SlideShare a Scribd company logo

SIEM vs EDR

D
DanielAgent1

SIEM (security information and event management) technology collects and analyzes log and event data from across an organization's IT infrastructure to provide visibility into security threats and other events. EDR (endpoint detection and response) technology focuses specifically on monitoring endpoints like desktops and servers to detect and respond to threats. Using both SIEM and EDR provides a more complete picture of an organization's security posture and cybersecurity threats. Together, they can improve threat detection, response, investigation and remediation compared to using either technology alone. Leading security service providers use both SIEM and EDR solutions to more effectively protect their clients.

1 of 10
Download to read offline
Advanced Cybersecurity & Threat Protection ConnectWise eBook Series SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats
SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Table of Contents Contents Introduction............................................................................................................................................................3 Chapter 1: What is SIEM technology and how would you use it?.................................................4 Chapter 2: What is EDR technology and how would you use it?...................................................6 Chapter 3: A quick comparison of capabilities: SIEM vs. EDR.......................................................8 Chapter 4: How SIEM and EDR help TSPs protect clients more effectively.............................9 Chapter 5: Develop a more complete security picture with SIEM and EDR...........................10
SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Introduction << Back to Table of Contents 3 SIEM and EDR are acronyms that get kicked around a lot in discussions about cybersecurity, but what do they really mean? More important, what do these technologies do—and do you need to have both in the security technology stack your organization relies on every day for protection? You’ll get answers to these questions and more in this eBook. It offers a quick primer on SIEM and EDR to help demystify these terms. It also highlights the differences between—and underscores the value of—these different but complementary security controls in the following sections. Introduction
SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Chapter 1 << Back to Table of Contents 4 A security information and event management (SIEM) system collects log and event data that an organization’s network devices, systems, and applications and services generate. It then brings all that information together into one platform. A SIEM provides security teams with greater visibility into what’s happening with all the elements in the IT ecosystem through a“single pane of glass.” Technicians use automation to run the data in the SIEM against various prebuilt security rules. They can swiftly navigate through all the“white noise”from these various data sources—which include everything from web servers to hypervisors—to identify real and actionable events. The SIEM serves as a critical layer in an organization’s technology stack because it amplifies threat detection. With a SIEM, you can learn very quickly if a malicious actor has breached your traditional perimeter defense, so you can move fast to respond. SIEM: An old tool made better by the cloud SIEM technology is by no means new; it’s been around since 2000. And over time, it’s become a fundamental tool for a Security Operations Center (SOC) to provide 24/7/365 monitoring and logging of security event alerts. SIEM helps security teams focus on identifying, analyzing, and responding to the threats and other alerts that matter most. Today’s next-generation, cloud-based SIEMs make it easier for technology service providers (TSPs) to provide SIEM capabilities—including visibility—to their clients. When you work with a SOC using a modern SIEM solution, you can typically get full access to view your alert data. And your team can work right alongside the technicians in the SOC to identify and address critical issues as quickly as possible. Chapter 1: What is SIEM technology and how would you use it?
SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Chapter 1 << Back to Table of Contents 5 What are some use cases for SIEM technology? An organization that wants full visibility into its entire IT infrastructure will adopt a SIEM platform, or it will work with a TSP that provides SIEM capabilities as part of its cybersecurity offerings. With advanced SIEM technology, security teams can: • Conduct strategic detection: Today’s SIEM solutions can provide real-time visibility into security threats, like malware or suspicious network traffic, impacting network devices, systems, and applications and services. Security teams can use SIEM technology to stay focused on the organization’s most critical IT assets and prioritize the response to any alerts related to them. • Analyze event data: Security teams can use SIEMs to analyze event data in real time; this increases the ability to detect threats early, including advanced threats and targeted attacks. The“single pane of glass”view a SIEM provides also helps teams to hunt proactively for threats across the entire organization and shift away from a reactive approach to cybersecurity • Enrich logs: Event logs from security controls like endpoint solutions, web filters and firewalls, as well as from other devices like routers and from applications, offer a wealth of information