Similarities And Differences Between XDR And SIEM

by: Andrew Hollister, 

The technology industry in general — and cybersecurity in particular — is awash with jargon, abbreviations and acronyms. One of the acronyms currently gaining traction is XDR (extended detection and response).

On the face of it, XDR appears to have very similar aims to a security information and event management (SIEM) platform, so let’s take a look at the similarities and differences to see if we can cut through the jargon and provide some clarity.

SIEM as a technology has been around for a long time, having evolved from log management and event management. SIEM collects, aggregates, analyzes and stores large volumes of log data from across the enterprise. SIEM started its journey with a very broad approach — collecting available log and event data from almost any source across the enterprise — and over time, it has extended its reach from the office to the manufacturing floor and beyond.

This gives SIEM an unmatched level of visibility across the landscape, from firewalls to switches, and from operating systems to applications. However, the level of detail in the data coming from each source is typically low; hence, we have a very wide dataset, which is also typically quite shallow.

In the earlier days of SIEM, the use case for collecting all this data was typically compliance-driven — likely PCI DSS, ISO 27001 or a government-imposed best practice. These requirements typically demanded log data collection at a general information level from across the environment being monitored — hence the focus on breadth of vendor log source support.

As time has gone on, in addition to building out infrastructure, organizations have added more and more security solutions addressing different elements of the threat landscape. With this, the need for centralized visibility and analysis across a wide variety of tools has led to SIEM becoming the platform of choice to provide “single pane of glass” visibility. It has also provided the ability to draw analysis from across the entire environment, whether based on the findings of security tooling, from the infrastructure itself or a combination of both.

In a world where organizations have many different security and management tools, being able to bring data from those tools — as well as directly from infrastructure itself — into a single platform enables that data to be used in many useful ways. This includes highlighting attacker techniques aligned to the MITRE ATT&CK framework, surfacing multiple related activities not evident through single purpose tooling, and providing a solid platform for threat hunting, incident response and general operational and risk management.

SIEM has a natural relationship to endpoint detection and response (EDR) and network detection and response (NDR) due to the consumption of log data generated by those solutions. EDR and NDR probe deep into endpoint and network activity. The wealth of data generated for detection is impractical to send in raw form to a SIEM platform, so EDR and NDR platforms summarize the data into alerts or a subset of metadata that is forwarded to the SIEM. This data can form the basis for threat-oriented use cases that leverage EDR, NDR and, perhaps, threat intel or firewall information.

SIEM, both by its very nature and evolution, is well suited to a wide variety of use cases, and it remains the central platform of choice for organizations that need to address compliance, operational and security use cases.

XDR is an emerging concept with a definition that is still taking shape. Some consider XDR a logical evolution from either NDR or EDR, which probe very deeply into endpoint and network activity and generate detection information that is highly detailed and voluminous. The XDR concept builds on this granularity, focusing on a narrow set of data sources, from which it resolves an extremely detailed level of information about activity taking place typically in the cloud or at the endpoint, network or user level. This detailed information is used to detect threats at the point of interaction with the environment with a high degree of accuracy.

Why the focus on such deep and narrow information sources? It essentially enables multiple detection methodologies to be applied to those sources to surface suspicious behavior with a higher degree of efficacy. For example, machine learning approaches are heavily dependent on well-known, clean data sets, and having a deep and thorough understanding of a narrow range of information can make the output of these approaches much more effective.

The “R” in XDR is all about a timely and appropriate response to detected threats. Low-volume, high-accuracy detections provide an ideal basis for automated remediation.

SIEM and XDR provide value in two different but potentially complementary ways, with SIEM having had its genesis in compliance and evolving to serve as a broader threat and operational risk platform, while XDR had its genesis specifically focussed on threats and provides a platform for deep and narrower threat detection and response.

Organizations seeking a threat-oriented detection and response solution that do not have wider compliance and operational requirements may wish to consider XDR solutions.

Organizations that have compliance and operational risk management requirements in addition to threat detection may require SIEM to deliver on those wider reporting and data collection demands, but they may also consider XDR for the threat detection element. Some organizations may regard XDR as the “easy” button compared to a full SIEM deployment. This could provide a good starting point for a broader security program, in which XDR is used to address threat detection and response, and a SIEM solution can be integrated later should broader compliance and operational risk requirements arise.


Logrhythm is a valued sponsor of Camp Secure Sense! Register now to attend Logrhythm’s presentation Day 1 at 11:50am in the Idea Loft. Mike Villavicencio, Enterprise Sales Engineer will be presenting Past, Present, Future of SIEM.

As technology evolves in the security industry, we must construe how SIEM and XDR impact the market and unravel their similarities and differences. This is a great opportunity to define XDR and become thought leaders in the space.

XDR is a targeted set of threat detection and response cases driven by telemetry collected from endpoint, network, cloud, and user activity. SIEM solves similar use cases through the collection of logs and applies threat detection models. SIEM typically provides long-term retention of logs, compliance reporting, and customizable use cases.

In this presentation, we will cover the evolution of SIEM and our vision for the future, plus focus on what matters most to security professionals and end users of SIEM technologies.

Camp Secure Sense is the leading IT Security Networking Event in Canada for the information technology leaders some of North Americas largest corporations. Register now to join decision makers and the Secure Sense team this year on September 28th & 29th.