How does XDR differ from a good EDR/SIEM/SOAR?

SecPro Community Wisdom #6: How does XDR really differ from a good EDR/SIEM/SOAR implementation?


Hey!

Hello and welcome to another Community Wisdom!

Here is another issue, filled to the brim with wisdom from people who have been working in cybersecurity and related industries for a long time. In this issue, we focus on how XDR really differs from a good EDR/SIEM/SOAR implementation.

Thank you to everyone who responded – we will be selecting winners from the pool of respondents tomorrow and sending out emails to the winners of our competition.

As always, if you have any extra comments that you would like to share, send them to me and I will try to work them into our newsletter. We are grateful for all the replies we receive and want to make sure that our community sees its voice represented in everything we put out.

Austin Miller

Top Questions This Week

1. Blue Team

Q: How does XDR really differ from a good EDR/SIEM/SOAR implementation? Is it worth adopting?

In my honest opinion, XDR versus EDR/SIEM/SOAR implementations adds a bit more on top of what these three things already do, and I wouldn't pass on adopting XDR at this point in time. EDR is necessary, in my opinion, as we currently reside in a place in time where a lot of professionals in a lot of companies work from home and are exposed to default and unconfigured networks and systems, alongside some endpoints being personal devices as well as workplace devices.

SIEMs are great for capturing events happening within your environments, for things such as malicious activity within a SaaS platform's network, but are limited in reach. This is made up for by SOARs being able to cover more ground than SIEMs and EDRs, on top of being able to provide orchestration and automation, as it stands within the name of the acronym.

However, all this aside, what makes XDR worth adopting on top of a good EDR, SIEM, and SOAR implementation is being able to connect the dots, see trends, and give a better visual representation of what's happening, as well as being able to get rid of a lot of the fluff you might encounter when digging through logs upon logs of data during an incident. And while SOARs are capable of doing this, they aren't great at it.

Sure, with the typical automation and orchestration tactics available from SOARs, event ingestion from SIEMs, and endpoint monitoring from EDRs, you can get by without having an XDR, but these leave you blind to potential changes and pivots that bad actors may be making. You could essentially be leaving money on the table when it comes to hardening your systems and environments. So sure, an XDR could be one more tool to throw money at, but the potential it has to bring more insight and reduce time spent investigating is worth it, in my opinion.

  • Patrick, Product Security Engineer

XDR is going to integrate the investigation and automated response built on the traditional EDR and SIEM. For the response part, the SOAR system is going to receive alerts from the SIEM and perform playbook actions. Such actions would be well defined by security experts. XDR is the solution that integrates the three systems into a single product.

To decide if it is worth adopting, the decision should be based on the current effort of the IT team, and one should judge whether the solution is suitable for the organization. For example, if the organization already has a SOC service, it is not that worthwhile to push for XDR. So, it should be checked case by case.

  • Sam, Purple Team Leader
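Both answers above describe the same mechanism from different angles: Patrick's point that XDR "connects the dots" across endpoint, log and other telemetry, and Sam's description of a SOAR receiving alerts and running playbook actions. As an added illustration, not code from the newsletter, from either respondent, or from any vendor product, the Python below stitches constructed events from three sources (an EDR process alert, a SIEM-ingested proxy log and an identity-provider log) into one incident keyed on host and user inside a time window, drops single-source noise, and hands the result to a toy playbook. The source names, field names, the ten-minute window, the severity rule and the playbook actions are all assumptions; the sample events are constructed, and the playbook returns action names rather than calling anything.

```python
"""Toy XDR-style cross-source correlation feeding a SOAR-style playbook.

Added example for illustration only; every source name, field, window and
action below is an assumption, and the telemetry is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    source: str        # assumed telemetry source: "edr", "proxy" or "idp"
    ts: datetime
    host: str
    user: str
    kind: str          # assumed detection name from the originating tool
    detail: str


# Constructed sample telemetry (not real data). The first three events are the
# same host and user within minutes; the last two are unrelated single alerts.
SAMPLE_EVENTS = [
    Event("edr",   datetime(2022, 3, 1, 9, 0, 5),  "WS-104", "alice", "suspicious_process", "encoded PowerShell command line"),
    Event("proxy", datetime(2022, 3, 1, 9, 0, 40), "WS-104", "alice", "c2_beacon",          "periodic POST to newly registered domain"),
    Event("idp",   datetime(2022, 3, 1, 9, 3, 0),  "WS-104", "alice", "impossible_travel",  "second login from another country"),
    Event("proxy", datetime(2022, 3, 1, 11, 0, 0), "WS-205", "bob",   "c2_beacon",          "single lookup of a known CDN host"),
    Event("edr",   datetime(2022, 3, 2, 9, 0, 0),  "WS-104", "alice", "suspicious_process", "unsigned binary, next day"),
]

WINDOW = timedelta(minutes=10)   # assumed correlation window


@dataclass
class Incident:
    host: str
    user: str
    events: List[Event] = field(default_factory=list)

    @property
    def sources(self) -> Set[str]:
        return {e.source for e in self.events}

    @property
    def severity(self) -> int:
        # Assumed rule: severity is the number of independent sources agreeing.
        return len(self.sources)


def correlate(events: List[Event], window: timedelta = WINDOW) -> List[Incident]:
    """Group events by (host, user), split into clusters no wider than `window`,
    and keep only clusters seen by at least two sources. Single-source clusters
    are left to the originating tool's own alert (the "fluff" the text mentions)."""
    by_key: Dict[Tuple[str, str], List[Event]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_key.setdefault((e.host, e.user), []).append(e)

    incidents: List[Incident] = []
    for (host, user), evs in by_key.items():
        cluster: List[Event] = []
        for e in evs:
            # Window is anchored on the first event of the current cluster.
            if cluster and e.ts - cluster[0].ts > window:
                incidents.append(Incident(host, user, cluster))
                cluster = []
            cluster.append(e)
        if cluster:
            incidents.append(Incident(host, user, cluster))
    return [i for i in incidents if i.severity >= 2]


def run_playbook(incident: Incident) -> List[str]:
    """SOAR-style playbook. Returns the names of the actions it would take;
    the action names are assumptions and nothing is executed."""
    actions = [f"open_ticket(host={incident.host}, user={incident.user}, sev={incident.severity})"]
    if "edr" in incident.sources and incident.severity >= 2:
        actions.append(f"isolate_host({incident.host})")
    if "idp" in incident.sources:
        actions.append(f"revoke_sessions({incident.user})")
    return actions


def triage(events: List[Event]) -> Dict[Tuple[str, str], List[str]]:
    """End-to-end: correlate, then run the playbook for every incident."""
    return {(i.host, i.user): run_playbook(i) for i in correlate(events)}


if __name__ == "__main__":
    for key, actions in triage(SAMPLE_EVENTS).items():
        print(key, actions)
```

Running it on the constructed sample yields one incident for WS-104/alice with severity 3 and a playbook that opens a ticket, isolates the host and revokes the user's sessions; bob's lone proxy alert and alice's next-day EDR alert never become incidents because no second source corroborates them inside the window. A real deployment would key on richer identifiers (device ID, session ID) and weight sources differently, but the shape is the same.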

Q: How could quantum computing affect the future of cybersecurity?

Quantum computing would greatly affect cryptography. It would be able to defeat systems such as RSA and ECC, which have been key to keeping networks secure. It can definitely cripple online banking and e-commerce.

  • Angelo, Cybersecurity Auditor

In this day and age, cybersecurity to me feels like an ongoing marathon. It's you competing within a sea of competitors and bad actors. And, while I can't say that quantum computing has applications for every SaaS company, computing specific and complex actions and functions may be a viable reason for adopting quantum computing in cybersecurity.

To put it into perspective, we have bad actors who like to break in and abuse our platforms. These bad actors do this everywhere, and it's safe to say that no one is safe from bad actors trying to get their hands on something. That being said, it's also very easy to get your hands on compute instances and servers nowadays, and it's relatively affordable, especially in small intervals.

Should access to quantum computing fall into the hands of an adversary, who knows what could be possible. If the limitations of supercomputing are surpassed by quantum computing, then there is definitely a need to improve and harden security on all levels and in all departments of companies. It feeds into a personal paranoia while playing this game: the more advances we make in technology and security, the more advances our adversaries make in finding out how to bypass and evade the blocks and counter-measures put in place to secure environments and data.

  • Patrick, Product Security Engineer

QC will solve issues far too complex for classical computers to figure out, including solving the algorithms behind the encryption keys that protect our data and the Internet's infrastructure.

  • Gonzalo, Cybersecurity Professional

2. DevSecOps

Q: How would you approach fighting ransomware at a hardware level?

One way to fight the growing threat of ransomware is with Intel’s Threat Detection Technology, an innovative technology at the chip-level.

  • Angelo, Cybersecurity Auditor

Cryptography and machine learning techniques can be accelerated at the hardware level, as well as enabling the software running on it to identify threats faster and more accurately.

  • Gonzalo, Cybersecurity Professional

Q: What has been the most successful thing for you in reducing the human element in a cybersecurity system?

If by human element we mean human error, such as writing your own authentication system, for instance, then my answer would be vetting and integrating well-known and accredited vendors and products.

And even though these vendors and products are still created with a human element, I would trust something like authentication software created by security-minded individuals within a security-focused company more than authentication software created by individuals who lack security awareness.

  • Patrick, Product Security Engineer

Introducing automation into the workflows. Such automated testing could mitigate human errors and could ensure application and product security.

  • Sam, Purple Team Leader

3. Threat Intelligence

Q: How do you gain threat intelligence as the adversary turns to new platforms such as Telegram?

As some Telegram channels contain dark web links, and not just Telegram, threat actors are also using Discord to host their malicious files. It's a great task to look deeply into these social media.

  • John, Cloud Security

As the adversary turns to new platforms for communication, most of us still have our current platforms of communication as well as the new platforms. Again, this is a marathon and where one goes, so will others in the race.

Having those open channels spread out amongst security professionals and ethical hackers who can act as whistleblowers and alert us to new threats is a great resource to have. Sure, there are a large number of these platforms and forums now, but information spreads and travels fast. So, I would say as the adversary turns to new platforms, so do I.

  • Patrick, Product Security Engineer

4. IoT Security

Q: How is medical device cybersecurity being monitored in this high-stress time? Do you think there is more that people should be doing?

Unfortunately, I don't have enough context around this topic to give a decent answer. But, speculating based on the question, I would say that if not many people are monitoring medical device security, assuming this means endpoints within a hospital or embedded biotechnology gathering data, then there is potential for breaching things like HIPAA, as well as potentially exposing various types of data depending on how these devices are created and maintained.

  • Patrick, Product Security Engineer

DevSecOps and ICT personnel should be focused on applying strong defense-in-depth techniques and strategies.

  • Gonzalo, Cybersecurity Engineer

Medical devices should operate to the highest cyber security standard, with most of the protection methods included. Also, monitoring is not a good way of trying to protect them; one should only enable the checkup connection in certain areas.

  • Sam, Purple Team Leader
