Can XDR survive outside of SIEM?

blog + security solutions + SOC Z. Oualid today


XDR is one of the most confusing and poorly defined technologies currently on the market. It has evolved from EDR and NDR and now reaches some SIEM capabilities for broader detection and response. However, can an XDR survive outside of SIEM?

If the main focus of a company is to reduce the time to detect and respond to threats, then an XDR solution can survive in the network without a SIEM. However, if the main focus of the company is compliance, then a SIEM is required to work side by side with the XDR solution.

The XDR and SIEM solutions are very complementary and need to work together in the company network for better results. In this blog post I am going to explain in detail why having just an XDR solution in the network can be in some cases sufficient and when it is not.

When can XDR survive outside of SIEM, and why?

XDR and SIEM solutions are complementary and need to be implemented side by side. However, an XDR solution can be implemented alone before a SIEM. This implementation can be done if the company does not care too much about compliance.

A SIEM solution collects information from multiple devices in the network and generates an incident whenever an event matches a rule. The analyst then investigates those incidents using the available tools to eliminate false positives.

The main difference between a SIEM and an XDR is cross-domain correlation. In general, when we talk about XDR, we have multiple security solutions that first communicate with each other to get the context of each event and that also communicate with the XDR through alerts.

This kind of communication gives the XDR the cross-domain ability to automatically detect and investigate events and to produce only one alert for multiple events happening in the network. A SIEM, by contrast, will generate an alert for each suspicious event happening in the network.

Let me illustrate what I have just said with a realistic example. Suppose a hacker sends a malicious file by email to a user in the network. The user opens the file and a process on his computer starts scanning the network. Then another computer in the network starts brute-forcing another machine in the network.

In this case, the SIEM solution will probably generate at least 2 alerts: one for the scan and the other for the brute force.

The XDR in this case will generate only one alert after correlating all these events, identifying a cyber-breach that is ongoing in the network. In addition, the XDR will give you all the details needed to trace the different actions performed, at a fine level of granularity.
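The scenario above as a small added sketch (not code from any SIEM or XDR product): per-event rule matching yields two alerts, while linking events that share a user, file or host within a time window yields one incident that also carries the email and file-open context. The event records, entity labels, rule set and one-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed events from four telemetry sources (all names are made up).
EVENTS = [
    {"id": 1, "ts": "2021-06-01T09:00:00", "type": "attachment_delivered",
     "entities": {"user:alice", "file:invoice.xlsm"}},
    {"id": 2, "ts": "2021-06-01T09:05:00", "type": "file_opened",
     "entities": {"user:alice", "file:invoice.xlsm", "host:ws-01"}},
    {"id": 3, "ts": "2021-06-01T09:07:00", "type": "port_scan",
     "entities": {"host:ws-01", "host:ws-02"}},
    {"id": 4, "ts": "2021-06-01T09:30:00", "type": "brute_force",
     "entities": {"host:ws-02", "host:srv-01"}},
    {"id": 5, "ts": "2021-06-01T09:10:00", "type": "login_ok",  # unrelated activity
     "entities": {"user:bob", "host:ws-09"}},
]
RULES = {"port_scan", "brute_force"}   # event types a detection rule fires on
WINDOW = timedelta(hours=1)            # assumed correlation window

def siem_alerts(events):
    """SIEM-style: one alert for every event that matches a rule."""
    return [e["id"] for e in events if e["type"] in RULES]

def xdr_incidents(events):
    """XDR-style: merge events that share an entity within WINDOW (union-find),
    then report each merged group containing a rule hit as one incident."""
    parent = {e["id"]: e["id"] for e in events}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    ordered = sorted(events, key=lambda e: e["ts"])
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            gap = datetime.fromisoformat(b["ts"]) - datetime.fromisoformat(a["ts"])
            if gap <= WINDOW and a["entities"] & b["entities"]:
                parent[find(b["id"])] = find(a["id"])
    groups = {}
    for e in ordered:
        groups.setdefault(find(e["id"]), []).append(e)
    return [[e["id"] for e in g] for g in groups.values()
            if any(e["type"] in RULES for e in g)]

if __name__ == "__main__":
    print("SIEM alerts:", siem_alerts(EVENTS))
    print("XDR incidents:", xdr_incidents(EVENTS))
```

The linking only works because every source reports the same entity identifiers; when products name hosts or users differently, that normalization is the additional work needed before events can be tied together.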

When is having a SIEM beside an XDR required?

One of the key elements in all standards and requirements for securing an information system is to have a log management system. In this blog post, I will take the ISO recommendations as an example, as it is the most popular among companies.

According to this standard, all events about user access, errors, and all running applications in the network need to be recorded in a safe place. In addition, the log data should not be altered or removed by unauthorized persons. Moreover, all the systems in the network should be synchronized to have the exact same time.

In most cases, XDR solutions do not cover all these aspects. For example, when it comes to log retention, an XDR solution usually keeps the logs for a maximum of 6 months, which is too short in the case of a big breach where logs for the last 5 years might be required for investigations. Moreover, some XDR solutions store the logs in their own cloud, which may not be allowed by some countries' laws.

SIEM solutions offer all these capabilities with a local log management system that is well protected and usually with log retention of at least 5 years. For this reason, it is usually recommended to implement a SIEM solution to meet the standards and regulatory requirements.

However, a SIEM solution is not explicitly mentioned in any standard, and not having a SIEM does not mean that you are not compliant with ISO or any other standard or regulation.

What are the best XDR solutions in 2021?

The best thing about an XDR solution is that most basic investigation and false-positive elimination is done automatically. This automation helps analysts focus only on real threats and perform deeper investigations.

In this section of this blog post, I am going to give you a list of the best XDR solutions that currently exist on the market.

I have started with this solution as I know that most companies around the world use Windows in their infrastructure. This is understandable, as it makes the infrastructure a lot easier to administer. Having most of your network based on Microsoft makes adopting and integrating this XDR solution very easy and quick.

This is one of the Palo Alto solutions. It is also one of the best XDR solutions on the market, with several important features such as:

  1. Machine-learning-driven threat detection
  2. Incident management
  3. Deep forensics capabilities
  4. Flexible response solutions that reduce the response rate.

The Singularity XDR solution is one of the well-known Sentinel products. I have never tested this solution before, but according to their descriptions and documentation, this solution can integrate the logs of any other technology. This eliminates what we call blind spots and gives you cross-stack visibility.

This is also a well-known XDR solution with many features similar to those of Singularity XDR or Cortex.

Conclusion

The problem with all those XDR solutions is cross-domain correlation. For Microsoft XDR, this is not a problem, as all their solutions can easily communicate with each other to ensure this capability. But for the other XDR solutions, this is not possible.

Collecting the logs from different solutions does not make your solutions communicate with each other, and it will require additional work from your XDR to link each event to the others.

In my personal opinion, to have a very good XDR solution in your network, you should have at least all the security solutions coming from the same company. For this reason, XDR solutions are still not mature and will require a lot more time to find a solution for this problem as having the same technology everywhere is not a realistic thing.

Therefore, having a SIEM solution and reinforcing it with an XDR solution is the best thing to do.

Written by: Z. Oualid


About the author

Z. Oualid

I am a Cyber Security Expert. I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE, which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).

