Actionable XDR Telemetry vs. Uncorrelated SIEM Alerts

November 3, 2021 | 4 minute read

As a class of security tools, Security Information and Event Management (SIEM) finds itself in a curious position. On the one hand, the global SIEM market is expected to continue growing over the next few years.

PRNewswire reported that the market is expected to reach $6.4 billion by 2027. Such growth implies a CAGR of 6.8% over the next six years. It also means that continuous monitoring, incident response, regulatory compliance, and log management will remain priorities for organizations during that period.

On the other hand, organizations are dissatisfied with the lack of performance by SIEM solutions. Why? Because “traditional SIEM platforms no longer meet the growing needs of security practitioners who face new and emerging threats,” as noted by Help Net Security. Specifically, 18% of security professionals surveyed said that it had taken them more than 12 months to deploy and implement their organization’s SIEM.

Apparently many weren’t impressed once they got their SIEM up and running, either. Nearly half (46%) of respondents said that the cost vs. capabilities of their SIEM did not align with their employer’s priorities. A quarter of survey participants went on to name the delivery of too many alerts as the biggest problem with their SIEM platform.

SIEMs as Imperfect Solutions

The findings discussed above tie in with why many security professionals are unsatisfied with their SIEM’s visibility. Indeed, SIEMs were originally designed to ingest a wide range of telemetry from various sources (security tools, logs, etc.), but that’s about it. All they really do is present the analysts with an “organized mess” that lacks the necessary context and correlations across the telemetry an analyst needs to answer the question, “Are we under attack?”

Almost everything security teams need is in one place, but it is still raw data they have to sift through manually, assess, and then correlate with other telemetry before they can make a judgement call—all of which consumes analyst time, cannot scale effectively, and does not provide the level of automation the modern enterprise requires for a robust security posture.

Of course, that’s assuming that a SIEM is even capable of handling all that data. We noted previously that no one uses a SIEM to understand what’s happening on their endpoints because no SIEM solution can handle the volume of logs that security teams need to effectively analyze endpoint data. This means that many security teams lack visibility into what’s going on with their endpoints using SIEM, and a SIEM can’t correlate that intelligence with other non-endpoint telemetry.

Using Endpoint Detection and Response (EDR) solutions to compensate doesn’t always work, either. EDR offerings – and even most XDR solutions – cannot ingest all the telemetry their agents make available, so they are forced to use “data filtering,” a process that discards telemetry even though it might be useful for detection. They need to engage in this practice because they must send all their data to the cloud for analysis before they can return a detection.

Given the shortcomings of supplemental EDR tools, SIEMs remain what we like to think of as really expensive log reporting systems, used primarily for compliance purposes, that do little to actually improve security posture. Sooner or later, security teams need something more sophisticated. Hence the need for organizations to shift to a more effective security approach.

Advanced XDR (Extended Detection and Response) to the Rescue

Extended Detection and Response (XDR) is a security approach that requires the collection of all relevant security telemetry from not only endpoints, but also application suites, user personas, cloud workloads and more. And this telemetry needs to be comprehensive and granular, down to items like configuration changes for cloud workloads, attachment metadata for email messages, and all network traffic – without unnecessary “filtering” of any telemetry.

If an EDR or XDR solution provider is trying to tout “smart filtering” of telemetry as a feature, this is a big red flag indicating they cannot deliver Advanced XDR (or even EDR, for that matter).

Furthermore, the real value of an Advanced XDR solution is that it takes a step beyond simply collecting and organizing telemetry. It makes the logical correlations between otherwise disparate intelligence sources and then provides the analyst with a comprehensive view of how all those activities are connected to reveal the attack timeline, as well as automated and guided one-click remediation options to deliver effective security at scale.
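To make the correlation step concrete, here is an added example in Python (not Cybereason’s code or any product’s implementation) over constructed telemetry: each event would surface as a separate, low-context alert in a SIEM, while linking events that share an entity (user or host) within a time window reassembles them into one operation timeline spanning email, endpoint, network and cloud sources.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str                 # which telemetry feed produced it
    entities: FrozenSet[str]    # identifiers shared across feeds, e.g. "user:alice"
    summary: str


# Constructed sample telemetry (not real data). Alone, each row is an uncorrelated alert.
EVENTS = [
    Event(datetime(2021, 11, 3, 9, 0), "email", frozenset({"user:alice"}),
          "attachment invoice.docm received"),
    Event(datetime(2021, 11, 3, 9, 4), "endpoint", frozenset({"user:alice", "host:ws01"}),
          "WINWORD.EXE spawned powershell.exe"),
    Event(datetime(2021, 11, 3, 9, 6), "network", frozenset({"host:ws01"}),
          "outbound connection to previously unseen external host"),
    Event(datetime(2021, 11, 3, 9, 30), "cloud", frozenset({"user:alice"}),
          "storage bucket ACL changed to public"),
    Event(datetime(2021, 11, 3, 14, 0), "endpoint", frozenset({"user:bob", "host:ws07"}),
          "scheduled task created"),
]


def correlate(events: List[Event], window: timedelta = timedelta(hours=1)) -> List[List[Event]]:
    """Group events into operations: an event joins an operation when it shares an
    entity with, and falls within `window` after, an event already in that operation.
    If it bridges several operations, they are merged into one."""
    ops: List[List[Event]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        merged = None
        for op in ops:
            if any(ev.entities & o.entities and ev.ts - o.ts <= window for o in op):
                if merged is None:
                    op.append(ev)
                    merged = op
                else:                       # ev links two operations: fold op into merged
                    merged.extend(op)
                    op.clear()
        if merged is None:
            ops.append([ev])
    return [op for op in ops if op]


def multi_source_ops(ops: List[List[Event]], min_sources: int = 3) -> List[List[Event]]:
    """Operations spanning several telemetry sources are the ones a SIEM would have split."""
    return [op for op in ops if len({e.source for e in op}) >= min_sources]


def timeline(op: List[Event]) -> List[str]:
    return [f"{e.ts:%H:%M} [{e.source}] {e.summary}" for e in sorted(op, key=lambda e: e.ts)]
```

Shrinking the window (e.g. to ten minutes) splits the cloud ACL change off into its own operation, which is the same blind spot filtering or short retention creates.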

The Cybereason Advanced XDR Advantage

Cybereason delivers an Advanced XDR solution that enables organizations to embrace an operation-centric approach to security. Where other XDR solutions limit the critical data they collect because they can’t process or store it, Cybereason Advanced XDR is designed to collect and analyze 100% of event data in real time, processing more than 23 trillion security-related events per week with absolutely no “dumb filtering.” This allows customers to improve their detection and response intervals by 93%.

The Cybereason Advanced XDR Platform comes with dozens of out-of-the-box integrations, is designed to provide the visibility organizations require to be confident in their security posture across all network assets, and delivers the automated responses that halt attack progressions, eliminating the need for both SIEM and SOAR solutions. Organizations can enjoy these benefits whether they drop their SIEM and SOAR entirely or augment them with Cybereason Advanced XDR.

Cybereason Advanced XDR:

    • Delivers Enterprise-Wide Security: Cybereason Advanced XDR reverses the attacker advantage and returns the high ground to the defenders by extending detection and response capabilities across the broader IT ecosystem that makes up modern enterprise environments. Defenders can pinpoint, understand and end any MalOp™ (malicious operation) across the entire IT stack whether on premises, mobile or in the cloud.
    • Enables Visualized Investigations: Cybereason Advanced XDR eliminates obstacles to effective detection and response, including log management and data collection tasks, agent deployment and maintenance cycles, and convoluted syntax languages for data extraction and behavioral detections. Advanced XDR breaks through data silos and unifies device and identity context in a single, visual investigation experience. Empower your curious analysts to remain focused on the mission without being distracted by manual tasks.
    • Reverses the Adversary Advantage: Cybereason Advanced XDR enables frictionless adoption of advanced detections built by and shared with the larger community of defenders. United in our efforts we can increase the burden on the attackers so they are forced to relinquish the advantage they have enjoyed for too long.

Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, and everywhere the battle is taking place. Learn more about Cybereason Advanced XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Cybereason Security Team

The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.

*** This is a Security Bloggers Network syndicated blog from Blog authored by Cybereason Security Team. Read the original post at: https://www.cybereason.com/blog/actionable-xdr-telemetry-vs.-uncorrelated-siem-alerts