NDR vs. SIEM
Among the security tools used to protect the network perimeter, two stand out: NDR (also known as IDS/IPS) and SIEM. They are often confused, but they do not have the same goal.
In this article, we will clarify the role of each of them.
NDR (Network Detection and Response)
NDRs are the ultimate intrusion detection technology. They are connected at the network entry point, usually to the network's main switch (or core switch). They intercept all traffic entering and leaving the network and analyze it for signs of attacks or suspicious behavior. Any computer communicating on the network is automatically discovered by the NDR, giving it 360-degree visibility into the computer network.
NDRs look for attack signatures (known attack patterns) in network traffic. They also use AI to detect deviations from normal behavior that indicate a cyberattack.
NDRs can automatically block attacks (via firewall, etc.).
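To make the two detection approaches just described concrete, here is an added illustration (not Streamscan code, and not taken from this article) of a signature check and a per-host behavioral baseline run over constructed flow records. The flow layout, the placeholder signature patterns, the hosts and the three-standard-deviation threshold are all assumptions made for the example.

```python
"""Constructed illustration of the two NDR detection approaches named above:
signature matching on payload bytes and a per-host behavioral baseline.
Records, signatures, hosts and thresholds are all made up for this example."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    src: str        # source host address
    dst: str        # destination host address
    dport: int      # destination port
    bytes_out: int  # bytes sent by src in this flow
    payload: bytes  # first payload bytes as seen by a network tap


# Constructed placeholder patterns standing in for a real signature feed.
SIGNATURES = {
    "TEST-SIG-1": b"CONSTRUCTED-BAD-PATTERN",
    "TEST-SIG-2": b"ANOTHER-CONSTRUCTED-MARKER",
}


def signature_hits(flow):
    """Return the names of all signatures whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in flow.payload]


class HostBaseline:
    """Per-host mean/stddev of bytes_out; a flow more than `sigmas` standard
    deviations away from the host's own history is reported as a deviation."""

    def __init__(self, sigmas=3.0, min_samples=5):
        self.sigmas = sigmas
        self.min_samples = min_samples
        self.history = {}

    def learn(self, flow):
        self.history.setdefault(flow.src, []).append(flow.bytes_out)

    def is_deviation(self, flow):
        samples = self.history.get(flow.src, [])
        if len(samples) < self.min_samples:
            return False  # not enough history to judge this host yet
        mu, sigma = mean(samples), pstdev(samples)
        if sigma == 0:
            return flow.bytes_out != mu
        return abs(flow.bytes_out - mu) / sigma > self.sigmas


def analyze(flows, baseline):
    """Run both checks over flows in order; returns (src, kind, detail) alerts.
    Flows flagged as deviations are kept out of the baseline so that unusual
    traffic cannot teach the model that the new volume is normal."""
    alerts = []
    for flow in flows:
        for name in signature_hits(flow):
            alerts.append((flow.src, "signature", name))
        if baseline.is_deviation(flow):
            alerts.append((flow.src, "deviation", f"bytes_out={flow.bytes_out}"))
        else:
            baseline.learn(flow)
    return alerts


def hosts_to_block(alerts):
    """Automatic response: only signature matches (high confidence) are handed
    to the firewall; behavioral deviations are left for analyst review."""
    return {src for src, kind, _ in alerts if kind == "signature"}


def sample_flows():
    """Constructed traffic: ten ordinary flows from 10.0.0.5, one very large
    outbound transfer from the same host, and one flow carrying a test pattern."""
    normal = [1000, 1100, 1050, 1200, 950, 1000, 1100, 1150, 1000, 1050]
    flows = [Flow("10.0.0.5", "10.0.0.20", 443, n, b"normal") for n in normal]
    flows.append(Flow("10.0.0.5", "203.0.113.7", 443, 50000, b"normal"))
    flows.append(Flow("10.0.0.9", "10.0.0.20", 80, 500, b"GET /?x=CONSTRUCTED-BAD-PATTERN"))
    return flows


if __name__ == "__main__":
    found = analyze(sample_flows(), HostBaseline())
    for alert in found:
        print(alert)
    print("block:", hosts_to_block(found))
```

The design point worth noting is the split in `hosts_to_block`: signature matches are treated as high-confidence and can drive automatic blocking, while statistical deviations are reported but not acted on automatically, because a legitimate backup or software update produces the same kind of volume spike.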
SIEM
A SIEM is a tool that collects and centralizes the security events (logs) generated by the computers in an organization's fleet. SIEMs collect and store logs from various network sources, such as servers, databases, routers and firewalls. Their objective is to provide a unified view of the network's logs.
SIEM modules (called agents) are installed on the computers to be monitored. These agents transmit the logs to the SIEM. It is therefore important to install a SIEM agent on every computer you want to monitor; otherwise you will have no visibility into the attacks targeting it.
SIEMs also offer other ways to collect logs from computers, such as the syslog protocol.
By default, SIEMs come with very basic attack detection rules. It is up to you to make them more effective. You can create detection rules (or use cases) to monitor specific activities. For example:
- Successful connections to a database containing sensitive information
- User creations that occur on weekends
- Multiple failed login attempts within your network
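The three use cases above, and the syslog-style collection mentioned before them, can be illustrated with the following added example (not Streamscan's or any SIEM vendor's code). It parses constructed syslog-like lines and applies one rule per use case. The line layout, host and user names, the list of sensitive databases and the five-failures-in-ten-minutes threshold are assumptions for the example.

```python
"""Constructed example of SIEM use-case rules run over syslog-style lines.
The line layout, hosts, user names, database list and thresholds are made up."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SENSITIVE_DATABASES = {"payroll", "cardholder"}   # constructed list
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)

# Constructed line layout: ISO timestamp, host, program, free-text message.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
DB_RE = re.compile(r"connection authorized user=(\S+) database=(\S+)")
USERADD_RE = re.compile(r"new user: name=(\S+)")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")


def parse_line(line):
    """Turn one log line into an event dict; unparseable lines yield None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, program, message = m.groups()
    return {"time": datetime.fromisoformat(ts), "host": host,
            "program": program, "message": message}


class UseCases:
    """One method per detection rule. Events must arrive in time order."""

    def __init__(self):
        self.failures = defaultdict(deque)  # source address -> recent failure times

    def sensitive_db_access(self, ev):
        m = DB_RE.search(ev["message"])
        if m and m.group(2) in SENSITIVE_DATABASES:
            return f"user {m.group(1)} connected to {m.group(2)} on {ev['host']}"

    def weekend_user_creation(self, ev):
        m = USERADD_RE.search(ev["message"])
        if m and ev["time"].weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            return f"account {m.group(1)} created on {ev['host']} at the weekend"

    def repeated_failed_logins(self, ev):
        m = FAILED_RE.search(ev["message"])
        if not m:
            return None
        source = m.group(2)
        window = self.failures[source]
        window.append(ev["time"])
        while ev["time"] - window[0] > FAILED_LOGIN_WINDOW:
            window.popleft()  # drop failures older than the sliding window
        if len(window) >= FAILED_LOGIN_THRESHOLD:
            window.clear()  # report once per burst, not once per extra failure
            return f"{len(window) or FAILED_LOGIN_THRESHOLD}+ failed logins from {source} within {FAILED_LOGIN_WINDOW}"


def run_rules(lines):
    """Apply every rule to every parseable event; returns (rule, time, detail)."""
    rules = UseCases()
    checks = [rules.sensitive_db_access, rules.weekend_user_creation,
              rules.repeated_failed_logins]
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        for check in checks:
            detail = check(ev)
            if detail:
                alerts.append((check.__name__, ev["time"].isoformat(), detail))
    return alerts


# Constructed sample log: 2024-03-16 is a Saturday, 2024-03-18 a Monday.
SAMPLE_LOG = """\
2024-03-16T03:12:00 db01 postgres: connection authorized user=jsmith database=payroll
2024-03-16T03:13:00 db01 postgres: connection authorized user=app database=inventory
2024-03-16T03:20:00 dc01 useradd: new user: name=svc_tmp uid=1042
2024-03-18T09:00:00 dc01 useradd: new user: name=alice uid=1043
2024-03-18T09:01:00 web01 sshd: Failed password for root from 198.51.100.4 port 50122
2024-03-18T09:01:10 web01 sshd: Failed password for root from 198.51.100.4 port 50123
2024-03-18T09:01:20 web01 sshd: Failed password for admin from 198.51.100.4 port 50124
2024-03-18T09:01:30 web01 sshd: Failed password for admin from 198.51.100.4 port 50125
2024-03-18T09:01:40 web01 sshd: Failed password for deploy from 198.51.100.4 port 50126
2024-03-18T09:02:00 web01 sshd: Accepted publickey for deploy from 10.0.0.12 port 41000
2024-03-18T09:30:00 web01 sshd: Failed password for bob from 10.0.0.12 port 41001
""".splitlines()

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

Each rule only fires when its log source is actually being collected: the failed-login rule sees nothing from a server that has no agent and forwards no syslog, which is the visibility gap the text above warns about.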
NDR vs SIEM comparison
| Functionality | NDR | SIEM |
|---|---|---|
| Detection of known intrusions | YES | By default, about 20% of an NDR's detection |
| Detection of known malware traffic | YES | By default, about 20% of an NDR's detection |
| Anomaly detection via AI | YES | Often/partial |
| Detection of advanced cyberattacks (ransomware, shellcode/webshell, APT, etc.) | YES | NO |
| Detection of malicious lateral movement in the network | YES | NO |
| Detection of cyberattacks in encrypted traffic | YES (via AI) | NO |
| Deployment time | Hours (e.g. 2 hours with the Streamscan NDR) | Weeks or months |
| Installation of agents on the computers to be monitored | N/A | YES |
| Automatic discovery of network computers | YES | NO |
| Agent installation on each new computer | NO | YES |
| Ongoing maintenance | NO | YES |
| 360-degree visibility of the computer fleet | YES | NO |
| Network blind spot detection | YES | NO |
| Automatic blocking of attacks | YES (via firewall, etc.) | NO |
| Deployment objective | Cyber defence | Compliance (PCI DSS, etc.) |
Conclusion
As you can see, in terms of cyberattack detection capabilities, SIEMs are very basic compared to NDRs. If you are looking to protect your network from cyberattacks, use an NDR.
Most of the time, the need for a SIEM comes from a legal or contractual obligation (e.g. PCI DSS). It can also be requested by your cyber insurer. Deploying one allows you to meet certain compliance requirements and satisfy your cyber insurer (or others), but don't be fooled: it is not a guarantee. A SIEM will not protect you against cyberattacks. That is not what it does.
If you are forced to deploy a SIEM for compliance reasons and you also want to protect yourself from cyberattacks, deploy an NDR as well.
How can Streamscan help you?
Streamscan's expertise covers NDR technology development, MDR security monitoring, cyber attack response, etc.
We can help you better understand and address the cybersecurity issues and challenges that can impact your organization.
Talk to one of our experts or call us at +1 877 208-9040.