The focus of cyber security operations centers (SOCs) has shifted to extended detection and response (XDR), according to experts in the field. When architected correctly, XDR can alleviate pressure and reduce costs for security information and event management (SIEM) systems, which are typically responsible for correlating complex security alerts. Additionally, XDR can provide a more streamlined and comprehensive view of ticketing, alerting, and automation and response processes.
Implementing XDR effectively requires organizations to embrace new principles that challenge traditional thinking about SOCs. One such principle is the use of intelligent data pipelines and data lakes. By managing the security data pipeline intelligently, organizations can materially reduce spending by preprocessing every log and dropping data that adds no analytic value. This matters most when the primary cost driver is the volume of data ingested per day. For example, by removing redundant and unnecessary fields from Windows Active Directory logs, organizations can reduce SIEM storage costs by 68.48%.
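The pipeline step described above, as an added example that is not code from the article or its author: Windows Security event records are pruned to a per-event allowlist of fields before they are shipped to the SIEM, and the byte reduction is measured. The records and the allowlist (`KEEP_BY_EVENT`) are constructed for illustration; field names follow the Windows Security log schema, but every value is made up, and a real allowlist comes from reviewing which fields your detections actually consume. Note the fail-open behaviour for event types without an allowlist, so that a new event type is never silently truncated.

```python
"""Added example (not code from the article or its author): prune
redundant fields from Windows Security event records before they are
shipped to the SIEM, and measure the byte reduction.

The records below are constructed for illustration. Field names follow
the Windows Security log schema (EventID 4624/4625 logon events), but
every value is made up. KEEP_BY_EVENT is a hypothetical allowlist.
"""
import json

# Hypothetical per-event allowlist of fields the SOC's detections use.
KEEP_BY_EVENT = {
    4624: {"TargetUserName", "TargetDomainName", "LogonType",
           "IpAddress", "LogonProcessName", "AuthenticationPackageName"},
    4625: {"TargetUserName", "TargetDomainName", "LogonType",
           "IpAddress", "Status", "SubStatus"},
}
# Always retained: without these a record cannot be timelined or attributed.
ALWAYS_KEEP = {"EventID", "TimeCreated", "Computer"}


def prune(event: dict) -> dict:
    """Drop fields outside the allowlist and Windows' "-" placeholders.

    Fails open: an EventID with no allowlist is forwarded unchanged, so a
    new event type never silently loses data the SIEM rules may need.
    """
    keep = KEEP_BY_EVENT.get(event.get("EventID"))
    if keep is None:
        return dict(event)
    keep = keep | ALWAYS_KEEP
    return {k: v for k, v in event.items() if k in keep and v != "-"}


def encoded_size(events) -> int:
    """Bytes the records occupy as compact JSON, the unit most SIEMs bill on."""
    return sum(len(json.dumps(e, separators=(",", ":")).encode("utf-8"))
               for e in events)


def reduction(events) -> float:
    """Fraction of ingest bytes saved by pruning (0.0 = nothing saved)."""
    before = encoded_size(events)
    after = encoded_size(prune(e) for e in events)
    return 1.0 - after / before


# Constructed sample records, as a log collector might emit them.
RAW_EVENTS = [
    {
        "EventID": 4624, "TimeCreated": "2024-01-01T10:00:00Z",
        "Computer": "DC01.example.local", "Channel": "Security",
        "Provider": "Microsoft-Windows-Security-Auditing",
        "Version": 2, "Level": 0, "Task": 12544, "Opcode": 0,
        "Keywords": "0x8020000000000000", "RecordNumber": 1187423,
        # Rendered message text duplicates the structured fields below.
        "Message": ("An account was successfully logged on.\n\nSubject:\n"
                    "\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n"
                    "\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\n"
                    "Logon Information:\n\tLogon Type:\t\t3\n"
                    "\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n"
                    "\tElevated Token:\t\tNo\n"),
        "TargetUserName": "alice", "TargetDomainName": "EXAMPLE",
        "LogonType": 3, "IpAddress": "10.0.0.5", "IpPort": "51234",
        "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos",
        "ProcessName": "-", "LmPackageName": "-", "KeyLength": 0,
        "TransmittedServices": "-", "RestrictedAdminMode": "-",
    },
    {
        "EventID": 4625, "TimeCreated": "2024-01-01T10:00:07Z",
        "Computer": "DC01.example.local", "Channel": "Security",
        "Provider": "Microsoft-Windows-Security-Auditing",
        "Version": 0, "Level": 0, "Task": 12544, "Opcode": 0,
        "Keywords": "0x8010000000000000", "RecordNumber": 1187424,
        "Message": ("An account failed to log on.\n\nSubject:\n"
                    "\tSecurity ID:\t\tS-1-0-0\n\nFailure Information:\n"
                    "\tFailure Reason:\t\tUnknown user name or bad password.\n"
                    "\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC000006A\n"),
        "TargetUserName": "bob", "TargetDomainName": "EXAMPLE",
        "LogonType": 3, "IpAddress": "10.0.0.9", "IpPort": "40011",
        "Status": "0xC000006D", "SubStatus": "0xC000006A",
        "ProcessName": "-", "LmPackageName": "-", "KeyLength": 0,
    },
]

if __name__ == "__main__":
    print(f"ingest reduced by {reduction(RAW_EVENTS):.1%}")
    for e in RAW_EVENTS:
        print(json.dumps(prune(e)))
```

The saving comes almost entirely from the rendered `Message` text, which repeats the structured fields, and from schema constants that are identical on every record; the figure you get on your own data will differ from the article's 68.48%.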
Another important principle is focusing detection and prevention closest to the source of the threat. Historically, SIEMs were the main tools used to correlate and analyze raw logs, making them essential for identifying and addressing security alerts. However, with the emergence of endpoint detection and response (EDR) tools, organizations have alternative options. EDR, essentially SIEM on the endpoint, allows detection rules to be written and evaluated directly on the endpoint, eliminating the need to send every piece of telemetry to the SIEM. Modern EDR tools have improved significantly in building out-of-the-box detections, leading to a decrease in detections and preventions attributed to SIEMs in recent years.
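Detection closest to the source, as an added example that is not code from the article or its author: a stateful rule evaluated on the endpoint where the logon telemetry originates, so only its alerts, not every raw event, are forwarded upstream. It flags a source address that produces `THRESHOLD` or more failed logons (EventID 4625) within a sliding `WINDOW`, and suppresses duplicate alerts for the same source inside one window. The thresholds and the sample event stream are constructed for illustration; the rule name and field names are hypothetical.

```python
"""Added example (not code from the article or its author): a detection
rule evaluated where the telemetry originates, so only alerts, not every
raw logon event, are forwarded to the SIEM.

The rule flags a source address that produces THRESHOLD or more failed
logons (EventID 4625) within WINDOW. Thresholds and the sample events are
constructed for illustration; tune them against your own baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

THRESHOLD = 5                  # failed logons from one source ...
WINDOW = timedelta(minutes=2)  # ... within this sliding window


class FailedLogonBurstRule:
    """Stateful, per-source sliding-window counter run on the endpoint."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # source IP -> timestamps in window
        self.alerted_at = {}               # source IP -> time of last alert

    def process(self, event):
        """Return an alert dict if this event crosses the threshold, else None."""
        if event.get("EventID") != 4625:
            return None
        src = event.get("IpAddress", "unknown")
        ts = datetime.fromisoformat(event["TimeCreated"].replace("Z", "+00:00"))
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire entries outside the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        # Suppress duplicate alerts for the same source inside one window.
        last = self.alerted_at.get(src)
        if last is not None and ts - last <= self.window:
            return None
        self.alerted_at[src] = ts
        return {
            "rule": "failed_logon_burst",
            "computer": event.get("Computer"),
            "source": src,
            "count": len(q),
            "first_seen": q[0].isoformat(),
            "last_seen": ts.isoformat(),
        }


def evaluate(events):
    """Run the rule over a time-ordered event stream; return only what would be forwarded."""
    rule = FailedLogonBurstRule()
    return [a for a in (rule.process(e) for e in events) if a is not None]


def _logon_event(event_id, ts, src):
    """Build a minimal constructed logon record."""
    return {"EventID": event_id, "TimeCreated": ts.isoformat(),
            "Computer": "DC01.example.local", "IpAddress": src,
            "TargetUserName": "svc-backup"}


# Constructed stream: one noisy source, one quiet source, a few successes.
_BASE = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    [_logon_event(4625, _BASE + timedelta(seconds=5 * i), "10.0.0.9") for i in range(12)]
    + [_logon_event(4625, _BASE + timedelta(seconds=90 * i), "10.0.0.7") for i in range(3)]
    + [_logon_event(4624, _BASE + timedelta(seconds=30 * i), "10.0.0.5") for i in range(4)]
)
# The sliding window assumes time order, so sort as a collector would.
SAMPLE_EVENTS.sort(key=lambda e: e["TimeCreated"])

if __name__ == "__main__":
    alerts = evaluate(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} events in, {len(alerts)} alert(s) forwarded")
    for a in alerts:
        print(a)
```

Nineteen raw events yield a single forwarded alert. The trade-off is that the SIEM no longer holds the raw 4625 records for this host, so keep whatever retention your investigations need in the endpoint tool or a cheaper data lake rather than assuming the SIEM has it.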
It’s also important to play to the strengths of SIEM tools. While certain architectural differences may make one SIEM tool a better fit for a particular environment, the specific SIEM tool chosen does not significantly impact detection capabilities. Instead, organizations should focus on creating processes, tuning systems, and regularly testing and benchmarking their detection capabilities.
In the future, XDR architecture will be closely aligned with security orchestration, automation, and response (SOAR) technologies. Automation and artificial intelligence (AI)-enhanced triage will play a crucial role in neutralizing threats quickly. However, it’s important to approach automation with caution and not exclude human involvement entirely. One recommended approach is to conduct a purple team exercise to identify optimized detections that have low false positive rates and can be trusted with an automated response. Then, organizations can create an automated response playbook that includes human intervention steps to ensure confidence before fully turning it over to automation.
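The gated automation described above, as an added example that is not code from the article or its author: each detection's automated containment is enabled only if it cleared a precision bar during a purple-team exercise, and any detection that has not earned that trust keeps an analyst approval step in front of containment. The detection names and exercise tallies are constructed, and `MIN_PRECISION` and `MIN_SAMPLES` are hypothetical policy values; the sample-count floor exists because a detection that fired only a handful of times has not demonstrated a reliable false-positive rate, however clean those few firings were.

```python
"""Added example (not code from the article or its author): gate each
detection's automated response on the precision it demonstrated in a
purple-team exercise, and keep a human approval step in the playbook for
anything that has not earned full automation.

The detection names and exercise tallies below are constructed. The
thresholds (MIN_PRECISION, MIN_SAMPLES) are hypothetical policy values.
"""
from dataclasses import dataclass
from typing import Callable, List

MIN_PRECISION = 0.95   # share of exercise firings that were true positives
MIN_SAMPLES = 20       # below this the precision estimate is not trustworthy


@dataclass
class ExerciseResult:
    """Tally of one detection's firings during a purple-team exercise."""
    detection: str
    true_positives: int
    false_positives: int

    @property
    def firings(self) -> int:
        return self.true_positives + self.false_positives

    @property
    def precision(self) -> float:
        return self.true_positives / self.firings if self.firings else 0.0

    def trusted_for_automation(self) -> bool:
        return self.firings >= MIN_SAMPLES and self.precision >= MIN_PRECISION


@dataclass
class Step:
    action: str
    needs_human: bool = False


def build_playbook(result: ExerciseResult) -> List[Step]:
    """Enrichment and ticketing always run unattended; containment is
    automatic only for a trusted detection, otherwise an analyst must
    approve before the host is isolated."""
    steps = [Step("enrich_alert"), Step("open_ticket")]
    if not result.trusted_for_automation():
        steps.append(Step("analyst_approval", needs_human=True))
    steps += [Step("isolate_host"), Step("notify_asset_owner")]
    return steps


def run_playbook(steps: List[Step], approve: Callable[[Step], bool]) -> List[str]:
    """Execute steps in order; a declined human gate halts the playbook.

    `approve` stands in for the ticketing or chat integration that collects
    the analyst's decision. Returns the actions that were actually run.
    """
    done = []
    for step in steps:
        if step.needs_human and not approve(step):
            done.append(f"{step.action}:declined")
            break
        done.append(step.action)
    return done


# Constructed exercise tallies for three hypothetical detections.
RESULTS = [
    ExerciseResult("pass_the_hash_lateral", true_positives=48, false_positives=1),
    ExerciseResult("unusual_powershell_parent", true_positives=10, false_positives=8),
    ExerciseResult("new_domain_admin_added", true_positives=5, false_positives=0),
]

if __name__ == "__main__":
    for r in RESULTS:
        plan = build_playbook(r)
        print(f"{r.detection}: precision={r.precision:.2f} n={r.firings} "
              f"automated={r.trusted_for_automation()} "
              f"steps={[s.action for s in plan]}")
```

Re-run the exercise and rebuild the playbooks whenever detections are tuned, since the gate is only as current as the tallies behind it.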
Implementing XDR requires breaking away from legacy SIEM management philosophies and embracing new program design philosophies. By doing so, organizations can improve their capabilities and reduce costs. XDR is not just a buzzword; it is based on solid foundations and can provide real benefits when applied in a technology-agnostic manner.
About the Author:
Mike Pinch is a cybersecurity expert who joined Security Risk Advisors in 2018 after serving as the Chief Information Security Officer at the University of Rochester Medical Center for six years. He is nationally recognized as a leader in the field and has spoken at various conferences and contributed to national standards for cybersecurity frameworks. Mike focuses on helping SOC teams improve their capabilities, with a particular focus on GCP, AWS, and Azure security. He is also actively involved in developing modern AI technologies for cybersecurity challenges.
