a comparison between SIEM versus XDR.pdf
rahaf822731
107 views
28 slides
Sep 01, 2024
Slide 1 of 28
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
About This Presentation
a comparison between two cyber security Analytics technologies
Slide Content
SIEM OR XDR
FORTISIEMOR
FORTIXDR
FORTISIEMOR
FORTIXDR
1.SIEM vs XDR
2.Which one is preferred ?
3.FortiSIEMvs FortiXDR
2.Which one is preferred ?
3.FortiSIEMvs FortiXDR
SIEM… SECURITY INFORMATION AND EVENT MANAGEMENT
Source device could be network device ( Router , Switch ,…ect ) , security device (Firewall , WAF
…etc) , endpoints ( such as windows Event Logs ) , servers , applications logs.
Source device could be network device ( Router , Switch ,…ect ) , security device (Firewall , WAF
…etc) , endpoints ( such as windows Event Logs ) , servers , applications logs.
SIEM… SECURITY INFORMATION AND EVENT MANAGEMENT
SIEM… SECURITY INFORMATION AND EVENT MANAGEMENT
•Example ( log , Parsing , correlation , Alert and Incident )
Raw Log
CEF:0|FORCEPOINT|Firewall|6.10.14|1008|FW_Packet-Discarded|0|src=10.0.1.5 dst=192.168.1.11 spt=34201
dpt=3389 proto=6 deviceInboundInterface=13 msg=IP\=(tos\=2 id\=5045 ttl\=122) TCP\=(flags\=SEC
seq\=1945937860 ack_seq\=0 win\=8192) deviceFacility=Packet Filtering rt=Apr 07 2023 15:53:28 app=Remote
Desktop
Parsed Log
Date Apr 07, 2023 Device type firewall
Time 15:53:28 Action discarded
Source IP 10.01.5 Source port 34201
Destination IP192.168.1.11 Destination port3389
•Example ( log , Parsing , correlation , Alert and Incident )
Raw Log
CEF:0|FORCEPOINT|Firewall|6.10.14|1008|FW_Packet-Discarded|0|src=10.0.1.5 dst=192.168.1.11 spt=34201
dpt=3389 proto=6 deviceInboundInterface=13 msg=IP\=(tos\=2 id\=5045 ttl\=122) TCP\=(flags\=SEC
seq\=1945937860 ack_seq\=0 win\=8192) deviceFacility=Packet Filtering rt=Apr 07 2023 15:53:28 app=Remote
Desktop
Parsed Log
Date Apr 07, 2023 Device type firewall
Time 15:53:28 Action discarded
Source IP 10.01.5 Source port 34201
Destination IP192.168.1.11 Destination port3389
SIEM… SECURITY INFORMATION AND EVENT MANAGEMENT
•Correlation
Correlation is the process of comparing sequences of activity based on a set of
rules.
For example, you can define a correlation rule to look for events X and Y that
occur in a specific order, where X is a number of failed login attempts from a
user account from a particular IP address, and Y is a successful login from the
same IP address to any machine in the network.
So, the correlation rule can be : “3 login failure for unique user from source IP
followed by successful login from the same source IP”
•Correlation
Correlation is the process of comparing sequences of activity based on a set of
rules.
For example, you can define a correlation rule to look for events X and Y that
occur in a specific order, where X is a number of failed login attempts from a
user account from a particular IP address, and Y is a successful login from the
same IP address to any machine in the network.
So, the correlation rule can be : “3 login failure for unique user from source IP
followed by successful login from the same source IP”
SIEM… SECURITY INFORMATION AND EVENT MANAGEMENT
•Correlation
Another example for a correlation rule that detect “Reconnaissance” :
Port Scan Vertical Log: Alert when log events contain 200 unique destination
ports with the same source and destination IP within 60 seconds.
•Alert
The notification issued from the correlation rule
•Incident
One or more alerts grouped by specific criteria
•Correlation
Another example for a correlation rule that detect “Reconnaissance” :
Port Scan Vertical Log: Alert when log events contain 200 unique destination
ports with the same source and destination IP within 60 seconds.
•Alert
The notification issued from the correlation rule
•Incident
One or more alerts grouped by specific criteria
XDR … EXTENDED DETECTION AND RESPONSE
XDR = SIEM + NDR + EDR + UEBA What is the Difference Between XDR vs. SIEM? PaloAlto Networks
is a comprehensive cybersecurity solution that combines multiple security
technologies and data sources to provide enhanced threat detection, response,
and remediation capabilities. XDR expands beyond traditional endpoint
detection and response (EDR) solutions and incorporates additional security
telemetry data from various sources, such as network traffic, cloud environments,
and other endpoints.
