
The IT industry just loves a good acronym; SDN, NBAD, SASE, CTI, and OSINT, to name a few. One of these now finding some market space is XDR (eXtended Detection and Response). If you were to read some of the puff pieces, publicity articles, and general sales pitches out there, XDR brings with it the promise of solving all your security-related ills swiftly, efficiently, and automatically, as if it were SIEM’s (Security Information and Event Management) coming of age.

So, is XDR SIEM at ‘Sweet 16’? Or is it just a raging case of overconfidence? Maturity requires an understanding of context, and cyber is no different.

Why SIEM has ruled the roost

For almost 20 years, the cornerstone of your average security operations centre (SOC) has been an implemented SIEM. Much like the acronym suggests, the basic tenet was to centralise security information and events from various sources across the network for collation, correlation, and security-related analysis. From a log management, historical investigation, and compliance reporting perspective, SIEMs were the bee’s knees.

But SIEM wasn’t just about storing data. SIEM offered near real-time analysis of security events. This gave security teams a holistic view of what was happening across their network and enabled them to focus on potential incidents rather than wasting time on irrelevant data. Next came EDR (endpoint detection and response), which took over the anti-virus function and added user endpoint logs. SIEM was now learning to talk as well as walk. But data storage costs a lot, and this led to a spiralling total cost of ownership.

Enter XDR 

In comes XDR, the shiny new kid on the security information block. Taking its cue from EDR, and adding in endpoint service association, XDR should be considered a valid evolution. SIEM took the approach of, ‘Give me everything now, so you can use it later.’ XDR instead says, ‘It’s the user, stupid! If the user registers a red flag, I’ll go collect the stuff related to that flag later.’

To achieve these ends, XDR adopted the latest IT acronym, ‘AI’, in the limited form of machine learning and behavioural analytics. Using these, XDR systems can theoretically identify anomalies and otherwise seemingly benign activities that might slip through the cracks of a log-centric approach: things like unusual logins, data exfiltration attempts, or unauthorised access to critical systems.

Where XDR falls short 

Machine learning and behavioural analytics require both processing power and large datasets on which to learn and base their analyses and predictions. Analysis based on one environment isn’t a large enough reference set. This means co-locating datasets so they can be collated. In this manner, alerting rules and triggers can be based on globalised machine learning of patterns, semantics, etc. In practice, vendors have to push everyone’s data into their cloud so they can apply their AI logic to achieve their alerting ends.

However, the one thing you can’t control in an IT environment is the human element. One company’s usage patterns don’t necessarily match another’s, and XDR’s over-confidence starts to show through in its failings. XDR systems lack both the deep historical data that SIEMs contain and the complex correlation engines for which SIEMs are known. Like a bad case of acne, without ongoing maintenance and tuning of their detection logic and filtering out of irrelevant noise, XDR systems can easily lead to information overload and alert fatigue.

Cyber burnout is absolutely a thing, and in a time when it can be hard to find staff with the right skills, a lack of expertise in interpreting data, configuring alerts, and orchestrating incident response actions can lead to missed detections or wasted resources on false positives. Maturity is nothing without context. 

Conclusion 

At the time of writing this article, there has been a lot of amalgamation in the security analysis market space. Are the XDR vendors trying to sell the marketplace on the idea that SIEM is dead, and are the SIEM vendors reading the wind? Maybe so. But does that, by extension, also mean that XDR (in a vendor cloud) is the answer to holistic security nirvana?

As in life, all things in moderation. The reality is you probably want both… working in unity: XDR doing its thing in terms of advanced threat detection and pattern matching, while making use of SIEM’s historical information. If you’re still relying on security information only, you’re still missing the full picture. What’s needed still is context.

Taking the Buddhist analogy a little further, the melding of SIEM and XDR still won’t get you to nirvana, but it might get you to a state of ‘increased mindfulness’. From there, enlightenment beckons.
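To make the ‘both, working in unity’ point concrete, here is an added example (not code from the original article or from any vendor): an XDR-style behavioural alert on an unusual login is triaged against a per-user baseline built from SIEM historical login records, so that alerts already explained by history are suppressed rather than fatiguing the analyst. All users, timestamps and countries are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed SIEM-style historical login records: (user, UTC timestamp, source country).
HISTORICAL_LOGINS = [
    ("alice", "2024-03-01T08:12:00", "GB"),
    ("alice", "2024-03-04T09:03:00", "GB"),
    ("alice", "2024-03-11T17:45:00", "GB"),
    ("alice", "2024-03-18T08:30:00", "FR"),
    ("bob",   "2024-03-02T22:10:00", "US"),
    ("bob",   "2024-03-09T23:05:00", "US"),
]

# Constructed XDR-style anomaly alerts, each flagging a login the behavioural model found unusual.
XDR_ALERTS = [
    {"user": "alice", "ts": "2024-03-25T08:05:00", "country": "FR", "reason": "rare geo"},
    {"user": "alice", "ts": "2024-03-25T03:10:00", "country": "GB", "reason": "unusual hour"},
    {"user": "bob",   "ts": "2024-03-25T22:30:00", "country": "RU", "reason": "rare geo"},
    {"user": "carol", "ts": "2024-03-25T10:00:00", "country": "DE", "reason": "rare geo"},
]

def build_baseline(logins):
    """Per-user set of countries and login hours observed in the historical SIEM data."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for user, ts, country in logins:
        baseline[user]["countries"].add(country)
        baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(baseline)

def triage(alerts, baseline, hour_tolerance=2):
    """Split alerts into (escalate, suppress) using the SIEM baseline as context.

    An alert is suppressed only when both its source country and its hour of day
    (within hour_tolerance hours) have been seen before for that user.
    """
    escalate, suppress = [], []
    for alert in alerts:
        history = baseline.get(alert["user"])
        hour = datetime.fromisoformat(alert["ts"]).hour
        if history is None:
            escalate.append(dict(alert, context="no login history for user"))
        elif alert["country"] not in history["countries"]:
            seen = sorted(history["countries"])
            escalate.append(dict(alert, context=f"country {alert['country']} never seen; usual {seen}"))
        elif not any(abs(hour - h) <= hour_tolerance for h in history["hours"]):
            escalate.append(dict(alert, context=f"hour {hour:02d} outside usual {sorted(history['hours'])}"))
        else:
            suppress.append(dict(alert, context="within historical baseline"))
    return escalate, suppress
```

On the constructed data, alice’s French login is suppressed (she has logged in from FR before, at a usual hour), while her 03:00 login, bob’s Russian login and the unknown user carol are escalated with the historical context attached.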