Let’s not forget the main and fundamental objective of cybersecurity, which is to reduce the risk of cyberattacks. To do this, new methods and new tools are emerging, at least every month.
Cybersecurity: SIEM, SOC, EPP, EDR, NDR, MDR… what are the differences?
A recent survey conducted by Splunk, an American company specializing in the design of search software, indicates that companies today tend to invest a large part of their capital in cybersecurity.
As cyberattacks become more complex, more frequent and more costly too, it turns out that companies are increasingly prioritizing capabilities to detect and respond to cyber threats.
SIEM, SOC, EPP, EDR, NDR and even MDR: cybersecurity solutions are everywhere on the market today and seem able to counter every attack.
But what is it really? Or rather, which of these many solutions will be the most appropriate for your business? To find out, you must first understand what SIEM, SOC, EPP, EDR, NDR or even MDR really are.
Each cybersecurity case is different, but there are nevertheless several types of tools to deal with this modern scourge of cyberattacks, which will undoubtedly be one of the worst problems that CIOs and heads of security will have to face in the next 5 years.
The approaches differ: they can range from training staff, to putting practices in place, to very specific and highly specialized tools. There does not seem to be a single solution but rather several, all of which depend on the context to be secured. In this article we have identified some of the most important ones, but there are others.
There are obviously too many terms to define and too many incidents that can occur; each solution has advantages and disadvantages, but the threats are constantly evolving, and new attacks involve not only endpoints but every layer of the IT environment (including e-mail and the cloud; we are a long way from WannaCry in 2017, which did so much damage). The answer follows in this article.
SIEM: Security Information and Event Management
SIEM technologies aggregate data from your network logs, security alerts and every event that occurs into a centralized platform, in order to provide real-time analysis for security monitoring.
To ensure more or less complete monitoring of a computer network, SIEM solutions collect data at the level of network devices (the network concentrator or hub, the switch, the network router, the gateway, the repeater, the access point …), servers (web, proxy, messaging, FTP…), network security devices (firewalls, antivirus, content filtering, EDR…) as well as at the level of applications on the network.
The collected data is then normalized and correlated, allowing the SIEM solution to automatically detect threats with pre-set rules, reduce alert fatigue and support investigations that identify possible intrusions.
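The collection-then-correlation flow described above, as an added example that is not from the original article: it parses a few constructed SSH authentication lines into normalized events and applies one pre-set rule (several failed logins from one source within a short window, followed by a success from the same source), emitting a single alert per source so that repeated hits do not flood the analyst. Names, thresholds and sample log lines are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from the article): syslog-style SSH auth lines.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:05 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:09 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:12 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:00:20 sshd: Failed password for bob from 198.51.100.4
2024-03-01T10:30:00 sshd: Accepted password for bob from 198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_events(text):
    """Collection step: normalize raw log lines into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines the parser does not understand are skipped here
        ts, outcome, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "outcome": outcome,
                       "user": user, "src": src})
    return events


def correlate_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation step: pre-set rule 'failures >= threshold from one source within
    window, then a success from that source' -> one alert per source (de-duplicated)."""
    failures = defaultdict(list)  # source -> timestamps of recent failures
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["outcome"] == "Failed":
            failures[src].append(ev["ts"])
            # keep only failures that still fall inside the sliding window
            failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
        else:  # "Accepted"
            recent = [t for t in failures[src] if ev["ts"] - t <= window]
            if len(recent) >= threshold and src not in alerted:
                alerts.append({"src": src, "user": ev["user"],
                               "failures": len(recent), "at": ev["ts"]})
                alerted.add(src)  # suppress repeat alerts for the same source
    return alerts


def run_demo():
    """Run the rule over the constructed sample; returns the alert list."""
    return correlate_bruteforce(parse_events(SAMPLE_LOG))
```

Only the first source trips the rule; the single failure from the second source is thirty minutes before its success and is outside the window, so no alert is raised for it.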
SOC: Security Operations Center
The SOC is not a tool, but rather an on-premises centralized location from which a security operations (SecOps) team continuously monitors, analyzes and responds to security incidents that threaten the business. To achieve this, the SOC uses various cybersecurity devices, including the EDR, XDR and also SIEM solutions that we have seen above.
The functions of a security operations center include proactive monitoring for intrusions, threats and vulnerabilities, incident response and recovery, remediation activities, and ensuring that network security meets external standards such as ISO 27001, the NIST Cybersecurity Framework (CSF) or the GDPR.
A SOC is usually made up of 5-8 in-house security experts. Because of its very high implementation cost, only large companies have one, unlike tools such as SIEM, which are accessible to all companies, even SMEs.
EPP: Detection tool on terminals based on known signatures
An Endpoint Protection Platform (EPP), in French an endpoint protection platform, is a security solution designed to detect and block threats on the device on which it is installed. It bundles inherently preventive components such as an antivirus, an anti-malware, data encryption, a personal firewall, an intrusion prevention system (IPS), a data loss prevention (DLP) tool…
Little appreciated by cybersecurity experts, EPP solutions offer little added value compared to an antivirus. They are also said to be detection solutions that attackers circumvent easily.
EDR: Tool focused on the detection and investigation of physical and virtual machines
EDR tools are cybersecurity systems that install agents on endpoints and virtual machines to monitor them. For this, they combine elements of next-generation antivirus with additional tools for detecting and alerting on anomalies and intrusions in real time. Supported by modern and powerful technologies such as artificial intelligence and machine learning, EDR tools are capable of in-depth data analysis that makes it possible to detect the most sophisticated intrusions and also to take the appropriate remedial actions, all completely automatically.
Compared to EPP tools, EDR tools have automatic threat blocking features. They can also isolate infected machines. Finally, they are also better able to detect the most elaborate attacks.
NDR: For continuous monitoring of a company’s network
A Network Detection and Response or NDR solution is a cybersecurity solution that provides continuous monitoring of a company’s network to detect intrusions, threats and unusual behavior. NDR solutions work with non-signature based tools and techniques, making them adept at detecting both known and unknown threats traversing your network.
The problem with signature-based cybersecurity tools is that they cannot detect new attacks unless a signature has previously been written to recognize that attack on the network.
It is important to note that NDR systems handle alerts rather poorly. This is why cybersecurity experts always advise organizations to have an EDR and/or SIEM tool before acquiring an NDR.
MDR: for Managed Detection and Response
MDR is the acronym for “Managed Detection and Response”. MDR is not a tool or a technology but a service provided by a cybersecurity company that mobilizes modern cybersecurity technologies and cybersecurity experts for the remote monitoring, detection and neutralization of threats present in its customers’ networks; those customers are generally companies.
The essential functions of an MDR service include monitoring for threats, vulnerabilities and intrusions using detection tools; threat hunting; making cybersecurity experts available to customers; managed prioritization, which sifts through the large volume of alerts and gives priority to the most important ones; investigation, in which the MDR service’s experts determine whether the detected threats are false positives; and finally remediation of the threats detected. Everything is done remotely!
Author Antonio Rodriguez Mota Publisher and Director of Clever Technologies
Cybersecurity, SIEM, SOC, EPP, EDR, NDR, MDR… what are the differences – La Revue Tech