XDR = SIEM + NDR + EDR + UEBA What is the Difference Between XDR vs. SIEM? PaloAlto Networks
is a comprehensive cybersecurity solution that combines multiple security
technologies and data sources to provide enhanced threat detection, response,
and remediation capabilities. XDR expands beyond traditional endpoint
detection and response (EDR) solutions and incorporates additional security
telemetry data from various sources, such as network traffic, cloud environments,
and other endpoints.
XDR … EXTENDED DETECTION AND RESPONSE
XDR … EXTENDED DETECTION AND RESPONSE
•XDR = SIEM + NDR + EDR + UEBA + Threat intelligence + Simple automated response
•NDR
Monitor and analyze the network traffic ( packet sniffing )
One common type of malicious activity that can be detected using NDR but may not be easily
detected using SIEM is lateral movement within a network. When an attacker gains unauthorized
access to a network, they often attempt to move laterally from one compromised system to
another to escalate their privileges and access sensitive data.
Examples:
DNS Amplification Detects when a UDP destination port is 53 and the total size of the network
session packets is more than ,for example ,4000 bytes.
HTTP Get Flood: Detects when successful HTTP connections send GET requests, which result in at
least 1000 packets to the same destination IP within 60 seconds.
•XDR = SIEM + NDR + EDR + UEBA + Threat intelligence + Simple automated response
•NDR
Monitor and analyze the network traffic ( packet sniffing )
One common type of malicious activity that can be detected using NDR but may not be easily
detected using SIEM is lateral movement within a network. When an attacker gains unauthorized
access to a network, they often attempt to move laterally from one compromised system to
another to escalate their privileges and access sensitive data.
Examples:
DNS Amplification Detects when a UDP destination port is 53 and the total size of the network
session packets is more than ,for example ,4000 bytes.
HTTP Get Flood: Detects when successful HTTP connections send GET requests, which result in at
least 1000 packets to the same destination IP within 60 seconds.
•EDR
collecting a subset of endpoint data either on a scheduled basis or on-demand (manually) ,
monitoring the endpoint and detecting anomalous behavior.
Examples:
Process Redirects to STDOUT or STDERR : can be used by hackers as a technique to hide their
malicious activities and evade detection. By redirecting the output of a process to the standard output
(STDOUT) or standard error (STDERR) streams, hackers can obfuscate the command outputs or error
messages that may reveal their actions.
process DarkTortilla Renames Initial Loader is a specific type of attack where the initial
loader or executable file of a legitimate software or system component is renamed to
evade detection by security tools. Hackers may use this technique to disguise their malicious
payloads or malware as legitimate files, making it harder for antivirus software or security
mechanisms to identify and block the threat.
XDR … EXTENDED DETECTION AND RESPONSE
collecting a subset of endpoint data either on a scheduled basis or on-demand (manually) ,
monitoring the endpoint and detecting anomalous behavior.
Examples:
Process Redirects to STDOUT or STDERR : can be used by hackers as a technique to hide their
malicious activities and evade detection. By redirecting the output of a process to the standard output
(STDOUT) or standard error (STDERR) streams, hackers can obfuscate the command outputs or error
messages that may reveal their actions.
process DarkTortilla Renames Initial Loader is a specific type of attack where the initial
loader or executable file of a legitimate software or system component is renamed to
evade detection by security tools. Hackers may use this technique to disguise their malicious
payloads or malware as legitimate files, making it harder for antivirus software or security
mechanisms to identify and block the threat.
XDR … EXTENDED DETECTION AND RESPONSE
•UEBA … User and Entity Behavior Analytics
Advanced analytics solution for discovering, investigating, and monitoring risky behaviors across all
users and entities in your network environment.
Example: A remote employee has normal work hours of M-F / 8 AM to 5 PM. However, one day,
they accessed the network on a Saturday at 8 AM. Is that normal or is it unusual?
•Threat Intelligence ( Proactive )
Malicious IPs , Domains , Hashes.
•Automated Response: XDR can automate response actions, such as isolating compromised
endpoints, blocking malicious network traffic, or initiating remediation tasks.
XDR … EXTENDED DETECTION AND RESPONSE
Advanced analytics solution for discovering, investigating, and monitoring risky behaviors across all
users and entities in your network environment.
Example: A remote employee has normal work hours of M-F / 8 AM to 5 PM. However, one day,
they accessed the network on a Saturday at 8 AM. Is that normal or is it unusual?
