tater88er
Viewer

SIEM vs. XDR - In the modern day SOC, does SIEM have a place anymore?

In the modern-day SOC, does SIEM have a place anymore? Let me share my thoughts and then I would love to hear yours.

Given a mid-sized company with a small security staff, given said staff has top-of-line tools for XDR/EDR, CASB, DLP, Email SEC, DNS SEC, Firewall and Network SEC and a few others...

Given the fact that most modern-day SIEMs integrate with most if not all of these tools, and so does the XDR tool...

Given the fact that the purpose of a SIEM is to stitch logs, scan logs, find anomalous activity, correlate and report or alert on said anomalous activity, and use the integrations to other tools to provide enrichment for said anomalous activity...

Given the fact that most modern-day SIEMs don't seem to work this way anymore - for example, many will simply forward on alerts from third-party integrated tools but don't necessarily correlate - it seems those integrations are kind of worthless because now you are getting double alerts...

Given the fact that modern-day XDR/EDR tools have agents on endpoints that gather as much and even more data than collecting the logs...

Given the fact that modern-day XDR/EDR tools have better interfaces than SIEM tools for diving into alerts...

Given the fact that most modern-day SIEM tools require dedicated staff to maintain the tools...

Is there a place for a SIEM tool in a modern-day SOC - especially one running with minimal staff - and one that makes heavy use of a high-end XDR/EDR tool?

1 Reply
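As an added illustration of the forwarding-versus-correlation point in the post above (example code, not from the poster or from any SIEM or XDR product): a minimal correlator that first drops a SIEM-forwarded copy of an EDR alert, then raises one incident only when distinct tools fire on the same host inside a time window. The alert records, field names, hosts and rule names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: the EDR fires on ws-042, the DNS tool fires on the
# same host minutes later, and the SIEM forwards the EDR alert unchanged (the
# "double alert" case). 'ref' is the upstream detection id the copy still carries.
ALERTS = [
    {"src": "edr",  "host": "ws-042", "rule": "suspicious_powershell",
     "ts": "2024-05-01T10:00:05", "ref": "edr-1001"},
    {"src": "siem", "host": "ws-042", "rule": "suspicious_powershell",
     "ts": "2024-05-01T10:00:05", "ref": "edr-1001"},   # forwarded copy
    {"src": "dns",  "host": "ws-042", "rule": "newly_registered_domain",
     "ts": "2024-05-01T10:04:30", "ref": "dns-77"},
    {"src": "edr",  "host": "ws-099", "rule": "suspicious_powershell",
     "ts": "2024-05-01T11:00:00", "ref": "edr-1002"},
]

def dedupe(alerts):
    """Keep the first alert per upstream 'ref'; a forwarded copy adds nothing."""
    seen, unique = set(), []
    for a in alerts:
        if a["ref"] in seen:
            continue
        seen.add(a["ref"])
        unique.append(a)
    return unique

def correlate(alerts, window=timedelta(minutes=10), min_sources=2):
    """Group alerts by host and emit an incident when at least `min_sources`
    distinct tools fire on that host within `window` of each other."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):   # ISO timestamps sort as text
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        for i, first in enumerate(items):
            start = datetime.fromisoformat(first["ts"])
            cluster = [x for x in items[i:]
                       if datetime.fromisoformat(x["ts"]) - start <= window]
            sources = {x["src"] for x in cluster}
            if len(sources) >= min_sources:
                incidents.append({"host": host, "first_seen": first["ts"],
                                  "sources": sorted(sources),
                                  "rules": sorted({x["rule"] for x in cluster})})
                break   # one incident per host is enough for this example
    return incidents

if __name__ == "__main__":
    for inc in correlate(dedupe(ALERTS)):
        print(inc)
```

Run without `dedupe` first and the forwarded copy shows up as a third "source" on ws-042, which is exactly the inflated picture the post complains about.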
Caute_cautim
Community Champion

@tater88er In my view it is an evolution: SIEM is at the core, but these days it should be fed with Attack Security Management (ASM) input of the current organisation on a 24x7 basis, so any unknown vulnerabilities are detected and evaluated from a risk and threat management perspective, and with a continuous threat intelligence feed from approved sources, so that proactive Incident Response Use Cases can be applied appropriately to reduce the impact and costs associated with a compromise.

Yes, add the EDR, MDR and XDR extensions, but make sure you evolve to a full SOAR with full automation and orchestration via "augmented intelligence" to assist the security analyst to stay sane and provide guidance and a long history of attack patterns to assist them.

Plus the fact the SIEM will no longer be hitched to a particular Data Centre; it will be cloud based and portable, and it will probably be managed through Managed Security Services. The costs of having your own Security Operations Centre (SOC) and maintaining it are sky high, and likely to be an even bigger burden in the years to come.

Regards

Caute_Cautim