Most organizations rely on SIEM tools to monitor network events and manage security incidents. According to a study by Technavio, the SIEM market is expected to grow about 12% globally over the next five years.
Yet as headlines about network attacks and data breaches multiply, it is becoming clear that the incident response capabilities of current SIEM products are not meeting the needs of today's security teams. Current SIEMs focus on monitoring real-time network activity and raising an alert when something suspicious is seen. Verifying every one of those alerts is time-consuming and resource-intensive, and by now most of us are all too familiar with alert fatigue. When the average time simply to identify a breach is more than 190 days, a more proactive approach to threat detection and incident response is clearly needed.
An ecosystem of tools has grown up to work alongside, or even replace, SIEM systems. Many SOCs, for example, are incorporating endpoint detection and response (EDR) solutions into their workflow, and the EDR market reflects that, with annual growth of more than 45% projected for the category through 2020. Gartner recently reported that replacing overworked SIEMs with dedicated EDR systems is increasingly effective at securing networks, validating threats, responding to cyberattacks, and preventing new ones.
Expanding the Incident Response Toolbox
Although they fall into the same category, the platforms that make up the EDR market differ substantially in what they can do. What they share is that they collect a wealth of endpoint data (process, file, registry and network activity on each host) that a standard SIEM deployment never sees, and turn it into insight the SIEM can use. Monitoring endpoint and network activity together builds the context needed to validate an alert, but it does not by itself shorten remediation. For businesses, remediation is usually the most costly part of the process: beyond downtime and lost productivity, once the network has been secured again, public trust has to be rebuilt if sensitive customer data was exposed, and breaches can draw serious fines from regulators, especially in the financial and healthcare sectors.
Some SIEM products can ingest EDR data, but they are slow and inefficient at making use of it at that volume. As mobile devices, IoT products and even wearables join the network, the bottleneck only worsens. A dedicated EDR platform built for continuous, active monitoring, one designed for the volume and type of data these devices generate, allows faster and more accurate analysis.
In the effort to replace or augment SIEMs, some organizations have considered or deployed endpoint protection platforms (EPPs). An extension of the antivirus software we have all used for decades, EPPs focus on blocking malware and on encrypting and protecting data on the device. They are often an effective preventive control, but their view is limited to the device they are installed on. Most importantly, they do no network monitoring, so validating an externally observed threat remains just as time-consuming; response time is not shortened, and remediation stays tedious.
An EDR system that continuously collects endpoint telemetry and automatically analyzes SIEM alerts against it builds context around each alert and can cut detection time from weeks or months to hours or minutes. The network data in the alert (source host and port, destination, timestamp) is correlated with historical endpoint data (which process held that connection, what started that process, and what started that) to establish the root cause of an incident quickly, after which the team can move on to assessing, containing, and cleaning up the damage.
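To make that correlation concrete, here is an added example, written for this page rather than taken from any SIEM or EDR product. It joins a perimeter alert's 5-tuple to the endpoint's own record of the socket, then walks process ancestry back to the root cause and applies one automatic validation rule. The telemetry, the IP-to-host mapping, the field names and the helper functions are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Everything below is constructed for this example; the records are not from
# any real sensor and the field names are not a vendor's schema.

@dataclass
class ProcEvent:            # endpoint process-creation record
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str
    start: datetime

@dataclass
class NetEvent:             # endpoint record of which process opened a socket
    host: str
    pid: int
    local_port: int
    remote_ip: str
    remote_port: int
    ts: datetime

@dataclass
class SiemAlert:            # what a perimeter IDS/firewall hands the SIEM
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ts: datetime
    rule: str

HOST_BY_IP = {"10.0.5.23": "WS-0423"}   # assumed asset inventory (DHCP/CMDB in practice)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

T = datetime(2019, 3, 4, 14, 2, 0)      # base time of the constructed timeline

PROC_EVENTS = [
    ProcEvent("WS-0423", 1200, 800, "explorer.exe", "explorer.exe", T - timedelta(hours=5)),
    ProcEvent("WS-0423", 4412, 1200, "OUTLOOK.EXE", "OUTLOOK.EXE", T - timedelta(hours=4, minutes=55)),
    # PID 5388 belonged to notepad.exe earlier (since exited): PID reuse is the
    # edge case the time-aware lookup below has to handle.
    ProcEvent("WS-0423", 5388, 1200, "notepad.exe", "notepad.exe", T - timedelta(hours=4)),
    ProcEvent("WS-0423", 5120, 4412, "WINWORD.EXE", "WINWORD.EXE /n invoice_2291.docm", T - timedelta(seconds=50)),
    ProcEvent("WS-0423", 5388, 5120, "powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.ps1",
              T - timedelta(seconds=12)),
]
NET_EVENTS = [
    NetEvent("WS-0423", 4412, 51390, "198.51.100.10", 443, T - timedelta(seconds=5)),  # Outlook, benign
    NetEvent("WS-0423", 5388, 51422, "203.0.113.77", 443, T + timedelta(seconds=3)),   # PowerShell beacon
]
ALERT = SiemAlert("10.0.5.23", 51422, "203.0.113.77", 443, T + timedelta(seconds=5),
                  "Outbound connection to IP on threat-intel blocklist")


def lookup_process(host: str, pid: int, before: datetime, procs) -> Optional[ProcEvent]:
    """Process that owned (host, pid) at time `before`: the latest creation
    record for that PID that started no later than `before` (PID-reuse safe)."""
    cands = [p for p in procs if p.host == host and p.pid == pid and p.start <= before]
    return max(cands, key=lambda p: p.start) if cands else None


def find_owning_connection(alert: SiemAlert, nets, window=timedelta(seconds=30)) -> Optional[NetEvent]:
    """Match the perimeter 5-tuple to the endpoint's record of the same socket."""
    host = HOST_BY_IP.get(alert.src_ip)
    if host is None:
        return None
    cands = [n for n in nets
             if n.host == host and n.local_port == alert.src_port
             and n.remote_ip == alert.dst_ip and n.remote_port == alert.dst_port
             and abs(n.ts - alert.ts) <= window]
    return min(cands, key=lambda n: abs(n.ts - alert.ts)) if cands else None


def process_ancestry(host: str, pid: int, at: datetime, procs, max_depth: int = 16):
    """Parent chain from the socket owner up to the root, leaf first; each hop
    is resolved as of the child's start time so reused PIDs resolve correctly."""
    chain, seen = [], set()
    cur = lookup_process(host, pid, at, procs)
    while cur is not None and (cur.pid, cur.start) not in seen and len(chain) < max_depth:
        chain.append(cur)
        seen.add((cur.pid, cur.start))
        cur = lookup_process(host, cur.ppid, cur.start, procs)
    return chain


def enrich_alert(alert: SiemAlert, nets, procs) -> dict:
    """Turn a bare network alert into a root-cause picture using endpoint history."""
    conn = find_owning_connection(alert, nets)
    if conn is None:
        return {"verdict": "unresolved", "reason": "no endpoint telemetry matched the alert"}
    chain = process_ancestry(conn.host, conn.pid, conn.ts, procs)
    # Automatic validation: an Office app spawning a script host is a classic
    # malicious-document pattern, enough to escalate without an analyst.
    trigger = next((parent for child, parent in zip(chain, chain[1:])
                    if parent.image.lower() in OFFICE_APPS
                    and child.image.lower() in SCRIPT_HOSTS), None)
    return {"verdict": "validated" if trigger else "needs-analyst",
            "host": conn.host, "pid": conn.pid,
            "ancestry": [p.image for p in chain],
            "trigger": trigger.cmdline if trigger else None}


if __name__ == "__main__":
    print(enrich_alert(ALERT, NET_EVENTS, PROC_EVENTS))
```

The alert alone says only that 10.0.5.23 talked to a blocklisted address; the enriched record names the host, the PowerShell process that held the socket, the Word document that launched it and the mail client that delivered it, which is what containment needs. Two details matter in practice: the lookup is time-aware, because PIDs are reused and a naive PID join would have blamed the long-dead notepad.exe, and the match window around the alert timestamp must tolerate clock skew between the perimeter sensor and the endpoint agent.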
Establishing the source of a breach in near real time means the damage can be confined to a single machine rather than being allowed to spread across many. Instead of constantly having to decide whether an alert represents a real intrusion, the team finds that a significant share of threats are prevented outright and many more are validated automatically, so analysts can focus on containing and remediating the genuine breaches, which are rare.