As you can probably infer from the title, I’m wondering what the key differences are between running SIEM + EDR vs. an XDR platform (for example, Defender XDR, Sophos Intercept X Advanced, etc.)
I feel like there’s a LOT of snake oil in the cybersecurity market today. Does an XDR platform replace the need for a SIEM? I’m under the impression that it doesn’t, but the way in which some popular vendors describe their XDR platforms, they make it sound as if XDR is a one-stop shop for all your typical SIEM and EDR needs…
Does anyone have hands-on experience with XDR platforms and can highlight their shortcomings compared to popular SIEM tools?
I’ve been trying to wrap my head around how much overlap there really is between a traditional SIEM + EDR setup and XDR.
Some platforms pitch XDR like it’s an all-in-one replacement. But if you already have a solid SIEM and EDR in place, is there any real benefit to switching to XDR? Or is it mostly just bundling, branding, and dashboards?
Would love to hear from anyone who’s actually worked with both. What limitations did you run into with XDR that a traditional SIEM setup handled better (or the other way around)?
First of all, sorry for the lack of a better title. What I want to discuss in this post is where the Threat Detection and Response (TDR) market is headed.
I use TDR to describe the ability to detect and respond to a breach, whether that's through the use of SIEM, EDR, NDR, XDR, SOAR, internal SOC, MDR service etc.
I am also aware that there is not a single right solution and it will depend on the environment.
Before the golden era of EDR began, Detection and Response capabilities were centralized on a traditional SIEM solution like Splunk, ingesting and normalizing system event logs like Windows event log, Sysmon, firewall logs etc. and then building detection rules on these.
With the evolution of EDR, it has become a central part of TDR for some organisations while for some, the SIEM is still the central part. Before you comment that it doesn't have to be one or the other, read the whole post.
You always have to consider what is enough and what is the ROI.
Using an EDR tool like CrowdStrike, SentinelOne or Defender for Endpoint is almost plug and play (compared to SIEM) and creates relatively few, high value alerts to investigate. Using a SIEM requires a lot of work (to be done right) configuring and tuning detection rules. It is also very expensive, both license cost and time spent managing it. You will probably produce a lot more alerts than an EDR to investigate as well.
If you are an in-house SOC and you have very good control of what's going on in your network and spend a lot of time developing anomaly detections in the SIEM you can get a lot of value there. What I'm interested in is an MSSP that creates "general" detections that are applicable to all your customers.
Based on incidents you've had and purple team exercises, do you have a rough idea of how much is detected by EDR vs by SIEM detection? Suppose you're running CrowdStrike+Splunk, Defender+Sentinel or similar. My experience is that the majority of attacks are detected by the EDR. Considering the investment in the SIEM platform is much bigger than the EDR, this makes it hard to justify the ROI on SIEM. Maybe we can say that EDR is "enough" for TDR and spend the SIEM budget on a different area of cybersecurity than TDR and get a better ROI, with the return being how secure we are in total.
What I haven't factored in here is investigation and threat hunting capabilities. Here we have lots of value in the SIEM but still, with EDRs like CS, S1 and MDE (especially S1) you have a lot of endpoint activity logs to use for investigation at a substantially lower price than SIEM logs. And the amount of information and visualisation of alerts in the EDR platforms cannot be compared to the endpoint visibility you get with Windows event logs or even Sysmon in a SIEM. Despite that, if you still think the main value of a SIEM is the visibility for investigation and threat hunting since you can ingest all types of logs, EDR vendors are looking to solve this with both S1, CS and other vendors releasing "next-gen SIEM" solutions that have cheaper log storage, giving us a much simpler SIEM but fully capable of fast log search for investigation and threat hunting.
The evolution of these EDR vendors into XDR vendors, adding capabilities for a larger attack surface like email, identity and network, SOAR capability, third-party alert and response action integrations etc., is further taking away the selling points for traditional SIEMs like Splunk and Sentinel. These functionalities are developed by the vendors and are easy to set up compared to configuring it in SIEMs or developing it in SOARs like Swimlane or Google SecOps.
With that said, can you justify the spend on traditional SIEMs like Splunk and MS Sentinel compared to XDR solutions like CrowdStrike and SentinelOne?
Microsoft is a bit special since they are coming from both SIEM Sentinel and EDR->XDR with Defender.
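The post above describes the classic SIEM pipeline (ingest Windows event log, Sysmon and firewall logs, normalize them, then write detection rules on top) and argues that this tuning work is where the SIEM cost goes. As an added example, not code from the post or from any vendor named in it, the toy pipeline below normalizes three constructed record formats into one schema and runs a cross-source correlation rule that an endpoint-only EDR would have no firewall data for; all event values, hostnames, field names and the port allowlist are made up for illustration.

```python
"""Toy SIEM pipeline: normalize Windows / Sysmon / firewall records into one
schema, then run a cross-source correlation rule over the normalized stream."""
from datetime import datetime, timedelta

# Constructed sample events (hypothetical formats, not from a real environment).
RAW_EVENTS = [
    {"source": "winevt", "EventID": 4688, "Computer": "WS01", "TimeCreated": "2024-05-01T10:00:00",
     "NewProcessName": r"C:\Users\alice\Downloads\setup.exe"},
    {"source": "sysmon", "EventID": 1, "Computer": "ws02", "UtcTime": "2024-05-01 10:00:05.000",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"source": "fw", "line": "2024-05-01T10:00:30 host=ws01 action=allow proto=tcp dst=203.0.113.9 dport=8443"},
    {"source": "fw", "line": "2024-05-01T10:05:00 host=ws02 action=allow proto=tcp dst=203.0.113.9 dport=443"},
]

def normalize(raw):
    """Map each vendor-specific record onto a common schema; this per-source
    field mapping is the configuration effort the post attributes to SIEMs."""
    src = raw["source"]
    if src == "winevt" and raw["EventID"] == 4688:            # Windows Security: process created
        return {"ts": datetime.fromisoformat(raw["TimeCreated"]), "host": raw["Computer"].lower(),
                "type": "process_create", "process": raw["NewProcessName"]}
    if src == "sysmon" and raw["EventID"] == 1:               # Sysmon: process created
        return {"ts": datetime.strptime(raw["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
                "host": raw["Computer"].lower(), "type": "process_create", "process": raw["Image"]}
    if src == "fw":                                           # firewall: key=value text line
        fields = raw["line"].split()
        kv = dict(f.split("=", 1) for f in fields[1:])
        return {"ts": datetime.fromisoformat(fields[0]), "host": kv["host"].lower(), "type": "net_conn",
                "dst": kv["dst"], "dport": int(kv["dport"]), "action": kv["action"]}
    return None  # unknown source: dropped, a real SIEM would count this as a parse failure

def detect(events, window=timedelta(seconds=60), ok_ports=(80, 443)):
    """Rule: a process start on a host followed within `window` by an allowed outbound
    connection from the same host to a port outside the allowlist. Needs both the
    endpoint and the firewall stream, which is the cross-source case a SIEM serves."""
    norm = sorted((e for e in map(normalize, events) if e), key=lambda e: e["ts"])
    hits = []
    for conn in (e for e in norm if e["type"] == "net_conn" and e["action"] == "allow"):
        if conn["dport"] in ok_ports:
            continue
        for proc in (e for e in norm if e["type"] == "process_create" and e["host"] == conn["host"]):
            if timedelta(0) <= conn["ts"] - proc["ts"] <= window:
                hits.append((conn["host"], proc["process"], conn["dst"], conn["dport"]))
    return hits

if __name__ == "__main__":
    for hit in detect(RAW_EVENTS):
        print("ALERT host=%s process=%s dst=%s:%d" % hit)
```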