about potential threats. But they need to be enriched— that is, given more context—to be understood. An example of this process is enriching a log that contains IP addresses with relevant geolocation data for those addresses. A leading SIEM platform can be integrated with other systems using APIs to collect and correlate event and non-event data for enriching logs. • Meet compliance requirements: Real-time correlation and analysis of data, plus data retention and report automation, make it easier for businesses to stay in compliance with mandates like the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS). • Accept data from many sources in the network: Because a SIEM has access to multiple and diverse sources of data in an organization’s IT ecosystem, and it offers visibility into event data through a single pane of glass, security teams can gain a much better picture of what their various security tools are“seeing”and reacting to. That gives them more insight into potential threats, including their severity and what they’re targeting in the network.
SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Chapter 2 << Back to Table of Contents 6 As its name suggests, endpoint detection and response (EDR) solutions are endpoint-focused security technology. Endpoints essentially served as gateways to a network. They include hardware devices such as desktops, smartphones, Internet of Things (IoT) devices, and servers—and they are all prone to vulnerabilities. Malicious actors target endpoints relentlessly in hopes of infiltrating the network. Like SIEM technology, EDR technology isn’t new— although the term“endpoint detection and response” was only coined in the past decade.1 EDR technology, also like SIEM, can serve as a critical layer in an organization’s security technology stack. But EDR solutions don’t look at the entire network like SIEM tools do. An EDR solution monitors and collects data about endpoint activity and analyzes it to determine what activity is normal—or not. Many EDR tools are agent-based, meaning they require the installation of software or a sensor on an endpoint device to enable monitoring and data gathering. This software is what allows EDR tools to provide advanced and comprehensive threat detection and response. AI and ML accelerate threat identification and response Modern EDR solutions are cloud-based and use artificial intelligence (AI) and machine learning (ML) for behavioral analysis and threat detection. They can continuously monitor each running process and map it to malicious behavior and quickly identify the root causes for those behaviors by diagnosing corrupt source processes and system settings. Leading EDR tools can also recognize virus and malware variants. When an AI-driven EDR platform identifies a threat, it can automatically respond to block, remove, or contain the threat and notify security staff so they can investigate the threat further, if needed. Leading EDR tools also provide forensics and analytics capabilities that allow security teams to research identified threats and even search for suspicious activities through threat hunting. Today’s cloud-based EDR tools are easy to integrate with other systems, manage, and keep up to date. Because endpoints are under constant attack by an ever-changing array of threats with varying degrees of severity, many organizations outsource the work of triaging EDR alerts and remediation to a SOC provider, rather than burdening their IT personnel or hiring more security talent. Chapter 2: What is EDR technology and how would you use it? 1 “Named: Endpoint Threat Detection & Response,” by Anton Chuvakin, Gartner, July 26, 2014: https://blogs.gartner.com/anton-chuvakin/2013/07/26/named-endpoint-threat-detection-response/.
SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Chapter 2 << Back to Table of Contents 7 What are some use cases for EDR technology? An organization that wants to detect and assess suspicious activity on the endpoints that can access its networks will implement an EDR solution, or work with a TSP that provides EDR capabilities as part of its cybersecurity offerings. With advanced EDR technology, security teams can: • Benefit from vendor-driven analysis: An EDR platform can collect data from endpoints and transmit it back to the vendor for analysis. If the data is determined to be a threat, the vendor will block the threat and create an alert. Security administrators can typically view these alerts in the dashboard for the EDR solution and decide how to respond. Importantly, vendors can also identify false positives, so security teams don’t waste time chasing threats that aren’t real. • Use rollback capabilities: A modern EDR tool can provide advanced visibility into devices. And in the event of a threat, they can quickly roll back files to previous safe versions through tracking changes in the devices and restoring them to an acceptable risk state. Rollbacks remediate the damage done to endpoints by attacks from threats like ransomware. • Query endpoint data quickly: Security teams can swiftly search information collected by the EDR platform to understand the risk and scope of threats. And they can search the EDR database for indicators of compromise. They can also directly query endpoints in real time. • Contain threats at the endpoint: EDR tools use event and behavior analysis to detect threats, whether those threats are known or zero- day vulnerabilities. If an event is found to be suspicious—either immediately or at a later time— the EDR platform will stop running processes to contain the threat, block further events, and alert the security team. This quick action at the endpoint level is critical for containing fast-moving threats like ransomware. • Control and monitor device use: Advanced EDR platforms allow organizations to control what the devices connected to their network—including USB and wireless Bluetooth devices—can access while on the network. They can also monitor how those devices are being used while they are active in the IT environment.
SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Chapter 3 << Back to Table of Contents 8 Chapter 3: A quick comparison of capabilities: SIEM vs. EDR SIEM • Sees the“whole picture”of a network • Detects events based on data input • Provides some automatic response, depending on integrations • Offers massive detection capabilities • Useful for analysis and compliance • Not typically used for threat prevention EDR • Focuses only on endpoints • Detects events on endpoints (e.g., file written, file executed) • Responds to threats either automatically or with security team intervention • Features built-in machine learning and behavioral analysis capabilities • Allows cybersecurity experts to proactively threat hunt across endpoint devices • Protects endpoints even if they’re not on the network
SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Chapter 4 << Back to Table of Contents 9 Leading TSPs know that prevention isn’t enough to stop all threats. For example, EDR solutions are limited in their ability to detect and deflect highly sophisticated fileless malware. This malware is dangerous, as it exploits vulnerabilities that can give attackers administrative control and the ability to gather data to use in future attacks—like a highly targeted phishing attack. The fileless malware threat is just one reason more TSPs are starting to use advanced SIEM and EDR platforms together. Adding these layers of advanced defenses to their security technology stack help TSPs develop a more complete picture of the threats targeting their clients—in real time. With EDR, TSPs can detect, block, contain, and remediate the threats targeting their clients’endpoints faster. They can also analyze and investigate these threats, and if needed, roll back files to“safe”versions. And SIEM technology helps TSPs protect their clients more effectively by providing full visibility into an organization’s IT infrastructure and collecting data from multiple sources for analysis. That helps security teams catch events when prevention measures fail. Also, companies that need to meet compliance and regulatory mandates can benefit from the log capture, retention, and review capabilities in a modern SIEM platform. Clients with highly valuable data, like sensitive financial information and intellectual property, are better protected, too, because SIEM technology can highlight unusual activity related to the systems and devices storing that data. The value for companies working with a TSP that provides these additional layers of security—aside from being better protected from the latest threats and malicious actors—is the ability to leave this defensive work in the hands of experienced experts who can focus on alerts and threats 24/7/365. They can keep their own security resources focused on high-value work. Also, they don’t need to worry about finding, hiring, and retaining more security talent to help them make sense of the constant“white noise”coming from SIEM and EDR tools. Chapter 4: How SIEM and EDR help TSPs protect clients more effectively
SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Chapter 5 << Back to Table of Contents Updated: 05/27/21 ConnectWise.com 10 SIEM and EDR are two technologies that, when used together, can help organizations gain a more complete picture on the state of their security. One technology is not a substitute for the other; think of SIEM and EDR as complementary controls. They are also an important part of an organization’s overall security strategy, which includes employing an array of other security controls (technological, physical and logical), adopting best practices and leading frameworks, implementing and enforcing effective policies, creating and testing business continuity management plans, providing relevant end user training, and much more. Even though a SIEM solution can cover for instances when threat prevention fails, a well-designed EDR platform should still outperform a SIEM tool in prevention. EDR technology should also make it simpler for security teams to react to events. Likewise, a well-designed SIEM platform should outperform an EDR tool in detection. And it should make it easier for security teams to sift through multiple data sources. Additionally, it should support log enrichment and provide more context about potential threats. A case for complementary tools So, what can happen when you don’t have EDR and SIEM tools in your technology stack, working together? Consider the following real-world example of a missed opportunity to contain a threat fast: An organization’s web servers were hit with web shells—malware that enables remote access and control—leading to defacements. The organization had an EDR platform. But because that tool can only detect when something happens on the endpoint, like the execution of a file, it only detected the threat and triggered an alert after the attacker tried to escape the website. If the organization had an advanced SIEM platform in place, its security team could have detected the malicious traffic as soon as the initial exploit occurred and moved quickly to reduce its impact. Chapter 5: Develop a more complete security picture with SIEM and EDR

