What Is SIEM?
According to Microsoft, security information and event management is a software solution that helps organizations detect, analyze and report security threats. SIEM is essentially a platform for log management, analysis and real-time monitoring. It collects and logs information and threat data from sources across an organization’s IT infrastructure (end-user devices, servers, network equipment, firewalls, anti-virus software, etc.) and houses it all in one centralized environment to streamline security operations.
SIEM also helps ensure that organizations remain compliant with security policies and regulations. IBM adds that with its real-time monitoring capabilities, SIEM can help organizations recognize potential threats before they disrupt operations. It does this by combining two disciplines:
- Security information management (SIM), which involves collecting log data for analysis and reporting on security events
- Security event management (SEM), which conducts real-time monitoring and notifies IT operators of active threats
“The easiest way to think about it is that SIEM is used for the detection of threats,” says Chris Meenan, vice president of security product management at IBM.
It’s helpful to think of SIEM as a security room, says Fadi Fadhil, field chief technology officer at Palo Alto Networks. Picture a room that has a wall of screens displaying surveillance camera footage from all over a building. The cameras monitor everything going on in the building, and any movements, events or potential threats are logged by security guards in real time.
The same principles apply to SIEM, only its IT operators are working in a security operations center (SOC), not a security room, managing cyberthreats through a SIEM platform instead of monitoring physical threats.
What Is SOAR?
According to Palo Alto Networks, security orchestration, automation and response is a software solution that aims to execute and automate security operations on a single platform. By integrating with various tools to streamline security alerts and responses, SOAR can help organizations better respond to cyberattacks and understand existing vulnerabilities to prevent future incidents.
A SOAR solution is designed to lighten the burden on IT teams by activating automated responses to a number of security events. SOCs can use SOAR playbooks to create incident response workflows instead of dealing with every alert separately on a case-by-case basis.
An incident response playbook outlines steps to take in the event of a security event, including whom to inform and how to deal with particular attacks. SOAR solutions feature playbook automation and case management integration with external threat intelligence sources, and they ingest alerts and automate response workflows.
SOAR also uses machine learning to analyze threats and activate the appropriate incident response playbook. Essentially, SOAR automates what SOC analysts would do traditionally.
Fortinet adds that “SOAR combines three software capabilities: the management of threats and vulnerabilities, responding to security incidents, and automating security operations.”
How Do Agencies Use SOAR vs. SIEM?
SIEM and SOAR are two sides of the same coin, with the former being about threat detection and analysis and the latter about incident response, Meenan says. SIEM responds to threats with a human-first approach, while a SOAR solution automates responses.
State and local governments often use SIEM and SOAR together. A SIEM solution can integrate with a SOAR solution, and agencies are beginning to see a convergence of SIEM and SOAR solutions, although some stand-alone SOAR tools remain available. When they’re connected, SOAR can take threat data that a SIEM solution collects and use it to trigger an automated incident response playbook to eliminate threats.
“SIEM is used for threat detection, and SOAR is used for the response,” Meenan says. “The SIEM solution is generating alerts, while the SOAR solution typically is taking those alerts, then providing tasks and automation for the analysts to effectively resolve them.”
In today’s threat landscape, SOAR is needed for effective cybersecurity, experts say.
The concept of SIEM solidified in 2005 when Gartner coined the term in a report. As the years went by, SIEM’s functionality proved limited: there were no SIEM playbooks or workflow automations to help IT analysts triage and respond to threats, and playbooks became imperative from both a regulatory and a risk management perspective. SIEM also couldn’t capture metrics such as how many attacks an organization faced, what kind of attacks they were and how long it took to respond, but SOAR can do these things.
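To make the SIEM-to-SOAR handoff and the metrics described above concrete, here is an added Python example (not code from the article or from any vendor named in it): constructed log lines from two sources are parsed and correlated into alerts, each alert selects a hypothetical playbook, and attack counts by kind and time to respond are recorded. All log lines, usernames, hostnames and addresses are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample logs from two sources (SSH daemon, antivirus agent), centralized the way a SIEM would collect them.
RAW_LOGS = [
    "2024-01-01T10:00:00 sshd FAILED_LOGIN user=alice ip=203.0.113.7",
    "2024-01-01T10:00:05 sshd FAILED_LOGIN user=alice ip=203.0.113.7",
    "2024-01-01T10:00:09 sshd FAILED_LOGIN user=alice ip=203.0.113.7",
    "2024-01-01T10:00:12 sshd FAILED_LOGIN user=alice ip=203.0.113.7",
    "2024-01-01T10:00:15 sshd FAILED_LOGIN user=alice ip=203.0.113.7",
    "2024-01-01T10:00:20 sshd LOGIN_OK user=alice ip=203.0.113.7",
    "2024-01-01T10:05:00 av MALWARE_DETECTED host=ws-12 ip=10.0.0.12",
]
NOW = datetime(2024, 1, 1, 10, 10, 0)  # constructed moment at which the playbooks run

def parse_logs(lines):
    """SIM side: normalize raw lines into dicts with a timestamp and key=value fields."""
    events = []
    for line in lines:
        ts, source, event, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": datetime.fromisoformat(ts), "source": source, "event": event, **fields})
    return events

def detect(events, threshold=5):
    """SEM side: a login that succeeds after `threshold` failures from one user/IP pair, or any malware hit, becomes an alert."""
    alerts, failures = [], defaultdict(int)
    for e in events:
        key = (e.get("user"), e.get("ip"))
        if e["event"] == "FAILED_LOGIN":
            failures[key] += 1
        elif e["event"] == "LOGIN_OK" and failures[key] >= threshold:
            alerts.append({"type": "brute_force_success", "user": e["user"], "ip": e["ip"], "ts": e["ts"]})
        elif e["event"] == "MALWARE_DETECTED":
            alerts.append({"type": "malware", "host": e["host"], "ip": e["ip"], "ts": e["ts"]})
    return alerts

# Hypothetical playbooks: each maps an alert type to an ordered list of response steps.
PLAYBOOKS = {
    "brute_force_success": lambda a: [f"disable account {a['user']}", f"block {a['ip']} at the firewall", "notify identity team"],
    "malware": lambda a: [f"isolate host {a['host']}", "open forensics ticket", "notify SOC lead"],
}

def run_playbooks(alerts, now=NOW):
    """SOAR side: run the playbook for each alert and record counts by kind and seconds from alert to response."""
    actions, metrics = [], {"by_type": Counter(), "response_seconds": []}
    for a in alerts:
        actions.append((a["type"], PLAYBOOKS[a["type"]](a)))
        metrics["by_type"][a["type"]] += 1
        metrics["response_seconds"].append((now - a["ts"]).total_seconds())
    return actions, metrics
```

In a real deployment the playbook steps would call the firewall, identity provider and EDR APIs; here they are returned as strings so the handoff and the metrics can be inspected.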
“Security is much bigger than it was back in 2005 or 2006,” Meenan says. “The implications of a security incident are far broader and far more impactful for businesses. SIEMs didn’t have playbooks, and that became a big missing piece. The second piece was automation, and the third was measurement.”
What Is XDR?
Extended Detection and Response is an evolved version of endpoint detection and response. Whereas EDR protects only a particular device (the endpoint), XDR provides holistic protection against cyberattacks by focusing on threat detection and response across multiple security layers. It integrates and analyzes data from various security tools, including endpoints, network traffic and cloud security platforms.
Essentially, XDR consolidates all of this information to give administrators a holistic view of potential threats across all security layers, enabling centralized investigation, response and automation to address sophisticated threats. According to CrowdStrike, XDR streamlines security data collection, analysis and prevention workflows across an agency’s security stack and provides IT teams with a single console to view and act on threat data.
Say a government IT specialist detects a compromised device that’s infecting other devices. The specialist quarantines the device and traces the infection to network traffic. The specialist then blocks the website or set of packets that is spreading the infection through a cloud resource, not only treating the symptoms of the infection but also snuffing out its source.
“You’re only able to do this by having all these elements working together,” Fadhil says. “XDR is comparable to a home security system that goes beyond just cameras and implements motion sensors and door and window alarm systems. These systems work together to detect any unusual activity and get an immediate response.”