- News & Resources: Listings >
- Blog
- Microsegmentation: Protecting Data from Cyber Threats
- Retail shoplifting and loss prevention: How to protect your business
- Generative AI Cost Optimization Strategies
- Why Do I Need to Protect My Cloud?
- 10 Reasons for Engaging Outside Experts to Manage Your Cybersecurity
- Why Hiring a 3rd Party MSP Expert Makes Sense and – and Cents (MANY cents!)
- Brand and Network Considerations When Adopting AI Corporately
- Integrating XDR, SIEM, and SOAR
- 3-2-1 –Go? Not so quick, this time.
- 5 Things a CISO Shoud Know
- 10-Step Patch Management Checklist
- Penetration Testing vs. Breach Attack Simulation
- Current big cyber breaches and impact on businesses
- Smart Infrastructure Gets Lit Up!
- Securing Industrial IoT: The Missing Puzzle Piece
- 7 Common Cybersecurity Mistakes Made by SMBs
- The Future of Physical Security: Cloud-Based Systems
- Autonomous and Sensor Technology Use Surging
- 2024 Facilities Trends Will Require Facilities and IT Teams to Work in Tandem
- NGFW vs. WAF. What’s the Right Firewall for You?
- Chris Hadfield’s Words To Live By
- Industrial Revolution 4.0 + IIoT
- Digital Fluency Drives Innovation
- Your Cloud Needs Protecting, Too
- Your building alarm systems could become obsolete. In 2024!
- Zero Trust 2.0: Zero Trust Data Resilience (ZTDR)
- We just got, or got used to, Wi-Fi 6. What is Wi-Fi 7?
- What Does the Board Need to Know? Business Metrics that CISOs Should Share – 4th and Last in a Four-Part Series
- Why 2024 is the Year for AI Networking
- International Women’s Day is Tomorrow – Great Time to Think About…
- Data-Centric Security Step One: Classifying Your Data
- The Network – Unsung Hero of Super Bowl LVIII
- What Does the Board Need to Know? Business Metrics that CISOs Should Share – Third in a Four-Part Series
- Boosting IT Team Performance by Fostering Intuition, Curiosity and Creativity
- Breach Remediation Costs Can Wipeout Bottom Line and Business
- Hoodied Hackers Now Favour Hugo Boss
- What Do You Need to Tell the Board? Business Metrics that CISOs Should Share – Second in a Four-Part Series
- How to Get People to Re-Engage After the Holidays
- What Does the Board Need to Know? Business Metrics that CISOs Should Share – First in a Four-Part Series
- Android Devices MUST be Updated + IT Departments Being Cut as Privilege Escalation Escalates
- Today’s Common Cloud Migration and Management Concerns
- Protect Your Healthcare Network from Cyberattack – Lives are at Stake
- Happy Halloween: Black Cats Lead to Boo….Hoo.
- Insurance Underwriters are Protecting Their Flanks
- Insurance Companies Cracking Down as Cybercriminals Become Better Business Builders
- Scary Cyberattacks Stats
- Parents, Profs and IT Professionals Perceive Back-to-School Through Different Lens
- Zscaler’s new IDTR and other tools that leverage generative AI
- Vanquish Vaping, Vandalism and Villainy
- Fabric for Fast-Paced Environments
- Changes to Cyber Insurance Requirements – What you Need to Know
- Cybersecurity Readiness – Newly Released Report
- Passwords Leaked…Again
- 10-Step Patch Management Checklist
- Remote – Again – For Now… and Still Maintaining Engagement
- Protecting Pocketbooks, Passwords and Property from Pilfering
- Raspberry Robin: Highly Evasive Worm Spreads over External Disks
- Cisco Introduces Responsible AI – Enhancing Technology, Transparency and Customer Trust
- Managing Customer Trust in Uncertain Supply Chain Conditions
- Hope on the Horizon
- Toys of Tomorrow… What will spark your imagination? Fuel your imagination?