Recommended

The SIEM Buyer Guide the siem buyer guide
The SIEM Buyer Guide the siem buyer guideThe SIEM Buyer Guide the siem buyer guide
The SIEM Buyer Guide the siem buyer guide
roongrus
 
Ijetr042329
Ijetr042329Ijetr042329
Ijetr042329
Engineering Research Publication
 
Need Of Security Operations Over SIEM
Need Of Security Operations Over SIEMNeed Of Security Operations Over SIEM
Need Of Security Operations Over SIEM
Siemplify
 
The future of cyber security
The future of cyber securityThe future of cyber security
The future of cyber security
Sandip Juthani
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
SandeshUprety4
 
QRadar-XDR-Solution.pdf
QRadar-XDR-Solution.pdfQRadar-XDR-Solution.pdf
QRadar-XDR-Solution.pdf
ssuserf5beb3
 
Exploration Draft Document- CEM Machine Learning & AI Project 2018
Exploration Draft Document- CEM Machine Learning & AI Project 2018Exploration Draft Document- CEM Machine Learning & AI Project 2018
Exploration Draft Document- CEM Machine Learning & AI Project 2018
Leslie McFarlin
 
Prezentare_ANSSI.pptx gfdsry crsru drdrsy
Prezentare_ANSSI.pptx gfdsry crsru drdrsyPrezentare_ANSSI.pptx gfdsry crsru drdrsy
Prezentare_ANSSI.pptx gfdsry crsru drdrsy
Azim191210
 

Recommended

The SIEM Buyer Guide the siem buyer guide
The SIEM Buyer Guide the siem buyer guideThe SIEM Buyer Guide the siem buyer guide
The SIEM Buyer Guide the siem buyer guide
roongrus
 
Ijetr042329
Ijetr042329Ijetr042329
Ijetr042329
Engineering Research Publication
 
Need Of Security Operations Over SIEM
Need Of Security Operations Over SIEMNeed Of Security Operations Over SIEM
Need Of Security Operations Over SIEM
Siemplify
 
The future of cyber security
The future of cyber securityThe future of cyber security
The future of cyber security
Sandip Juthani
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
SandeshUprety4
 
QRadar-XDR-Solution.pdf
QRadar-XDR-Solution.pdfQRadar-XDR-Solution.pdf
QRadar-XDR-Solution.pdf
ssuserf5beb3
 
Exploration Draft Document- CEM Machine Learning & AI Project 2018
Exploration Draft Document- CEM Machine Learning & AI Project 2018Exploration Draft Document- CEM Machine Learning & AI Project 2018
Exploration Draft Document- CEM Machine Learning & AI Project 2018
Leslie McFarlin
 
Prezentare_ANSSI.pptx gfdsry crsru drdrsy
Prezentare_ANSSI.pptx gfdsry crsru drdrsyPrezentare_ANSSI.pptx gfdsry crsru drdrsy
Prezentare_ANSSI.pptx gfdsry crsru drdrsy
Azim191210
 
Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoChanging the Security Monitoring Status Quo
Changing the Security Monitoring Status Quo
EMC
 
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
Happiest Minds Technologies
 
Seceon's aiXDR_ Automating Cybersecurity Threat Detection in 2023 - Seceon.pptx
Seceon's aiXDR_ Automating Cybersecurity Threat Detection in 2023 - Seceon.pptxSeceon's aiXDR_ Automating Cybersecurity Threat Detection in 2023 - Seceon.pptx
Seceon's aiXDR_ Automating Cybersecurity Threat Detection in 2023 - Seceon.pptx
CompanySeceon
 
Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docxOverall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docx
karlhennesey
 
ASPEN Brochure
ASPEN BrochureASPEN Brochure
ASPEN Brochure
Florin Hoinarescu
 
PKI.pptx
PKI.pptxPKI.pptx
PKI.pptx
Ajit Wadhawan
 
Soar cybersecurity
Soar cybersecuritySoar cybersecurity
Soar cybersecurity
Securaa
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
itnewsafrica
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptx
Ajit Wadhawan
 
Need of SIEM when You have SOAR
Need of SIEM when You have SOARNeed of SIEM when You have SOAR
Need of SIEM when You have SOAR
Siemplify
 
Cybersecurity leaders guide to xdr for business
Cybersecurity leaders guide to xdr for businessCybersecurity leaders guide to xdr for business
Cybersecurity leaders guide to xdr for business
filin5
 
What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?
John Gardner, CMC
 
Optimizing cybersecurity incident response decisions using deep reinforcemen...
Optimizing cybersecurity incident response decisions using deep reinforcemen...Optimizing cybersecurity incident response decisions using deep reinforcemen...
Optimizing cybersecurity incident response decisions using deep reinforcemen...
IJECEIAES
 
finalreportsoarnew.pdf
finalreportsoarnew.pdffinalreportsoarnew.pdf
finalreportsoarnew.pdf
Firozkumar2
 
finalreportsoarnew (1).pdf
finalreportsoarnew (1).pdffinalreportsoarnew (1).pdf
finalreportsoarnew (1).pdf
Firozkumar2
 
