It’s easy to get whiplash from the erratic pace of information security, which is part of what makes it both exciting and difficult to keep up with the latest industry trends and terminology. You or your team are trying to put out fires and stay up to date with the newest threats while also balancing other security and IT initiatives.
At the end of the day, it’s your job to protect, defend and respond – and how you do it is what can make a significant difference in how effectively or quickly you can put out those fires. If you’re running lean with a team of one or two split between both IT and security, you want to know how to consolidate and get visibility over many different security tools. You also need a way to automate the remediation process to contain or block threats.
There are many different tools to achieve these objectives, and they’ve evolved a bit over the years. Here’s a rundown of some basic detection and response terms you may run into during your research:
SIEM – Security Information and Event Management
SIEM solutions have been around for decades, with varying degrees of functionality based on which product or vendor you choose. This is the most recognizable term for a centralized log management tool that integrates with your different applications, systems, servers, etc. to take in data from each service.
SIEMs are used for real-time security event analysis to help with investigation, early threat detection and incident response. They also support compliance use cases, as many data regulatory frameworks require organizations to keep audit logs for up to one year.
SIEMs can be hosted in the cloud or on-premises; the former is considered a more modern deployment as more organizations move to a remote work model. A modern SIEM should be able to centralize cloud data and detect malicious behavior such as lateral movement or privilege escalations. Other characteristics of a modern SIEM such as Blumira include:
- Automated threat detection with pre-tuned rules to reduce alert fatigue
- The ability to investigate and respond to a potential threat — from initial discovery to resolution — with one tool, rather than relying on multiple solutions
- Correlation of findings with multiple risk intelligence feeds to pinpoint new and evolving threats
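To make the centralization and correlation described above concrete, here is an added example (not Blumira’s code, and not part of the original post) of the core of a SIEM pipeline in Python: log lines from three constructed sources in three different formats are normalized into one schema, and a correlation rule then looks across all of them for a source IP that fails logons against several accounts and then succeeds. The log lines, field names, thresholds and rule name are assumptions made for illustration.

```python
"""Minimal SIEM-style pipeline: normalize logs from several sources into one
schema, then run one correlation rule over the combined stream.

Added example, not Blumira's code. The log lines, regexes and thresholds
are constructed for illustration."""
import json
import re
from datetime import datetime, timedelta

# Constructed sample logs: a firewall (syslog-like), Windows logon audit
# events, and a cloud identity-provider event.
FIREWALL_LOGS = [
    "2024-05-01T10:00:01Z fw01 auth: LOGIN FAILED user=alice src=203.0.113.7",
    "2024-05-01T10:00:04Z fw01 auth: LOGIN FAILED user=alice src=203.0.113.7",
    "2024-05-01T10:00:09Z fw01 auth: LOGIN FAILED user=bob src=203.0.113.7",
]
WINDOWS_LOGS = [
    "2024-05-01T10:00:12Z DC01 EventID=4625 TargetUserName=carol IpAddress=203.0.113.7",
    "2024-05-01T10:00:20Z DC01 EventID=4624 TargetUserName=carol IpAddress=203.0.113.7",
]
CLOUD_LOGS = [
    '{"time": "2024-05-01T09:30:00Z", "actor": "dave", "ip": "198.51.100.9", "result": "success"}',
]

FW_RE = re.compile(r"^(\S+) \S+ auth: LOGIN (FAILED|OK) user=(\S+) src=(\S+)$")
WIN_RE = re.compile(r"^(\S+) \S+ EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(source, line):
    """Map one raw line to the common schema {ts, source, user, src_ip, outcome}.
    Returns None for lines the parser for that source does not understand."""
    if source == "firewall":
        m = FW_RE.match(line)
        if not m:
            return None
        ts, status, user, ip = m.groups()
        outcome = "failure" if status == "FAILED" else "success"
    elif source == "windows":
        m = WIN_RE.match(line)
        if not m:
            return None
        ts, event_id, user, ip = m.groups()
        outcome = {"4624": "success", "4625": "failure"}.get(event_id)
        if outcome is None:
            return None
    elif source == "cloud":
        rec = json.loads(line)
        ts, user, ip, outcome = rec["time"], rec["actor"], rec["ip"], rec["result"]
    else:
        return None
    return {"ts": parse_ts(ts), "source": source, "user": user,
            "src_ip": ip, "outcome": outcome}


def correlate_failed_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Rule: one source IP fails logons for more than one account (across any
    source), then succeeds within the window. Emits at most one finding per IP."""
    findings = []
    by_ip = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip.setdefault(ev["src_ip"], []).append(ev)
    for ip, evs in by_ip.items():
        for i, ev in enumerate(evs):
            if ev["outcome"] != "success":
                continue
            recent = [e for e in evs[:i]
                      if e["outcome"] == "failure" and ev["ts"] - e["ts"] <= window]
            if len(recent) >= min_failures and len({e["user"] for e in recent}) > 1:
                findings.append({
                    "rule": "failed logons for several accounts followed by success",
                    "src_ip": ip,
                    "failed_users": sorted({e["user"] for e in recent}),
                    "success_user": ev["user"],
                    "sources": sorted({e["source"] for e in recent + [ev]}),
                })
                break
    return findings


def run_pipeline():
    """Centralize all three sources, then run the correlation rule."""
    events = []
    for src, lines in (("firewall", FIREWALL_LOGS), ("windows", WINDOWS_LOGS),
                       ("cloud", CLOUD_LOGS)):
        events.extend(e for e in (normalize(src, line) for line in lines) if e)
    return correlate_failed_then_success(events)


if __name__ == "__main__":
    for finding in run_pipeline():
        print(finding)
```

The point the example makes is that neither source alone would fire: the firewall sees three failures and the domain controller sees one failure and one success, and only the normalized, combined stream shows the pattern. Each new log source needs only a `normalize` branch; the rule does not change.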
The scope of what you should log in a SIEM can be a contentious issue. When you’re first getting started with your SIEM deployment, get to know the most important log sources to prioritize.
Our guide gives you a checklist of criteria to help you select a modern security platform that can meet your organization’s needs without significant overhead.
What is a SIEM, and why do you need one? We answer these questions and more in our complete guide to SIEM technology.
SOC – Security Operations Center
A security operations center is a centralized location run by a security operations (SecOps) team that continuously monitors, analyzes and responds to security incidents. It takes in data from an organization’s networks, devices, servers, etc., and SOC analysts then determine the next steps for remediation.
Many organizations can’t afford to keep an in-house SOC or SecOps team on staff, as it requires extensive training and hiring in a time of talent shortage. The infosec industry has responded by creating managed detection and response (MDR) services that are meant to enhance or replace a SOC.
What makes SecOps successful is how much of the network you can see and how quickly you can respond to security events.
Hiring a full security operations team isn’t an option for small businesses. Learn how to automate security with a modern SIEM to alleviate the pain of infosec staffing.
SOAR – Security Orchestration, Automation and Response
Traditional SIEMs often require a lot of manual work. Teams have to regularly fine-tune rules to prevent false positives and alert fatigue, a process that is often time-consuming. Other manual tasks include data correlation, which involves searching through logs and comparing data from different sources to determine if there’s a credible threat.
SOAR solutions evolved as a way to help SOC analysts become more efficient, allowing for more automated prioritization and processing of security events and incidents.
The key capabilities of SOAR solutions include:
- Integrating disparate tools such as firewalls, SIEM platforms, endpoint detection and response (EDR) and external threat intelligence feeds in an attempt to bring all cybersecurity platforms into a single pane of glass
- Pre-built automated workflows to streamline the process of responding to an alert
- Playbooks — guides for response procedures and threat analysis — are a key component of automation in SOAR platforms and can automatically trigger responses, which helps reduce the amount of manual investigation and decision-making during stressful times.
- Evidence stacking, or automatically searching for all relevant data to provide more useful, actionable context for a responder. For example, a platform can point users towards an affected IP address or host that they should investigate.
- Automated containment actions, such as a dynamic blocklist
Response: SOAR use cases often include post-incident response, with capabilities such as reporting, analysis and case management.
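The playbook, evidence-stacking and dynamic-blocklist capabilities listed above, as an added Python example that is not Blumira’s code or part of the original post. A finding arrives from a SIEM, the playbook pulls every recent event tied to the same source IP and summarizes it for the responder, and the decision to block automatically or hand the case to an analyst follows a threshold in the playbook. The event store, the two findings, the thresholds and the fixed clock are all constructed so that the run is deterministic.

```python
"""SOAR-style playbook: stack the evidence for a SIEM finding, choose a
response from a playbook, and apply a dynamic blocklist entry that expires.

Added example, not Blumira's code. Event store, findings, thresholds and
the fixed clock are constructed for illustration."""
from datetime import datetime, timedelta

NOW = datetime(2024, 5, 1, 10, 1, 0)  # constructed "current time"

# Constructed, already-normalized events as a SIEM would hold them
EVENT_STORE = [
    {"ts": NOW - timedelta(seconds=59), "src_ip": "203.0.113.7",  "user": "alice", "host": "vpn01", "outcome": "failure"},
    {"ts": NOW - timedelta(seconds=51), "src_ip": "203.0.113.7",  "user": "bob",   "host": "vpn01", "outcome": "failure"},
    {"ts": NOW - timedelta(seconds=40), "src_ip": "203.0.113.7",  "user": "carol", "host": "DC01",  "outcome": "success"},
    {"ts": NOW - timedelta(hours=3),    "src_ip": "203.0.113.7",  "user": "carol", "host": "DC01",  "outcome": "success"},
    {"ts": NOW - timedelta(seconds=10), "src_ip": "198.51.100.9", "user": "dave",  "host": "web01", "outcome": "success"},
]

# Constructed playbook: when to block automatically versus hand to an analyst
PLAYBOOK = {
    "name": "suspicious-remote-logon",
    "auto_block_min_failures": 2,      # this many failures plus a success -> block now
    "block_ttl": timedelta(hours=24),  # dynamic entries expire instead of piling up
}


class DynamicBlocklist:
    """Blocklist with expiring entries; a firewall integration would sync it."""

    def __init__(self):
        self._entries = {}  # ip -> expiry time

    def add(self, ip, ttl, now):
        self._entries[ip] = now + ttl

    def is_blocked(self, ip, now):
        exp = self._entries.get(ip)
        return exp is not None and now < exp

    def prune(self, now):
        """Drop expired entries and return the IPs still blocked."""
        self._entries = {ip: exp for ip, exp in self._entries.items() if now < exp}
        return sorted(self._entries)


def stack_evidence(finding, store, now, lookback=timedelta(minutes=15)):
    """Evidence stacking: gather every recent event tied to the finding's IP
    and summarize it so the responder does not have to search by hand."""
    ip = finding["src_ip"]
    related = [e for e in store if e["src_ip"] == ip and now - e["ts"] <= lookback]
    return {
        "event_count": len(related),
        "users_targeted": sorted({e["user"] for e in related}),
        "hosts_with_success": sorted({e["host"] for e in related if e["outcome"] == "success"}),
        "failures": sum(1 for e in related if e["outcome"] == "failure"),
    }


def run_playbook(finding, store, blocklist, now, playbook=PLAYBOOK):
    """Open a case, stack evidence, then contain or escalate per the playbook."""
    evidence = stack_evidence(finding, store, now)
    case = {"finding": finding, "evidence": evidence, "actions": [], "status": "open"}
    if evidence["failures"] >= playbook["auto_block_min_failures"] and evidence["hosts_with_success"]:
        blocklist.add(finding["src_ip"], playbook["block_ttl"], now)
        case["actions"].append(f"blocklisted {finding['src_ip']} for {playbook['block_ttl']}")
        case["status"] = "contained"
    else:
        case["actions"].append("escalated to analyst: below auto-block threshold")
        case["status"] = "triage"
    return case


def demo():
    """Run two constructed findings through the playbook and report the outcome."""
    blocklist = DynamicBlocklist()
    findings = [{"rule": "failed logons then success", "src_ip": "203.0.113.7"},
                {"rule": "logon from new location",    "src_ip": "198.51.100.9"}]
    cases = [run_playbook(f, EVENT_STORE, blocklist, NOW) for f in findings]
    return {
        "cases": cases,
        "blocked_now": blocklist.prune(NOW),
        "blocked_after_ttl": blocklist.prune(NOW + timedelta(hours=25)),
    }


if __name__ == "__main__":
    result = demo()
    for case in result["cases"]:
        print(case["finding"]["src_ip"], case["status"], case["actions"])
    print("blocked now:", result["blocked_now"], "after TTL:", result["blocked_after_ttl"])
```

Two design points carry over to real deployments: the lookback window keeps stale history (the three-hour-old logon) out of the evidence so it does not inflate the case, and the blocklist entry carries an expiry, so an automated containment action cannot silently become a permanent rule nobody reviews.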
SOAR tools are often used to enhance traditional SIEM platforms that lack these types of capabilities. However, many modern SIEMs, such as Blumira, are blurring the lines of SOAR vs. SIEM by offering many of the capabilities listed above in one integrated solution. The difference between SOAR and SIEM has become less distinct as the cybersecurity market matures and converges.
Security Orchestration, Automation & Response (SOAR) solutions are the future – but there are limitations. Here’s how to leverage SOAR with lower overhead.
EDR – Endpoint Detection and Response
EDR (endpoint detection and response) continuously monitors endpoints (desktops, laptops, mobile devices, servers, or any device connected to an organization’s network) to detect malicious behavior. As the name implies, EDR systems help users respond to threats; with some tools, this process is automated.
EDR can either refer to a suite of tools or a single platform.
EDR is often referred to as a natural evolution of antivirus software because both tools perform similar functions. Traditional antivirus, however, typically relies on signature-based detection to spot known threats, whereas EDR uses behavior-based detection to catch emerging attacks such as advanced persistent threats (APTs) and fileless malware, which traditional antivirus typically does not. EDR software can, however, be a component of next-generation antivirus products.
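The signature-based versus behavior-based distinction, as an added Python example that is not any vendor’s code or part of the original post. Both detectors run over the same constructed endpoint telemetry: the signature scan hashes each process image and checks a known-bad list, while the behavior scan looks at the parent-child relationship between processes. The events, the stand-in file bytes, the hash list and the process-lineage rule are all constructed for illustration.

```python
"""Signature-based versus behavior-based detection over the same constructed
endpoint telemetry.

Added example, not any vendor's code. Events, file bytes, the known-bad
hash list and the lineage rule are constructed for illustration."""
import hashlib

# Constructed signature database: SHA-256 of one "known" sample.
KNOWN_BAD = {hashlib.sha256(b"constructed malware sample v1").hexdigest()}

# Constructed process-start events from one endpoint; the `bytes` field stands
# in for the on-disk image an agent would hash. The last process is a variant
# the signature database has not seen.
EVENTS = [
    {"pid": 410, "ppid": 1,   "image": "explorer.exe",   "bytes": b"explorer"},
    {"pid": 522, "ppid": 410, "image": "winword.exe",    "bytes": b"word"},
    {"pid": 600, "ppid": 522, "image": "powershell.exe", "bytes": b"powershell"},
    {"pid": 601, "ppid": 600, "image": "dropper.exe",    "bytes": b"constructed malware sample v2"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def signature_scan(events, known_bad=KNOWN_BAD):
    """Antivirus-style: flag only images whose hash is already on the list."""
    return [e["image"] for e in events
            if hashlib.sha256(e["bytes"]).hexdigest() in known_bad]


def behavior_scan(events):
    """EDR-style: flag a suspicious process relationship regardless of hashes.
    Rule used here: an office application spawning a script host."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS:
            alerts.append({"rule": "office app spawned script host",
                           "parent": parent["image"], "child": e["image"], "pid": e["pid"]})
    return alerts


def lineage(events, pid):
    """Process ancestry for an alert, oldest ancestor first, for the responder."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    print("signature hits:", signature_scan(EVENTS))
    for alert in behavior_scan(EVENTS):
        print("behavior alert:", alert, "lineage:", lineage(EVENTS, alert["pid"]))
```

On this input the signature scan returns nothing, because the variant’s hash is not in the list, while the behavior rule fires on the office-to-script-host chain and the lineage helper gives the responder the full ancestry to review. That is the gap the paragraph describes; in practice the two approaches are layered rather than chosen between.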
However, when it comes to taking a more holistic approach to defensive security, EDR is limited to only endpoints. For complete coverage across modern, hybrid environments, you need to collect, analyze and correlate data from many different sources for the most effective detection and response capabilities. A modern SIEM hooks into all of these different tools, including EDRs, to provide deeper visibility, automatically correlate data and send you contextual findings on high-confidence indicators of threats in your environment.
It’s important to test antivirus software to see if it can detect malicious activity. Two testing phases ensure that tools can handle security threats.
Watch this on-demand webinar with a penetration tester and incident detection engineer to learn how to test your EDR tool’s effectiveness.
XDR – Extended Detection and Response
Extended detection and response (XDR) tools are often considered the successor to EDR. Rather than just detect threats at the endpoint level, XDR tools are more holistic, gathering information from endpoints, networks, servers, cloud applications, and more. While similar to SIEM and SOAR tools, XDRs are differentiated by their level of integration at deployment and ability to address threat detection and incident response use cases, according to Gartner.
XDR products evolved to solve challenges that organizations have with traditional SIEMs – failed, incomplete or immature SIEM deployments (only using SIEM for log storage and compliance).
XDRs centralize normalized data, mostly focusing on products from their own ecosystem. They correlate data and alerts into security incidents, and they provide incident response functionality that can be carried out via security policies.
Forrester does not recommend replacing SIEM with XDR, as it doesn’t meet the needs of all of the different SIEM or security analytics use cases today, including compliance, reporting, long-term forensics, triage, patching and vulnerability management.
XDR use cases include real-time threat hunting, in-queue alerts, helping determine what’s real or not in attack scenarios, indicators of compromise (IoCs), and deeper investigation and response.
While XDR and SIEM are on a collision course in the near future, they are considered complementary and can work well together. Some XDR vendors may only provide platforms that work natively with that vendor’s own suite of tools, while others provide hybrid options to integrate with third parties.
MDR – Managed Detection and Response
MDR is a managed service that often combines technology with outsourced analysts to detect and respond to malicious behavior on a network. MDR providers offer technology that covers endpoints, networks, cloud services, operational technology and internet of things (IoT), as well as collecting other sources like logs and data, according to Gartner’s Market Guide for Managed Detection and Response Services.
The premise of MDR is similar to MSSP (managed security service provider) in that both solutions offload cybersecurity tasks to a third-party provider. However, MDR and MSSPs have a few key differences:
- MSSPs typically do not weed out false positives; they simply forward alerts to the in-house IT team who must then determine how to respond to them. In general, MSSPs do not focus on the response component of cybersecurity; they use firewalls, antivirus, and other tools to prevent threats.
- Threat analysis and intelligence is often a component of MDR. MSSPs generally work with a rule-based system to identify known threats and focus less on analysis.
- MSSPs may mainly focus on helping their clients meet compliance. Using an MDR platform may achieve compliance as a byproduct, but it is not a main priority.
Some traditional MSSPs now offer MDR services as part of their portfolios, through acquisitions and building their own services.
MDR can provide containment actions as part of incident response, giving customers without an internal security operations center (SOC) a way to take immediate action.
Best Tools for Lean Security Teams
These days, consolidating your toolset while making the most out of your current investments is the best strategy for bootstrapping security and/or IT teams. Blumira combines the best of the above technologies to provide more value to lean teams, including:
- An easy-to-use cloud SIEM platform that reduces deployment times down to hours and days, not months or years
- Wide coverage for your existing tech stack with integrations for endpoint protection, cloud infrastructure, firewalls, identity providers and more
- Automated threat detection that includes ongoing parser development to centralize and normalize your data, saving you time and resources
- Prioritized, contextualized security findings that help reduce alert fatigue and inform your team of what’s critical and needs immediate attention
- Built-in detection rules, tuned by Blumira’s security analyst team, who perform proactive threat hunting on your behalf and automatically integrate the results into Blumira’s platform
- Automated threat response with step-by-step playbooks that walk your team through next steps in remediation, whether to block or contain identified threats
- Honeypots to help you quickly detect lateral movement or unauthorized access attempts in your environment