Will Extended Detection and Response (XDR) supplant SIEM solutions in enterprise cybersecurity? What does the future hold for threat hunting and detection-oriented security technologies?
XDR is carving out space in the cybersecurity marketplace that is both wholly new and recognizable from other categories. It offers capabilities reminiscent of SOAR, EDR, and even SIEM, yet it is a category all its own, and a growing one. Because it is so new, it remains something of a mystery to both outside observers and cybersecurity professionals.
What is XDR? How might it supplant SIEM? What does the future hold?
Will XDR Supplant SIEM?
What is XDR?
XDR refers to a unified security incident and response platform that automatically collects and correlates data from proprietary security components. In other words, you can think of it as a platform that aggregates the security events collected by SIEM, EDR, and identity management tools; it puts them under a single pane of glass, offering a holistic cybersecurity perspective over the entire network.
Further, XDR can cross environments and centralize normalized data, bridging potential gaps in security visibility.
According to Mr. Valovcin, “XDR pulls together proprietary sensors. Some might be good on the endpoint, others on the network. But because they are siloed, you see them as individuals, not as part of a broader event.”
Additionally, Mr. Chesla states, “The main idea is to find advanced attacks hidden in silos.” XDR, in his expert opinion, answers questions such as “who are all the entities involved as part of this attack? What is the relationship between them? What are their roles? Do they carry sensitive information? So it provides an element of contextualization.”
XDR and SIEM
The relationship between XDR and SIEM is a little difficult to parse. XDR relies on SIEM to some degree, pulling critical information from it. Yet XDR provides the overarching visibility that only comes from uniting the findings of multiple security solutions under a single pane of glass. It interacts with more tools and aggregates more security events.
XDR also addresses a critical challenge found in most SIEM solutions: alerting and context. SIEM generates alerts to help investigators find the sources of security events faster, thus also speeding up response times. However, without contextualization and proper configuration in place, SIEM can easily flag non-malicious activity as a security event.
False positive alerts clog up security workflows and investigations, wasting valuable time and energy and potentially obscuring real attacks. XDR’s greater contextualization can help prevent that from happening, or at least greatly reduce the number of false positives received.
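To make the cross-silo correlation described by Mr. Chesla and the false-positive reduction above concrete, here is an added toy example (not from the original post or any vendor's product): alerts from three siloed sensors are normalized onto one schema, chained together by shared host or user, and only clusters corroborated by two or more silos are escalated. The sensor names, field names and sample alerts are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample alerts from three siloed sensors; field names are hypothetical.
RAW_EVENTS = [
    {"sensor": "edr", "ts": "2021-09-14T10:00:00", "hostname": "ws-17",
     "account": "jdoe", "detail": "suspicious child process"},
    {"sensor": "network", "ts": "2021-09-14T10:03:00", "src_host": "ws-17",
     "detail": "beaconing to external address"},
    {"sensor": "identity", "ts": "2021-09-14T10:04:00", "user": "jdoe",
     "detail": "new device MFA enrollment"},
    {"sensor": "edr", "ts": "2021-09-14T15:30:00", "hostname": "ws-42",
     "account": "asmith", "detail": "office macro execution"},
]

def normalize(ev):
    """Map each sensor's own field names onto one shared schema."""
    return {"sensor": ev["sensor"], "time": datetime.fromisoformat(ev["ts"]),
            "host": ev.get("hostname") or ev.get("src_host"),
            "user": ev.get("account") or ev.get("user"),
            "detail": ev["detail"]}

def correlate(events, window=timedelta(minutes=15)):
    """Chain alerts that share a host or user within the window into one cluster."""
    clusters = []
    for e in sorted((normalize(x) for x in events), key=lambda n: n["time"]):
        target = None
        for c in clusters:
            linked = e["host"] in c["hosts"] or e["user"] in c["users"]
            if linked and e["time"] - c["last"] <= window:
                target = c
                break
        if target is None:
            target = {"events": [], "hosts": set(), "users": set(), "last": e["time"]}
            clusters.append(target)
        target["events"].append(e)
        target["last"] = e["time"]
        if e["host"]:
            target["hosts"].add(e["host"])
        if e["user"]:
            target["users"].add(e["user"])
    return [summarize(c) for c in clusters]

def summarize(c):
    """Escalate only when two or more silos corroborate; a lone alert goes to review."""
    sensors = sorted({e["sensor"] for e in c["events"]})
    return {"verdict": "incident" if len(sensors) >= 2 else "review",
            "sensors": sensors,
            "entities": {"hosts": sorted(c["hosts"]), "users": sorted(c["users"])},
            "alerts": [e["detail"] for e in c["events"]]}
```

Running `correlate(RAW_EVENTS)` yields one incident tying the endpoint, network and identity alerts to host ws-17 and user jdoe, and one single-silo alert on ws-42 left for analyst review rather than raised as an incident.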
So the reality is that your enterprise could benefit from both SIEM and XDR, with neither looking to supplant the other. However, the future holds infinite surprises, and it’s certainly worth watching these cybersecurity categories closely.
For more, check out the SIEM Buyer’s Guide.