When you start reading cybersecurity articles or watching videos on the subject, it won't be long before you run into the terms SIEM, EDR, and MDR. But what do they mean, how do they differ, and which do you need? In this article, we'll dig into those questions.
What is SIEM?
SIEM is an acronym for Security Information and Event Management. It is a term first coined and popularized in 2005 by Gartner analysts. They started using it to describe the reality emerging in the cybersecurity sector of solutions that combined the functionality of Security Information Management (SIM) and Security Event Management (SEM) tools. SIEM tools and solutions use automation to collect security data from across an organization and then analyze it to spot patterns or anomalies that might be indicators of compromise from cyberattack activity.
We have a comprehensive article called What is SIEM? in the Critical Insight resource library. You can read it at https://www.criticalinsight.com/blog/what-is-siem.
We won't repeat the information in that article, but here is a summary of what SIEM offers.
SIEM solutions include various products and services ranging from technology-only solutions, technology with administrative management, and managed IT event processing and alerting offerings. SIEM solutions integrate data about network traffic & events from multiple sources and analyze that data to highlight items that require further investigation. Who does this investigation will depend on how an organization has decided to operate its cybersecurity defense. Increasingly for many small to medium entities, the SIEM management and any responses will be outsourced to a managed service provider (MSP).
In summary, a SIEM collects relevant data from across the network, systems, and cloud services to allow it to be analyzed to give a complete picture of the security situation.
What is EDR?
EDR stands for Endpoint Detection and Response. EDR solutions focus on endpoint devices like PCs, laptops, tablets, and smartphones. Servers are also often classified as endpoints by EDR solutions and included in the monitoring activity. EDR is one of the core parts of any cybersecurity strategy and day-to-day defensive operations. An EDR solution usually has an agent that gets installed on endpoint devices that collects information to be centralized and analyzed with a tool integrated with the SIEM. Most analysis done by an EDR solution uses pattern matching for known threats via malware or signatures. However, unknown but suspicious activity on an endpoint can also usually be detected. This can trigger an automated response that isolates endpoint devices from the network to prevent the spread of malware or other cybercriminal activities.
EDR monitoring is best delivered from a 24x7x365 Security Operations Center (SOC) to be effective. Building and maintaining a team of professionals and a SOC is challenging for most organizations. Critical Insight can help bridge this gap, as outlined later.
What is MDR?
MDR means Managed Detection and Response. It is a cybersecurity service offered by experienced security professionals to organizations to allow them to replace or augment their internal IT cybersecurity teams. MDR removes the burden of cybersecurity protection from organizations that have IT teams that are already busy on other business improvement activities or provides an expert cybersecurity team to organizations that don't have one.
Good MDR services use a combination of software-based detection and response tools that can act instantly whenever a threat is detected. These tools get backed by human cybersecurity experts who can analyze events and ensure any security gaps get fixed. A combined MDR service like this has the best of both worlds. Automated machine-based rapid response backed with decades of human experience. This ensures that cyberattacks get mitigated in real-time and that protections are updated to prevent future attacks from succeeding.
MDR ensures that cyberattacks are detected and nullified in hours rather than the very long time it can often take to detect many successful breaches. Dwell time (the period that cybercriminals have access to systems before they are detected) is typically measured in months when there isn't an MDR service in use.
How do SIEM, EDR, and MDR differ?
In a nutshell, the differences are:
- SIEM - a solution that aggregates security information from logs, events, and other data-capturing services on the network to centralize and analyze it for suspicious behavior. SIEM automates threat detection.
- EDR - monitors computing devices on the network for suspicious activity and alerts a centralized management tool when anything untoward is detected. Most also have automatic quarantine capabilities to isolate an endpoint device from the network until system admins can investigate any suspicious activity.
- MDR - a cybersecurity service that provides the tools and human experts needed to protect a network and the systems running on it. It is usually a managed service provided by an expert third-party MSP.
Which do I need?
To protect the complex multi-cloud and multi-site computing environments that are now the norm, a question such as which of these three cybersecurity tools or services do we need is not the right approach. It isn't a choice between these three things. All three and other technologies and solutions are required to deliver protection from cybercriminals in 2023.
The threat landscape all organizations face is so complex and rapidly changing that dealing with the risks is a full-time task for cybersecurity professionals with decades of experience plus up-to-date knowledge of the current threat landscape. Finding and retaining people with the skills to do this work is beyond most businesses and public-sector organizations.
People with the required skills tend to gravitate to companies that are focused 100% on cybersecurity protection, as it is in these companies that they get to work on the most interesting projects using the latest technology. These businesses can also spread the cost of hiring and retaining cybersecurity experts across their broad client bases.
Cybersecurity-as-a-Service (CSaaS) offerings are an increasingly popular way for organizations from all sectors and of all sizes to procure the expertise they need to deliver cybersecurity protection.
Critical Insight has a comprehensive CSaaS offering that includes SIEM, EDR, MDR, and much more. By partnering with us and using our CSaaS, you have access to experts who can work with your leadership team to prepare, detect, and respond to any cybersecurity incidents that may arise. All via a pre-agreed and predictable budget.