IBM Security Immune System
IBM Security Immune SystemIBM Security Immune System
IBM Security Immune System
Juan Pablo Coelho
 
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
Kaspersky
 
Whitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security IntelligenceWhitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security Intelligence
Camilo Fandiño Gómez
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
CA_Module_2.pdf
CA_Module_2.pdfCA_Module_2.pdf
CA_Module_2.pdf
EhabRushdy1
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
FODUU
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 

More Related Content

Similar to SIEM vs EDR

Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoChanging the Security Monitoring Status Quo
Changing the Security Monitoring Status Quo
EMC
 
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
Happiest Minds Technologies
 
Seceon's aiXDR_ Automating Cybersecurity Threat Detection in 2023 - Seceon.pptx
Seceon's aiXDR_ Automating Cybersecurity Threat Detection in 2023 - Seceon.pptxSeceon's aiXDR_ Automating Cybersecurity Threat Detection in 2023 - Seceon.pptx
Seceon's aiXDR_ Automating Cybersecurity Threat Detection in 2023 - Seceon.pptx
CompanySeceon
 
Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docxOverall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docx
karlhennesey
 
ASPEN Brochure
ASPEN BrochureASPEN Brochure
ASPEN Brochure
Florin Hoinarescu
 
PKI.pptx
PKI.pptxPKI.pptx
PKI.pptx
Ajit Wadhawan
 
Soar cybersecurity
Soar cybersecuritySoar cybersecurity
Soar cybersecurity
Securaa
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
itnewsafrica
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptx
Ajit Wadhawan
 
Need of SIEM when You have SOAR
Need of SIEM when You have SOARNeed of SIEM when You have SOAR
Need of SIEM when You have SOAR
Siemplify
 
Cybersecurity leaders guide to xdr for business
Cybersecurity leaders guide to xdr for businessCybersecurity leaders guide to xdr for business
Cybersecurity leaders guide to xdr for business
filin5
 
What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?
John Gardner, CMC
 
Optimizing cybersecurity incident response decisions using deep reinforcemen...
Optimizing cybersecurity incident response decisions using deep reinforcemen...Optimizing cybersecurity incident response decisions using deep reinforcemen...
Optimizing cybersecurity incident response decisions using deep reinforcemen...
IJECEIAES
 
finalreportsoarnew.pdf
finalreportsoarnew.pdffinalreportsoarnew.pdf
finalreportsoarnew.pdf
Firozkumar2
 
finalreportsoarnew (1).pdf
finalreportsoarnew (1).pdffinalreportsoarnew (1).pdf
finalreportsoarnew (1).pdf
Firozkumar2
 
IBM Security Immune System
IBM Security Immune SystemIBM Security Immune System
IBM Security Immune System
Juan Pablo Coelho
 
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
Kaspersky
 
Whitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security IntelligenceWhitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security Intelligence
Camilo Fandiño Gómez
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
CA_Module_2.pdf
CA_Module_2.pdfCA_Module_2.pdf
CA_Module_2.pdf
EhabRushdy1
 

Similar to SIEM vs EDR (20)

Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoChanging the Security Monitoring Status Quo
Changing the Security Monitoring Status Quo
 
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
 
Seceon's aiXDR_ Automating Cybersecurity Threat Detection in 2023 - Seceon.pptx
Seceon's aiXDR_ Automating Cybersecurity Threat Detection in 2023 - Seceon.pptxSeceon's aiXDR_ Automating Cybersecurity Threat Detection in 2023 - Seceon.pptx
Seceon's aiXDR_ Automating Cybersecurity Threat Detection in 2023 - Seceon.pptx
 
Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docxOverall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docx
 
ASPEN Brochure
ASPEN BrochureASPEN Brochure
ASPEN Brochure
 
PKI.pptx
PKI.pptxPKI.pptx
PKI.pptx
 
Soar cybersecurity
Soar cybersecuritySoar cybersecurity
Soar cybersecurity
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptx
 
Need of SIEM when You have SOAR
Need of SIEM when You have SOARNeed of SIEM when You have SOAR
Need of SIEM when You have SOAR
 
Cybersecurity leaders guide to xdr for business
Cybersecurity leaders guide to xdr for businessCybersecurity leaders guide to xdr for business
Cybersecurity leaders guide to xdr for business
 
What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?
 