•Threat Intelligence ( Proactive )
Malicious IPs , Domains , Hashes.
•Automated Response: XDR can automate response actions, such as isolating compromised
endpoints, blocking malicious network traffic, or initiating remediation tasks.
XDR … EXTENDED DETECTION AND RESPONSE
XDR … BENEFITS AND LIMITATIONS
Benefits
•Holistic Visibility and Context
•Cross-Layer Detection and Response
•Advanced Analytics and Threat
Intelligence
•Automated Response and
Orchestration
Limitations
•Complexity and Deployment
Challenges
•Cost and Resource Requirements
•False Positives and Alert Fatigue
•Integration Challenges
Benefits
•Holistic Visibility and Context
•Cross-Layer Detection and Response
•Advanced Analytics and Threat
Intelligence
•Automated Response and
Orchestration
Limitations
•Complexity and Deployment
Challenges
•Cost and Resource Requirements
•False Positives and Alert Fatigue
•Integration Challenges
XDR OR SIEM
The decision depends on:
•Existing Infrastructure : If you have a well-established security stack and want to
enhance log management and correlation capabilities, SIEM may be the preferred
choice.
•Resource Availability and Skill Set : SIEM solutions often require expertise in log
management, correlation rule creation, and compliance auditing. XDR solutions may
involve managing endpoint agents, network sensors, and advanced analytics tools.
•Budget Considerations
•Regulatory and Compliance Requirements: If compliance is a primary concern, SIEM
may be a suitable choice.
The decision depends on:
•Existing Infrastructure : If you have a well-established security stack and want to
enhance log management and correlation capabilities, SIEM may be the preferred
choice.
•Resource Availability and Skill Set : SIEM solutions often require expertise in log
management, correlation rule creation, and compliance auditing. XDR solutions may
involve managing endpoint agents, network sensors, and advanced analytics tools.
•Budget Considerations
•Regulatory and Compliance Requirements: If compliance is a primary concern, SIEM
may be a suitable choice.
FORTISIEM
•Unified data collection and analytics from diverse information sources including
logs and SNMP Traps which is first parsed and then fed into an event-based
analytics engine for monitoring real-time searches, rules, dashboards, and ad-
hoc queries.
•Unified data collection and analytics from diverse information sources including
logs and SNMP Traps which is first parsed and then fed into an event-based
analytics engine for monitoring real-time searches, rules, dashboards, and ad-
hoc queries.
FORTISIEM HIGHLIGHTS & FEATURES
Highlights:
•UEBA … uses ML without requiring complex rules
•User & Devise risk scoring
•Real-Time Event Correlation (patented)
•Real-Time, Automated Infrastructure Discovery and Application Discovery
Engine: (Centralized Management Database) enables to discover both
physical and virtual infrastructure, on-premises and in public/ private clouds,
simply using credentials without any prior knowledge of what the devices or
applications are.
Highlights:
•UEBA … uses ML without requiring complex rules
•User & Devise risk scoring
•Real-Time Event Correlation (patented)
•Real-Time, Automated Infrastructure Discovery and Application Discovery
Engine: (Centralized Management Database) enables to discover both
physical and virtual infrastructure, on-premises and in public/ private clouds,
simply using credentials without any prior knowledge of what the devices or
applications are.
FORTISIEM HIGHLIGHTS & FEATURES
Highlights:
•Dynamic User Identity Mapping : network identity (IP address, MAC
Address) to user identity (log name, full name, organization role). Users and
their roles are discovered from on-premises or Cloud SSO, repositories. Then
geo-identity is added to form a dynamic user identity audit trail. This method
makes it possible to create policies or perform investigations based on user
identity instead of IP addresses—allowing for rapid problem resolution.
•Flexible and Fast Custom Log Parsing Framework (Patented)
Highlights:
•Dynamic User Identity Mapping : network identity (IP address, MAC
Address) to user identity (log name, full name, organization role). Users and
their roles are discovered from on-premises or Cloud SSO, repositories. Then
geo-identity is added to form a dynamic user identity audit trail. This method
makes it possible to create policies or perform investigations based on user
identity instead of IP addresses—allowing for rapid problem resolution.
•Flexible and Fast Custom Log Parsing Framework (Patented)
FORTISIEM HIGHLIGHTS & FEATURES
Highlights:
•Business Services Dashboard — Transforms System to Service Views
•Automated Incident Mitigation : Built-in scripts support a variety of devices
including Fortinet, Cisco, Palo Alto, and Window/Linux servers. Built-in scripts can
execute a wide range of actions including disabling a user’s Active Directory account,
disabling a switch port, blocking an IP address on a Firewall,deauthenticating a user
on a WLAN Access Point, and more.
