortcomings. However, the reality is that although XDR might replace SIEM in the future, right now the two technologies serve different functions. And each technology has its own problems.

For organisations looking for a cost-effective way of improving their threat detection and response capabilities, neither XDR nor SIEM is ideal. Instead, other security products, including SenseOn’s security automation platform, can offer better performance at a lower cost of ownership.

The Many Shortcomings of SIEM

Coined by Amrit Williams and Mark Nicolett of Gartner in 2005, security information and event management, or SIEM for short, describes a category of tools that collect and aggregate large volumes of event and log data from different sources within the same network. 

In this way, SIEM technology can give defenders centralised visibility and analysis across tools like endpoint detection and response (EDR), network detection and response (NDR), and so on. In theory, this makes it easier to identify and remediate threats faster. Almost three-quarters of SOC teams today view SIEM as an integral part of their organisation’s security posture.

However, the reality of traditional SIEM solutions tends to make life harder for security operations staff. In a recent survey by Panther Labs that asked over 400 security professionals (including CISOs, security analysts, and incident response professionals) about the biggest obstacles they face when interacting with SIEM solutions, nearly one in four cited too many alerts. Close to one in ten also mentioned false positives, whether generated by the product itself or by rules written by the team. Investigating false positives is not only a huge waste of time and resources; the resulting alert fatigue can also lead to security teams missing real cyberattacks.

Adding to the problem is that SIEM alerts do not always provide enough context for investigation by themselves. For security teams, knowing that something happened but not knowing how or why makes differentiating between malicious and legitimate activity more difficult.

And, even though SIEMs are supposed to provide a “single pane of glass” view into an organisation’s environment, as companies introduce more devices (including IoT) and applications and the problem of shadow IT gets worse, many SIEMs simply can’t keep up with these more complex infrastructure models. Around 14% of security professionals say they lack visibility across on-premises and cloud environments. Enter XDR.

XDR to the Rescue?

SIEM tools (and the security orchestration, automation, and response (SOAR) tools that aim to augment them) work by tying together data from siloed products, which often results in alerts based on poorly correlated information. In contrast, extended detection and response (XDR) technology consolidates multiple products into a single, unified security solution.

Therefore, XDR platforms can automatically correlate and contextualise alerts from various security controls (spanning endpoints, networks, servers, and the cloud) into security incidents in real time, providing coordinated prevention, detection, and response capabilities.
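To make the difference between the two models concrete, here is an added example (not code from the original post, and not SenseOn’s or any vendor’s product logic) that runs the same constructed telemetry through both approaches. In the siloed model every rule match from every control becomes its own alert; in the correlated model events are grouped by the host they concern, joined when they fall within an assumed ten-minute window of each other, and prioritised by whether independent controls corroborate a multi-step chain. The host names, technique ids, timestamps and the window size are all illustrative assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed maximum gap between related events; tune per environment


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str     # originating control, e.g. "edr" or "ndr"
    entity: str     # host the event concerns; the key we correlate on
    technique: str  # MITRE ATT&CK technique id the rule maps to
    detail: str


@dataclass
class Incident:
    entity: str
    events: list[Event] = field(default_factory=list)

    @property
    def sources(self) -> set[str]:
        return {e.source for e in self.events}

    @property
    def techniques(self) -> list[str]:
        # Distinct technique ids in the order first seen, i.e. the observed attack chain.
        seen: list[str] = []
        for e in self.events:
            if e.technique not in seen:
                seen.append(e.technique)
        return seen

    @property
    def priority(self) -> str:
        # Two independent controls agreeing on a multi-step chain ranks highest;
        # a lone event from a single control is retained but not escalated.
        if len(self.sources) >= 2 and len(self.techniques) >= 3:
            return "high"
        if len(self.events) >= 2:
            return "medium"
        return "low"


def t(hhmmss: str) -> datetime:
    return datetime.fromisoformat(f"2022-08-20T{hhmmss}")


# Constructed sample telemetry for this example; not real data.
EVENTS = [
    Event(t("09:00:05"), "edr", "ws-17", "T1566.001", "outlook.exe spawned winword.exe on macro attachment"),
    Event(t("09:00:40"), "edr", "ws-17", "T1059.001", "winword.exe spawned powershell.exe with encoded command"),
    Event(t("09:01:00"), "edr", "ws-42", "T1059.001", "powershell.exe launched by SCCM agent"),
    Event(t("09:02:10"), "ndr", "ws-17", "T1071.001", "HTTP beacon to newly seen external domain"),
    Event(t("09:05:00"), "ndr", "srv-db", "T1071.001", "HTTP request to newly seen external domain"),
    Event(t("09:09:30"), "ndr", "ws-17", "T1021.002", "SMB session to srv-fs, first time for this host"),
]


def per_source_alerts(events: list[Event]) -> list[str]:
    """Siloed model: every rule match from every control is its own alert."""
    return [f"[{e.source}] {e.entity} {e.technique}: {e.detail}" for e in events]


def correlate(events: list[Event], window: timedelta = WINDOW) -> list[Incident]:
    """Group events by shared entity. An event joins the entity's open incident when it
    falls within `window` of that incident's previous event; otherwise a new one opens."""
    incidents: list[Incident] = []
    open_by_entity: dict[str, Incident] = {}
    for e in sorted(events, key=lambda x: x.ts):
        inc = open_by_entity.get(e.entity)
        if inc is None or e.ts - inc.events[-1].ts > window:
            inc = Incident(e.entity)
            incidents.append(inc)
            open_by_entity[e.entity] = inc
        inc.events.append(e)
    return incidents


def flagged(incidents: list[Incident]) -> list[Incident]:
    """Only corroborated incidents reach the analyst queue, highest priority first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted((i for i in incidents if i.priority != "low"), key=lambda i: rank[i.priority])


if __name__ == "__main__":
    print(f"{len(per_source_alerts(EVENTS))} siloed alerts")
    for inc in flagged(correlate(EVENTS)):
        print(inc.priority, inc.entity, sorted(inc.sources), " -> ".join(inc.techniques))
```

On this input the siloed model raises six alerts, three of them for hosts where nothing else happened. The correlated model produces one high-priority incident for ws-17 whose technique chain (phishing attachment, PowerShell, C2 beacon, SMB lateral movement) reads as a narrative an analyst can act on, and parks the two uncorroborated singletons at low priority. Shrinking the window splits the chain, which is the trade-off to keep in mind: a window sized for fast commodity malware will miss a slow operator.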

Theoretically, XDR is easier to set up and has fewer false positives than a SIEM. However, that doesn’t mean that XDR has rendered SIEM tools redundant. While Forrester predicts that XDR is on a “collision course” with SIEMs and might even replace them altogether in five years’ time or at least become “head-to-head competitors,” for the time being, the two technologies are destined to co-exist.

According to Gartner, in the short-term, at least, XDR solutions will likely be adopted by smaller companies that don’t have the resources to integrate best-of-breed tools with a SIEM platform overlay. Compared to larger enterprises, these kinds of organisations tend to find it more difficult to get proper value from a SIEM. The reason why is that SIEM use cases extend beyond threat detection and response to include risk analysis, compliance, and operational monitoring.

XDR vs SIEM: Where to Go From Here

As a tool for demonstrating a certain level of security maturity, SIEM can be invaluable for organisations that need to comply with cybersecurity regulations and standards. However, when relied upon for threat detection and response, SIEM often falls short. 

Even though 80% of firms might be using a SIEM in the hopes that it’ll help decrease their mean time to detect (MTTD) and mean time to respond (MTTR), studies show that many SIEMs detect fewer than five of the top 14 MITRE ATT&CK techniques used by cybercriminals.

Unsurprisingly, faster threat detection and containment is viewed as the top benefit of XDR by nearly 1 in 2 of the individuals who either currently use this technology or are familiar with it.

That being said, XDR is not a silver bullet. Experts are still debating its market maturity, the products it should encompass (“There’s no one way to implement XDR. It’s kind of a mishmash of the different products that the vendor supports,” says Allie Mellen of Forrester), and whether it should be “open” (i.e., vendor-agnostic) or “closed” (i.e., vendor-specific). Some have even gone so far as to call XDR “fancy product marketing.”

For anyone who likes the sound of what XDR promises but is not convinced by the current offerings, it’s worth looking beyond cybersecurity acronyms and toward clear-cut alternatives.

Founded in 2017, SenseOn’s self-driving cyber defence platform simplifies threat detection and response through security tool consolidation. Natively linking network and endpoint telemetry and investigator microservices metadata, SenseOn replaces NGAV, EDR, NDR, IDS, SIEM, and SOAR tools with one cohesive platform. As a result, organisations gain unparalleled, real-time visibility into their entire digital infrastructure.

SenseOn’s “Threat Triangulation” technology, which mimics the reasoning of human analysts, also reduces the number of false-positive alerts plaguing security professionals. Rather than bringing every suspicious behaviour to your team’s attention, SenseOn inspects data across your entire environment to see whether the security events are connected and tests them against real-world hypotheses via machine learning frameworks. Only alerts that indicate malicious activity are flagged, and each alert is mapped to the MITRE ATT&CK framework and prioritised by criticality. For advanced threats like ransomware, SenseOn Reflex will immediately isolate affected devices to stop the infection spreading across the network.
