SIEM vs XDR

With the growing adoption of Security Information and Event Management (SIEM) in business and the rising need for confidentiality, SIEM tools are in constant demand for monitoring the overall security infrastructure.

Depending on the capabilities it offers, a SIEM can be classified as either legacy SIEM or Next-Gen SIEM. What is the difference? Put simply, legacy SIEM relies on a ‘lift and shift’ of older technology and is in most cases deployed on-premises, with a limited set of data sources and capabilities. Next-Gen SIEM offers a wide range of capabilities for identifying modern threats, handles the massive volume of data produced by the modern applications that have been deployed, and can run on-premises as well as in the cloud. The latest technology to emerge in the market is Extended Detection and Response (XDR), which bundles functions that detect and analyze security threats, and drive incident response, across endpoints, networks, servers, cloud workloads and the SIEM itself, in order to protect against modern threats and attacks. To enable rapid threat detection, it presents a single-pane-of-glass view across multiple tools.

Despite the great care companies take in monitoring their security, some still struggle to implement the necessary measures effectively.

Challenges faced by the industry in the realm of security monitoring:

Too many alerts: Because the volume of data ingested into a SIEM is huge, the number of false positives is higher, so analysts spend more time on investigations that lead nowhere.

Increase in attacks: Initially we had only PCs and security appliances on-premises; today we have security appliances both on-premises and in the cloud, as well as laptops, mobile phones and personally owned PCs. As a result, the attack surface that must be protected has grown, which has opened the door to the modern class of attacks known as Advanced Persistent Threats (APTs).

Change in work culture: The world is evolving and so is our work culture. Work is no longer confined to 9-to-5 or to the office. People now have no fixed working hours and can work from anywhere: at home, in a coffee shop, at a client site or in a coworking space. As a consequence, users are using company resources around the clock, so their behavior must be monitored as well.

Issues with Legacy SIEM | Benefits of Next-Gen SIEM
--- | ---
Scalability is difficult | Easily done as it is in the cloud
Data ingestion capabilities are limited to on-premises appliances | Can handle a huge volume of data from various appliances on-premises, in the cloud and in hybrid environments
Actionable insights and analytics features are limited | Supports data correlation, static analysis of raw data and deeper investigation by integrating various tools
Maintenance and deployment of the SIEM are difficult | Easy to deploy and maintain as it is in the cloud
Limited search, correlation and visualization capabilities | Provides out-of-the-box dashboards, use cases, correlation searches and reports
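The "too many alerts" challenge above and the correlation row in this table describe the same problem from two sides: a SIEM that forwards every rule hit to an analyst drowns them in single-rule noise, whereas correlation groups related hits on one entity into a single incident and escalates only the ones where several independent detections agree. The following Python is an added illustration of that idea, not code from Positka or from any SIEM or XDR product. The alert feed, its `timestamp|rule|host|user|severity` field layout, the 10-minute window and the escalation thresholds are all constructed assumptions for the example.

```python
"""Correlate raw SIEM alerts into incidents and escalate only the ones
where distinct detections agree (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed alert feed, not from any real SIEM. One alert per line:
# ISO timestamp | rule that fired | host | user | severity (0-10)
RAW_ALERTS = """\
2024-05-01T09:00:00|failed_login|ws01|alice|3
2024-05-01T09:00:20|failed_login|ws01|alice|3
2024-05-01T09:00:40|failed_login|ws01|alice|3
2024-05-01T09:01:00|failed_login|ws01|alice|3
2024-05-01T09:01:20|failed_login|ws01|alice|3
2024-05-01T09:02:00|failed_login|ws02|bob|3
2024-05-01T09:03:10|new_local_admin|ws02|bob|6
2024-05-01T09:04:30|suspicious_outbound|ws02|bob|7
2024-05-01T09:30:00|failed_login|ws01|alice|3
"""


@dataclass
class Alert:
    ts: datetime
    rule: str
    host: str
    user: str
    severity: int


@dataclass
class Incident:
    """All alerts for one host that fall within a sliding time window."""
    host: str
    first_seen: datetime
    last_seen: datetime
    alerts: list = field(default_factory=list)

    @property
    def rules(self):
        # Distinct detection rules that contributed to this incident.
        return {a.rule for a in self.alerts}

    @property
    def max_severity(self):
        return max(a.severity for a in self.alerts)


def parse_alerts(text):
    """Parse the pipe-delimited feed and return alerts sorted by time."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rule, host, user, sev = line.split("|")
        alerts.append(Alert(datetime.fromisoformat(ts), rule, host, user, int(sev)))
    return sorted(alerts, key=lambda a: a.ts)


def correlate(alerts, window=timedelta(minutes=10)):
    """Group alerts per host into incidents.

    A host's alerts keep accumulating into the same incident while each new
    alert arrives within `window` of the previous one; a longer gap starts a
    new incident for that host.
    """
    open_incidents = {}  # host -> incident currently accumulating
    incidents = []
    for a in alerts:
        inc = open_incidents.get(a.host)
        if inc is None or a.ts - inc.last_seen > window:
            inc = Incident(host=a.host, first_seen=a.ts, last_seen=a.ts)
            incidents.append(inc)
            open_incidents[a.host] = inc
        inc.alerts.append(a)
        inc.last_seen = a.ts
    return incidents


def escalate(incidents, min_distinct_rules=2, critical_severity=8):
    """Keep only incidents worth an analyst's time: several independent
    rules firing on the same host, or a single critical-severity alert.
    Repeated hits from one low-severity rule are summarised, not escalated."""
    return [
        i for i in incidents
        if len(i.rules) >= min_distinct_rules or i.max_severity >= critical_severity
    ]


def triage_summary(text=RAW_ALERTS):
    """Run the pipeline and report how much the analyst queue shrank."""
    alerts = parse_alerts(text)
    incidents = correlate(alerts)
    escalated = escalate(incidents)
    return {
        "raw_alerts": len(alerts),
        "incidents": len(incidents),
        "escalated": len(escalated),
        "escalated_hosts": sorted(i.host for i in escalated),
        "escalated_rules": sorted(escalated[0].rules) if escalated else [],
    }


if __name__ == "__main__":
    for key, value in triage_summary().items():
        print(f"{key}: {value}")
```

On the constructed feed, nine raw alerts collapse into three incidents, and only the ws02 incident (three different rules within a few minutes) is escalated; the repeated failed logins on ws01 stay a single summarised incident per window. The same thresholds would need tuning against a real feed, and the per-host key is only one choice: keying on user instead is what a UEBA-style view does.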

Legacy SIEM Design vs Next-gen SIEM Design:

Legacy SIEM Design:

[Figure: legacy SIEM design diagram]

Next-Gen SIEM Design:

[Figure: Next-Gen SIEM design diagram]

XDR Design:

[Figure: XDR design diagram]

Feature Comparison:

Feature | Legacy SIEM | Next-Gen SIEM | XDR
--- | --- | --- | ---
Infrastructure/delivery model | Mostly on-premises deployment | SaaS model with other cloud components | SaaS-based model that integrates multiple security products in a single platform
Scalability | Requires infrastructure and planning | Can be done easily | Can be done easily
Architecture | Complex to integrate with many components by default | Cloud-based architecture | Cloud-based architecture
Default connectors | Not available | Built-in | Built-in
Custom connectors | Available but needs development | Available but needs development | Available with easy development
Deployment and support visibility | Has many tools; specific skills needed to deploy and maintain | Easy cloud-based deployment | Easy cloud-based deployment
Functionality coverage | Log aggregation and alert management | Incident response, log correlation, threat detection, compliance, storage and reporting | Focus on threat detection, investigation and response
Customization | Very limited | Unlimited customization of edge use cases and visualizations | Designed for effective threat detection, investigation and response
Data storage | Very limited | Acts as the organization's central, long-term data store | Stores data from multiple sources temporarily for analysis
Automation | No automation | Highly customizable orchestration and automation using tools and security playbooks | Pre-packaged playbooks for specific threat detection, investigation and response use cases
Market positioning | Log storage and aggregation | Next-Gen SIEM is replacing legacy SIEM and security data lakes | XDR augments legacy SIEM and data lakes


Top vendors (Leaders of SIEM):

Legacy SIEM | Next-Gen SIEM | XDR
--- | --- | ---
Not used popularly nowadays | Exabeam | Trend Micro Vision One
 | IBM | Palo Alto Networks Cortex XDR
 | Splunk | Cynet 360
 | Securonix | SentinelOne Singularity XDR
 | Rapid7 | CrowdStrike Falcon
 | LogRhythm | Broadcom Symantec XDR


When to use XDR vs When to use Next-Gen SIEM:

When to use XDR | When to use Next-Gen SIEM
--- | ---
An existing SIEM deployment is in place, but you want to improve analysts' time to investigate and time to respond | You need central data storage, log retention and compliance for the growing security data of a modern IT environment
Identify known and unknown threats with sophisticated AI-based analytics on users, assets etc. | Identify unknown threats, including insider threats and new attack patterns, and conduct deep investigations
You want a manual or automated response to a critical threat | You need highly customizable response and automation to respond to incidents faster, leveraging UEBA to reduce false positives
Deep threat investigation and effective threat hunting from a single console, to improve SOC productivity | Out-of-the-box use cases and dashboards with customization


So, which one of these should you opt for?

Legacy SIEM has made a mark for itself, but there’s no denying that it has faded in comparison with recent technologies, making it obsolete. While Next-Gen SIEM has been in use for a significant period, XDR is a new and developing technology. Both technologies offer unique advantages and cannot substitute for one another. Analyst firms like Forrester do not recommend replacing SIEM with XDR, as XDR does not meet the needs that SIEM serves. In the future, if we can leverage both Next-Gen SIEM and XDR in one place, it will result in high productivity in security monitoring.

Want to know more about our services? Contact us!

The author is a tech writer at Positka writing blogs on the latest smart security technology.
