In the category of security tools that protect the network perimeter, two tools stand out: NDR (also known as IDS/IPS) and SIEM. They are often confused, but they do not have the same goal.
In this article, we clarify the role of each of them.
NDR (Network Detection and Response)
NDRs are the ultimate intrusion detection technology. They are connected at the network entrance, usually to the network's main switch (core switch). They intercept all traffic entering and leaving the network and analyze it for signs of attacks or suspicious behavior. Any computer communicating on the network is automatically discovered by the NDR, giving it 360-degree visibility into the computer network.
NDRs look for attack signatures (attack patterns) in network traffic. They also use AI to detect deviations in behavior that are indicative of a cyberattack.
NDRs can automatically block attacks (via the firewall, etc.).
SIEM
A SIEM is a tool that collects and centralizes the security events (logs) generated by the computers in your IT estate. SIEMs collect and store logs from various network sources, such as servers, databases, routers, firewalls, etc. Its objective: to provide a unified view of network logs.
SIEM modules (called agents) are installed on the computers to be monitored. It is these agents that transmit the logs to the SIEM. It is therefore important to make sure you install a SIEM agent on every computer you want to monitor; otherwise you will have no visibility into the attacks targeting it.
SIEMs also offer other ways to collect logs from computers, such as the syslog protocol.
By default, SIEMs come with very basic attack detection rules. It is up to you to make them more effective. You can create detection rules (use cases) to monitor specific activities. For example:
NDR vs SIEM comparison
| Functionality | NDR | SIEM |
|---|---|---|
| Detection of known intrusions | YES | By default, about 20% of what an NDR detects |
| Detection of known malware traffic | YES | By default, about 20% of what an NDR detects |
| Anomaly detection via AI | YES | Often/partial |
| Detection of advanced cyber attacks (ransomware, shellcode/webshell, APT, etc.) | YES | NO |
| Detection of malicious lateral movement in the network | YES | NO |
| Detection of cyber attacks in encrypted traffic | YES (via AI) | NO |
| Deployment time | Hours (e.g. 2 h with the Streamscan NDR) | Weeks or months |
| Installation of agents on the computers to be monitored | N/A | YES |
| Automatic discovery of network computers | YES | NO |
| Agent installation on each new computer | NO | YES |
| Ongoing maintenance | NO | YES |
| 360-degree visibility of the IT estate | YES | NO |
| Network blind spot detection | YES | NO |
| Automatic blocking of attacks | YES (via firewall, etc.) | NO |
| Deployment objective | Cyber defence | Compliance (PCI DSS, etc.) |
Conclusion
As you can see, in terms of cyber attack detection capabilities, SIEMs are very basic compared to NDRs. If you are looking to protect your network from cyber attacks, use an NDR.
Most of the time, the need for a SIEM comes from a legal or contractual obligation (e.g. PCI DSS). It can also be requested by your cyber insurer. Deploying one lets you meet certain compliance requirements and satisfy your cyber insurer (or others), but don't be fooled: it is no guarantee. A SIEM will not protect you against cyber attacks. That is not what it does.
If you are required to deploy a SIEM for compliance reasons and you also want to protect yourself from cyberattacks, deploy an NDR as well.
How can Streamscan help you?
Streamscan's expertise covers NDR technology development, MDR security monitoring, cyber attack response, and more.
We can help you better understand and address the cybersecurity issues and challenges that can affect your organization.
Talk to one of our experts or call us at +1 877 208-9040.
