XDR versus Evolved SIEM – What’s the Difference?

Mar 02, 2021 | by Brian Robertson

Extended Detection and Response (XDR) and evolved security information and event management (SIEM) solutions offer similar capabilities and benefits. For example, they both tend to incorporate advanced analytics, machine learning, and security orchestration and automation to improve threat visibility and dramatically accelerate threat detection and response. So how do you decide between the two?

To answer that question, let’s recap some of the fundamental differences between evolved SIEM and XDR:

XDR focuses on identifying, investigating and taking action to resolve incidents as quickly and efficiently as possible. Evolved SIEM fundamentally does the same, but it also serves as the system of record for compliance monitoring, retention and reporting.

To support threat detection and response and compliance requirements, evolved SIEM platforms leverage as much of an organization’s data as possible, including logs, network data and endpoint data.

In contrast, because XDR isn’t intended to satisfy compliance mandates in the way that evolved SIEM is, XDR platforms generally do not need to collect logs to assist with threat detection and investigation; network and endpoint data typically suffice. Even when an organization occasionally needs user logs to resolve a security issue, an XDR platform requires far fewer of them than an evolved SIEM platform does.

Because evolved SIEM platforms need to collect logs to support compliance, they incur throughput costs that XDR platforms don’t.

Bottom line: If your organization already has a log management and retention tool in place to support compliance, you may not need an evolved SIEM solution for threat detection and response. XDR may be a better (and more cost-effective) fit for your organization.

But if you don’t have a log management and retention tool or a threat detection and response platform in place, then an evolved SIEM can serve both purposes. Either way, RSA NetWitness Platform has you covered.