SIEM, EDR, XDR, MDR – what do they mean and how do they affect the daily information security operation?

Cyber security · Csaba Krasznay · July 4, 2023

Background

The information security profession is full of three- and four-letter acronyms. Those who merely listen to a cybersecurity lecture are likely to lose the plot very quickly. But sometimes even those in the industry cannot keep up with the incredibly fast pace of development dictated by the vendors, who add new acronyms every year! We can see such an evolution in the field of incident management, where we have only just learned the term SIEM, which has quickly been joined by the acronyms EDR, XDR and MDR. What are they? SIEM, or Security Incident and Event Management systems, are now a cornerstone of organisational information security, bringing together all the security-relevant data that helps to detect incidents early and manage them when necessary. EDR, or endpoint detection and response systems, have grown out of endpoint protection solutions that initially provided only anti-virus functionality; in addition to traditional protection, they now provide continuous data on the security state of endpoints. XDR stands for extended detection and response and is an extension of EDR to servers, cloud infrastructures and other network services, with the similar goal of generating more relevant security data alongside protection. MDR stands for managed detection and response, which refers to services and providers that leverage XDR capabilities to support an organisation’s information security efforts.

The real innovation here, of course, is the ability to collect and process large amounts of security data, and automation. We are deliberately not yet writing about artificial intelligence, as the market is still mainly exploring the potential of machine learning. But there is huge potential in this. Whereas in the past the success of SIEM systems depended on a set of built-in rules, mostly updated continuously by human intervention, in recent years the data-driven revolution in information technology has made it possible to extract information from the already large amount of data that is generated, and to make SIEM work better. The recipe is simple: if you have a lot of data, the machine can learn what ‘normal’ operation is and has a high chance of detecting ‘abnormal’ operation. The detection of behavioural anomalies has brought a new colour to incident management. As the concept appeared to be working, endpoint protection solution providers, including operating system vendors, began to supply more and better data to SIEM systems. Then came servers, digital services and the cloud, and we arrived at the full complexity of XDR and the massive amounts of data that will one day, not too long from now, enable the emergence of true artificial intelligence in information security, beyond anomaly detection.
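The contrast drawn above, between a hand-maintained SIEM rule and a baseline learned from the data itself, as an added illustration that is not part of the original post. The hourly failed-logon counts, host names and thresholds are constructed for the example; a fixed rule is noisy on a host that is legitimately busy and blind to a quiet host whose behaviour changes, while a per-host baseline flags only the deviation from that host's own normal.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry, not real data: per-host failed-logon counts per hour, the kind of
# aggregate an EDR/XDR agent forwards to a SIEM. WS-01 is an ordinary workstation; JUMP-01
# is a jump host that legitimately sees dozens of failed logons every hour.
TRAINING = (
    [("WS-01", hour, count) for hour, count in enumerate([1, 2, 3, 2] * 6)]
    + [("JUMP-01", hour, count) for hour, count in enumerate([38, 40, 42, 40] * 6)]
)
TODAY = [("WS-01", 9, 15), ("WS-01", 10, 2), ("JUMP-01", 9, 43), ("JUMP-01", 10, 40)]


def static_rule(events, threshold=20):
    """Built-in, hand-maintained SIEM rule: alert when any host exceeds a fixed count."""
    return [(host, hour) for host, hour, count in events if count > threshold]


def learn_baselines(events):
    """Learn each host's 'normal': mean and population std-dev of its hourly count."""
    per_host = defaultdict(list)
    for host, _hour, count in events:
        per_host[host].append(count)
    return {host: (mean(counts), pstdev(counts)) for host, counts in per_host.items()}


def baseline_anomalies(baselines, events, z_limit=3.0):
    """Data-driven rule: alert when a host deviates from its own learned baseline."""
    alerts = []
    for host, hour, count in events:
        if host not in baselines:      # never seen in training: no baseline to score against
            continue
        mu, sigma = baselines[host]
        if sigma == 0:                 # a perfectly constant host: any change is a deviation
            z = 0.0 if count == mu else float("inf")
        else:
            z = (count - mu) / sigma
        if abs(z) > z_limit:
            alerts.append((host, hour, round(z, 1)))
    return alerts


if __name__ == "__main__":
    # Static rule: fires twice on JUMP-01 (noise) and never on WS-01 (missed).
    print("static rule:", static_rule(TODAY))
    # Learned baseline: only WS-01 at 09:00, roughly 18 std-devs above its normal.
    print("baseline:", baseline_anomalies(learn_baselines(TRAINING), TODAY))
```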

However, millions of companies are not yet ready to adopt either data-driven information security or artificial intelligence. Meanwhile, the growing number of compliance requirements worldwide does not leave much time for a qualitative leap in enterprise information security. In fact, the formula is simple: EDR is ‘built in’ to more and more operating systems. The widespread emergence of the cloud makes XDR relatively easy to implement. SIEMs can also be cloud-enabled. You just need someone to put in place and operate the whole ecosystem, in order to comply as effectively as possible with the NIS2 Directive and similar requirements, and of course to best manage the cyber threats that now affect all organisations. This is where MDR providers come in. Neither the expertise nor the human resources required will be available in infinite supply anytime soon, even with the artificial intelligence revolution. In the meantime, we need specialist firms that can help their clients adapt to the technological environment of the 2020s. So, when looking for a managed security service provider, it is also worth assessing what capabilities the provider has in the MDR space. The better this capability, the greater the potential for making today’s cybersecurity capabilities part of your daily routine.

Written by: Csaba Krasznay
