Companies face cyber threats all the time, from local healthcare providers to mega-corporations. For that reason, it is only logical to look for a security solution. However, it soon becomes apparent that the security software landscape is a jumble of terms that aren’t all that straightforward. Is an XDR solution enough to protect your organisation? What does a SIEM or SOAR accomplish? And what’s the use of an EDR or NDR? To make sense of all these terms, we explain them below.
Guarding against cybercrime can take many forms and has changed over the years. From the early days of the public Internet, there were endpoint protection (EPP) solutions from parties such as McAfee and Symantec to protect endpoints. These worked on signatures, or behavioural patterns of known threats. At the time, security companies built their products based on the knowledge they had about existing threats, which quickly put any inventive cybercriminal one step ahead of them.
By now, it has long been clear that it takes more than detection, which is why many of the terms below have since added “& response.” Security products today are increasingly able to respond to patterns of new threats and pick up signals of dangers much earlier. That often starts with…
EDR
Without question, the immediate successor to EPP has been EDR, Endpoint Detection & Response. Instead of signatures, this technology zeroes in on the behaviour of a cyber threat. In real time, it records numerous events that take place on all of an organisation’s endpoints. Security teams can deploy it to get alerts about unusual behaviour. CrowdStrike, one of the major players in this field, refers to a “VCR for the endpoint.” Such solutions don’t stop at alerts: EDR solutions can have containment capabilities in addition to visibility. For example, an endpoint can be isolated from the rest of a corporate network to prevent ransomware propagation. Endpoints can certainly be the starting point of a cyber threat, such as when a criminal manages to get a piece of malware onto a desktop via a USB stick. Yet an attack usually doesn’t start from an endpoint, but from an action on the network.
Examples of EDR products can be found at SentinelOne, BlackBerry and CrowdStrike.
NDR
A Network Detection & Response (NDR) solution can monitor everything that happens on a network, just as an EDR monitors an endpoint. Cyber attacks often succeed by exploiting a software vulnerability to enter a corporate network. After that, criminals typically attempt to move laterally within an organisation to gain privileges and steal or encrypt data, among other undesirable moves. An NDR can see all of these actions and respond to them in detail. Examples include isolating a suspicious endpoint or shutting down a connection to an unknown IP address. Because an NDR solution specialises in networks, SOC teams can deploy it to secure their network in a sophisticated way.
The reason an NDR is only becoming more important today is that organisations are running more and more applications in the cloud. All this network traffic between cloud environments, their dependencies and related components creates potential weak points. There are now security solutions that specialise in on-prem applications, in cloud applications, and in hybrid environments.
Two examples of NDR vendors are Darktrace with DETECT+RESPOND and Cisco with Secure Network Analytics, although more are available.
XDR
Extended Detection & Response (XDR) can again be seen as a successor of sorts, this time to EDR. It extends information collection beyond endpoints and adds visibility for networks, emails, servers and cloud environments, among others. For example, if a cyber threat spills over from one endpoint to another, an XDR solution can create an alert that aggregates a number of events and may already be taking action against them. Thus, XDR can simplify security and provide visibility into active threats and potential misconfigurations through a “single pane of glass”. It is comprehensive, but will potentially have less detailed functionality for networks and endpoints, respectively, than dedicated products for them.
There are countless XDR solutions out there, and they don’t all cover the same areas. However, unlike other products, they are truly platforms, with vendor lock-in as a potential problem. Indeed, as a customer of an XDR, you will more readily choose security applications that connect easily to the one you have. An XDR may additionally use an external SIEM solution, which collects more data than what is relevant for security alone. Here it is important that the collected telemetry is well connected. For example, several parties are now embracing OpenTelemetry to ensure interoperability.
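To make the “aggregates a number of events” idea concrete, here is an added example (not code from the original article or from any vendor it names) of the kind of correlation an XDR performs: events from constructed email, endpoint and network feeds that share a host, or are linked through a network event’s destination, within a time window are merged into one incident, and only incidents seen by more than one feed are raised as a single alert. The feed names, field names and sample events are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry from three XDR feeds (not real data).
EVENTS = [
    {"ts": "2024-05-01T09:00:05", "source": "email",    "host": "ws-17", "detail": "attachment invoice.zip quarantined"},
    {"ts": "2024-05-01T09:01:10", "source": "endpoint", "host": "ws-17", "detail": "powershell spawned by outlook"},
    {"ts": "2024-05-01T09:02:40", "source": "network",  "host": "ws-17", "dst": "ws-22", "detail": "SMB session to ws-22"},
    {"ts": "2024-05-01T09:03:05", "source": "endpoint", "host": "ws-22", "detail": "new service installed"},
    {"ts": "2024-05-01T14:30:00", "source": "endpoint", "host": "ws-40", "detail": "removable media mounted"},
]

def correlate(events, window=timedelta(minutes=10)):
    """Merge events that share a host (directly, or via a network event's
    destination) and fall within `window` of each other into one incident.
    Simple first-match merge: an event joins the first open incident it overlaps."""
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as strings
        ts = datetime.fromisoformat(ev["ts"])
        hosts = {ev["host"]} | ({ev["dst"]} if "dst" in ev else set())
        target = None
        for inc in incidents:
            if inc["hosts"] & hosts and ts - inc["last"] <= window:
                target = inc
                break
        if target is None:
            target = {"hosts": set(), "sources": set(), "events": [], "last": ts}
            incidents.append(target)
        target["hosts"] |= hosts          # a network event pulls its destination into the incident
        target["sources"].add(ev["source"])
        target["events"].append(ev)
        target["last"] = ts
    return incidents

def aggregated_alerts(events, min_sources=2):
    """Only incidents observed by at least `min_sources` feeds become one XDR alert;
    single-feed noise (the USB mount on ws-40) stays out of the alert queue."""
    return [inc for inc in correlate(events) if len(inc["sources"]) >= min_sources]

if __name__ == "__main__":
    for inc in aggregated_alerts(EVENTS):
        print(sorted(inc["hosts"]), sorted(inc["sources"]), len(inc["events"]), "events")
```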
Quite a few XDR parties are active, with Cisco as a relative newcomer. A well-known XDR vendor is CrowdStrike with Falcon. Other examples abound: Palo Alto, Trend Micro, SentinelOne and VMware are four of them.
SIEM
SIEM stands for Security Information & Event Management. In fact, this branch is not just focused on security; it collects much more data. For example, a SIEM solution can track whether a storage device is starting to fill up, whether hardware resources are under heavy load, or what network traffic is taking place. Some of these things can be taken over by an XDR solution, but a SIEM is more comprehensive. Thus, it remains necessary for larger organisations to keep both running. This is especially true now that many organisations are deploying cloud environments, which tend to be difficult to oversee and difficult to track. A SIEM can solve this problem.
Traditionally, Splunk has specialized in this, while Sumo Logic and Datadog also provide SIEM services.
SOAR
A lot is already possible in an XDR when it comes to automation: the “R” in the abbreviation stands for “response” for a reason. However, setting up a workflow within a SOAR is often a lot more detailed. The shortage of security professionals is forcing SOC teams to make choices: which alert is a concrete threat and what’s okay to respond to later? A SOAR solution can be of service here because it can respond in advance to known threat patterns. This creates a smaller number of issues for a SOC to actually address.
A SOAR triggers a playbook when certain alerts go off within an IT environment. For example, it can automatically isolate a threat, repair databases or restore files.
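The playbook mechanism described above, as an added example that is not part of the original article or any vendor’s product: alerts whose type matches a known threat pattern are handled automatically, step by step, while everything else is left in a shorter queue for the SOC. The alert types, playbook steps and action names are constructed assumptions; the action calls are stand-ins for the API calls a real SOAR would make.

```python
# Constructed alerts as an EDR/NDR/XDR might hand them to a SOAR (not real data).
ALERTS = [
    {"id": 1, "type": "ransomware_behaviour",  "host": "ws-17",    "severity": "critical"},
    {"id": 2, "type": "connection_unknown_ip", "host": "ws-22",    "dst_ip": "203.0.113.9", "severity": "high"},
    {"id": 3, "type": "failed_login_burst",    "host": "srv-db-1", "severity": "medium"},
    {"id": 4, "type": "new_admin_tool",        "host": "ws-40",    "severity": "low"},
]

# Playbooks keyed by alert type: each is an ordered list of (action, alert field) steps.
# Only known threat patterns get one; anything else stays with the analysts.
PLAYBOOKS = {
    "ransomware_behaviour":  [("isolate_host", "host"), ("snapshot_disk", "host"), ("open_ticket", "id")],
    "connection_unknown_ip": [("block_ip", "dst_ip"), ("open_ticket", "id")],
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def run_playbook(alert, actions_taken):
    """Execute every step of the matching playbook; return True if the alert was handled."""
    steps = PLAYBOOKS.get(alert["type"])
    if steps is None:
        return False
    for action, field in steps:
        actions_taken.append((action, alert[field]))   # stand-in for the real API call
    return True

def triage(alerts):
    """Run playbooks in severity order; return the actions taken and the
    smaller list of alerts a SOC analyst still has to look at."""
    actions, queue = [], []
    for alert in sorted(alerts, key=lambda a: SEVERITY_ORDER[a["severity"]]):
        if not run_playbook(alert, actions):
            queue.append(alert)
    return actions, queue

if __name__ == "__main__":
    actions, queue = triage(ALERTS)
    print("automated:", actions)
    print("left for the SOC:", [a["id"] for a in queue])
```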
Examples of SOAR vendors include Rapid7, Trellix and IBM.
Also, do you really need everything?
From the above, it should hopefully be clear that many of these security categories overlap. An XDR can take on some of the functionality of an EDR, NDR and SOAR, but the more focused applications often have more depth in this regard. Incidentally, it is much more convenient for many organisations to outsource security tasks, for example by hosting corporate data with a server farm that contracts for its own security.
However, if a company has an actual SOC team, more is needed than just an XDR solution. The choice of partner may already determine which EDR and NDR fits the bill, as vendors have often added these tasks. A SIEM can provide insights into data beyond security, while the workload of a security professional can decrease with a SOAR. SecOps is not getting any easier, partly because of a shortage of expertise and increasing cyber threats. The key, then, is not just to opt for clear-cut products, but to carefully consider what you need to make your entire IT environment transparent. What that requires will vary from company to company.