•Infusion of Security Intelligence ( FortiGuard )
•Large Enterprise and Managed Service Provider Ready — “Multi-Tenant
Architecture”
Highlights:
•Business Services Dashboard — Transforms System to Service Views
•Automated Incident Mitigation : Built-in scripts support a variety of devices
including Fortinet, Cisco, Palo Alto, and Window/Linux servers. Built-in scripts can
execute a wide range of actions including disabling a user’s Active Directory account,
disabling a switch port, blocking an IP address on a Firewall,deauthenticating a user
on a WLAN Access Point, and more.
•Infusion of Security Intelligence ( FortiGuard )
•Large Enterprise and Managed Service Provider Ready — “Multi-Tenant
Architecture”
FORTIXDR
FORTIXDR
Highlights
•Extended detection & Extended Response ?????
•AI-Powered
•Third Parity Support - supports integration with non-Fortinet, API supporting
products via connectors !
•Cloud , On Premises in an air-gapped environment, and hybrid
Highlights
•Extended detection & Extended Response ?????
•AI-Powered
•Third Parity Support - supports integration with non-Fortinet, API supporting
products via connectors !
•Cloud , On Premises in an air-gapped environment, and hybrid
FORTIXDR … SCREENSHOTS
The Extended detection source was forti analyzer
The Extended detection source was forti analyzer
FORTIXDR … SCREENSHOTS
FORTIXDR … SCREENSHOTS
FORTIXDR … SCREENSHOTS
FORTISIEM
OR FORTIXDR
OR FORTIXDR
FORTISIEM VS FORTIXDR
FORTISIEM FORTIXDR
UEBA Yes NO
Third Parity Event SourceSimply using CredentialAPI Integration
Automated response Yes Yes
Real time Analysis and
response
Yes Yes
Conclusion:
Cannot figure out the add value of using FortiXDR than
FortiSIEM, so FortiSIEM seams to be the better choice , at least its
usage and value is understandable
FORTISIEM FORTIXDR
UEBA Yes NO
Third Parity Event SourceSimply using CredentialAPI Integration
Automated response Yes Yes
Real time Analysis and
response
Yes Yes
Conclusion:
Cannot figure out the add value of using FortiXDR than
FortiSIEM, so FortiSIEM seams to be the better choice , at least its
usage and value is understandable
FORTIXDR WHAT IS XDR? FORTINET
•FortiXDR= FortiEDR+ NTA + cloud data + Event Mgmt+ automatic response
FortiXDR vs FortiEDR
XDR is more advanced that it handles network and cloud data as well. If
already you have a security solution that handle network traffic analysis and
cloud data , so it’s preferred to chose FortiEDR.
•FortiXDR= FortiEDR+ NTA + cloud data + Event Mgmt+ automatic response
FortiXDR vs FortiEDR
XDR is more advanced that it handles network and cloud data as well. If
already you have a security solution that handle network traffic analysis and
cloud data , so it’s preferred to chose FortiEDR.
FORTIXDR WHAT IS XDR? FORTINET
•FortiXDR= FortiEDR+ NTA + cloud data + Event Mgmt+ automatic response
FortiXDR vs FortiSIEM
XDR differs from SIEM in that it comes with response solutions. Although SIEM can work with a
response solution, it focuses on detecting threats, not responding to them. If you want to custom
design how you respond to threats, then a SIEM solution like FortiSIEM may be a better choice
than XDR.
In some cases, XDR may detect and respond to a threat automatically even when it does not
pose a real danger. A premature response like that can hurt your organization. With SIEM, you
are free to decide how you respond to each threat, which can prevent you from stopping or
halting operations unnecessarily.
•FortiXDR= FortiEDR+ NTA + cloud data + Event Mgmt+ automatic response
FortiXDR vs FortiSIEM
XDR differs from SIEM in that it comes with response solutions. Although SIEM can work with a
response solution, it focuses on detecting threats, not responding to them. If you want to custom
design how you respond to threats, then a SIEM solution like FortiSIEM may be a better choice
than XDR.
In some cases, XDR may detect and respond to a threat automatically even when it does not
pose a real danger. A premature response like that can hurt your organization. With SIEM, you
are free to decide how you respond to each threat, which can prevent you from stopping or
halting operations unnecessarily.
Tags
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 107
- Slides 28
- Age 471 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
41 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
45 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
40 views
14
Fertility awareness methods for women in the society
Isaiah47
38 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
37 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
39 views