Decoupling Security and Compliance: Lessons from the Real World

Recent moves by Cisco, Microsoft, and other security providers suggest that big bets are being placed on the merger of XDR and SIEM. And, on paper, this merger may seem to make sense. After all, both XDR and SIEM serve as consolidated repositories of the data that enterprises need to maintain their digital health. So why not consolidate them? Isn’t a single version of the truth better than two parallel versions? And won’t enterprises save money if their platform vendors can offer them two for the price of one?

No. Because in the real world, unifying XDR and SIEM rarely aligns with the outcomes that organizations seek. Organizations contemplating a closed, integrated XDR/SIEM architecture should think twice. Why?

  • Security and compliance are two distinct business needs performed by two distinct teams with two distinct sets of requirements.
  • Best-practice enterprises achieve a single version of the truth with best-practice data management, not by forcing their business functions into a single, complex technical architecture.
  • Closed platform vendors consolidate solutions to gain account control and optimize their financials, not to save you money or to empower you to freely chart your own course.

Given that security and compliance—or, to be more precise, cybersecurity and cyber compliance—are two very distinct business functions, let’s consider them in a bit more depth.

Cybersecurity and XDR

Cybersecurity is a highly specialized technical discipline that implements technical defenses and controls in order to mitigate the business risks posed by external and internal cyberthreats.

At its highest level, your cybersecurity team’s mission is to constantly map what it knows about cyberthreats (threat intelligence) against what it knows about your IT environment (endpoints, networks, cloud, etc.) in order to interpose the right cyber defenses. Your cybersecurity team also has to map threat intelligence to any behaviors it detects in your IT environment so they can quickly detect indicators that your primary cyber defenses may have failed—and then respond rapidly and appropriately to neutralize that active malfeasance.

And this, of course, is what XDR is designed to do. The Secureworks® Taegis™ XDR platform is designed to transform new threat intelligence into new highly sensitive threat detection and to facilitate rapid response via automation and guided action. It does this while only generating a low volume of false positive alerts, keeping analysts focused on priority true positive alerts and investigations.

Cyber compliance and SIEM

Cyber compliance, in marked contrast, is a rather straightforward data management discipline implemented as part of a broader program to mitigate business risks posed by failure to comply with regulatory mandates.

At its highest level, your compliance team’s mission is to constantly map what it knows about regulations against what it knows about your business process data flows to implement the right data controls. Your compliance team also has to 1) detect anomalous events requiring attention and 2) present evidence of its data oversight to auditors in the form of event logs.

And this, of course, is what SIEM is designed to do. SIEMs are event repositories. They have to be complete in order to fulfill their function as systems of record for auditors. And as data repositories they can also be queried for anomaly and pattern detection.

A Clear Distinction

Unlike XDR, SIEMs don’t have to constantly refine their heuristics to detect cybercriminals’ ever-evolving tactics, techniques, and procedures. SIEMs also get pretty big and pretty expensive in order to fulfill their auditability function. And that cost is going to vary significantly based on whether an organization is in a highly regulated market such as healthcare or finance.

An organization’s XDR costs, on the other hand, are driven by very different factors—such as the size of its IT environment and its tolerance for risk. XDR doesn’t need to retain all the extraneous data required by SIEM. It doesn’t require a massive budget to keep logs focused on security-related telemetry. Unless, of course, it is consolidated with SIEM.
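The split described above (a complete, auditable event repository on one side, a focused threat-intel-driven detection stream on the other) can be made concrete with a small routing pipeline. The following is an added illustration, not Secureworks or Taegis code: the event format, field names, threat-intel indicators and the failed-login threshold are all constructed assumptions. Every event is appended to a hash-chained compliance archive (the SIEM role: nothing dropped, tampering detectable, queryable for auditors), while only security-relevant event types are forwarded to detection logic that maps them against the indicator set (the XDR role).

```python
"""Route one event stream to two consumers with different requirements.

Added example, not vendor code. Log format, field names, indicators and
thresholds are constructed assumptions for illustration only.
"""
import hashlib
import json

# Constructed sample telemetry (not captured from any real system).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00Z", "src": "10.0.0.5", "type": "file_access",
     "path": "/data/patient_records.csv", "user": "alice"},
    {"ts": "2024-01-01T10:00:05Z", "src": "10.0.0.7", "type": "dns",
     "query": "updates.example.net"},
    {"ts": "2024-01-01T10:00:09Z", "src": "10.0.0.7", "type": "dns",
     "query": "evil.example-malware.test"},
    {"ts": "2024-01-01T10:01:00Z", "src": "10.0.0.9", "type": "auth",
     "result": "failure", "user": "bob"},
    {"ts": "2024-01-01T10:01:02Z", "src": "10.0.0.9", "type": "auth",
     "result": "failure", "user": "bob"},
    {"ts": "2024-01-01T10:01:04Z", "src": "10.0.0.9", "type": "auth",
     "result": "failure", "user": "bob"},
    {"ts": "2024-01-01T10:02:00Z", "src": "10.0.0.5", "type": "file_access",
     "path": "/data/payroll.xlsx", "user": "carol"},
]

# Constructed threat-intel indicators (placeholder values, not real IoCs).
THREAT_INTEL = {"domains": {"evil.example-malware.test"}, "ips": {"203.0.113.9"}}

# Only these event types are forwarded to detection; everything else is
# archived for compliance but never costs detection-side storage or analyst time.
SECURITY_EVENT_TYPES = {"dns", "auth", "network", "process"}
AUTH_FAILURE_THRESHOLD = 3  # assumed heuristic threshold


class ComplianceArchive:
    """System of record: keeps every event, hash-chained so an auditor can
    verify that no record was dropped or altered after the fact."""

    GENESIS = "0" * 64

    def __init__(self):
        self.records = []
        self.prev_hash = self.GENESIS

    @staticmethod
    def _digest(prev_hash, event):
        payload = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

    def append(self, event):
        h = self._digest(self.prev_hash, event)
        self.records.append({"event": event, "prev": self.prev_hash, "hash": h})
        self.prev_hash = h

    def verify(self):
        """Recompute the chain; False if any record was modified or reordered."""
        prev = self.GENESIS
        for rec in self.records:
            if rec["prev"] != prev or self._digest(prev, rec["event"]) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def query(self, **criteria):
        """Simple field-match query, the kind of evidence lookup auditors ask for."""
        return [r["event"] for r in self.records
                if all(r["event"].get(k) == v for k, v in criteria.items())]


def detect(event, intel, state):
    """Map threat intel and one behavioural heuristic onto a single event.
    Returns a list of alert strings (usually empty)."""
    alerts = []
    if event["type"] == "dns" and event.get("query") in intel["domains"]:
        alerts.append(f"threat-intel match: DNS query {event['query']} from {event['src']}")
    if event["type"] == "network" and event.get("dst") in intel["ips"]:
        alerts.append(f"threat-intel match: connection to {event['dst']} from {event['src']}")
    if event["type"] == "auth" and event.get("result") == "failure":
        counts = state.setdefault("auth_failures", {})
        counts[event["user"]] = counts.get(event["user"], 0) + 1
        if counts[event["user"]] == AUTH_FAILURE_THRESHOLD:
            alerts.append(f"{AUTH_FAILURE_THRESHOLD} failed logins for user {event['user']}")
    return alerts


def run_pipeline(events=SAMPLE_EVENTS, intel=THREAT_INTEL):
    """Archive everything; forward only security-relevant events to detection."""
    archive = ComplianceArchive()
    alerts, forwarded, state = [], 0, {}
    for ev in events:
        archive.append(ev)                 # compliance path: complete by design
        if ev["type"] not in SECURITY_EVENT_TYPES:
            continue                       # detection path: focused by design
        forwarded += 1
        alerts.extend(detect(ev, intel, state))
    return {"archive": archive, "archived": len(archive.records),
            "forwarded": forwarded, "alerts": alerts}


if __name__ == "__main__":
    result = run_pipeline()
    print(f"archived={result['archived']} forwarded={result['forwarded']}")
    for a in result["alerts"]:
        print("ALERT:", a)
```

The point of the two paths is that they answer different questions from the same data: the archive must be complete and tamper-evident because its consumer is an auditor, while the detection path is deliberately lossy because its consumer is an analyst whose time is the scarce resource. Merging the two forces the detection side to carry the archive's retention cost, which is exactly the budget inflation the text describes.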

In other words, closed platform vendors may try to convince IT decision makers that XDR and SIEM should be unified simply because they share some data. But they are two distinct technologies used by two distinct sets of stakeholders to achieve two distinct business objectives.

Convergence or Divergence?

From an organizational perspective, the empirical evidence is that cybersecurity and cyber compliance are diverging rather than converging. Few organizations are merging their cybersecurity and cyber compliance functions. On the contrary, more organizations are recognizing that the magnitude of their cybersecurity risks warrants a CSO and/or CISO to address those risks exclusively.

Meanwhile, as concerns about all types of regulatory risk also escalate, cyber compliance is increasingly being folded into the domain of CCOs and CFOs. To executives in these positions, the digital aspects of compliance with mandates such as HIPAA and SEC guidelines are merely a subset of their broader risk landscape—which includes everything from mailing out required legal notifications to implementing anonymized hotlines for employee whistleblowers.

When looked at in this light, it doesn’t make sense for an organization’s software to go in the opposite direction from its business. Organizations that lack heavy cyber compliance use cases don’t need to invest in the higher cost of ownership of SIEM. Those with both cybersecurity and basic cyber compliance needs may consider XDR solutions that have some SIEM functionality included without the bloated associated expense.

For most organizations, the answer is to use XDR to achieve your cybersecurity objectives, and use SIEM to achieve your cyber compliance objectives, assuming your compliance needs make an investment in SIEM truly worthwhile.

To learn more about whether XDR or SIEM is the best choice for your organization, download the whitepaper: XDR vs. SIEM: A Cybersecurity Leader’s Guide.

Security and compliance are two very distinct business functions performed by two very distinct teams with two very distinct sets of requirements – the only thing similar is the data underneath.
