EDR vs. SIEM: What’s the Difference and Why Do You Need Both?

| By:
Jay Ryerse

In the past, antivirus and firewall were a solid first line of defense tactic, but things have changed. Cybercriminals are more sophisticated and are working harder to tap into networks and reach data centers to hold companies for ransom. The best defense is a layered approach to security. 

Let’s reframe this scenario and think of your data center like a king inside of a castle—you want to protect him at all costs. To do so, you have an outer wall to keep enemies at bay; this is your firewall and antivirus. But what happens if the bad guys get through, finding a way over the wall? Is the king captured then? No, of course not. There are layers of protection—a moat, draw bridge, knights, and maybe even a dragon. Because everything within the fortress—especially the king—must be protected at all costs. MSPs need to start thinking about their security and the security of their clients like this. They need a layered approach that does more than simply keeping the enemies at bay. 

Endpoint Detection and Response (EDR) 

Endpoints essentially serve as gateways to a network—think underground tunnels into the castle or the keys to the backdoor. These are your hardware devices such as desktops, smartphones, Internet of Things (IoT) devices, and servers. All of which are prone to vulnerabilities that malicious actors target relentlessly in hopes of infiltrating the network. 

To combat those threats, Endpoint Detection and Response tools gather and analyzes security threat-related information from computer workstations and other endpoints to find security breaches as they happen. Working proactively, EDR facilitates faster responses to discovered or potential threats. 

An EDR system can also vary greatly depending on the vendor and implementation but can benefit from vendor-driven analysis. Other key advantages include using rollback capabilities, the ability to query endpoint data quickly, and containing threats at the endpoint. 

Security Information and Event Management (SIEM) 

SIEM detects, prevents, and helps resolve cyberattacks while centralizing security events from devices within your network. By collecting log and event data from network devices, systems, and applications and services generated, SIEM can bring all the information into one platform. This gives security teams greater visibility into what’s happening with all the elements in the IT ecosystems through a “single pane of glass.” 

With all of this information easily accessible, this gives your team a leg-up in the battle against cybercrime because you can conduct strategic detection, analyze event data, enrich logs, meet compliance requirements, and accept data from many sources in the network. These are your eyes and ears that proactively protect your fortress.  

EDR and SIEM work better together 

The layered approach works best when it comes to implementing EDR and SIEM. An EDR can detect, block, contain, and remediate the threats targeting your clients’ endpoints faster. It also analyzes and investigates these threats and rolls back to “safe” versions if needed. In tandem, SIEM technology helps protect your clients more effectively by providing complete visibility into an organization’s IT infrastructure by collecting data from multiple sources for analysis. This enables security teams to catch events when prevention measure fails. 

Here’s a classic example:  

Often, EDR solutions are limited in their ability to detect and deflect highly sophisticated file-less malware. This malware is dangerous, as it exploits vulnerabilities that can give attackers administrative control and the ability to gather data to use in future attacks—like a highly targeted phishing attack. 

The file-less malware threat is just one reason more TSPs are starting to leverage advanced SIEM and EDR platforms together. Adding these layers of advanced defenses to their security technology stack can help TSPs develop a complete picture of the threats targeting their clients—in real-time.