Working hand in hand to strengthen security defenses — SIEM and EDR

DNIF
3 min read · Jan 13, 2021

The cyber threat landscape can be daunting. Often, you are faced with questions such as:

  • Can an organization rely solely on security information and event management (SIEM)?
  • Does endpoint detection and response (EDR) alone meet all the requirements an organization needs to be secure?
  • How do we decide which technology is best suited for an organization — SIEM or EDR?

Here I share the gist of my experience working with both technologies; based on it, you can determine how your organization can benefit.

SIEM and EDR each have distinctive strengths of their own. Individually, however, both still fall short. Used together, the capabilities of these two tools form a solid base of security defense for an organization. They complement one another, helping to detect incidents and to expedite the investigation so that any incident is contained at the earliest.

Detecting threats using SIEM

An organization has many devices, and it is not possible to track the logs of each one individually. Monitoring every system on its own requires manual effort to reconcile its activity with that of the other devices, which lengthens identification and investigation time, results in high risk and unmanaged consequences, and greatly increases the number of anomalies. This is where the SIEM comes in: the logs of all devices are collected in one place, then analyzed and correlated so that they can be monitored for impactful detection. A SIEM can correlate logs from multiple devices and identify potential threats that would otherwise go undetected. Threat-intelligence feeds can be integrated to enrich the raw data, and detection rules written against the enriched data in the SIEM provide a proactive way to identify threats.

While these functions are primarily used to detect potential threats, they also assist in the initial investigation. When an incident is raised because of suspicious behavior, the information needed for triage can be obtained from the abnormal log that matched the detection rule. Since the SIEM holds the logs of every captured device, analysts can collect as much information as possible in one location and see the abnormalities occurring on the infected device. Given a specific timeline, the captured logs are brought together, which helps analysts understand precisely the reason behind the infection, the machines it contacted, and so on. Communication details from proxy logs help verify whether there were any network communications, such as visits to reachable sites that could have delivered malware onto the machine. There will also be a tremendous amount of noise alongside the incident logs; filtering it lets you concentrate on the minute details, fine-tune the search and identify the infected machine that needs deeper investigation. Once the machine causing the abnormal behavior is identified, one can dig deeper with further assistance.
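The correlation and triage workflow described in the two paragraphs above, as an added worked example (this is not DNIF's code, nor any product's rule syntax): a toy SIEM in Python that normalizes log lines from an authentication server, a web proxy and a firewall, enriches them against a threat-intel list, fires one detection rule across all three sources, and then pivots to the alerted host's timeline with the other hosts' events filtered out as noise. Every hostname, address, domain, log line and intel indicator is constructed for the example.

```python
"""
Toy SIEM correlation: normalize log lines from several devices, enrich them
with a threat-intel list, evaluate one detection rule across sources, and
pivot to a per-host timeline for triage. Added example, not DNIF's code.
All log lines, hostnames, IPs and domains below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample logs from three device types (simplified key=value syslog).
RAW_LOGS = [
    "2021-01-13T09:00:02 auth host=ws-17 user=alice result=failure src=10.0.5.17",
    "2021-01-13T09:00:05 auth host=ws-17 user=alice result=failure src=10.0.5.17",
    "2021-01-13T09:00:09 auth host=ws-17 user=alice result=success src=10.0.5.17",
    "2021-01-13T09:01:30 proxy host=ws-17 dst=updates.example.net bytes=4821 action=allow",
    "2021-01-13T09:02:11 proxy host=ws-17 dst=bad-cdn.invalid bytes=913402 action=allow",
    "2021-01-13T09:02:40 fw host=ws-17 dst_ip=203.0.113.45 dst_port=443 action=allow",
    "2021-01-13T09:03:00 proxy host=ws-22 dst=updates.example.net bytes=5012 action=allow",
    "2021-01-13T09:05:00 fw host=ws-22 dst_ip=198.51.100.8 dst_port=443 action=allow",
]

# Constructed threat-intel feed: indicators a SIEM would ingest for enrichment.
INTEL = {"domains": {"bad-cdn.invalid"}, "ips": {"203.0.113.45"}}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<kv>.*)$")


def parse(line):
    """Normalize one log line into a dict with a datetime, a source and its fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"]}
    for kv in m["kv"].split():
        if "=" in kv:
            key, value = kv.split("=", 1)
            event[key] = value
    return event


def enrich(event, intel=INTEL):
    """Enrichment step: tag the event with the intel indicator it matches, if any."""
    hit = None
    if event.get("dst") in intel["domains"]:
        hit = event["dst"]
    elif event.get("dst_ip") in intel["ips"]:
        hit = event["dst_ip"]
    event["intel_hit"] = hit
    return event


def correlate(events, window=timedelta(minutes=5)):
    """Detection rule spanning three sources: repeated auth failures followed by a
    success on one host, then within `window` a proxy or firewall connection to a
    known-bad indicator. Returns one alert per host that matches."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.get("host")].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["source"] == "auth" and e.get("result") == "failure"]
        successes = [e for e in evs if e["source"] == "auth" and e.get("result") == "success"]
        if len(failures) < 2 or not successes:
            continue
        success_ts = successes[0]["ts"]
        bad = [e for e in evs if e.get("intel_hit") and success_ts <= e["ts"] <= success_ts + window]
        if bad:
            alerts.append({"host": host, "user": successes[0].get("user"),
                           "indicators": sorted({e["intel_hit"] for e in bad}),
                           "first_seen": bad[0]["ts"]})
    return alerts


def host_timeline(events, host, center, radius=timedelta(minutes=3)):
    """Triage pivot: every event for `host` within +/- radius of the alert time,
    in order, so the analyst sees the sequence without other hosts' noise."""
    return sorted((e for e in events if e.get("host") == host and abs(e["ts"] - center) <= radius),
                  key=lambda e: e["ts"])


EVENTS = [enrich(e) for e in map(parse, RAW_LOGS) if e]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT", alert)
        for e in host_timeline(EVENTS, alert["host"], alert["first_seen"]):
            print("  ", e["ts"].time(), e["source"],
                  {k: v for k, v in e.items() if k not in ("ts", "source")})
```

The rule only fires because three independent sources are joined on the host field and a time window; any one of the three logs read alone is unremarkable, which is the point the paragraph makes about correlation. The timeline pivot is the triage step: it discards ws-22's traffic and leaves the analyst the ordered sequence for ws-17 to hand over to the endpoint investigation.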

Investigating threats using EDR

EDR is an endpoint protection platform that gathers data from endpoints for ongoing monitoring and deep analysis. While SIEM is the key to detection, EDR is the solution for investigating and reaching the root cause of the suspected anomaly. The suspicious element detected by the SIEM can be taken into the EDR and dug into more deeply. EDR provides a wider perspective and a clear picture of precisely what happened to trigger the alert. Using the exact time frame of the incident on the targeted system, it lists the processes running on the host at that time. Analysts can then examine the connections made to other machines on the same network, along with external connections, to identify the presence of any malicious entity. The size of the transmitted data can be used to identify whether any malicious files have been dropped on the user's machine. The host can be connected to remotely, and the file downloaded and analyzed in a sandbox to determine whether it was the real cause of the suspicious activity that triggered the alert. Since all the endpoint's logs are related here, the outcome lets one explore every detail of what occurred at that time. This helps determine the root cause of the alert and accelerates the containment time of every incident.
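The EDR investigation steps listed above (which processes were alive at the alert time and what spawned them, internal versus external connections in the incident window, and transferred data size pointing at a dropped file worth pulling for sandbox analysis), as an added example in Python; it is not DNIF's code and not any EDR product's API. The process, file-write and connection records, the process names, the addresses and the file hash are all constructed placeholders.

```python
"""
Toy EDR investigation over constructed endpoint telemetry for one host:
processes alive at the alert time with their parent chain, connections in the
incident window split into internal and external, and dropped-file candidates
(a file written by a process right after it received a large external download).
Added example, not DNIF's code; every record, name, address and hash is constructed.
"""
from datetime import datetime, timedelta


def t(clock):
    """Build a timestamp on the constructed incident day from an HH:MM:SS string."""
    return datetime.fromisoformat("2021-01-13T" + clock)


# Constructed process events: pid, parent pid, image, start and end (None = still running).
PROCESSES = [
    {"pid": 400, "ppid": 1,   "image": "explorer.exe",   "start": t("08:30:00"), "end": None},
    {"pid": 812, "ppid": 400, "image": "outlook.exe",    "start": t("08:45:00"), "end": None},
    {"pid": 933, "ppid": 812, "image": "winword.exe",    "start": t("09:01:20"), "end": t("09:01:55")},
    {"pid": 941, "ppid": 933, "image": "powershell.exe", "start": t("09:01:40"), "end": None},
    {"pid": 990, "ppid": 400, "image": "chrome.exe",     "start": t("07:55:00"), "end": t("08:20:00")},
]

# Constructed file-write events; the hash is a placeholder, not a real indicator.
FILE_WRITES = [
    {"pid": 941, "ts": t("09:02:25"), "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe",
     "sha256": "<constructed-hash-placeholder>"},
]

# Constructed network connections: which process talked to where, and how much data moved.
CONNECTIONS = [
    {"pid": 812, "ts": t("09:00:30"), "dst": "10.0.0.5:443",     "bytes_out": 2_100,  "bytes_in": 48_000},
    {"pid": 941, "ts": t("09:02:11"), "dst": "203.0.113.45:443", "bytes_out": 1_800,  "bytes_in": 913_402},
    {"pid": 941, "ts": t("09:03:10"), "dst": "10.0.5.22:445",    "bytes_out": 65_000, "bytes_in": 1_200},
]


def processes_alive_at(when, processes=PROCESSES):
    """Processes whose lifetime covers `when`: what was running when the alert fired."""
    return [p for p in processes if p["start"] <= when and (p["end"] is None or p["end"] >= when)]


def ancestry(pid, processes=PROCESSES):
    """Parent chain from pid up to the root, as image names (who spawned the shell)."""
    by_pid = {p["pid"]: p for p in processes}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def connections_in_window(start, end, connections=CONNECTIONS):
    """Connections in [start, end], split into same-network (10.x here) and external."""
    window = [c for c in connections if start <= c["ts"] <= end]
    internal = [c for c in window if c["dst"].startswith("10.")]
    external = [c for c in window if not c["dst"].startswith("10.")]
    return internal, external


def dropped_file_candidates(start, end, in_threshold=500_000, writes=FILE_WRITES):
    """Files written in the window by a process that had just received more than
    `in_threshold` bytes from an external destination: the likely dropped file to
    retrieve from the host and detonate in a sandbox."""
    _, external = connections_in_window(start, end)
    downloads = [c for c in external if c["bytes_in"] > in_threshold]
    found = []
    for f in writes:
        if not (start <= f["ts"] <= end):
            continue
        for c in downloads:
            if c["pid"] == f["pid"] and c["ts"] <= f["ts"]:
                found.append({"path": f["path"], "sha256": f["sha256"], "from": c["dst"],
                              "process_chain": ancestry(f["pid"])})
                break
    return found


def investigate(alert_time, window=timedelta(minutes=5)):
    """Assemble the EDR view for one alert timestamp on this host."""
    start, end = alert_time - window, alert_time + window
    internal, external = connections_in_window(start, end)
    return {
        "running": [p["image"] for p in processes_alive_at(alert_time)],
        "internal_connections": len(internal),
        "external_connections": len(external),
        "candidates": dropped_file_candidates(start, end),
    }


if __name__ == "__main__":
    for key, value in investigate(t("09:02:11")).items():
        print(f"{key}: {value}")
```

The alert timestamp is the one the SIEM produced; the EDR side answers the questions the paragraph lists from the same window, and the process chain (a shell spawned from a document opened from the mail client) is what turns "a file was written" into a root cause the analyst can act on.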

Marrying SIEM and EDR

This is how SIEM and EDR complement each other and go hand in hand. You cannot say that one is enough and choose one over the other, as each has its unique characteristics, and together they work like magic in defending the security of any business. Using SIEM and EDR together, incident detection is streamlined and investigation is eased with minimum staffing. Together, the outcome of both technologies is reliable, cost-effective, and offers robust protection for an enterprise.

Blog by: Sharron Quadros