- Protecting Purses and Digital Wallets
- The Password that Felled the Kingdom + MFA vs 2FA
- The MOE’s RA 3.0 and Zscaler
- 7 Critical Reasons for MS Office 365 Backup
- Penetration Testing Important, but…
- Social Engineering and Poor Patching Responsible for Over 90% of Cybersecurity Problems
- Breach Incidence and Costs On the Rise Again + 5 Ways to Reduce Your Risk
- Cybersecurity Insurance Policies Require Security Audits and Pen Testing
- Wireless strategies for business continuity gain importance as enterprise expand IoT, cloud, and other technologies
- How Cybercrooks are Targeting YOU
- Enabling Digital Transformation with Cisco SD-WAN
- WFH Post Pandemic – What It Will Look Like. What You’ll Need.
- Leaders to looking to the IoT to improve efficiency and resiliency
- Cyber Security Vernacular – Well, some of it, for now
- Why You Need Disaster Recovery, NOT Just Back-Ups
- 10 Reasons Why Having an Expert Manage Your Cybersecurity Makes Sense and Saves Dollars
- Converting CapEx IT Investments into Manageable OpEx
- The Hybrid Workplace – Planning the Next Phase
- Cisco Cloud Calling: Empowering Customers to Thrive with Hybrid Work
- When You Can’t Access the Cloud
- How to Keep On Keeping On
- New Cisco Research Reveals Collaboration, Cloud and Security are IT’s Top Challenges
- Threats from Within on the Rise
- Cloud Covered? If Not, Take Cover!
- Zero Trust and Forrester Wave Report
- Password Based Cyber Attack: Like Leaving Keys Under Doormats
- So, What’s Up With Sensors?
- Sensors and Systems Create a Digital “Last Mile” and Help Skyrocketing Costs
- Scanners Provide Peace of Mind for Returning Students and Workers
- Sensors Improve Operations and Bottom Line… Easily and Cost-Affordably.
- Cisco Meraki Looks at 2021
- 2020 Holiday Shopping: Cybersecurity and Other Tips to Safeguard Wallets and Systems
- How to make the most of the technology you have
- Personnel, Planet and Business Progress: More Interdependent Than Ever Before
- Sure… you can get them all in the boat – but can you get them to work well together?
- Pushing the Zero Trust Envelope – Cisco is Named a Leader in the 2020 Forrester Zero Trust Wave
- Cloud Data Must be Protected, Too!
- Don’t Let Anyone Get the Dirt on You – Make It Instead!
- How IoT Devices Can Help You and Your business
- WebEx – A World of Possibility
- Creating Your Breach Response Plan Now Will Save You Thousands Down The Road
- Been hacked? Here’s what you must do next.
- The Need for Pen Testing is At an All-Time High
- 5 Ways an IT Reseller Improves Your Performance and Peace-of-Mind
- 5G and Wi-Fi 6: Faster, more flexible, and future ready. Are you?
- Network and Data Security for Returning and Remote Workers + Disaster Recovery Symposium
- Collaboration and Cisco WebEx: Protecting Your Data
- Thursday’s Virtual Conference Tackles Today’s Supply Chain Trials and Tribulations
- 10 Tips to Reduce Cloud Storage Risk
- COVID-19 Crisis Fuelling IT Spending
- Supply Chain/Logistics Experts Share Their Expertise
- Cisco Breach Defence Overview
- Announcing Our New Website and Blog
Kunal Hatode, Cyber Operations Lead, CX – Security Centre of Excellence, is a Senior Technical Leader specializing in solution integration of Cloud services, Wide Area Network and Cyber Security with Cisco. On July 10, 2024, he wrote:
“In the ever-evolving landscape of cybersecurity, the integration of cutting-edge technologies has become paramount to stay ahead of sophisticated threats. One such powerful combination that is revolutionizing security operations is the integration of Extended Detection and Response (XDR), Security Information and Event Management (SIEM), and Security Orchestration, Automation, and Response (SOAR). Let’s delve into the trifecta effect of integrating these technologies and how they can enhance your organization’s security posture.
Security Information and Event Management (SIEM)
SIEM solutions play a crucial role in centralizing and analyzing security event data from various sources within an organization. They provide real-time monitoring, threat detection, and incident response capabilities. By aggregating logs and data from security and non-security disparate systems, SIEM enables security teams to detect anomalies, investigate security incidents, and comply with regulatory requirements.
