- Lital Asher-Dotan, CMO
- July 26, 2021
Being in the security industry for more than a decade, I learned to respect the large, major players in the market. The SIEM category always seemed to me as a must-have component in the security stack of every mid to large-size company.
Little did I know about the increasing level of frustration organizations experience when they try to use their SIEM as a way to improve their security posture.
In the past year with the fast emergence of the Open XDR category, a true disruption to SIEM emerged. With the massive shift to the cloud, organizations are now looking both to offset the data cost and to have better security analytics, to improve their MTTD and MTTR. Dozens of the world’s largest organizations have now completed a transition of their security operations from SIEM to Hunters XDR.
We know that a transition like that is not exactly a walk in the park. From the decision-making, to planning, and all the way to execution, security leaders need a clear transition roadmap. That’s why we are hosting two virtual events that can help security leaders understand the journey of moving beyond they SIEM and switching to an Extended Detection and Response (XDR) solution.
This Wednesday, 7/28 at 12:30pm ET, we are hosting a LIVE webinar with Forrester’s Allie Mellen and Snowflake’s Omer Singer to discuss the journey for organizations considering the switch to an XDR approach.
And since there is nothing like a first-hand experience, we are hosting a Lunch & Learn on Thursday, August 5, 3:20pm-4:00pm ET with Pallavi Damle, Head of Global Cybersecurity at NETGEAR, who will discuss how her team implemented XDR as an alternative to SIEM. The Lunch & Learn is available FOR FREE as part of Black Hat Virtual Summit.
If you are considering XDR as an alternative to your SIEM, here are five major considerations to make:
1. Data Retention
Make sure the vendor provides you with long term data availability, preferably with an “always hot” model that is favorable for incident investigation and forensics, at a reasonable cost.
Look for solutions that enable the ingestion of as many data sources as possible, not compromising on specific data or cloud data sources. Consider a “vendor-agnostic” approach that will include out-of-the-box, seamless integrations with all of the data sources in your environment.
3. Data Normalization and Correlation
For effective security analysis, data engineering is critical. Look for a vendor that reduces the heavy-lift of data pipelining, normalization and correlation. The “lift and shift” of data from the SIEM to a cloud-based data lake is something that should be provided out-of-the-box by the XDR solution. This will enable to cross correlate all telemetry and make the data actionable for security analytics.
4. Automated, Centralized Detection & Investigation
The real added value of an XDR comes from its ability to automate at scale detections that are based on TTPs and leverage Threat Intelligence and to enable advanced threat hunting. As SIEM solutions were limited to the ability of security teams to build queries and rules, expect your XDR to come with built-in security content that’s delivered as SaaS and is always up-to-date. You should also look for a solution that makes incident investigation a simpler task: a platform that pulls together all relevant data, portraying a clear view of incidents' root cause, timeline and affected entities, for a fast and concise remediation.
5. Measuring the Success of the Project
Migrating your security operations from a SIEM to an XDR has to address some key KPIs that should be measured over time. This could include:
- Total cost of ownership (which tends to highly improve with the shift to an XDR due to data cost issues)
- MTTD and MTTR for an incident, and maybe most importantly: “Mean Time to Understand”, i.e. the amount of time it takes to understand whether an alert is an incident, and the entire scope of the attack within context.
- Better resource allocation, for example: less time spent on rule-writing.