Simplifying SIEM, EDR, XDR and SOAR

Issue 7 2022 Editor's Choice, Information Security

There is much hype around the SIEM, EDR, XDR and SOAR acronyms in the market today, and I think the frustration for most large enterprises is the contradictory information you find when searching for an explanation on the Internet. It is like trying to diagnose your own medical condition and getting scared out of your wits with the different ailments Google says you may have.

It’s ironic that when you search for these acronyms you get overloaded with information. You have to delve into it and try to make sense of it. Similarly, it is interesting that these acronyms exist because they have the data overload of cybersecurity events in common.

I have done my own investigation and have realised that many opinions are published based on a vendor, manufacturer or service provider furthering their own agenda. I believe a neutral perspective should be offered.

Why are these solutions important today? The best way to answer this is to go back 25 to 30 years. We hardly heard about an enterprise breach back then. When we did hear about an event it was big news. Today, it can still be big news, but it happens so regularly we have become immune to it.

There is an exponential rise in threats every year. Years ago it was a ‘script-kiddy’ wanting to prove he or she could gain access into an enterprise or government network. Today we are dealing with high-stakes, organised criminal activities by different types of bad actors with differing objectives. It is big business.

We also have to include ‘nation state’ attacks into the mix as there are countries that are providing funds to create cyber weapons. Some argue it is for defence reasons, but in war there is always collateral damage. This can be you or your organisation. Make no mistake, cyber war is happening all around us.

What is concerning is that there are more focused bad actors than there are focused defenders of our cyber environments. Attackers often use the very same tools initially designed to assess and defend our organisations’ environments for their malicious or criminal intentions. Enterprises use machine learning (ML) or artificial intelligence (AI) for defence, but bad actors are building the same capabilities into their attack tools. This, in turn, increases the complexity and the number of threats an enterprise is exposed to.

These are some of the cybersecurity challenges organisations experience today:

• Finding sufficiently skilled persons to defend or protect their environment.

• Log and alert overload giving rise to ‘alert fatigue’.

• The more stealthy threats may fly under the security team’s radar.

• Investigations take long, which takes up costly and scarce human resources.

• Disparate teams don’t always connect the dots when required.

• Too many false positives.

• Slow response to a threat, if any.

• Unnecessary compromise and business downtime.

What can organisations implement to help with these challenges?

• Add more skilled staff resources and more training.

• Correlate the detection of threats.

• Ensure faster analysis of events.

• Introduce better visibility in order to detect, identify and remediate threats faster.

• Identify stealthy threats automatically with machine learning.

• Automate detection, response and remediation.

Employing more staff may be possible for some organisations, but it has cost implications and there is the lack of available and qualified skills to consider. Automation is an option, hence the rise of SIEM, EDR, XDR and SOAR. There are more variations, but let’s keep it simple.

A neutral explanation of what each are:

• SIEM (Security Information and Event Management) has been around the longest. SIEM ingests data from multiple sources, helps correlate events and automates reporting in order for a human operator to analyse the result and make the next decision.

• EDR (Endpoint Detection and Response) is one of the first iterations of the era of automated response that you see in XDR and SOAR today. The endpoints are monitored for threats, threats are correlated and there is an automated response to a threat which may include remediation.

• XDR (Extended Detection and Response) we see as an extension or ‘extended’ detection and response where more data sources than just the endpoints are monitored and used for detection, response and remediation. These data sources can include SIEM, next-generation firewalls, endpoints and more.

• SOAR (Security Orchestration, Automation and Response) has much of the XDR functionality, but adds the automation of other security management processes like vulnerability management and playbooks into the solution in order to reduce the load on the security teams.

There are many conflicting definitions when researching these solutions. Many vendors like to refer to these solutions as software-as-a-service (SaaS), and this may be true in many instances, but it is possible to install comparative on-premises solutions or get the service from a managed service provider. There are obviously pros and cons to consider, dependent on your organisation’s requirements.

Organisations should carefully investigate what approach to take. It is worthwhile to consider the following:

• There will be a substantial cost to each solution, so investigate the differences between on-premises, SaaS or a managed service carefully over the long term.

• These are not ‘configure and leave’ solutions. Continuous improvement is required to manage them.

• Skilled people are still required to manage these solutions, whether you hire them or contract in a service provider.

• From a business perspective, the solutions should prevent attacks or a breach without business disruption or downtime.

• The intention is that critical applications, assets, personally identifiable information (PII) and organisational reputation are protected and maintained.

I hope that this short summary helps you make sense of the different solutions and their acronyms. Perhaps this can help you make a more informed decision about your cybersecurity defence systems.


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Balancing secure access control and fire safety
Editor's Choice Access Control & Identity Management Fire & Safety
In modern building management, few topics create as much tension as the intersection between security access control and fire evacuation safety. Nichola Allen of G2 Fire sheds light on this delicate balance.

Read more...
Fire safety in South Africa
Technoswitch Fire Detection & Suppression Technews Publishing SMART Security Solutions Editor's Choice Fire & Safety Security Services & Risk Management
Fire safety is sometimes ignored, sometimes relegated to whatever is cheapest, and sometimes treated with the seriousness it deserves, given that it focuses on protecting life and assets. SMART Security Solutions asked Brett Birch, MD of Technoswitch, for some insights into the realities of fire safety in South Africa.

Read more...
Preventing and suppressing lithium fires
SMART Security Solutions Technews Publishing Editor's Choice Fire & Safety Security Services & Risk Management Smart Home Automation
SMART Security Solutions asked Clyde Becker, director of Pyro Brand, for some insight into the mechanics of lithium-ion battery fire risks, especially thermal runaway, and to define a comprehensive, layered approach to fire detection and suppression.

Read more...
Sophos establishes South African legal entity to strengthen local operations
News & Events Information Security
Global cybersecurity company, Sophos, has announced the formation of its local legal entity, which will support local invoicing, partner enablement, compliance requirements and expanded regional investment.

Read more...
71% of organisations suffered an identity breach
News & Events Information Security
The State of Identity Security 2026 report from Sophos finds human error and poor non-human identity management are the root causes of most attacks, as agentic AI accelerates the risk.

Read more...
Global security in 2026
Editor's Choice News & Events Security Services & Risk Management Industrial (Industry) Mining (Industry)
The World Security Report 2026 states: “In a world of increasing volatility, physical security has evolved. It is no longer just a defensive measure; it is a critical driver of corporate value.”

Read more...
Who is to blame for autonomous mistakes?
Editor's Choice Security Services & Risk Management Industrial (Industry) Mining (Industry)
Most supply agreements for AI-integrated equipment still closely resemble plant hire contracts from ten years ago: bilateral, human-focused, and silent on who bears the risk when a machine makes a decision on its own.

Read more...
Cyber resilience is the real defence
Security Services & Risk Management Information Security Infrastructure
Cyber resilience has evolved into a form of strategic agility, ensuring that when an interruption occurs, the business does not just survive; it snaps back into place before the market even notices a pause.

Read more...
Beyond the checkpoint
Veracitech Editor's Choice
For decades, mining corporations have treated employee screening as a necessary friction point, an operational cost to be managed rather than a strategic capability to be optimised. A new generation of full-body X-ray technology, purpose-built for the realities of high-throughput precious-metals environments, is beginning to change that calculus.

Read more...
Persistent surveillance with rapid deployment
Editor's Choice
Sky Robots has introduced an aerial drone system designed to operate as a consistent layer within security environments, addressing long-standing challenges around visibility and response across large or complex sites.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.