With the ever-growing list of cybersecurity acronyms and their functionalities, which cyber security tools are truly the best fit for your organisation? In this blog post, we explore the security technologies used by a SOC today and the differences between Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Security Orchestration, Automation, and Response (SOAR) and Security Information and Event Management (SIEM). We also look at the two outsourced services, Managed Detection and Response (MDR) and SOC as a Service (SOCaaS), that wrap around these solutions.
Security operations centres (SOCs) have become essential to many companies’ security infrastructure in recent years. By collecting and analysing data from various systems and sources within your organisation, a SOC offers insight into what is going on with your security and helps you react more effectively to threats, including network outages and other incidents.
Cybersecurity solutions are constantly evolving to reduce risk and help a SOC to modernise its defences, but there is no one-size-fits-all approach to security technology. EDR, XDR, SOAR, and SIEM are all solutions that help SOCs do their job, and each has unique functionality tailored to the needs of an organisation. However, some of these solutions have overlapping capabilities, which can cause confusion among buyers and IT decision-makers. Let us clear the air and break down the key differences between these solutions.
Differences between EDR, XDR, SOAR, and SIEM:
A SIEM is a security information and event management system. It is a central platform that collects, monitors, and analyses data from a variety of sources to identify threats and vulnerabilities. The primary data source has been time-series-based log data, but there are also advanced SIEM solutions that monitor logs in real-time and use other types of data (e.g., Active Directory, configuration management database, vulnerability management data, HR (Human Resources) information, and threat intelligence) to add context about users, IT (Information Technology) assets, data, applications, threats, and vulnerabilities.
The primary purpose of a SIEM is to alert on threats so the SOC can respond. SIEMs are also useful for investigations when an organisation wants more insight into what transpired on a certain date or what specific users did on their devices during a given timeframe. SIEMs can use artificial intelligence or machine learning algorithms to determine patterns or predict future events. Although SIEM is primarily deployed as a cloud-based service, it may support on-premises deployment.
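The following is an added example, not code from the original post or from any SIEM vendor, showing the core of what the two paragraphs above describe: parse log lines, correlate them over a time window, and enrich a hit with the kind of context (CMDB, HR, threat intelligence) a SIEM pulls in alongside the logs. The log lines, the context tables, the `brute_force_success` rule and the risk scoring are all constructed for illustration.

```python
"""Minimal SIEM-style pipeline: parse -> correlate -> enrich -> alert."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-like auth lines; not from any real system.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z srv-fin-01 sshd: Failed password for jdoe from 203.0.113.7
2024-03-01T09:00:03Z srv-fin-01 sshd: Failed password for jdoe from 203.0.113.7
2024-03-01T09:00:05Z srv-fin-01 sshd: Failed password for jdoe from 203.0.113.7
2024-03-01T09:00:07Z srv-fin-01 sshd: Failed password for jdoe from 203.0.113.7
2024-03-01T09:00:09Z srv-fin-01 sshd: Accepted password for jdoe from 203.0.113.7
2024-03-01T09:05:00Z srv-web-02 sshd: Failed password for svc-backup from 198.51.100.9
2024-03-01T09:05:02Z srv-web-02 sshd: Accepted password for svc-backup from 198.51.100.9
"""

# Constructed context sources standing in for CMDB, HR and a TI feed.
CMDB = {"srv-fin-01": {"criticality": "high", "owner": "finance"},
        "srv-web-02": {"criticality": "medium", "owner": "web"}}
HR = {"jdoe": {"status": "on_leave"}, "svc-backup": {"status": "service"}}
THREAT_INTEL = {"203.0.113.7"}  # constructed "known bad" source list

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$")


def parse(lines):
    """Turn raw lines into structured events; unparsed lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production SIEM would count these as a parsing-health metric
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def enrich(ev, failure_count):
    """Attach asset, user and TI context so the analyst sees risk, not just a match."""
    asset = CMDB.get(ev["host"], {"criticality": "unknown", "owner": "unknown"})
    person = HR.get(ev["user"], {"status": "unknown"})
    in_ti = ev["src"] in THREAT_INTEL
    score = 10 * failure_count            # constructed scoring, purely illustrative
    if asset["criticality"] == "high":
        score += 20
    if person["status"] == "on_leave":    # a user on leave should not be logging in
        score += 20
    if in_ti:
        score += 20
    return {"rule": "brute_force_success", "host": ev["host"], "user": ev["user"],
            "src": ev["src"], "failures": failure_count,
            "asset_criticality": asset["criticality"],
            "user_status": person["status"], "src_in_threat_intel": in_ti,
            "risk_score": min(score, 100)}


def correlate(events, threshold=3, window=timedelta(minutes=2)):
    """Rule: >= threshold failures then a success for the same (user, src) within `window`."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["outcome"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append(enrich(ev, len(recent)))
        failures[key].clear()
    return alerts


def run(lines=SAMPLE_LOGS):
    return correlate(parse(lines))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data only the `jdoe` sequence fires: four failures followed by a success inside the window, against a high-criticality asset, for a user HR lists as on leave, from a source on the TI list. The `svc-backup` login has a single failure and stays below the threshold, which is the point of correlating over a window rather than alerting on every failed login.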
The purpose of Endpoint Detection and Response (EDR) is to monitor an endpoint device, such as a laptop or tablet, for any suspicious activity. This can be done through software installed on the device or through a third-party service that monitors all devices connected to the network. The goal is to prevent security incidents before they happen. Most EDR solutions include anti-malware and anti-ransomware protection and report data back to a centralised interface or dashboard.
According to Gartner, EDR solutions must provide the following four primary capabilities:
- Detect security incidents
- Contain the incident at the endpoint
- Investigate security incidents
- Provide remediation guidance
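The following is an added example, not code from the original post or from any EDR product, that maps the four capabilities listed above onto endpoint process telemetry: detect a suspicious parent/child process relationship, contain the host, investigate by reconstructing the process chain, and produce remediation guidance. The telemetry, host names, the `Edr` class and the office-to-interpreter rule are all constructed for illustration; a real agent would report far richer events.

```python
"""EDR-style handling of process-creation telemetry: detect, contain, investigate, remediate."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    pid: int
    ppid: int       # parent pid, as reported by the sensor
    image: str      # executable name
    cmdline: str


# Constructed telemetry; not a real capture. The encoded command is a placeholder.
TELEMETRY = [
    ProcessEvent("ws-042", 100, 1, "explorer.exe", "explorer.exe"),
    ProcessEvent("ws-042", 200, 100, "winword.exe", "winword.exe invoice.docm"),
    ProcessEvent("ws-042", 300, 200, "powershell.exe",
                 "powershell.exe -WindowStyle Hidden -EncodedCommand <placeholder>"),
    ProcessEvent("ws-042", 210, 100, "chrome.exe", "chrome.exe"),
    ProcessEvent("ws-077", 100, 1, "explorer.exe", "explorer.exe"),
    ProcessEvent("ws-077", 250, 100, "excel.exe", "excel.exe budget.xlsx"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


class Edr:
    def __init__(self, events):
        self.events = events
        self.by_pid = {(e.host, e.pid): e for e in events}
        self.isolated = set()

    def detect(self):
        """Detect: an office application spawning a script interpreter."""
        hits = []
        for ev in self.events:
            parent = self.by_pid.get((ev.host, ev.ppid))
            if parent and parent.image in OFFICE_APPS and ev.image in INTERPRETERS:
                hits.append(ev)
        return hits

    def contain(self, host):
        """Contain: network-isolate the host. Modelled as a flag; a real agent
        keeps only its own management channel open."""
        self.isolated.add(host)
        return host in self.isolated

    def investigate(self, ev, max_depth=32):
        """Investigate: walk the ancestry so the analyst sees the full chain."""
        chain = [ev]
        cur = ev
        for _ in range(max_depth):              # depth cap guards against bad ppid data
            parent = self.by_pid.get((cur.host, cur.ppid))
            if parent is None or parent is cur:
                break
            chain.append(parent)
            cur = parent
        return [p.image for p in reversed(chain)]

    def remediate(self, ev):
        """Remediate: guidance for the responder, keyed to the specific hit."""
        return [f"Terminate pid {ev.pid} ({ev.image}) on {ev.host}",
                f"Quarantine the document opened by parent pid {ev.ppid}",
                "Reset credentials used on the host if credential access is suspected",
                "Release isolation only after a verified clean scan or reimage"]


def handle(events=TELEMETRY):
    edr = Edr(events)
    incidents = []
    for hit in edr.detect():
        edr.contain(hit.host)
        incidents.append({"host": hit.host, "pid": hit.pid,
                          "chain": edr.investigate(hit),
                          "contained": hit.host in edr.isolated,
                          "remediation": edr.remediate(hit)})
    return incidents


if __name__ == "__main__":
    for inc in handle():
        print(inc["host"], " -> ".join(inc["chain"]), "contained" if inc["contained"] else "")
```

Only `ws-042` produces an incident: `winword.exe` spawning `powershell.exe` matches the rule, while `explorer.exe` launching `chrome.exe` and the plain spreadsheet on `ws-077` do not. The chain returned by `investigate` is what an analyst would expect to see in the console before deciding whether the containment should stand.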
Commonly known as the evolution of EDR, Extended Detection and Response (XDR) is a network-based intrusion detection system that can monitor the entire enterprise. XDR can detect malware by monitoring traffic, data, and code on computers and servers. It then analyses this information to identify attackers, compromised accounts, command-and-control servers, and other indicators of compromise. Both EDR and XDR report data back to a central repository like a SIEM (Security Information and Event Management). This provides a unified, single-pane-of-glass view across multiple tools and attack vectors.
Mature security operations teams use Security Orchestration, Automation, and Response (SOAR) solutions to construct and run multi-stage playbooks that automate actions across an API-connected ecosystem of security solutions. Gartner states SOAR solutions can be used for many security operations tasks, including:
- To document and implement processes.
- To support security incident management.
- To apply machine-based assistance to human security analysts and operators.
- To better operationalize the use of threat intelligence.
Workflows can be orchestrated via APIs or integrations with other technologies, and automated to achieve desired outcomes. Example use cases include:
- Incident triage.
- Incident response.
- Threat intelligence (TI) acquisition, curation and management.
The downside to SOAR is that it is complex, costly, and requires a highly mature SOC to implement and maintain partner integrations and playbooks.
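The following is an added example, not code from the original post or from any SOAR vendor, showing the multi-stage playbook idea from this section and the triage, response and threat-intelligence use cases listed above: ordered steps, integrations reached through a connector interface (simulated in memory here, where a real SOAR would call vendor APIs), an approval gate before a disruptive action, and an audit trail. The alert, the connectors, the `run_playbook` function and the approval rule are all constructed for illustration.

```python
"""SOAR-style playbook runner with simulated integrations and an approval gate."""
from dataclasses import dataclass, field
from typing import Callable, List


# --- Simulated integrations (constructed; a real SOAR calls vendor APIs here) ---
class ThreatIntel:
    KNOWN_BAD = {"203.0.113.7": "credential-stuffing source"}  # constructed feed

    def lookup(self, ip):
        return self.KNOWN_BAD.get(ip)


class EdrConnector:
    def __init__(self):
        self.isolated = []

    def isolate(self, host):
        self.isolated.append(host)
        return True


class Ticketing:
    def __init__(self):
        self.tickets = []

    def create(self, title, severity):
        self.tickets.append((title, severity))
        return len(self.tickets)  # ticket id


@dataclass
class Context:
    alert: dict
    data: dict = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)


Step = Callable[[Context], bool]   # a step returns False to pause the playbook


def make_playbook(ti, edr, tickets, approve: Callable[[str], bool]) -> List[Step]:
    def enrich(ctx):
        ctx.data["ti_tag"] = ti.lookup(ctx.alert["src"])
        ctx.audit.append(f"enrich: ti_tag={ctx.data['ti_tag']}")
        return True

    def triage(ctx):
        high = bool(ctx.data["ti_tag"]) or ctx.alert["asset_criticality"] == "high"
        ctx.data["severity"] = "high" if high else "low"
        ctx.audit.append(f"triage: severity={ctx.data['severity']}")
        return True

    def ticket(ctx):
        title = f"{ctx.alert['rule']} on {ctx.alert['host']}"
        ctx.data["ticket"] = tickets.create(title, ctx.data["severity"])
        ctx.audit.append(f"ticket: #{ctx.data['ticket']}")
        return True

    def contain(ctx):
        if ctx.data["severity"] != "high":
            ctx.audit.append("contain: skipped (low severity)")
            return True
        host = ctx.alert["host"]
        # Disruptive actions go through an approval gate; the playbook pauses
        # until an analyst approves and re-runs it.
        if not approve(f"isolate {host}"):
            ctx.audit.append(f"contain: awaiting approval to isolate {host}")
            return False
        ctx.data["isolated"] = edr.isolate(host)
        ctx.audit.append(f"contain: isolated {host}")
        return True

    return [enrich, triage, ticket, contain]


def run_playbook(steps: List[Step], ctx: Context) -> Context:
    for step in steps:
        if not step(ctx):
            ctx.data["status"] = "paused"
            return ctx
    ctx.data["status"] = "complete"
    return ctx


# Constructed alert, shaped like what a SIEM rule would hand to the SOAR.
SAMPLE_ALERT = {"rule": "brute_force_success", "host": "srv-fin-01",
                "src": "203.0.113.7", "asset_criticality": "high"}


def demo(auto_approve=False):
    ti, edr, tickets = ThreatIntel(), EdrConnector(), Ticketing()
    steps = make_playbook(ti, edr, tickets, approve=lambda action: auto_approve)
    return run_playbook(steps, Context(alert=dict(SAMPLE_ALERT)))


if __name__ == "__main__":
    for line in demo(auto_approve=False).audit:
        print(line)
```

Run without approval, the playbook enriches, triages, opens a ticket and then pauses before isolating the host; with approval it completes and the audit list records every step. Keeping the ticket step ahead of containment means a paused playbook still leaves a tracked record, and the approval gate is the kind of guard rail that makes the "highly mature SOC" requirement above concrete: automation is only as safe as the controls around its disruptive actions.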
Services offered around these security solutions:
There are two services offered around these solutions, which can often make things even more confusing for the discerning IT (Information Technology) decision maker. The two services are MDR and SOC as a Service:
A managed detection and response (MDR) service is a type of cyber security service that you can use as an alternative to onsite or in-house SOC (Security Operations Centre). It provides a scalable, cost-effective, and high-performance way for SMEs and enterprises alike to detect and respond rapidly to threats. An MDR service can be run through a SIEM, EDR or XDR platform.
SOC as a Service
As we explained earlier, a SOC, or security operations centre, is a physical location where an organisation’s security analysts monitor network traffic and system logs to detect malicious activity. However, it can also be virtual and managed as a service. This makes it easier for organisations of all sizes to have a dedicated team that can analyse data without the need for expensive hardware purchases. SOC-as-a-Service (SOCaaS) is a subscription-based model for managed threat detection and response that provides a best-in-class security operations centre at a cost that most organisations can afford.