XDR vs SIEM vs SOAR: Strengthening Cybersecurity


What Is SIEM?

According to Microsoft, security information and event management is a software solution that helps organizations detect, analyze and report security threats. SIEM is essentially a platform for log management analysis and real-time monitoring. It collects and logs information and threat data from various sources within an organization’s IT infrastructure (end-user devices, servers, network equipment, firewalls, anti-virus software, etc.) and houses it all in one centralized environment to streamline security operations.

SIEM also helps ensure that organizations remain compliant with security policies and regulations. IBM adds that with its real-time monitoring capabilities, SIEM can help organizations recognize potential threats before they disrupt operations. It does this by combining two disciplines:

  • Security information management (SIM), which involves collecting data from files for analysis and reports on security events
  • Security event management (SEM), which conducts real-time monitoring and notifies IT operators of active threats

“The easiest way to think about it is that SIEM is used for the detection of threats,” says Chris Meenan, vice president of security product management at IBM.

It’s helpful to think of SIEM as a security room, says Fadi Fadhil, field chief technology officer at Palo Alto Networks. Picture a room that has a wall of screens displaying surveillance camera footage from all over a building. The cameras monitor everything going on in the building, and any movements, events or potential threats are logged by security guards in real time.

The same principles apply to SIEM, only its IT operators are working in a security operations center (SOC), not a security room, managing cyberthreats through a SIEM platform instead of monitoring physical threats.

What Is SOAR?

According to Palo Alto Networks, security orchestration, automation and response is a software solution that aims to execute and automate security operations on a single platform. By integrating with various tools to streamline security alerts and responses, SOAR can help organizations better respond to cyberattacks and understand existing vulnerabilities to prevent future incidents.

A SOAR solution is designed to lighten the burden on IT teams by activating automated responses to a number of security events. SOCs can use SOAR playbooks to create incident response workflows instead of dealing with every alert separately on a case-by-case basis.

An incident response playbook outlines steps to take in the event of a security event, including whom to inform and how to deal with particular attacks. SOAR solutions feature playbook automation and case management integration with external threat intelligence sources, and they ingest alerts and automate response workflows.

SOAR also uses machine learning to analyze threats and activate the appropriate incident response playbook. Essentially, SOAR automates what SOC analysts would do traditionally.

Fortinet adds that “SOAR combines three software capabilities: the management of threats and vulnerabilities, responding to security incidents, and automating security operations.”

LEARN MORE: Why some states are ramping up cyber incident reporting.

How Do Agencies Use SOAR vs. SIEM?

SIEM and SOAR are two sides of the same coin, with the former being about threat detection and analysis and the latter about incident response, Meenan says. SIEM responds to threats with a human-first approach, while a SOAR solution automates responses.

State and local governments often use SIEM and SOAR together. A SIEM solution can integrate with a SOAR solution, and agencies are beginning to see a convergence of SIEM and SOAR solutions, although some stand-alone SOAR tools remain available. When they’re connected, SOAR can take threat data that a SIEM solution collects and use it to trigger an automated incident response playbook to eliminate threats.

“SIEM is used for threat detection, and SOAR is used for the response,” Meenan says. “The SIEM solution is generating alerts, while the SOAR solution typically is taking those alerts, then providing tasks and automation for the analysts to effectively resolve them.”

In today’s threat landscape, SOAR is needed for effective cybersecurity, experts say.

The concept of SIEM solidified in 2005 when Gartner coined the term in a report. As years went by, SIEM’s functionality became limited; there were no SIEM playbooks or workflow automations to help IT analysts triage and respond to threats. Playbooks became imperative from both a regulatory and risk management perspective. SIEM also couldn’t capture metrics — such as how many attacks an organization faced, the kind of attacks, and how long it took to respond — but SOAR can do these things.

“Security is much bigger than it was back in 2005 or 2006,” Meenan says. “The implications of a security incident are far broader and far more impactful for businesses. SIEMs didn’t have playbooks, and that became a big missing piece. The second piece was automation, and the third was measurement.”

EXPLORE: Why smart city strategies must balance progress and privacy.

What Is XDR?

Extended Detection and Response is an evolved version of endpoint detection and response. Whereas EDR protects only a particular device (the endpoint), XDR provides holistic protection against cyberattacks, focusing on threat detection and response across multiple security layers, integrating and analyzing data from various security tools such as endpoints, network traffic and cloud security platforms.

Essentially, XDR consolidates all of this information to give administrators a holistic view of potential threats across all security layers, enabling centralized investigation, response and automation to address sophisticated threats. According to CrowdStrike, XDR streamlines security data collection, analysis and prevention workflows across an agency’s security stack and provides IT teams with a single console to view and act on threat data.

Say a government IT specialist detects a compromised device that’s infecting other devices. The specialist quarantines the device and tracks that the infection came through network traffic. The specialist then blocks a certain website or set of packets that is being spread through a cloud resource — not only treating the symptoms of the infection but also snuffing out its source.

“You’re only able to do this by having all these elements working together,” Fadhil says. “XDR is comparable to a home security system that goes beyond just cameras and implements motion sensors and door and window alarm systems. These systems work together to detect any unusual activity and get an immediate response.”


Leave a Reply

Your email address will not be published. Required fields are marked *