IT security teams face an ongoing challenge: how best to collect event data from every corner of their IT infrastructure and turn it into threat intelligence to prevent or stop cyber attacks. After all, the output from any system that processes data is only as good as the input.
To help security teams out, vendors have released successive generations of products -- and a host of acronyms -- that aggregate and analyze security events. Each product tries to solve the shortcomings of its predecessors by improving event data collection and interpretation and shortening attack detection and response times.
Security teams today can choose among security information and event management (SIEM), security orchestration, automation and response (SOAR), and extended detection and response (XDR) products.
To start, here is a definition of each:
Gartner's definitions of SIEM, SOAR and XDR are fairly similar. SIEM "supports threat detection, compliance and security incident management through the collection and analysis of security events, as well as a wide variety of other event and contextual data sources." SOAR enables "organizations to collect inputs monitored by the security operations team." XDR is "a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components."
Determining the differences among these options -- and figuring out which would best suit their enterprises -- is a challenge for security teams, to say the least.
SIEM collects event data but requires manual effort
The initial driver behind SIEM products in 2005 was compliance reporting. First-generation SIEM systems aggregated log data generated by applications, endpoints and network devices.
Although they combined security information management and security event management functions, these SIEM platforms offered limited incident response and visualization. Such systems analyzed event data from preventive technologies, such as antivirus software, intrusion detection systems and firewalls. This made it hard to detect a sophisticated attack, particularly because events from different sources weren't correlated. Threat analysis was often difficult and time-consuming. Threat detection rules had to be set manually. Growth in network traffic pushed event counts past static threshold values, triggering an excessive number of alerts that required manual analysis to eliminate false positives.