Security evolution – ‘defensive reaction’ to IT evolution
Increasingly complex threats have forced security solutions to take a coordinated approach: correlating multiple events across different threat vectors in order to "detect early" and "respond fast". Over the years, security solutions have achieved this coordination in two ways:
- Native integration of "front-end" security solutions within the same family, e.g., endpoint protection solutions (anti-virus, desktop firewall, etc.) and network security solutions (firewall, VPN, intrusion prevention systems). XDR solutions are the result of this integrated approach.
- Using an external tool at the "back end" to collect and correlate the relevant data in real time from disparate systems and, as far as possible, provide a coordinated response. These "back-end" external tools have also evolved and integrated more and more capabilities over the years. SIEM and SOAR solutions are the results of this approach.
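To make the "back-end" approach concrete, here is an added example (not code from the original article or from any vendor's product) of what a collector does at its core: it parses two differently formatted log sources, a firewall and an endpoint agent, into one common event schema, then correlates them per asset within a time window so that an inbound connection followed by a malware detection on the same host becomes a single high-severity alert. The log formats, hostnames, IP addresses and timestamps are constructed for the example.

```python
"""Cross-vector correlation in a back-end collector (added example).
Log formats, hosts and addresses below are constructed, not from any product."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample logs: a network firewall and an endpoint protection agent.
FIREWALL_LOG = """\
2024-03-01T10:00:05Z fw01 DENY src=203.0.113.7 dst=10.0.0.12 dpt=445
2024-03-01T10:00:09Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.12 dpt=443
2024-03-01T10:30:00Z fw01 DENY src=198.51.100.4 dst=10.0.0.20 dpt=22
"""
ENDPOINT_LOG = """\
2024-03-01 10:02:41 host=ws-012 ip=10.0.0.12 event=MALWARE_DETECTED file=x.exe
2024-03-01 10:40:00 host=ws-020 ip=10.0.0.20 event=SCAN_COMPLETED
"""

FW_RE = re.compile(r"^(\S+) \S+ (ALLOW|DENY) src=(\S+) dst=(\S+) dpt=(\d+)$")
EP_RE = re.compile(r"^(\S+ \S+) host=(\S+) ip=(\S+) event=(\S+)")


def normalize(fw_text, ep_text):
    """Parse both sources into one common schema keyed by the asset's IP address."""
    events = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, would be counted in production
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "source": "firewall", "asset": m.group(4),
                       "type": "fw_" + m.group(2).lower(), "peer": m.group(3),
                       "port": int(m.group(5))})
    for line in ep_text.splitlines():
        m = EP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "source": "endpoint", "asset": m.group(3),
                       "type": m.group(4).lower(), "host": m.group(2)})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=10)):
    """Emit one alert per asset where an allowed inbound connection (network vector)
    is followed within `window` by a malware detection (endpoint vector)."""
    by_asset = defaultdict(list)
    for e in events:
        by_asset[e["asset"]].append(e)
    alerts = []
    for asset, evs in by_asset.items():
        allows = [e for e in evs if e["source"] == "firewall" and e["type"] == "fw_allow"]
        hits = [e for e in evs if e["source"] == "endpoint" and e["type"] == "malware_detected"]
        for net in allows:
            for ep in hits:
                if timedelta(0) <= ep["ts"] - net["ts"] <= window:
                    alerts.append({"asset": asset, "host": ep["host"], "peer": net["peer"],
                                   "severity": "high",
                                   "reason": "inbound connection followed by malware detection"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalize(FIREWALL_LOG, ENDPOINT_LOG)):
        print(alert)
```

Neither source alone justifies a high-severity alert (the firewall saw an allowed HTTPS connection, the agent saw a detection it may already have quarantined); the correlation is what turns two low-value events into one actionable finding, which is the coordination the article attributes to the back-end approach.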
All the security solution vendors are working passionately and feverishly to protect their customers. In that quest, they naturally play to their strengths and strive hard to "differentiate" their XDR, SIEM, and SOAR solutions from the "generic" solution definitions given below.
Definitions
- An Extended Detection and Response (XDR) solution integrates multiple security technologies for threat detection, investigation, and response. It combines data from various sources, such as endpoint detection and response, network traffic analysis, and cloud-based security technologies, into a single platform. It may use advanced analytics, machine learning, and automation to facilitate faster and more efficient incident response.
- A Security Information and Event Management (SIEM) solution aggregates and analyzes security data from multiple sources, including network devices, servers, and applications, to provide centralized monitoring, threat detection, and incident response. It may also use machine learning and advanced analytics to identify patterns and anomalies in the data and provide security teams with insights and recommendations for responding to potential security threats.
- A Security Orchestration, Automation, and Response (SOAR) platform integrates security tools and technologies, such as SIEM, threat intelligence feeds, and multiple detection and response systems, into a single platform to automate and streamline incident response workflows. It may leverage machine learning and artificial intelligence to analyze security events and automate incident response actions.
Begin with the end in MIND! – what problem do you want to solve?
Start with XDR if you need
- Enhanced real-time visibility into security events and threat detection capability
- Protection against advanced and sophisticated threats that often evade detection by traditional security technologies
Start with SIEM if you need
- Centralized monitoring and alerting for security events
- Comprehensive view of an organization’s security posture by collecting, normalizing, and correlating vast amounts of security data from various sources, including network devices, servers, and applications
- Forensic analysis capability
- Compliance reporting capability
Start with SOAR if you need
- To automate and orchestrate tasks such as triaging alerts, gathering threat intelligence, and executing response actions, improving the speed and efficiency of incident response
- To reduce the time to resolution and mitigate the impact of security incidents
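The SOAR tasks listed above (triage alerts, gather threat intelligence, execute a response action) are easiest to see as a playbook. The following is an added example, not code from the article or from any SOAR product: each alert is scored from the severity reported by the detection tool plus a threat-intelligence verdict on its indicator, and the score selects one of three response actions; every step is recorded in an audit trail so an analyst can see why the automation chose what it did. The alerts, the intelligence feed, the score thresholds and the action names are all constructed for the example.

```python
"""Minimal SOAR-style triage playbook (added example).
Alerts, intel feed, thresholds and action names are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed threat-intelligence feed: indicator -> (verdict, confidence 0-100).
# A real playbook would query one or more feeds over an API.
THREAT_INTEL = {
    "203.0.113.7": ("malicious", 95),
    "198.51.100.4": ("suspicious", 40),
}

SEVERITY_WEIGHT = {"low": 10, "medium": 30, "high": 60}


@dataclass
class Alert:
    alert_id: str
    host: str
    indicator: str       # IP address observed in the alert
    base_severity: str   # severity as reported by the detection tool


@dataclass
class Decision:
    alert_id: str
    action: str          # isolate_host | open_ticket | close_as_benign
    score: int
    audit: list = field(default_factory=list)


def enrich(alert):
    """Step 'gather threat intelligence': look up the alert's indicator."""
    return THREAT_INTEL.get(alert.indicator, ("unknown", 0))


def triage(alert):
    """Steps 'triage' and 'choose response': score the alert and map it to an action."""
    verdict, confidence = enrich(alert)
    score = SEVERITY_WEIGHT.get(alert.base_severity, 0)
    audit = [f"base severity {alert.base_severity} -> {score}"]
    if verdict == "malicious":
        score += confidence
    elif verdict == "suspicious":
        score += confidence // 2   # partial weight for a weaker verdict
    audit.append(f"intel verdict {verdict} (confidence {confidence}) -> {score}")
    if score >= 100:
        action = "isolate_host"        # contain first, investigate afterwards
    elif score >= 40:
        action = "open_ticket"         # needs a human, not urgent enough to contain
    else:
        action = "close_as_benign"     # low severity and no corroborating intel
    audit.append(f"action {action}")
    return Decision(alert.alert_id, action, score, audit)


def run_playbook(alerts):
    """Process a batch highest-severity-first; return decisions keyed by alert id."""
    ordered = sorted(alerts, key=lambda a: SEVERITY_WEIGHT.get(a.base_severity, 0),
                     reverse=True)
    return {d.alert_id: d for d in (triage(a) for a in ordered)}


# Constructed sample alerts, e.g. as forwarded from an XDR or SIEM.
SAMPLE_ALERTS = [
    Alert("A-1", "ws-012", "203.0.113.7", "high"),
    Alert("A-2", "ws-020", "198.51.100.4", "medium"),
    Alert("A-3", "ws-031", "192.0.2.9", "low"),
]

if __name__ == "__main__":
    for decision in run_playbook(SAMPLE_ALERTS).values():
        print(decision.alert_id, decision.action, decision.score, decision.audit)
```

The audit list is the part worth keeping even in a toy: automated response is only acceptable to most teams when each action can be traced back to the inputs that triggered it, and it is also what lets you tune the thresholds after a false positive.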
Some practical considerations
- Skill fit: solution acquisition planning should be done in tandem with appropriate resource planning.
  - XDR solution deployment and operations require:
    - Expertise in security technologies such as endpoint security, network security, cloud security, etc.
    - Automation and scripting capabilities.
  - SIEM solution deployment and operations require:
    - Security analytics capability, to ensure that security events and logs are correctly analyzed and anomalies are correctly detected.
    - Log management capability, to ensure that logs are correctly collected, stored, and analyzed.
    - Knowledge of the relevant regulatory compliance requirements.
  - SOAR solution deployment and operations require:
    - Workflow automation expertise, to create and maintain automated incident response workflows.
    - Expertise in orchestration, to ensure that security processes are correctly orchestrated across different security tools.
    - Expertise in integration, to ensure that the solution can correctly integrate with the organization's existing security infrastructure.
    - Expertise in scripting, to create and maintain custom integrations and automated response capabilities.
- Availability of in-house skills:
  - Some customers may find managed security services (MSS) or managed detection and response (MDR) a better option, especially if they are stretched for skilled resources.
Conclusion
Throughout the evolution of the security industry, two approaches have been vying for customer attention:
- The first involves tighter native integration across "front-end" detection and response technologies. XDR has gained momentum in recent years based on this thought process.
- The second involves a "back-end" application that collects and correlates data across multiple sources and provides comprehensive visibility of security posture. It also helps provide better orchestration of incident response. While SIEM has been around for a few years already, it has been evolving to include more advanced functionality, including UEBA and even XDR or SOAR capabilities.
Which way the pendulum will swing will depend on each customer’s priorities. XDR will be the starting solution of choice to protect against advanced threats. SIEM will be the starting solution of choice to provide better forensic and compliance capabilities. SOAR will be the starting solution of choice if the customer is mostly concerned about faster incident response through automation.