EDR or SIEM: Which Should You Choose?

EDR or SIEM: Which Should You Choose

Due to the rise in ransomware and malware attacks, many businesses are evaluating their network security technology stack. As you evaluate various technologies, you will undoubtedly identify SIEM and EDR solutions but which one do you need for your business? The answer does not need to be mutually exclusive. Let's dive deeper into what these solutions are and the advantages and disadvantages of each.

What is Endpoint Detection and Response (EDR)?

‍Endpoint Detection and Response (EDR) is defined by Gartner as a solution for recording endpoint-system-level behaviors, detecting suspicious behavior in a system, and providing information in context about incidents.

The primary functions of an EDR solution are:

• Collect and monitor network activity from endpoints
• Analyze this activity data to identify potential threats
• Automatically respond to identified threats in real-time to remove or quarantine them
• Notify security personnel of identified threats
• Enable threat hunting and research activity for security personnel through forensics tools

Advantages of EDR

With EDR being in place on the endpoints within a network, EDR is in an excellent position to detect advanced attacks early in the cyber kill chain and thus prevent widespread compromise and damage. Many EDR platforms come with forensics tools that allow security teams to not only detect and respond when a compromise occurs, but also to learn and understand how it occurred. This helps teams to be proactive instead of just reactive and improving their overall security posture.

Another advantage of EDR is its predictable pricing model. The industry standard for EDR is a flat cost per endpoint. When you purchase an EDR solution, the cost structure is much more predictable than other security solutions that rely on a cost model driven by data consumption.

Disadvantages of EDR

The disadvantages of EDR stem from its reliance on endpoint data. EDR solutions in general lack a holistic network view because they derive their data from the monitored endpoints, not your network as a whole.

EDR also needs to be deployed on every endpoint within your network to be the most effective. Ensuring 100% coverage can be very complicated for some enterprises to achieve.

Lastly, EDR is only as good as the security personnel using it. Unfortunately, many organizations lack the talent in-house to make full use of EDR and its forensics capabilities. An endpoint detection and response system without trained personnel to properly respond using the EDR is only half a solution. Ensuring you have both the capacity and technical capability in your personnel is an important consideration when deciding to implement an EDR system.

What is Security Information and Event Management (SIEM)?

Security Information and Event Management (SIEM) offers enterprises detection, analysis, and alerting for security events. SIEM is a combination of security information management (SIM) and security event management (SEM). This is accomplished by ingesting and analyzing network data, usually in the form of logs, and security events from tools and devices across the network in real-time.

Advantages of SIEM

The main advantage of SIEM is that it can ingest vast amounts of data from a myriad of network sources. SIEM can derive threat telemetry from across the network which can deliver rich analytics and give security teams context into the nature and progress of attacks in real-time. Because a SIEM is generating high-context alerts, there are generally fewer false positives compared to an EDR which relies only on endpoint data.

Due to its log-collection abilities and support for an array of data sources SIEM is an excellent tool for addressing many legal and regulatory compliance requirements an organization might have.

Disadvantages of SIEM

SIEM ingests large amounts of data and needs to be continuously tuned to avoid false positives. Data sources and requirements within an organization frequently change which makes maintaining the correlation rules within the SIEM a time-consuming task requiring specialized skills in your internal security personnel.

A SIEM solution is an aggregator and analyzer by nature. The solution aggregates logs from multiple sources across your network and the pricing model reflects this function. In general, SIEM solutions are priced based on the volume of data the SIEM consumes and analyzes. This can make costs unpredictable and make budgeting for this type of solution difficult.

Finally, SIEM is an analysis tool. It is meant to identify threats, not respond to them. Unlike EDR, SIEM systems have very limited abilities to act on the threats it identifies. Once security personnel are made aware of a threat by the SIEM solution, they need to use other tools to take actions to disrupt, contain or mitigate against it.

EDR or SIEM, A Misnomer

The question of whether to choose either EDR or SIEM is not a real dilemma. Each solution offers different capabilities and provides different benefits for your security team.

Endpoint security is vitally important to prevent and respond to threats like ransomware while managing data and security incidents detected by multiple sources, even outside the endpoints, is also crucial. EDR and SIEM can work together to create an effective, multi-layer defense.

It is important to keep in mind that both solutions require ongoing management, maintenance, and specialized training to use them properly and effectively. You need to have the right team in place to maximize your security spend.

Many organizations find orchestrating these complex systems and personnel difficult and excessively time-consuming and choose to partner with a managed services provider (MSP) like Viking Cloud to deploy and manage these solutions on behalf of their organization.

‍With Viking Cloud, you can have a turnkey security stack tailored to the exact needs of your organization managed on your behalf by our team of security experts. For more information, contact us.