Q: How does XDR really differ from a good EDR/SIEM/SOAR implementation? Is it worth adopting?
Here is the answer from the community members of the SecPro on Does XDR make a difference:
In my honest opinion, XDR v. EDR/SIEM/SOAR implementations adds a bit more on top of what these three things already do and I wouldn’t pass on adopting XDR at this point in time. EDR is necessary in my opinion as we currently reside in a place in time where a lot of professionals in a lot of company’s work from home and are exposed to default and unconfigured networks and systems alongside some endpoints being personal devices as well as workplace devices.
SIEMs are great for capturing events happening within your environments for things such as malicious activity within a SaaS platform’s network but is limited in reach. This is made up for with SOARs being able to cover more ground than that of SIEMs and EDRs on top of being able to provide orchestration and automation as it stands within the name of the acronym.
However, all this aside, what makes XDR worth adopting on top of a good EDR, SIEM, and SOAR implementation is being able to connect the dots and see trends and give a better visual representation of what’s happening as well as being able to get rid of a lot of fluff you might encounter when digging through logs upon logs of data during an incident. And while SOARs are capable of doing this, they aren’t great at it.
Sure, with the typical automation and orchestration tactics available from SOARs, event ingestion from SIEMs and endpoint monitoring from EDRs you can get by without having an XDR, but these leave you blind to potential changes and pivots that bad actors may be making. You essentially could be leaving money on the table when it comes to hardening your systems and environments. So sure, an XDR could be one more tool to throw money at, but the potential it has to bringing more insight and reducing time spent investigating is worth it in my opinion.
- Patrick, Product Security Engineer
XDR is going to integrate the investigation and auto response based on the traditional EDR and SIEM. For responding part, the SOAR system is going to receive alerts from SIEM and perform playbook actions. Such action would be well defined by some security experts. XDR is the solution that integrates the three systems into single product.
To decide if it is worth to adopting it, it should based on the current effort that the IT team and should judge if the solution is suitable for the organization. For example, if the organization had SOC service, it is not that worth for pushing to XDR. So, it should be check case-by-case.
- Sam, Purple Team Leader
The SecPro is a weekly security newsletter to help you stay sharp and upgrade your skills with trending threat insights, practical tutorials, hands-on labs, and useful resources. Build skills in as little as 10 minutes. Join the newsletter here.