Optimizing cybersecurity incident response decisions using deep reinforcemen...
Optimizing cybersecurity incident response decisions using deep reinforcemen...Optimizing cybersecurity incident response decisions using deep reinforcemen...
Optimizing cybersecurity incident response decisions using deep reinforcemen...
 
finalreportsoarnew.pdf
finalreportsoarnew.pdffinalreportsoarnew.pdf
finalreportsoarnew.pdf
 
finalreportsoarnew (1).pdf
finalreportsoarnew (1).pdffinalreportsoarnew (1).pdf
finalreportsoarnew (1).pdf
 
IBM Security Immune System
IBM Security Immune SystemIBM Security Immune System
IBM Security Immune System
 
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
 
Whitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security IntelligenceWhitepaper IBM Qradar Security Intelligence
Whitepaper IBM Qradar Security Intelligence
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
CA_Module_2.pdf
CA_Module_2.pdfCA_Module_2.pdf
CA_Module_2.pdf
 

Recently uploaded

Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
FODUU
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
Techgropse Pvt.Ltd.
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 

Recently uploaded (20)

Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 

SIEM vs EDR

  • 1. Advanced Cybersecurity & Threat Protection ConnectWise eBook Series SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats
  • 2. SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Table of Contents Contents Introduction............................................................................................................................................................3 Chapter 1: What is SIEM technology and how would you use it?.................................................4 Chapter 2: What is EDR technology and how would you use it?...................................................6 Chapter 3: A quick comparison of capabilities: SIEM vs. EDR.......................................................8 Chapter 4: How SIEM and EDR help TSPs protect clients more effectively.............................9 Chapter 5: Develop a more complete security picture with SIEM and EDR...........................10
  • 3. SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Introduction << Back to Table of Contents 3 SIEM and EDR are acronyms that get kicked around a lot in discussions about cybersecurity, but what do they really mean? More important, what do these technologies do—and do you need to have both in the security technology stack your organization relies on every day for protection? You’ll get answers to these questions and more in this eBook. It offers a quick primer on SIEM and EDR to help demystify these terms. It also highlights the differences between—and underscores the value of—these different but complementary security controls in the following sections. Introduction
  • 4. SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Chapter 1 << Back to Table of Contents 4 A security information and event management (SIEM) system collects log and event data that an organization’s network devices, systems, and applications and services generate. It then brings all that information together into one platform. A SIEM provides security teams with greater visibility into what’s happening with all the elements in the IT ecosystem through a“single pane of glass.” Technicians use automation to run the data in the SIEM against various prebuilt security rules. They can swiftly navigate through all the“white noise”from these various data sources—which include everything from web servers to hypervisors—to identify real and actionable events. The SIEM serves as a critical layer in an organization’s technology stack because it amplifies threat detection. With a SIEM, you can learn very quickly if a malicious actor has breached your traditional perimeter defense, so you can move fast to respond. SIEM: An old tool made better by the cloud SIEM technology is by no means new; it’s been around since 2000. And over time, it’s become a fundamental tool for a Security Operations Center (SOC) to provide 24/7/365 monitoring and logging of security event alerts. SIEM helps security teams focus on identifying, analyzing, and responding to the threats and other alerts that matter most. Today’s next-generation, cloud-based SIEMs make it easier for technology service providers (TSPs) to provide SIEM capabilities—including visibility—to their clients. When you work with a SOC using a modern SIEM solution, you can typically get full access to view your alert data. And your team can work right alongside the technicians in the SOC to identify and address critical issues as quickly as possible. Chapter 1: What is SIEM technology and how would you use it?
  • 5. SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Chapter 1 << Back to Table of Contents 5 What are some use cases for SIEM technology? An organization that wants full visibility into its entire IT infrastructure will adopt a SIEM platform, or it will work with a TSP that provides SIEM capabilities as part of its cybersecurity offerings. With advanced SIEM technology, security teams can: • Conduct strategic detection: Today’s SIEM solutions can provide real-time visibility into security threats, like malware or suspicious network traffic, impacting network devices, systems, and applications and services. Security teams can use SIEM technology to stay focused on the organization’s most critical IT assets and prioritize the response to any alerts related to them. • Analyze event data: Security teams can use SIEMs to analyze event data in real time; this increases the ability to detect threats early, including advanced threats and targeted attacks. The“single pane of glass”view a SIEM provides also helps teams to hunt proactively