Extended Detection and Response (XDR)
XDR represents a holistic approach to threat detection and response by consolidating multiple security layers into a unified platform. It provides enhanced visibility across endpoints, networks, and cloud environments, enabling security teams to detect and respond to threats more effectively. By leveraging advanced analytics and machine learning, XDR can correlate and analyze vast amounts of data to identify complex threats in real-time.
Security Orchestration, Automation, and Response (SOAR)
SOAR platforms empower security teams to automate repetitive tasks, orchestrate incident response workflows, and streamline security operations. By integrating with XDR and SIEM, SOAR can enhance the efficiency and effectiveness of incident response processes. It enables teams to respond to security incidents rapidly, reduce manual errors, and improve overall response times.
How XDR, SIEM, and SOAR Complement Each Other
The trifecta effect of integrating XDR, SIEM, and SOAR brings together the best of all three worlds, creating a comprehensive and synergistic security solution. Here’s how the components of each technology complement each other:
- XDR and SIEM: XDR’s advanced analytics, machine learning, and threat detection capabilities are integrated with SIEM’s centralized log management and real-time monitoring. This combination enables organizations to detect and respond to both known and unknown threats more effectively, as well as comply with regulatory requirements. SIEM’s pattern recognition capabilities can help XDR identify threats through pattern recognition, while XDR’s API data access and stealth threat detection capabilities can enhance SIEM’s detection capabilities. XDR and SIEM can work together in a security architecture to provide a more robust and mature security posture. For instance, XDR can provide real-time visibility, and SIEM can provide forensic search, data archival, and customization. XDR can reduce the number of contextualized alerts sent to the SIEM for prioritized investigations, enabling security teams to respond to security incidents more efficiently.
- XDR and SOAR: XDR’s response integrations can have similar functionality to SOAR platforms, with the potential to make SOAR a native part of XDR platforms in the future. This integration allows for automated threat response, enabling security teams to automatically remediate threats in their environment without human intervention. SOAR’s orchestration and automation capabilities can also enhance XDR’s response capabilities, providing a more proactive defense posture.
- SIEM and SOAR: SIEM and SOAR can integrate best-of-breed components without vendor lock-in, allowing for more flexibility in security operations. SOAR’s incident response capabilities, such as use-case-based playbooks, can orchestrate response actions across the environment, assign tasks to personnel, and incorporate user inputs to augment automated actions. This integration can help SOAR platforms focus on incident response, while SIEM solutions can focus on data collection and analysis.
Case Study: Credential Stuffing Attack
Let’s walk through a scenario of a credential stuffing aAttack and model how this trifecta could come into play:
Phase 1: Attack Initiation and Initial Detection
An attacker begins a credential stuffing attack by using previously breached username and password pairs to gain unauthorized access to the organization’s web applications.
- XDR Role: XDR monitors the endpoints and detects a high volume of failed login attempts from various IP addresses, which is unusual and indicative of a credential-stuffing attack. XDR can also identify successful logins from suspicious locations or devices, adding this information to the incident details.
- SIEM Role: The SIEM system, collecting logs from web application firewalls (WAF), authentication servers, and user databases, notices an abnormal spike in authentication requests and login failures. This complements the XDR’s endpoint visibility by providing a network-wide perspective and helps to confirm the scale of the attack.
Phase 2: Alert Correlation and Confirmation of the Attack
The attack continues as the attacker tries to automate login requests to bypass security controls.
- XDR Role: XDR correlates the failed authentication attempts with geographic anomalies (such as logins from countries where the company does not operate) and reports these findings to the SIEM.
- SIEM Role: SIEM cross-references the XDR alerts with its log data, confirming the attack pattern. It leverages its correlation rules to identify legitimate accounts that may have been compromised during the attack, which XDR might not be able to determine on its own.
Phase 3: Automated Response and Mitigation
With the attack confirmed, rapid response is necessary to minimize damage.
- SOAR Role: Upon receiving alerts from both XDR and SIEM, the SOAR platform triggers a predefined response playbook that automatically enforces additional authentication requirements for the affected accounts, such as multi-factor authentication (MFA), and blocks IP addresses associated with the attack.
- XDR Role: XDR can automatically enforce endpoint-based security controls, like updating access policies or locking down accounts that have shown suspicious login activities.
- SIEM Role: SIEM supports the response by providing additional context for the SOAR to execute its playbooks effectively, such as lists of affected user accounts and their associated devices.
