What is XDR and what’s the difference from SIEM?
XDR (Extended Detection and Response) is a recent trend pushed by large security vendors, and too often people find themselves asking “okay, what’s the difference from SIEM?”.
According to Gartner, the main difference is that XDR is natively integrated with other security products, typically from the same vendor, which is supposed to yield better detection and response capabilities. But let’s look at what this means in practice.
First, Gartner has refused to define “next-gen SIEM”, and over the years SIEM has grown to include UEBA, SOAR, NTA, machine-learning threat detection, threat intelligence and other capabilities. Legacy SIEM might have been just “log collection and correlation rules”, but that’s no longer the case, so any comparison of XDR with “legacy SIEM” should be taken with a grain of salt. Well, with the same grain of salt we should apply to the claims of SIEM vendors.
So the fact that XDR integrates everything and promises every possible threat detection and response capability does not make it different from what a modern (next-gen) SIEM claims to be. If a SIEM can’t receive and correlate data from firewalls, CASBs, EDRs, email gateways and whatever other security tools an organization has purchased over the years, it’s not an actual SIEM.
The main differentiation, then, remains the native, out-of-the-box integration with other security products. If all of your security products are from the same vendor, then that vendor’s XDR will probably be easier to set up and will produce fewer false positives. Probably. Because let’s get down to how this actually works – big security vendors fill their portfolio by building new products over the years or by acquiring smaller vendors (startups) for their product. In both cases, these products have been developed with different architectures by different teams. The fact that they carry the same logo doesn’t mean the integration isn’t “bolted on” after the fact. It might benefit from better alignment in future development and feature coordination, but the technical plumbing underneath is probably the same old syslog and CLIs (or APIs if you’re lucky).
Integration means two things in a security context – how you collect the data (logs, telemetry, activity) and how you execute response actions (blocking, disabling, shutting down, creating tickets, etc.). A SIEM does collection in exactly the same way an XDR product would – it taps into the logs the tools already generate (hopefully in a standard format, though it shouldn’t really matter if the SIEM has good collection tools). And apart from undocumented internal APIs, a SIEM’s incident response capabilities tap into exactly the same interfaces an XDR would use – invoking CLI commands or publicly accessible APIs. Cloud makes no difference here, as it usually has APIs for everything anyway, so both the SIEM and XDR vendors consume those same APIs.
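To make the two halves of “integration” concrete, here is an added example (not code from the original post, and not any vendor’s product): a small Python pipeline that collects a firewall syslog line and an EDR JSON event (both constructed samples), normalises them into one event schema, correlates them with a single rule, and dispatches response actions through a connector. The log formats, field names, the `RecordingConnector` class and its `isolate_host` / `block_ip` actions are all assumptions standing in for whatever public API a real product exposes; the syslog year and UTC timezone are also assumed, since BSD syslog carries neither.

```python
# Added example (not the original post's code): a SIEM-style
# collect -> normalise -> correlate -> respond pipeline over two sources.
# All inputs are constructed samples; the connector is a hypothetical
# stand-in for a vendor response API.
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed samples: a key=value syslog line from a firewall and a JSON
# event from an EDR agent, both about the same workstation.
FIREWALL_SYSLOG = (
    "<134>Mar 12 10:02:17 fw01 fw: action=deny src=10.0.5.23 "
    "dst=203.0.113.9 dport=4444 proto=tcp"
)
EDR_JSON = json.dumps({"ts": "2024-03-12T10:01:55Z", "host": "ws-23",
                       "host_ip": "10.0.5.23", "event": "malware_detected",
                       "severity": "high"})

# BSD syslog: <PRI>TIMESTAMP HOST TAG: MSG
SYSLOG_RE = re.compile(r"^<\d+>(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: (.*)$")

def parse_firewall_syslog(line, year=2024):
    """Normalise a firewall syslog line. BSD syslog timestamps carry no year
    or timezone, so both are assumed (2024, UTC) for the constructed sample."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # not this source's format; a real collector would log it
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return {"source": "firewall", "time": ts.replace(tzinfo=timezone.utc),
            "host_ip": fields.get("src"), "kind": fields.get("action"),
            "detail": fields}

def parse_edr_json(line):
    """Normalise an EDR JSON event into the same schema as the firewall."""
    rec = json.loads(line)
    return {"source": "edr",
            "time": datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
            "host_ip": rec["host_ip"], "kind": rec["event"], "detail": rec}

def correlate(events, window=timedelta(minutes=5)):
    """One correlation rule: an EDR malware detection on a host plus a firewall
    deny from that same host within the window becomes a single incident
    carrying the response actions it calls for."""
    detections = [e for e in events
                  if e["source"] == "edr" and e["kind"] == "malware_detected"]
    denies = [e for e in events
              if e["source"] == "firewall" and e["kind"] == "deny"]
    incidents = []
    for d in detections:
        related = [f for f in denies if f["host_ip"] == d["host_ip"]
                   and abs(f["time"] - d["time"]) <= window]
        if related:
            actions = [("isolate_host", d["host_ip"])]
            actions += [("block_ip", f["detail"]["dst"]) for f in related]
            incidents.append({"host_ip": d["host_ip"],
                              "evidence": [d] + related, "actions": actions})
    return incidents

class RecordingConnector:
    """Hypothetical response connector. A real one would call the EDR's and
    firewall's public APIs; this one only records what would be invoked."""
    def __init__(self):
        self.calls = []

    def isolate_host(self, ip):
        self.calls.append(("isolate_host", ip))
        return True

    def block_ip(self, ip):
        self.calls.append(("block_ip", ip))
        return True

def dispatch(incidents, connector):
    """Map each abstract action onto a connector method. Actions the connector
    does not implement are reported as failed rather than silently dropped."""
    results = []
    for inc in incidents:
        for action, target in inc["actions"]:
            fn = getattr(connector, action, None)
            results.append((action, target, bool(fn and fn(target))))
    return results

def run_pipeline(lines, connector):
    """lines: (source, raw_line) pairs. Returns (incidents, dispatch results)."""
    parsers = {"firewall": parse_firewall_syslog, "edr": parse_edr_json}
    events = [parsers[src](raw) for src, raw in lines]
    incidents = correlate([e for e in events if e is not None])
    return incidents, dispatch(incidents, connector)

if __name__ == "__main__":
    conn = RecordingConnector()
    incs, res = run_pipeline([("firewall", FIREWALL_SYSLOG), ("edr", EDR_JSON)], conn)
    print(f"{len(incs)} incident(s); actions: {res}")
```

The point of the example is that nothing in it depends on who made the firewall or the EDR: swap the two parsers and the connector, and the correlation and dispatch code stays the same. That is exactly the position a SIEM is in whenever a vendor publishes its log format and its response API.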
Top 3 XDR Advantages
So an XDR might be differentiated by better access to internal documentation, knowledge of weird, non-standard log formats, and possibly the use of internal APIs. What XDR really delivers is vendor lock-in (again, pointed out by Gartner). Setup can indeed be easier, and SIEM projects often fail at that stage, but we have yet to gather data about failed XDR projects in order to make a comparison.
The XDR trend can actually be bad for the industry – if “native integration” is valued over “publicly available integration”, the result is fewer public APIs and fewer common log and event formats for a SIEM to tap into. If only the vendor’s own XDR product speaks the language of that vendor’s other tools, that’s bad design. And the assumption that organizations will have only (or mostly) products from a single vendor is too often wrong.
What’s the future of XDR?
What will probably happen is that SIEM vendors will rightly claim XDR capabilities, and XDR will become a “capability” rather than a product category. XDR products will then have to merge into the SIEM category and compete there – if they are better, so be it. But SIEM is better positioned to provide 360-degree visibility into diverse IT ecosystems. And whether the “response” part is better or worse comes down to feature-level comparison, not to fundamental differences in the category definition.
Bozhidar Bozhanov is co-founder and the CEO at LogSentinel. He is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He’s also a former government advisor on e-government, transparency and information security.