for threats across the entire organization and shift away from a reactive approach to cybersecurity • Enrich logs: Event logs from security controls like endpoint solutions, web filters and firewalls, as well as from other devices like routers and from applications, offer a wealth of information about potential threats. But they need to be enriched— that is, given more context—to be understood. An example of this process is enriching a log that contains IP addresses with relevant geolocation data for those addresses. A leading SIEM platform can be integrated with other systems using APIs to collect and correlate event and non-event data for enriching logs. • Meet compliance requirements: Real-time correlation and analysis of data, plus data retention and report automation, make it easier for businesses to stay in compliance with mandates like the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS). • Accept data from many sources in the network: Because a SIEM has access to multiple and diverse sources of data in an organization’s IT ecosystem, and it offers visibility into event data through a single pane of glass, security teams can gain a much better picture of what their various security tools are“seeing”and reacting to. That gives them more insight into potential threats, including their severity and what they’re targeting in the network.
  • 6. SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Chapter 2 << Back to Table of Contents 6 As its name suggests, endpoint detection and response (EDR) solutions are endpoint-focused security technology. Endpoints essentially served as gateways to a network. They include hardware devices such as desktops, smartphones, Internet of Things (IoT) devices, and servers—and they are all prone to vulnerabilities. Malicious actors target endpoints relentlessly in hopes of infiltrating the network. Like SIEM technology, EDR technology isn’t new— although the term“endpoint detection and response” was only coined in the past decade.1 EDR technology, also like SIEM, can serve as a critical layer in an organization’s security technology stack. But EDR solutions don’t look at the entire network like SIEM tools do. An EDR solution monitors and collects data about endpoint activity and analyzes it to determine what activity is normal—or not. Many EDR tools are agent-based, meaning they require the installation of software or a sensor on an endpoint device to enable monitoring and data gathering. This software is what allows EDR tools to provide advanced and comprehensive threat detection and response. AI and ML accelerate threat identification and response Modern EDR solutions are cloud-based and use artificial intelligence (AI) and machine learning (ML) for behavioral analysis and threat detection. They can continuously monitor each running process and map it to malicious behavior and quickly identify the root causes for those behaviors by diagnosing corrupt source processes and system settings. Leading EDR tools can also recognize virus and malware variants. When an AI-driven EDR platform identifies a threat, it can automatically respond to block, remove, or contain the threat and notify security staff so they can investigate the threat further, if needed. Leading EDR tools also provide forensics and analytics capabilities that allow security teams to research identified threats and even search for suspicious activities through threat hunting. Today’s cloud-based EDR tools are easy to integrate with other systems, manage, and keep up to date. Because endpoints are under constant attack by an ever-changing array of threats with varying degrees of severity, many organizations outsource the work of triaging EDR alerts and remediation to a SOC provider, rather than burdening their IT personnel or hiring more security talent. Chapter 2: What is EDR technology and how would you use it? 1 “Named: Endpoint Threat Detection & Response,” by Anton Chuvakin, Gartner, July 26, 2014: https://blogs.gartner.com/anton-chuvakin/2013/07/26/named-endpoint-threat-detection-response/.
  • 7. SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Chapter 2 << Back to Table of Contents 7 What are some use cases for EDR technology? An organization that wants to detect and assess suspicious activity on the endpoints that can access its networks will implement an EDR solution, or work with a TSP that provides EDR capabilities as part of its cybersecurity offerings. With advanced EDR technology, security teams can: • Benefit from vendor-driven analysis: An EDR platform can collect data from endpoints and transmit it back to the vendor for analysis. If the data is determined to be a threat, the vendor will block the threat and create an alert. Security administrators can typically view these alerts in the dashboard for the EDR solution and decide how to respond. Importantly, vendors can also identify false positives, so security teams don’t waste time chasing threats that aren’t real. • Use rollback capabilities: A modern EDR tool can provide advanced visibility into devices. And in the event of a threat, they can quickly roll back files to previous safe versions through tracking changes in the devices and restoring them to an acceptable risk state. Rollbacks remediate the damage done to endpoints by attacks from threats like ransomware. • Query endpoint data quickly: Security teams can swiftly search information collected by the EDR platform to understand the risk and scope of threats. And they can search the EDR database for indicators of compromise. They can also directly query endpoints in real time. • Contain threats at the endpoint: EDR tools use event and behavior analysis to detect threats, whether those threats are known or zero- day vulnerabilities. If an event is found to be suspicious—either immediately or at a later time— the EDR platform will stop running processes to contain the threat, block further events, and alert the security team. This quick action at the endpoint level is critical for containing fast-moving threats like ransomware. • Control and monitor device use: Advanced EDR platforms allow organizations to control what the devices connected to their network—including USB and wireless Bluetooth devices—can access while on the network. They can also monitor how those devices are being used while they are active in the IT environment.
