The original post: /r/cybersecurity by /u/Equivalent-Toe-623 on 2025-01-21 21:49:32.

First of all, sorry for the lack of a better title. What I want to discuss in this post is where the Threat Detection and Response (TDR) market is headed.

I use TDR to describe the ability to detect and respond to a breach, whether that’s through the use of SIEM, EDR, NDR, XDR, SOAR, internal SOC, MDR service etc.

I am also aware that there is not a single right solution and it will depend on the environment.

Before the golden era of EDR began, Detection and Response capabilities were centralized on a traditional SIEM solution like Splunk, ingesting and normalizing system event logs like Windows event logs, Sysmon, firewall logs etc. and then building detection rules on these.

With the evolution of EDR, it has become a central part of TDR for some organisations while for some, the SIEM is still the central part. Before you comment that it doesn’t have to be one or the other, read the whole post.

You always have to consider what is enough and what is the ROI.

Using an EDR tool like Crowdstrike, Sentinelone or Defender for Endpoint is almost plug and play (compared to SIEM) and creates relatively few, high-value alerts to investigate. Using a SIEM requires a lot of work (to be done right) configuring and tuning detection rules. It is also very expensive, both in license cost and in time spent managing it. You will probably produce a lot more alerts than an EDR to investigate as well.

If you are an in-house SOC and you have very good control of what’s going on in your network and spend a lot of time developing anomaly detections in the SIEM, you can get a lot of value there. What I’m interested in is an MSSP that creates “general” detections that are applicable to all your customers.

Based on incidents you’ve had and purple team exercises, do you have a rough idea of how much is detected by EDR vs. by SIEM detection? Suppose you’re running Crowdstrike+Splunk, Defender+Sentinel or similar. My experience is that the majority of attacks are detected by the EDR. Considering the investment in the SIEM platform is much bigger than the EDR, this makes it hard to justify the ROI on SIEM. Maybe we can say that EDR is “enough” for TDR and spend the SIEM budget on a different area of cybersecurity than TDR, getting a better ROI with the return being how secure we are in total.

What I haven’t factored in here is investigation and threat hunting capabilities. Here we have lots of value in the SIEM but still, with EDRs like CS, S1 and MDE (especially S1) you have a lot of endpoint activity logs to use for investigation at a substantially lower price than SIEM logs. And the amount of information and visualisation of alerts in the EDR platforms cannot be compared to the endpoint visibility you get with Windows event logs or even Sysmon in a SIEM. Despite that, if you still think the main value of a SIEM is the visibility for investigation and threat hunting since you can ingest all types of logs, EDR vendors are looking to solve this too, with S1, CS and other vendors releasing “next-gen SIEM” solutions that have cheaper log storage, giving us a much simpler SIEM that is still fully capable of fast log search for investigation and threat hunting.

The evolution of these EDR vendors into XDR vendors, adding capabilities for a larger attack surface like email, identity and network, SOAR capability, third-party alert and response action integrations etc., is further taking away the selling points for traditional SIEMs like Splunk and Sentinel. These functionalities are developed by the vendors and are easy to set up compared to configuring them in SIEMs or developing them in SOARs like Swimlane or Google SecOps.

With that said, can you justify the spend on traditional SIEMs like Splunk and MS Sentinel compared to XDR solutions like Crowdstrike and Sentinelone?

Microsoft is a bit special since they are coming from both sides: SIEM with Sentinel and EDR->XDR with Defender.