Can XDR Survive Outside of SIEM?

In my journey from EDR startup founder to industry analyst and now, “recovering analyst,” I’ve had a lot of time to think about the evolution of threat detection technologies and how they all fit together. Over the years I’ve introduced this story with the following picture, describing the intersection of XDR and SIEM. The point I try to make with this is that while these engines have come from different places, they end up being a single piece of metal.

Let’s take a look at the current divide, what’s happening in each of these markets, and what the future will hold over the next 5 years:

EDR as the Mini-Fridge of SIEM. EDR solved the problem of endpoint detection (as much as one can, I suppose) by leveraging proprietary agents to ensure the right data was being collected for analysis and investigation, and by correlating this event data to allow automated reconstruction of process execution and entire process trees. This in turn allowed us to perform detection based on patterns of behavior instead of individual behaviors. Considering the collection and storage of EDR telemetry (logs), I’ve often found it helpful to frame EDR as productizing the management requirements of a SIEM while delivering an endpoint-focused “mini-fridge” SIEM solution.
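To make the process-tree point concrete, here is an added example (not code from the original post or from any EDR vendor) that links constructed process-creation and network events into a tree and then runs a behavior-pattern rule across the tree, alongside a single-event rule for contrast. The event schema, the sample events, the process names and the rule are all assumptions chosen for illustration; the remote addresses come from the documentation ranges.

```python
"""Added example: reconstructing a process tree from endpoint telemetry and
detecting on a pattern of behaviour across it rather than on single events.
The event schema, sample records and rule below are constructed for
illustration and are not any vendor's schema or detection content."""
from dataclasses import dataclass, field

@dataclass
class Process:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list = field(default_factory=list)
    network: list = field(default_factory=list)  # remote endpoints this process connected to

# Constructed sample telemetry, in the shape an endpoint agent might emit:
# process-creation events keyed by an agent-assigned pid, plus network
# events attributed to the pid that produced them.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1, "ppid": 0, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 10, "ppid": 1, "image": "winword.exe", "cmdline": "winword.exe invoice.docm"},
    {"type": "process", "pid": 11, "ppid": 10, "image": "cmd.exe", "cmdline": "cmd.exe /c powershell -File update.ps1"},
    {"type": "process", "pid": 12, "ppid": 11, "image": "powershell.exe", "cmdline": "powershell.exe -File update.ps1"},
    {"type": "network", "pid": 12, "remote": "203.0.113.10:443"},
    # A benign-looking admin shell with its own network activity, for contrast.
    {"type": "process", "pid": 20, "ppid": 1, "image": "powershell.exe", "cmdline": "powershell.exe Get-Process"},
    {"type": "network", "pid": 20, "remote": "192.0.2.5:443"},
]

def build_process_tree(events):
    """Link process-creation events into parent/child nodes and attach
    network events to the process that produced them."""
    procs = {}
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = Process(ev["pid"], ev["ppid"], ev["image"], ev["cmdline"])
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is not None:
            parent.children.append(p)
    for ev in events:
        if ev["type"] == "network" and ev["pid"] in procs:
            procs[ev["pid"]].network.append(ev["remote"])
    return procs

def ancestry(procs, pid):
    """Return the chain of process images from the root of the tree down to pid."""
    chain = []
    cur = procs.get(pid)
    while cur is not None:
        chain.append(cur.image.lower())
        cur = procs.get(cur.ppid)
    return list(reversed(chain))

# Assumed categories for the rule; a real rule set would be far broader.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}

def detect_any_shell(procs):
    """Single-event rule for contrast: flags every shell launch, so the
    admin's Get-Process session is reported alongside the suspicious chain."""
    return sorted(p.pid for p in procs.values() if p.image.lower() in SHELLS)

def detect_office_shell_network(procs):
    """Behaviour-pattern rule: a shell whose ancestry includes an Office
    application and which made an outbound connection. Neither a shell
    launch nor a network connection fires on its own; only the combination
    across the reconstructed tree does."""
    hits = []
    for p in procs.values():
        if p.image.lower() in SHELLS and p.network:
            chain = ancestry(procs, p.pid)
            if any(a in OFFICE_APPS for a in chain[:-1]):
                hits.append((p.pid, " -> ".join(chain), list(p.network)))
    return hits

if __name__ == "__main__":
    tree = build_process_tree(SAMPLE_EVENTS)
    print("single-event rule flags pids:", detect_any_shell(tree))
    for pid, chain, remotes in detect_office_shell_network(tree):
        print(f"pattern rule: pid {pid} via {chain} -> {remotes}")
```

The single-event rule reports every shell, including the administrator's interactive session, while the pattern rule reports only the shell that descends from an Office document and then reaches out to the network. That difference in false positives is the practical reason EDR's tree reconstruction mattered, and it is exactly the kind of correlation a SIEM back end has to support natively if it wants to absorb the XDR use case.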

An assertion I often hear is that XDR is or will just become SIEM. I find this perspective popular among people who view SIEM as a giant bit bucket that solves every log analytics problem — and from that perspective they aren’t wrong. But before we buy in, there’s an important lesson to consider in what happened with the traditional AV vendors over the last decade. These traditional vendors largely ignored the emergence of EDR, allowing a second endpoint agent to emerge that would eventually eat their use cases and take over the endpoint security market while they were struggling to catch up with the innovation. Similarly, the SIEM market may have contentedly stood by as EDR was developing an “endpoint” security analytics use case they didn’t view as an immediate threat, but as discussed above, XDR is coming to steal their lunch money. The technology and lessons learned by XDR vendors when building EDR products over the last decade may well give them an advantage in the concerted development and potential re-architecture of SIEM storage back ends needed to support these XDR capabilities, compared with the challenge of just adding compliance dashboarding (an oversimplification to drive home the point). All of this said, I expect any SIEM vendor that hasn’t pivoted before the XDR foot race is done will be lost — and for them this will be a trainwreck.
