Working hand in hand to strengthen security defenses — SIEM and EDR

  • Can an organization rely solely on security information and event management (SIEM)?
  • Does endpoint detection and response (EDR) alone satisfy all the requirements an organization needs to be secure?
  • How do we decide which technology is best suited for an organization — SIEM or EDR?

Detecting threats using SIEM

An organization has many devices, and it is not possible to track the logs of each of them individually. Monitoring each system on its own requires manual effort to reconcile its activity with that of other devices, which lengthens identification and investigation, resulting in high risk and unmanaged consequences; this in turn greatly increases the number of anomalies. This is where SIEM comes in: all devices’ logs are collected in one place, then analyzed and correlated so that they can be monitored for impactful detection. SIEM can correlate logs from multiple devices and identify potential threats that would otherwise go undetected. Threat intelligence feeds can be integrated to enrich the raw data when writing SIEM rules, providing a proactive way to identify threats.

Investigating threats using EDR

EDR is an endpoint protection platform that gathers data from endpoints for ongoing monitoring and deep analysis. While SIEM is the key to detection, EDR is the solution for investigating and reaching the root cause of the suspected anomaly. The suspicious element detected by SIEM can be taken into EDR and dug into more deeply. EDR provides a wider perspective and a transparent picture of precisely what happened to trigger the alert. Given the exact time frame of the incident on the targeted system, it lists the processes running on the host at that time. Analysts can then examine the connections made to other machines on the same network, along with external connections, to identify the presence of any malicious entity. The size of the transmitted data can be used to determine whether any malicious files have been dropped on the user’s machine. The host can be connected to remotely, and the file can be downloaded and analyzed in a sandbox to identify whether it was the real cause of the suspicious activity that triggered the alert. Since all endpoints’ logs are correlated here, the outcome lets one explore every detail of what occurred at that time. This helps determine the root cause of the alert and accelerates the containment time of every incident.
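As an added example (not part of the original post), the following shows the two steps the text describes in miniature: a SIEM-style correlation over constructed logs from an authentication server and a firewall, enriched with a constructed threat-intel list, followed by the EDR pivot that lists the processes alive on the host at the alert's timestamp. The event schema, host names, addresses and process names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events from two sources, normalised to one schema (as a SIEM
# would do). INTEL is a constructed threat-intel feed (TEST-NET addresses).
EVENTS = [
    {"ts": "2024-03-01T09:00:05", "src": "auth", "host": "WS-17", "event": "login_failed"},
    {"ts": "2024-03-01T09:00:09", "src": "auth", "host": "WS-17", "event": "login_failed"},
    {"ts": "2024-03-01T09:00:14", "src": "auth", "host": "WS-17", "event": "login_failed"},
    {"ts": "2024-03-01T09:00:20", "src": "auth", "host": "WS-17", "event": "login_ok"},
    {"ts": "2024-03-01T09:01:02", "src": "firewall", "host": "WS-17", "event": "outbound", "dst": "203.0.113.7"},
    {"ts": "2024-03-01T09:30:00", "src": "firewall", "host": "WS-22", "event": "outbound", "dst": "198.51.100.9"},
]
INTEL = {"203.0.113.7"}
# Constructed EDR process telemetry for the same hosts (end=None means still running).
PROCESSES = [
    {"host": "WS-17", "pid": 412, "image": "explorer.exe", "start": "2024-03-01T08:30:00", "end": None},
    {"host": "WS-17", "pid": 5120, "image": "powershell.exe", "start": "2024-03-01T09:00:45", "end": "2024-03-01T09:02:10"},
    {"host": "WS-17", "pid": 5200, "image": "notepad.exe", "start": "2024-03-01T09:05:00", "end": None},
    {"host": "WS-22", "pid": 700, "image": "chrome.exe", "start": "2024-03-01T09:00:00", "end": None},
]

def ts(s): return datetime.fromisoformat(s)

def correlate(events, intel, window=timedelta(minutes=5), threshold=3):
    """SIEM-style rule: alert when, within `window` before an outbound connection to an
    intel-listed address, the same host saw >= threshold failed logins and then a success."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for hit in (e for e in evs if e["event"] == "outbound" and e.get("dst") in intel):
            lo, hi = ts(hit["ts"]) - window, ts(hit["ts"])
            in_win = [e for e in evs if lo <= ts(e["ts"]) <= hi]
            fails = sum(e["event"] == "login_failed" for e in in_win)
            if fails >= threshold and any(e["event"] == "login_ok" for e in in_win):
                alerts.append({"host": host, "ts": hit["ts"], "dst": hit["dst"], "failed_logins": fails})
    return alerts

def processes_at(procs, host, when):
    """EDR pivot: process images alive on `host` at the alert timestamp."""
    t = ts(when)
    return sorted(p["image"] for p in procs if p["host"] == host and ts(p["start"]) <= t
                  and (p["end"] is None or ts(p["end"]) >= t))

if __name__ == "__main__":
    for a in correlate(EVENTS, INTEL):
        print("ALERT", a)
        print("  processes on host at alert time:", processes_at(PROCESSES, a["host"], a["ts"]))
```

Each source on its own (a few failed logins, one outbound connection) looks unremarkable; only the cross-source correlation raises the alert, and the EDR view then narrows the investigation to what was running on WS-17 at that moment.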

Marrying SIEM and EDR

This is how SIEM and EDR complement each other and go hand in hand. You can’t say one is enough and choose one over the other, as each has its own unique characteristics, and together they work like magic in defending the security of any business. Using SIEM and EDR together, the detection of incidents is streamlined and the investigation is eased with minimal staffing. Together, the outcome of both technologies is reliable, cost-effective, and offers robust protection for an enterprise.

DNIF

The “Open” Big Data Analytics platform that offers solutions to the world’s most challenging cyber security problems with real-time data analytics.