From SIEM to MDR to XDR: The Evolution of Workflow Automation in Threat Hunting
Author: Dimitris Dorizas, Manager, Managed Security Services and Integration at Encode
Cyber security operations have evolved fast over the second decade of the 21st century, and frankly there was not much choice, given the pace of growth of the digital marketplace and the equally rapid proliferation of digital threats. This exponential growth shows up not only in the volume of attacks but also in their quality: attacker sophistication keeps rising and tactics change continually.
Cybersecurity professionals long ago internalized that the only constant is change and movement. At the same time, far fewer cybersecurity engineers were available than were actually needed, which made the “time management” aspect ever more complicated.
Along the same lines, protection platforms have progressed from early-internet-era designs that mimicked physical-world perimeters to flexible, modular designs that employ machine learning and leave fewer routine decisions to humans.
From SIEM to MDR to XDR - The SIEM era is long over
SIEMs have been an important foundation stone of modern cyber security operations. They opened the pathway to centralizing and streamlining the incident flow, allowing organizations to set up SOCs and build workflows around this incident stream. In its early days a SIEM in its raw form could manage the log volume, and it was acceptable to rely on the judgment of SOC analysts and managers to prioritize and classify the incoming alerts and surface the real incidents.
As the volume of incoming alerts kept accelerating, SOC teams rightly devised methods to triage and prioritize, but the approach was still failing. High false-positive rates meant analysts spent their time continuously eliminating noise, and the absence of an immediate, built-in response action became obvious; this pushed forward a new development era.
From SIEM to MDR to XDR - How SOC as a Service SOARed to the top
SOC as a Service may be a successful paraphrase of Software as a Service, but the drivers behind its origins are slightly different. Given the parameters at hand, there could be no other evolution for cyber security operations. The SIEM alone could not keep up with a threat landscape that took new forms on an hourly basis, and it settled into its natural position as the analytics base within the bigger scheme of things.
SOAR was the next layer, and it filled the gap for the much-needed coordination between all the moving parts of the operations, by then already a jungle of competing and overlapping controls and patches. This allowed operations to confidently add an Incident Response layer on top of 24/7 monitoring and connect all the dots between the existing IT systems and security controls. The need for an efficient SOAR that is truly adapted to the workflows and efficiency needs of large teams of analysts who work in shifts and push alerts up the echelons of decision making meant that, once again, the landscape filled with new category leaders.
Two main differences emerged in the SOCaaS era, and we are still largely experiencing them:
First, reporting and compliance needs emerged that change according to political and social parameters and not just "pure tech" ones and zeros. Attackers, as expected, learned to leverage these patterns to sharpen their tactics and disguise their payloads.
Second, it is much harder to build a generic SOAR than a generic SIEM, because playbooks must match each organization's systems and workflows. Customization and flexibility therefore became more important factors, putting companies with strong developer teams at a considerable advantage and bringing machine learning and automation to the forefront within a very short time-span, even in internet terms.
From SIEM to MDR to XDR - MDR to handle the pressure
The advent of automation and machine learning had a similar effect in many arenas. In financial trading it cut reaction times to microseconds and made human buying decisions practically irrelevant; the same happened in language processing, media optimization and any big-data process. In cyber-warfare this expressed itself as a race for early detection. For obvious reasons, the earlier you know something is wrong, the less the damage, and MDR built itself on the capability to identify and contain before damage is done.
Early detection of user and endpoint compromise is the name of the game, and there are many paths to the same truth. The expertise required of a CIO has risen considerably in order to make confident choices in the jungle of endpoint monitoring and detection solutions and active response options. Together with rising awareness among management boards of cyber threats and their destructive potential, pressure is also growing exponentially, and MDR is currently the best tool to help security leaders distribute that pressure within their organizations in an effective and fruitful manner.
XDR - The natural evolution into a marketplace
In the ever-moving scenery of cyber threats, some platforms have become the standard, or close to it, for SIEM, and some organizations have proven proficient at SOC as a Service within a given niche or industry. The reality we are experiencing today, on both the attacking and the defensive side, is the marketplace model: you find the tools that serve your targets and combine and patch them for the specific task at hand.
According to Gartner, Extended Detection and Response (XDR) is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”
For MDR and SOCaaS, the new acronym (XDR) expresses the need for extended capabilities: automated, SOAR-like playbooks; client-tailored threat intelligence and monitoring; continuous improvement of visibility and collaboration methods; extended telemetry (endpoint, network, cloud, etc.) and more. Increasingly this is, and will continue to be, performed remotely, with cloud-based next-generation AI platforms monitoring cloud-based environments.
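As an added illustration, not code from the article or from Encode's platform, the following Python sketch ties together the capabilities listed above: per-source detection over endpoint, network and cloud telemetry, enrichment with a client-tailored IOC list, correlation of findings that share a host, user or IP within a time window, a score-based severity that decides what reaches an analyst, and a SOAR-like playbook that derives containment actions from the incident's entities. It also illustrates the earlier point about SIEM-era false positives: a low-score incident is auto-closed rather than queued for a human. The sample events, the IOC, the rule names, scores, window and action names are all hypothetical.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data); IPs are RFC 5737 documentation addresses.
ENDPOINT_EVENTS = [
    {"ts": "2024-05-01T10:00:05Z", "host": "ws-042", "user": "alice",
     "cmdline": "powershell -enc SQBFAFgAIAAo..."},
    {"ts": "2024-05-01T10:20:00Z", "host": "ws-017", "user": "bob", "cmdline": "outlook.exe"},
]
NETWORK_EVENTS = [
    {"ts": "2024-05-01T10:00:09Z", "host": "ws-042", "dst_ip": "203.0.113.77", "bytes_out": 1_200_000},
    {"ts": "2024-05-01T10:21:00Z", "host": "ws-017", "dst_ip": "198.51.100.10", "bytes_out": 4_000},
]
CLOUD_EVENTS = [
    {"ts": "2024-05-01T10:01:30Z", "user": "alice", "event": "ConsoleLogin", "src_ip": "203.0.113.77", "mfa": False},
    {"ts": "2024-05-01T10:25:00Z", "user": "bob", "event": "ConsoleLogin", "src_ip": "198.51.100.10", "mfa": False},
]
TENANT_IOCS = {"203.0.113.77"}  # hypothetical client-tailored threat intelligence (IOC set)
WINDOW = timedelta(minutes=10)   # max gap between findings linked into one incident
SEVERITY = [(80, "critical"), (50, "high"), (30, "medium"), (0, "low")]  # descending score floors

# entities is a frozenset of (kind, value) pairs such as ("host", "ws-042"); it drives the linking.
Finding = namedtuple("Finding", "ts rule score entities")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

@dataclass
class Incident:
    findings: list = field(default_factory=list)
    entities: set = field(default_factory=set)

    @property
    def score(self):
        return sum(f.score for f in self.findings)

    @property
    def severity(self):
        return next(name for floor, name in SEVERITY if self.score >= floor)

def detect(endpoint, network, cloud, iocs):
    """Per-source detection rules with hypothetical scores, normalized into Findings."""
    out = []
    for e in endpoint:
        if "-enc" in e["cmdline"].lower():              # encoded PowerShell command line
            out.append(Finding(parse_ts(e["ts"]), "encoded_powershell", 40,
                               frozenset({("host", e["host"]), ("user", e["user"])})))
    for n in network:
        ents = frozenset({("host", n["host"]), ("ip", n["dst_ip"])})
        if n["dst_ip"] in iocs:
            out.append(Finding(parse_ts(n["ts"]), "ioc_connection", 50, ents))
        if n["bytes_out"] > 1_000_000:                  # large outbound transfer
            out.append(Finding(parse_ts(n["ts"]), "large_egress", 20, ents))
    for c in cloud:
        if c["event"] == "ConsoleLogin" and not c["mfa"]:
            ents = frozenset({("user", c["user"]), ("ip", c["src_ip"])})
            score = 50 if c["src_ip"] in iocs else 10    # MFA-less login from an IOC is far worse
            out.append(Finding(parse_ts(c["ts"]), "login_without_mfa", score, ents))
    return sorted(out, key=lambda f: f.ts)

def correlate(findings, window=WINDOW):
    """Chain time-ordered findings that share a host, user or IP within the window into
    one incident. Each finding joins the first open incident it touches; a finding that
    bridges two incidents does not merge them here."""
    incidents = []
    for f in findings:
        inc = next((i for i in incidents if i.entities & f.entities
                    and f.ts - max(x.ts for x in i.findings) <= window), None)
        if inc is None:
            inc = Incident()
            incidents.append(inc)
        inc.findings.append(f)
        inc.entities |= f.entities
    return incidents

def playbook(inc, iocs):
    """Automated response derived from severity and the entities involved."""
    if inc.severity not in ("critical", "high"):   # medium: human triage; low: close as noise
        return ["open_ticket:P3"] if inc.severity == "medium" else ["auto_close:below_threshold"]
    actions = []
    for kind, value in sorted(inc.entities):
        if kind == "host":
            actions.append(f"isolate_host:{value}")
        elif kind == "user":
            actions.append(f"disable_user:{value}")
        elif kind == "ip" and value in iocs:
            actions.append(f"block_ip:{value}")
    return actions + ["open_ticket:P1"]

def run(endpoint=ENDPOINT_EVENTS, network=NETWORK_EVENTS, cloud=CLOUD_EVENTS, iocs=TENANT_IOCS):
    """Return (severity, score, rule names, playbook actions) for each correlated incident."""
    return [(i.severity, i.score, sorted(f.rule for f in i.findings), playbook(i, iocs))
            for i in correlate(detect(endpoint, network, cloud, iocs))]

if __name__ == "__main__":
    print(*run(), sep="\n")
```

With the constructed data, the ws-042/alice chain (encoded PowerShell, connection to the IOC, large egress, MFA-less cloud login from the same IOC) becomes one critical incident with host isolation, account disablement and an IP block, while bob's lone MFA-less login is closed as noise without reaching the queue. Remove the IOC from TENANT_IOCS and the same events only reach "high", which is the practical value of intelligence tailored to the client rather than a generic feed.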
As organizations mature in their understanding of and approach to cyber protection, they will realize that they need to play the game and buy "cheat codes", engaging automation and artificial intelligence that will put them in an advanced position for some time. The most helpful mindset is that you must keep modifying, adapting and testing, and it is advisable to select security providers and partners who can support fast development and meet the need for automation.
Figure 1: Maturity Level - From SIEM to Managed Detection and Response to XDR