
The Differences Between SIEM and Open XDR

  • Sep 21, 2021
  • Gorka Sadowski
  • 3 minutes to read


    The term “security information and event management” (SIEM) was coined in 2005 as an evolution of “central log management” (CLM). Since then, SIEM tool workloads have grown in scope and complexity, leading to the tools we know today, which offer many capabilities to solve a broad set of problems for customers. Analyst firm Gartner has tracked SIEM industry vendors in its SIEM Magic Quadrant for more than a decade.

    The term “extended detection and response” (XDR) was coined in 2018. XDR tools were designed with a narrower purpose than SIEMs, and have not seen their capabilities morph like SIEMs have — yet.

    We have written about XDR in these previous posts: 

    Today, we compare SIEM versus open XDR from several different angles.

    Key differences between SIEM and open XDR

    The table below captures some key differences between SIEM and open XDR tools. 

    Domain coverage
      SIEM: Multi-domain coverage: threat detection, investigation, and response (TDIR); compliance; centralized storage; reporting
      Open XDR: Single-domain coverage: TDIR

    Design approach
      SIEM: Designed for customization, primarily for log and alert sorting
      Open XDR: Designed to be focused on efficient TDIR

    Data location
      SIEM: Typically assumes that the data needs to be centralized in the SIEM
      Open XDR: Typically assumes that data could be stored anywhere and/or doesn’t need to be stored for the long term

    Delivery model
      SIEM: Can be on-prem, cloud-delivered or both
      Open XDR: Cloud-delivered

    Storage requirement
      SIEM: Offers infinitely scalable storage
      Open XDR: Doesn’t always offer long-term storage

    Detection approach
      SIEM: Typically focuses on correlation-based analytics
      Open XDR: Typically offers machine learning-based advanced analytics

    Automation approach
      SIEM: Typically offers very flexible orchestration, automation, and playbooks for TDIR and non-TDIR use cases
      Open XDR: Typically offers prepackaged, use case–specific TDIR with prescriptive orchestration, automation, and playbooks

    GTM motions
      SIEM: Typically replaces or displaces legacy SIEMs, CLMs and/or data lakes
      Open XDR: Typically augments legacy SIEMs, CLMs and/or data lakes

    Although both SIEM and open XDR do share some characteristics (e.g., both can do TDIR), their design philosophy and core capabilities make them different.
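To make the “detection approach” row concrete, here is an added example (not code from this post, nor the logic of any Exabeam product) that runs both styles over a handful of constructed authentication events: a SIEM-style correlation rule with a fixed pattern and threshold, and a per-user behavioral baseline that scores how far a login deviates from what that user normally does. The event format, thresholds, and sample data are all assumptions made for this illustration.

```python
"""Correlation rule vs. behavioral baseline over constructed auth events.

Both detectors are illustrative only; the log format, the thresholds and the
sample data below are constructed for this example and are not real telemetry.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed events for one day: (ISO timestamp, user, source IP, outcome).
# alice logs in normally in the morning, then a burst of failures from an
# unfamiliar address ends in a success late in the evening.
SAMPLE_EVENTS = [
    ("2021-09-21T08:01:00", "alice", "10.0.0.5", "success"),
    ("2021-09-21T08:02:10", "bob", "10.0.0.9", "success"),
    ("2021-09-21T22:10:00", "alice", "203.0.113.7", "failure"),
    ("2021-09-21T22:10:20", "alice", "203.0.113.7", "failure"),
    ("2021-09-21T22:10:40", "alice", "203.0.113.7", "failure"),
    ("2021-09-21T22:11:00", "alice", "203.0.113.7", "failure"),
    ("2021-09-21T22:11:20", "alice", "203.0.113.7", "failure"),
    ("2021-09-21T22:12:00", "alice", "203.0.113.7", "success"),
]

# Constructed two-week history used to build per-user baselines: each user
# logs in once a day around 08:00 from a single workstation address.
BASELINE_EVENTS = [
    (f"2021-09-{day:02d}T08:{day:02d}:00", user, ip, "success")
    for day in range(1, 15)
    for user, ip in (("alice", "10.0.0.5"), ("bob", "10.0.0.9"))
]


def parse(events):
    """Convert the string timestamps into datetimes, keeping the other fields."""
    return [(datetime.fromisoformat(ts), u, ip, o) for ts, u, ip, o in events]


def correlation_rule(events, threshold=5, window=timedelta(minutes=10)):
    """SIEM-style rule: at least `threshold` failures for one (user, source)
    pair inside `window`, followed by a success from that same pair.
    The pattern and numbers are fixed by the analyst who wrote the rule."""
    alerts = []
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    for ts, user, ip, outcome in sorted(parse(events)):
        key = (user, ip)
        # Drop failures that have aged out of the window before deciding.
        recent = [t for t in failures[key] if ts - t <= window]
        if outcome == "failure":
            recent.append(ts)
        elif outcome == "success" and len(recent) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "user": user,
                "source": ip,
                "failures": len(recent),
            })
            recent = []
        failures[key] = recent
    return alerts


def build_baseline(events):
    """Per-user profile of successful logins: which hours and which source
    addresses have been seen. This stands in for the learned model an
    analytics-driven tool would maintain."""
    profile = {}
    for ts, user, ip, outcome in parse(events):
        if outcome != "success":
            continue
        p = profile.setdefault(user, {"hours": Counter(), "ips": set()})
        p["hours"][ts.hour] += 1
        p["ips"].add(ip)
    return profile


def behavioral_score(event, profile):
    """Score one successful login by how many of its attributes are
    first-seen for that user (0 = entirely normal, 2 = new hour and new IP).
    A user with no profile at all scores on both attributes."""
    ts, user, ip, outcome = parse([event])[0]
    if outcome != "success":
        return 0
    p = profile.get(user, {"hours": Counter(), "ips": set()})
    score = 0
    if p["hours"][ts.hour] == 0:
        score += 1  # never seen this user log in at this hour
    if ip not in p["ips"]:
        score += 1  # never seen this source address for this user
    return score


def score_successes(events, profile, min_score=1):
    """Return (user, source, score) for every success that deviates from
    the user's baseline, in time order."""
    flagged = []
    for event in sorted(events):
        score = behavioral_score(event, profile)
        if score >= min_score:
            flagged.append((event[1], event[2], score))
    return flagged


if __name__ == "__main__":
    print("correlation alerts:", correlation_rule(SAMPLE_EVENTS))
    print("baseline deviations:", score_successes(SAMPLE_EVENTS, build_baseline(BASELINE_EVENTS)))
```

Both detectors flag the same evening login here, but for different reasons: the correlation rule fires only because the attacker tripped its exact pattern (five failures, then a success), while the baseline flags the success on its own because the hour and the source are both new for alice. A slower, lower-volume attempt would slip under the rule’s threshold and still register as a baseline deviation, which is the practical difference behind the two rows in the table.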

    Which tool do I need for my organization?

    SIEM and open XDR are best suited for different situations.

    If the functional coverage is focused only on TDIR across a heterogeneous stack, then a tool focused on that function (open XDR) might be a better alternative with a shorter time to value than a general-purpose tool such as a SIEM.

    If the functional coverage goes beyond TDIR, for example including centralized storage, or compliance, then a SIEM is in order, as XDR may or may not be able to address these additional requirements.

    Some organizations may want to start small with a specific requirement on TDIR and then plan on expanding their scope to other areas of security operations, such as compliance or log centralization. These organizations should look for vendors that offer open XDR with an easy upgrade path to a full-featured SIEM, for example by adding storage, compliance packages or non-TDIR dashboarding capabilities. 

    Regardless, organizations should prioritize tools that offer prepackaged content for common and advanced use cases that can deliver at scale with an outcomes-based approach.

    In conclusion, SIEM and open XDR might appear similar at first glance, but actually differ on many key criteria. Don’t hesitate to visit our products page to learn more about what Exabeam offers in each of these categories.

    Want to learn how XDR can improve your SIEM?

    Read our white paper, Top 10 Reasons to Augment Your Legacy SIEM with XDR.

    Top 10 Reasons to Augment Your Legacy SIEM with XDR

    While legacy SIEM technology is an established part of any security operations team, it has limitations.

    For many organizations, legacy SIEM cannot absorb all the logs from both cloud and on-premises sources, and it becomes complicated and expensive to tailor the rules and events of interest to the point where indicators of compromise (IOCs) are quickly and routinely dealt with — or automated. In other cases, SIEM scope creep has made a once fast, nimble solution slow and unresponsive to the simplest of queries.

    XDR provides the missing link between collecting and processing mountains of logs, offering SOC teams:

    • Quick and simple timelines of attacks that demonstrate risk
    • End-to-end attack methodologies
    • Automated case management.

    Gorka Sadowski

    Chief Strategy Officer | Exabeam | Gorka Sadowski is Chief Strategy Officer at Exabeam. In his role, Gorka assists the executive team and functional leaders across the company with developing, communicating, executing, and sustaining corporate strategic initiatives. Gorka has more than 30 years of security experience spanning leadership roles across product management, sales, marketing, and operations. Most recently, he was senior director and security and risk management analyst at Gartner driving coverage for security information and event management (SIEM), security operation center (SOC), and managed detection and response (MDR), while also leading research for IT leaders on emerging topics. Prior to Gartner, he led business development at Splunk where he established and built the Splunk security ecosystem. Prior to Splunk, he established presence for LogLogic in Southern Europe, ran security activities for Unisys in France and launched the first partner-led intrusion detection and prevention system (IDPS) in the industry as lead for NetScreen’s Emerging Technology efforts. A certified CISSP, he received a computer science degree from Universite de Pau in France before moving to the U.S. as a Ph.D. candidate in network security at the University of Miami.