  • 8. SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Chapter 3 << Back to Table of Contents 8 Chapter 3: A quick comparison of capabilities: SIEM vs. EDR SIEM • Sees the“whole picture”of a network • Detects events based on data input • Provides some automatic response, depending on integrations • Offers massive detection capabilities • Useful for analysis and compliance • Not typically used for threat prevention EDR • Focuses only on endpoints • Detects events on endpoints (e.g., file written, file executed) • Responds to threats either automatically or with security team intervention • Features built-in machine learning and behavioral analysis capabilities • Allows cybersecurity experts to proactively threat hunt across endpoint devices • Protects endpoints even if they’re not on the network
  • 9. SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Chapter 4 << Back to Table of Contents 9 Leading TSPs know that prevention isn’t enough to stop all threats. For example, EDR solutions are limited in their ability to detect and deflect highly sophisticated fileless malware. This malware is dangerous, as it exploits vulnerabilities that can give attackers administrative control and the ability to gather data to use in future attacks—like a highly targeted phishing attack. The fileless malware threat is just one reason more TSPs are starting to use advanced SIEM and EDR platforms together. Adding these layers of advanced defenses to their security technology stack help TSPs develop a more complete picture of the threats targeting their clients—in real time. With EDR, TSPs can detect, block, contain, and remediate the threats targeting their clients’endpoints faster. They can also analyze and investigate these threats, and if needed, roll back files to“safe”versions. And SIEM technology helps TSPs protect their clients more effectively by providing full visibility into an organization’s IT infrastructure and collecting data from multiple sources for analysis. That helps security teams catch events when prevention measures fail. Also, companies that need to meet compliance and regulatory mandates can benefit from the log capture, retention, and review capabilities in a modern SIEM platform. Clients with highly valuable data, like sensitive financial information and intellectual property, are better protected, too, because SIEM technology can highlight unusual activity related to the systems and devices storing that data. The value for companies working with a TSP that provides these additional layers of security—aside from being better protected from the latest threats and malicious actors—is the ability to leave this defensive work in the hands of experienced experts who can focus on alerts and threats 24/7/365. They can keep their own security resources focused on high-value work. Also, they don’t need to worry about finding, hiring, and retaining more security talent to help them make sense of the constant“white noise”coming from SIEM and EDR tools. Chapter 4: How SIEM and EDR help TSPs protect clients more effectively
  • 10. SIEM vs EDR: Why Using Both Gives You a More Complete Picture of Cybersecurity Threats Chapter 5 << Back to Table of Contents Updated: 05/27/21 ConnectWise.com 10 SIEM and EDR are two technologies that, when used together, can help organizations gain a more complete picture on the state of their security. One technology is not a substitute for the other; think of SIEM and EDR as complementary controls. They are also an important part of an organization’s overall security strategy, which includes employing an array of other security controls (technological, physical and logical), adopting best practices and leading frameworks, implementing and enforcing effective policies, creating and testing business continuity management plans, providing relevant end user training, and much more. Even though a SIEM solution can cover for instances when threat prevention fails, a well-designed EDR platform should still outperform a SIEM tool in prevention. EDR technology should also make it simpler for security teams to react to events. Likewise, a well-designed SIEM platform should outperform an EDR tool in detection. And it should make it easier for security teams to sift through multiple data sources. Additionally, it should support log enrichment and provide more context about potential threats. A case for complementary tools So, what can happen when you don’t have EDR and SIEM tools in your technology stack, working together? Consider the following real-world example of a missed opportunity to contain a threat fast: An organization’s web servers were hit with web shells—malware that enables remote access and control—leading to defacements. The organization had an EDR platform. But because that tool can only detect when something happens on the endpoint, like the execution of a file, it only detected the threat and triggered an alert after the attacker tried to escape the website. If the organization had an advanced SIEM platform in place, its security team could have detected the malicious traffic as soon as the initial exploit occurred and moved quickly to reduce its impact. Chapter 5: Develop a more complete security picture with SIEM and EDR