3 April 2023
We often have inquiries from customers that state that they are looking for “a Managed SOC/SIEM” as if the two are inherently interchangeable. And yet they are not. So what are they?
SOC stands for Security Operations Center. A SOC typically focuses on not only security operations (such as security device management) but also threat and vulnerability management, proactive monitoring and incident qualification. But it can mean many things to many people. One thing is clear though – a SOC is a business function encompassing a combination of people, processes and technology (whether you provide that function using internal staff, procedures and tools or you outsource it).
SIEM on the other hand stands for “Security Information and Event Management”. This allows for not only standardized consumption of log data from multiple security tools but also extended monitoring using custom log sources such as bespoke applications or niche products that are not used by the wider market. A SIEM is a security operations technology. But it is just that – technology – it does not run itself.
So why do they appear so often in the same breath? We believe this is a legacy thing and slowly it is starting to change. When detection and response as a concept was born (out of the fact that 100% prevention is impossible) a SIEM was effectively the only way to deliver such a function and so SOC teams adopted the SIEM as their tool of choice. As time goes on, however, a multitude of options exists. Even the SOC itself starts to split out into some sub-functions.
Orange Cyberdefense splits this into three definitive functions:
Now we know the teams, what about the tools? We discussed the SIEM above, but it is no longer the only option for delivering effective detection and response. In fact, many organizations now start with the basics. This includes EDR.
EDR software monitors the endpoints themselves (computers, servers, tablets, mobile phones, etc.), not the network between them.
To do this, EDR software analyzes how the monitored endpoints are used, in particular through behavioral analysis. After a learning phase this allows it to recognize behavior that deviates from the norm, as well as behavior that matches common attacker techniques. EDR software is also capable of monitoring the exploitation of security flaws.
The advantage of EDR solutions is that they allow companies to protect themselves against both known (e.g., a virus) and unknown attacks by analyzing suspicious behaviors.
Complementing EDR in terms of delivering a basic detection and response functionality is NDR.
NDR software gives CyberSOC teams extended visibility across the network to detect the behavior of potentially hidden attackers targeting physical, virtual, and cloud infrastructures. It complements EDR and SIEM tools, and more recently these technologies have started to add selected log analysis using artificial intelligence and machine learning alongside the analysis of raw network traffic.
The NDR approach provides an overview and focuses on the interactions between the different nodes of the network. And where the network now extends beyond traditional data centers and into the cloud, into the world of Software-as-a-Service, this kind of visibility is crucial. EDR cannot be present everywhere.
XDR is an evolution of EDR and has now effectively replaced EDR in the security market. Using EDR as a base component, XDR software brings together the EDR and NDR approaches discussed above to help security teams solve threat visibility problems by centralizing, standardizing, and correlating security data from multiple sources. This increases detection capability compared with standalone endpoint detection and response (EDR) or network traffic analysis (NDR) tools. For example, XDR uses network data to monitor vulnerable (unmanaged) endpoints that EDR tools cannot see, and it lets suspicious network traffic be viewed in context, alongside the host behaviors that may be related to it.
XDR analyzes data from multiple sources (email activity, endpoints, servers, networks, cloud streams, identity technologies such as AzureAD or other SSO providers…) to validate alerts, reducing false positives and the overall volume of alerts. This stitching together of indicators from multiple sources allows XDR to improve the efficiency of security teams.
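To make this cross-source stitching concrete, here is an added Python example (not code from Orange Cyberdefense or any XDR product) that groups constructed EDR, NDR and identity events per host, escalates a host only when independent sources agree, and falls back to network evidence for hosts that have no EDR agent. The event fields, host names and thresholds are assumptions for the illustration.

```python
"""Illustrative XDR-style correlation: stitch indicators from several
sources per host so single-source noise is not escalated on its own."""
from collections import defaultdict

# Constructed sample telemetry (not real product output). Field names are
# assumptions made for this example.
EDR_ALERTS = [
    {"host": "ws-101", "detail": "suspicious powershell child of winword"},
]
NDR_EVENTS = [
    {"host": "ws-101", "detail": "beaconing to rare external IP"},
    {"host": "ws-207", "detail": "beaconing to rare external IP"},
    {"host": "ws-301", "detail": "SMB scan of 120 internal hosts"},
]
IDENTITY_EVENTS = [
    {"host": "ws-101", "detail": "impossible-travel sign-in for user alice"},
]
EDR_MANAGED_HOSTS = {"ws-101", "ws-207"}  # hosts that actually run an EDR agent


def unmanaged_hosts_seen_on_network():
    """Hosts NDR observed that EDR cannot see because no agent is installed.
    This is the visibility gap the page says network data fills."""
    return sorted({e["host"] for e in NDR_EVENTS} - EDR_MANAGED_HOSTS)


def correlate(min_sources=2):
    """Group events by host and return the hosts worth escalating.

    A managed host is escalated only when at least `min_sources` independent
    sources report on it, which is how correlation trims false positives.
    An unmanaged host has no EDR to corroborate with, so NDR evidence on it
    is escalated directly rather than silently dropped."""
    by_host = defaultdict(dict)
    feeds = (("edr", EDR_ALERTS), ("ndr", NDR_EVENTS), ("identity", IDENTITY_EVENTS))
    for source, events in feeds:
        for ev in events:
            by_host[ev["host"]].setdefault(source, []).append(ev["detail"])

    incidents = {}
    for host, sources in by_host.items():
        corroborated = len(sources) >= min_sources
        unmanaged_network_hit = host not in EDR_MANAGED_HOSTS and "ndr" in sources
        if corroborated or unmanaged_network_hit:
            incidents[host] = {
                "sources": sorted(sources),
                "confidence": len(sources),  # more independent sources, higher confidence
                "evidence": sources,
            }
    return incidents
```

With the sample data, ws-101 is escalated with three agreeing sources, ws-301 is escalated as an unmanaged host seen only by NDR, and the lone NDR beaconing alert on the EDR-managed ws-207 stays unconfirmed.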
XDR does still, however, lack the depth of customization that can be achieved with SIEM tools; it remains focused more on time-to-value than on longer-term customization.
We have one final acronym for you.
The acronym MDR stands for managed detection and response. MDR brings together the SOC function and the solutions described above to address cyber threats end to end. MDR provides an outcome.
So if you find your mind wandering to the thought of “I need a Managed SIEM/SOC”, what you really should be considering is MDR!