Phase 4: Post-Attack Analysis and Strengthening Defenses
After blocking the immediate threat, a more in-depth analysis is conducted to ensure all compromised accounts are secured.
- SIEM Role: SIEM facilitates a detailed investigation by querying historical data to uncover the full scope of the attack, identifying compromised accounts, and understanding the methods used by attackers.
- SOAR Role: SOAR provides workflows and playbooks to automatically reset passwords and notify affected users, while also updating security policies based on the attack vectors used.
- XDR Role: The XDR platform assists with forensic analysis by leveraging its integrated view across endpoints, network, and cloud to pinpoint how the attacker could bypass existing security measures.
Phase 5: Continuous Improvement and Monitoring
To prevent future attacks, the organization needs to refine its security posture and implement new controls.
- SOAR Role: SOAR can automate the rollout of new security policies across the organization and conduct simulated phishing exercises to educate employees about security best practices.
- SIEM Role: SIEM takes charge of long-term data collection and analysis to monitor for new patterns that may indicate a repeat of the attack, ensuring continuous improvement in the organization’s security monitoring capabilities.
- XDR Role: XDR continuously monitors for any signs of a resurgence of the attack or similar tactics being used, ensuring ongoing vigilance and quick detection of any new threats.
In this scenario, XDR and SIEM play complementary roles where XDR’s real-time analysis and endpoint visibility are enhanced by SIEM’s ability to provide a broader view of the network and historical non-security context. The SOAR platform bridges the gap between detection and response, allowing for quick and efficient mitigation of the attack. This integrated approach ensures that no aspect of the attack goes unnoticed and that the organization can rapidly adapt to and defend against such sophisticated cyber threats.
Impact of Non-Integrated Approach
Removing either SIEM or XDR from the scenario would significantly affect the organization’s ability to effectively detect, respond to, and recover from a credential-stuffing attack. Let’s consider the impact of removing each one individually:
Removing SIEM
- Loss of Centralized Log Management: Without SIEM, the organization loses centralized visibility into the security data generated by various devices and systems across the network. This makes it more challenging to detect patterns and anomalies that are indicative of a credential stuffing attack, especially when they span across multiple systems and applications.
- Reduced Correlation and Contextualization: SIEM’s strength lies in its ability to correlate disparate events and provide context, such as flagging simultaneous login failures across different systems. Without SIEM, the organization may not connect related events that could indicate a coordinated attack.
- Inefficient Incident Management: SIEM platforms often serve as the hub for incident management, providing tools for tracking, investigating, and documenting security incidents. Without it, the organization may struggle with managing incidents effectively, potentially leading to slower response times and less organized remediation efforts.
- Difficulty in Compliance Reporting: Many organizations rely on SIEM for compliance reporting and audit trails. Without SIEM, they may find it more challenging to demonstrate compliance with various regulations, potentially leading to legal and financial consequences.
Removing XDR
- Reduced Endpoint and Network Visibility: XDR provides a detailed view of activities on endpoints and across the network. Removing XDR would leave a blind spot in detecting malicious actions occurring on individual devices, which are often the entry points for credential-stuffing attacks.
- Weakened Real-time Detection: XDR platforms are designed for real-time detection and response. Without XDR, the organization might not be able to detect and respond to threats as quickly, allowing attackers more time to exploit compromised credentials.
- Limited Automated Response: XDR can automate immediate response actions, such as isolating a compromised endpoint or terminating a malicious process. Without XDR, the organization would have to rely more heavily on manual intervention, potentially allowing the attack to spread further.
- Loss of Integrated Response Capabilities: XDR often integrates with other security tools to provide a coordinated response to detected threats. Without XDR, the organization may find it more difficult to execute a synchronized response across different security layers.
The Case for an Integrated Approach
The conversation should not be framed as “XDR vs. SIEM & SOAR” but rather as “XDR, SIEM and SOAR.” These three technologies are not mutually exclusive anymore; instead, they complement each other and serve to strengthen an organization’s security posture when integrated effectively.
In essence, the integration of XDR, SIEM, and SOAR technologies is not a competition but a collaboration that brings together the best features of all three worlds.”
To learn more, please contact us at [email protected], or 1.877.238.9944.