How XDR can help to extract more value from your SIEM

As an emerging security technology, extended detection and response (XDR) is gaining the attention of organisations around the world.

XDR involves bringing together telemetry from endpoints, networks and cloud resources, and combining it with context such as user activity patterns. It allows security teams to have a better focus on detecting and responding to incidents such as compromised credentials that could lead to a security breach.

As such, XDR can be seen as an important extension of the established endpoint detection and response (EDR) capability that’s already in place within many organisations. Should they have a network detection and response (NDR) tool, organisations will not miss an attacker that may be trying to get a foothold via their network infrastructure.

The need for XDR capability continues to grow because phishing attacks are increasing in number and sophistication, as are the threats posed by hacking and ransomware. As a result, organisations need the capability to automatically scan for threats and alert security teams should action be required.

The importance of XDR is also being driven by wider adoption of cloud-based resources. Security teams need to have a way to bring more telemetry signals to the central system of a security information and event management (SIEM) to monitor a complex and expanded IT infrastructure.

A third driving force is the chronic shortage of IT security professionals around the world. This is leading existing teams to have to do more with less and find additional ways to improve their productivity. XDR is primarily designed for deep set analytics, to first rapidly identify a threat and then rapidly remediate it. Security teams who are seeing more alerts than they can handle from their legacy SIEMs will benefit greatly from an XDR.

A complementary tool

XDR is not a single technology but rather a combination of different tools and techniques. It can also complement a range of other security platforms that an organisation may already have in place.

VIEW ALL

For a security team to be able to rapidly identify a threat, it needs access to large amounts of data. This includes security device logs, application logs, machine data and network traffic.

Data can be drawn from many locations within an IT infrastructure – and ingested into an advanced SIEM – and the sophisticated analytics capabilities of XDR can then be used to sift through it and identify any security issues.

Using XDR, security teams can gain a much clearer picture of what is happening across their organisations. This, in turn, means they will be able to respond more quickly should an attack take place.

Threat detection

The team also needs visibility into all cloud resources in use across the organisation. Without this visibility, it is impossible to have a complete picture of what is going on and who might have gained access to the IT infrastructure.

Another area in which the security team requires effective visibility is their user base. The team needs to understand what represents usual working patterns so that unusual and potentially disruptive activity can be readily identified and investigated. Hybrid XDRs give the option of either using the user and entity behaviour analytics (UEBA) capability within the platform or go with the team’s preferred UEBA tool.

Once all this data is available from a SIEM, XDR can be put to work to monitor and respond to attacks. According to industry research, organisations with an automated threat hunting solution in place can reduce the time taken to detect an incident from 41 hours to 10 hours and the time taken to investigate from 38 hours to 16 hours.

Augmenting SIEM

SIEM platforms have already been deployed by many organisations as part of a comprehensive protection strategy. For this reason, XDR should be seen as an additional element that augments a SIEM rather than something that replaces it.

By itself, a SIEM delivers centralised visibility, however it can be limited by wide and shallow data sets and high volumes of alerts. With XDR in place, fewer and more contextualised alerts are sent to the SIEM for human investigation. In this way, SIEM and XDR can work together to deliver a much better security outcome.

With the volume of cyber threats increasing by the day, security teams need to be as efficient and responsive as possible. By taking advantage of XDR, they will be much better placed to provide their organisations with the protection and support that they require.

Joanne Wong, vice-president, international marketing APAC and EMEA at LogRhythm.