IT security teams face an ongoing challenge: how best to collect event data from every corner of their IT infrastructure and turn it into threat intelligence to prevent or stop cyber attacks. After all, the output from any system that processes data is only as good as the input.

To help security teams out, vendors have released successive generations of products -- and a host of acronyms -- that aggregate and analyze security events. Each product tries to solve the shortcomings of its predecessors by improving event data collection and interpretation and shortening attack detection and response times.

Security teams today can choose among security information and event management (SIEM), security orchestration and response (SOAR), and extended detection and response (XDR) products.

To start with, let’s start with definition of each:

Gartner's definitions of SIEM, SOAR and XDR are fairly similar. SIEM "supports threat detection, compliance and security incident management through the collection and analysis of security events, as well as a wide variety of other event and contextual data sources." SOAR enables "organizations to collect inputs monitored by the security operations team." XDR is "a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components."

Determining the differences among these options -- and figuring out which would best suit their enterprises -- is a challenge for security teams, to say the least.

SIEM collects event data but requires manual effort

The initial driver behind SIEM products in 2005 was compliance reporting. First-generation SIEM systems aggregated log data generated by applications, endpoints and network devices.

Although a combination of security information management and security event management functions, these SIEM platforms provided limited incident response and visualization. Such systems analyzed event data from preventive technologies, such as antivirus software, intrusion detection systems and firewalls. This made it hard to detect a sophisticated attack, particularly as events from different sources weren't correlated. Threat analysis was often difficult and time-consuming. Threat detection rules had to be set manually. Network traffic increased static threshold values, triggering an excessive amount of alerts that required manual analysis to eliminate false positives.

To improve upon itself, second-generation SIEM technology added support for big data and real-time event analysis. Next came machine learning and behavioral analytics plugins to create baselines of normal user and device behavior. This made it easier to identify anomalies, reducing the time between compromise and discovery.

Despite their advances, the sheer volume of alerts from SIEM platforms still overloaded security teams. Teams demanded tools that could enhance the quality of alerts and automate responses.

SOAR simplifies manual remediation efforts

SOAR tools emerged in 2015 to improve SIEM platforms. They aimed to enrich event data, simplify the identification of critical incidents and automate response actions to specific events or triggers. The goal was to speed up remediation and only escalate threats when human intervention was required.

SOAR tools ingest data from multiple sources, such as threat intelligent feeds on the latest attack signatures and phishing emails. This requires integration with other security tools, and teams still must set playbooks, custom alert levels and response measures.

Some SIEM vendors have added SOAR features to their products to compete against standalone SOAR tools. However, maintaining visibility across an entire network remains a problem for security teams as modern IT infrastructures and applications continue to sprawl. In addition, a drawback of SIEM and SOAR platforms is they rely heavily on siloed security products. This can lead to alerts based on incomplete or poorly correlated information, often causing unnecessary disruption to systems and users.

/ Will XDR replace or unite with SIEM and SOAR?

XDR is the latest attempt by security vendors to improve threat detection and response times. Emerging in 2018 and gaining steam over the past year, it centralizes and normalizes data from all connected sources, including users, the network, and wherever data and applications reside. XDR's goal is to correlate all security data and alerts and provide a centralized incident detection and response capability with comprehensive monitoring across the entire attack surface.

 

XDR integrates a range of investigative tools, behavioral analytics and automated remediation capabilities -- which have traditionally been point security products -- into a single platform with a strong focus on advanced threat detection and tailored responses.

While the latest generation of SIEM tools may offer XDR capabilities, they -- like SOAR platforms -- are often add-ons and plugins that require configuring and tuning. However, XDR does not have the log management, retention and compliance capabilities of SIEM, so it's important to find an XDR platform that can integrate with existing security controls or has an open architecture.

 

Whether organizations choose to deploy a disparate set of products or a unified platform, they will need log management and retention tools and an automated threat detection and response capability to keep systems and data secure and compliant. The systems chosen will also need some integration, configuration and fine-tuning to detect and respond to security incidents effectively and efficiently.

XDR will compete head to head with security analytics platforms (and SIEMs) for threat detection, investigation, response, and hunting. Security analytics platforms have over a decade of experience in data aggregation they apply to these challenges, but have yet to provide IR capabilities that are sufficient at enterprise scale, forcing enterprises to prioritize alternate solutions. XDR is rising to fill that void through a distinctly different approach anchored in endpoint and optimization.

Gartner has proposed a new vision for security orchestration that aims to overcome the limitations of SIEM, SOAR and XDR.

Called the cybersecurity mesh, the vision – not yet an actual product – combines core distributed policy enforcement and “pluggable, composable tools that can be plugged anywhere into the mesh,” Gartner analyst Ruggero Contu said at last year’s Gartner Security & Risk Management Summit.

The mesh fabric enabler technology uses foundational services such as:

• Centralized policy management and orchestration
• Security analytics, intelligence and triggers
• A distributed identity fabric

Gartner analyst Felix Gaehtgens says the strategy better aligns organizations with threats by eliminating the siloed focus of current cybersecurity tools. The mesh approach could reduce the cost of security incidents by 90%, he says.
Instead of SIEM, SOAR and XDR integrating security tools, the security mesh will use security analytics, intelligence, identity, policy, posture and a dashboard layer.