Last updated at Tue, 20 Aug 2024 21:23:09 GMT
Innovations solve longstanding problems in creative, impactful ways — but they also raise new questions, especially when they're in the liminal space between being an emerging idea and a fully fledged, widely adopted reality. One of the still-unanswered questions about extended detection and response (XDR) is what its relationship is with security information and event management (SIEM), a more broadly understood and implemented product category that most security teams have already come to rely on.
When looking at the foundations of XDR, it seems like it could be a replacement for, or an alternative to, SIEM. But as Forrester analyst Allie Mellen noted in her recent conversation with Rapid7's Sam Adams, VP for Detection and Response, the picture isn't quite that simple.
"Some SIEM vendors are repositioning themselves as XDR," Allie said, "kind of trying to latch onto that new buzzword." She added, "The challenge with that is it's very hard to see what they're able to offer that's actually differentiating from SIEM."
Where SIEM stands today
To really understand how the rise of XDR is impacting SIEM and what relationship we should expect between the two product types, we first need to ask a key question: How are security operations center (SOC) teams actually using their SIEMs today?
At Forrester, Allie recently conducted a survey asking SOC teams this very question. While some have focused on the compliance use case as a main driver for SIEM adoption, Allie found that just wasn't the case with her survey respondents. Overwhelmingly, security analysts are using their SIEMs for detection and response, making it the core tool within the SOC.
More than that, Allie's survey actually found the old adage that security teams hate their SIEMs just isn't true. The vast majority of analysts she surveyed love using their SIEMs (even if they wish it cost them less).
Together, for now
With SIEM claiming such an integral role in the SOC, Allie acknowledged that we likely shouldn't expect it to be simply replaced by XDR in the near term.
"For the time being, I definitely see SIEM and XDR solutions living together in a very cohesive fashion," she said.
She went on to suggest that maybe in 5 years or so, we'll start to see XDR offerings that truly tackle all SIEM use cases and fully deliver on some capabilities that are only in the realm of possibility today. But until XDR can fully address compliance, for example, we're likely to see it exist alongside and, ideally, in harmony with SIEM.
The SIEM and XDR opportunity
So, what will that coexistence of SIEM and XDR look like? Sam suggested it might be the fulfillment of the original vision of SIEM solutions like InsightIDR: to make the security analyst superhuman by enabling them to be hyper-efficient at detecting and responding to threats. Allie echoed this sentiment, noting that XDR is all about elevating the role of the SOC analyst rather than automating their tasks away.
"I am not a big believer in the autonomous SOC or this idea that we're going to take away all the humans from this process," she said. "At the end of the day, it's a human-to-human fight. The attackers are not automating themselves away, so it's very unlikely that we'll be able to create a product that can keep up with as many human beings as there are attacking us all the time."
For Allie, the really exciting thing about XDR is its potential to humanize security operations. By reducing the amount of repetitive work analysts have to do, it frees them up to be truly creative and visionary in their threat detection efforts. This can also help improve retention rates among security pros as organizations scramble to fill the cybersecurity skills gap.
"It's a lofty dream, a lofty vision," Allie acknowledged, "but XDR is definitely pushing down that path."
Want more XDR insights from our conversation with Allie? Check out the full talk.