By Thorsten Mandau, Pre-Sales Consultant, CISSP

Sometimes different tools can have overlapping functionalities/capabilities, which may prove to be confusing to decision makers. In this short blog post, I try to shed some light onto the differences between a Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) tool.

EDR solutions

Broadly speaking, an EDR is used to determine if malware (APTs, advanced persistent threats) has been installed on an endpoint device (detect) and find ways to reply to this kind of threat (response). Often, EDR solutions are using agents installed on such an endpoint to collect data from many different kind of data sources directly on the endpoint and store them in a central database. Among this data, but not limited to it, is data from the following sources:

  • ARP
  • DNS
  • Sockets
  • Registry
  • Memory dumps
  • System calls
  • IP addresses
  • Hardware types

An EDR is seen complimentary to traditional means of protection like signature-based tools or a SIEM. They all provide dashboards or reports and data analysis is performed. EDR solutions currently support mainly Windows OS, only beginning to support other platforms such as Linux, Unix, iOS, or Android.

SIEM

A SIEM is used to provide a single central place for storing and analyzing data coming from many different log sources. This is in no way limited to endpoint systems only. Thus, it provides the means of breaking apart information silos to see and analyze all data in real-time and be able to act accordingly. All information is presented in an easy to understand way and is completely product-agnostic.

It is possible to understand many different use-cases, which do not rely on just one type of system, but on many different log sources such as firewalls, servers, IPS, proxies, etc. A SIEM supports a multitude of different platforms and can be used for advanced correlation, log management, and forensics. Additionally, as is the case with LogPoint there is no limit when it comes to use cases. LogPoint is capable of searching through different areas like IT-Operations, IT-Security, financial or medical use cases, and more.

Summary

A SIEM can be used to collect data from many different types of log sources and do advanced correlation, log management, or forensics. There is no limit regarding supported platforms or the type of use case in question. An EDR tool is considered to be complimentary to a SIEM tool and many EDR vendors try to integrate into a SIEM. From a SIEM point-of-view an EDR is considered to be another log source, which can provide valuable information to a SIEM.