We are delighted to feature this guest blog from Sam Curry, Chief Security Officer at Cybereason.
Cybersecurity is often seen as a battle. And in a battle you need to equip the right people in the right places, to do the right things to be successful.
That means that you need to understand the fight you face and the strengths of the tools and resources you have at your disposal. But, when we look at how rapidly technology in the cybersecurity space is changing, it is no surprise that there is some debate about which technologies are best for helping organizations respond to the threats they face.
The debate around whether Security Information and Event Management (SIEM) technologies have been superseded by Endpoint Detection and Response (EDR) technologies is one such example, and it continues today. So let us look at the relative strengths of SIEM and EDR.
SIEM has been the go-to tool in the past, partly because it was the established intelligence tool in the industry and partly because of the context and enrichment capability it provides by having your data in one single repository. However, there is an argument to say that SIEM alone is not enough to stay ahead of the rapidly evolving threats that organizations face today.
SIEM systems have traditionally collected data from other systems that were designed for purposes other than collecting data; the consequence of this is that SIEM systems do not always have visibility of all of the data that a system can provide.
“Noise” levels are also higher with SIEM systems: every event, good or bad, can potentially register with up to 200 systems, which makes the reconstruction of events difficult because of the greater number of potentially irrelevant recordings. In addition, the encryption of data can slow SIEM systems down.
EDR, on the other hand, addresses some of the challenges outlined for SIEM tools. EDR has a single-minded purpose: to map the compute relationships that make up a pool of incidents, good or bad. That means that EDR tools are better placed for real-time threat detection and can optimize the contextual information provided to an analyst, enabling quicker investigation of an incident or threat.
This makes EDR tools ideal for alerting, triage and threat hunting, meaning that EDR plays a prominent role in threat prevention. However, EDR is an endpoint-focused technology, so by design it is tied to the endpoint and cannot provide the wide visibility that a SIEM system can.
That wider visibility is crucial for organizations as they seek to meet ever-more rigorous compliance demands.
Clearly, both SIEM and EDR have some huge benefits when it comes to protecting your organization from threats and future threats. But, if neither is the perfect fit which one should you opt for?
The answer is that both have a role to play and should complement each other. However, before you consider what technologies you should be using and the balance of those technologies you need to consider one more fundamental question.
What are you trying to achieve?
Finding the right mix
To be effective, organizations need to know the goal of implementing either of these systems and what problem they are trying to solve before they can decide if they need either of these technologies.
Inextricably tied to that is the question of “Who are you trying to enable?” The users of these technologies have to be a consideration in all of this, because they are the ones who need to be equipped with the information these tools provide, and they need to be able to use it to best effect.
From our experience of working with customers and industry-leading vendors to provide secure and resilient systems, we recommend the following four things to consider when finding the right balance of technologies:
- Understand what you’re trying to achieve
It may sound simple, but it is easy to lose sight of the actual business challenge. Goals can range from bolstering compliance and reporting capabilities to enhancing real-time response capabilities. Investment decisions must be based on a good understanding of what you are trying to achieve by using these technologies.
- Put the users at the forefront of the decisions you make
These technologies are there to help security professionals keep the organization safe from attacks that can cause reputational, operational and financial damage. Any new technology needs to make its users more effective, so they need to be consulted in these decisions and trained to use the solutions.
- Remember that not everything is a nail
Many good security solutions on the market today address specific security challenges very effectively. However, these technologies do not solve the entire security challenge and should not be treated as the silver bullet.
- Let the tools play to their strengths, cohesively
Building real cyber resilience comes from understanding the strengths of each solution you use, plugging the gaps that are not filled and then using everything for the right purpose. However, the biggest benefit comes from ensuring that everything works together cohesively – sharing information – to deliver accurate and actionable information. This is where technologies like Security Automation, Orchestration and Response can help.
This debate of SIEM v EDR is an important one. Not because it defines which technology is better but because it helps organizations understand what they need.
SIEM and EDR technologies do have some overlap but they are not competing technologies, and when used in cooperation they are a powerful combination in the battle against the threats to your organization.
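To make the cooperation described above concrete, here is an added example that is not part of the original post or of any vendor's product: a small Python correlation routine that takes an EDR alert, reconstructs the endpoint's process ancestry from EDR telemetry (the "compute relationships" EDR is good at), and then pulls in the SIEM events from sources the endpoint agent cannot see (VPN, firewall, domain controller) that fall on the same host within a short time window. The EDR and SIEM records, the host names, the timestamps and the alert are all constructed for the example; the field names and the five-minute window are assumptions, not any product's schema.

```python
from datetime import datetime, timedelta

# Constructed EDR process telemetry (not real data). Note that pid 300 exists on two
# hosts: correlation has to be keyed by (host, pid), never by pid alone.
EDR_EVENTS = [
    {"host": "ws-01", "pid": 100, "ppid": 1,   "name": "explorer.exe",   "ts": "2024-05-01T09:55:00"},
    {"host": "ws-01", "pid": 200, "ppid": 100, "name": "outlook.exe",    "ts": "2024-05-01T09:56:00"},
    {"host": "ws-01", "pid": 300, "ppid": 200, "name": "winword.exe",    "ts": "2024-05-01T10:00:30"},
    {"host": "ws-01", "pid": 400, "ppid": 300, "name": "powershell.exe", "ts": "2024-05-01T10:01:00"},
    {"host": "ws-02", "pid": 300, "ppid": 1,   "name": "svchost.exe",    "ts": "2024-05-01T10:01:00"},
]

# Constructed SIEM events from sources an endpoint agent never sees (not real data).
# Most of these are "noise" relative to the alert: wrong host or far outside the window.
SIEM_EVENTS = [
    {"source": "vpn",      "host": "ws-01", "ts": "2024-05-01T09:58:00", "msg": "user alice connected"},
    {"source": "firewall", "host": "ws-01", "ts": "2024-05-01T10:02:10", "msg": "allow tcp/443 -> 203.0.113.5"},
    {"source": "firewall", "host": "ws-01", "ts": "2024-05-01T08:00:00", "msg": "allow tcp/443 -> 198.51.100.7"},
    {"source": "proxy",    "host": "ws-02", "ts": "2024-05-01T10:01:30", "msg": "GET example.com"},
    {"source": "auth",     "host": "dc-01", "ts": "2024-05-01T10:01:45", "msg": "logon failure bob"},
]

# Constructed EDR alert: a script host launched by a document editor on ws-01.
ALERT = {"host": "ws-01", "pid": 400, "ts": "2024-05-01T10:01:00",
         "reason": "powershell.exe spawned by winword.exe"}


def process_chain(edr_events, host, pid):
    """Walk ppid links upward on one host and return process names from the
    root ancestor down to the alerted process. The endpoint-local context only
    EDR holds. The 'seen' set guards against ppid cycles in bad telemetry."""
    by_pid = {(e["host"], e["pid"]): e for e in edr_events}
    chain, seen, key = [], set(), (host, pid)
    while key in by_pid and key not in seen:
        seen.add(key)
        event = by_pid[key]
        chain.append(event["name"])
        key = (host, event["ppid"])
    return list(reversed(chain))


def related_siem_events(siem_events, host, alert_ts, window_minutes=5):
    """Keep only SIEM events for the same host within +/- window_minutes of the
    alert. This is the cross-system visibility EDR alone cannot provide, with the
    host/time filter cutting the SIEM's broader noise down to what an analyst needs."""
    centre = datetime.fromisoformat(alert_ts)
    window = timedelta(minutes=window_minutes)
    kept = [e for e in siem_events
            if e["host"] == host and abs(datetime.fromisoformat(e["ts"]) - centre) <= window]
    return sorted(kept, key=lambda e: e["ts"])


def enrich_alert(alert, edr_events, siem_events, window_minutes=5):
    """Combine both views into one incident record for triage."""
    context = related_siem_events(siem_events, alert["host"], alert["ts"], window_minutes)
    return {
        "host": alert["host"],
        "reason": alert["reason"],
        "process_chain": process_chain(edr_events, alert["host"], alert["pid"]),
        "siem_context": context,
        "siem_events_considered": len(siem_events),
        "siem_events_kept": len(context),
    }


if __name__ == "__main__":
    incident = enrich_alert(ALERT, EDR_EVENTS, SIEM_EVENTS)
    print(incident["reason"])
    print("  process chain:", " -> ".join(incident["process_chain"]))
    for e in incident["siem_context"]:
        print(f"  {e['ts']} [{e['source']}] {e['msg']}")
    print(f"  SIEM events kept: {incident['siem_events_kept']} of {incident['siem_events_considered']}")
```

The point of the example is the division of labour the post argues for: the process chain comes only from EDR, the VPN and firewall context comes only from the SIEM, and neither record on its own tells the analyst that a document editor spawned a script host shortly after a VPN logon and just before an outbound connection. In a real deployment this join is exactly the kind of step a SOAR playbook would run automatically when the EDR alert fires.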
The key to all of this is to understand the balance of these technologies that you need.