Alexa metrics
Live Chat

Welcome to UKFast, do you have a question? Our hosting experts have the answers.

Chat Now
Sarah UKFast | Account Manager

EDR vs SIEM: What’s the difference, and which is right for your business?

19 August 2020 by Laura Valentine

Threat Monitoring Blog Images 03 (002)With a recent survey revealing that 86% of businesses expect an increase in cyberthreats over the next 12 months, it’s clear that the ever-evolving threat landscape is a major concern for organisations of all sizes. Understanding the distinction between endpoint detection and response (EDR) tools and security information and event management (SIEM) platforms is an important step on the road to better security for any business.  

What is EDR? 

The term ETDR (endpoint threat detection and response) was first used by Anton Chuvakin from Gartner in 2013. In 2015, the ‘T’ was dropped, creating the term EDR with which we are now more familiar. As the name suggests, an EDR tool stores software on endpoint devices to offer protection against a range of common cyber-threats. The tool will alert the security management team of any threats identified on an endpointso that the necessary action can be taken to mitigate potential malicious events as soon as possible 

EndpointDevices connected to your network; desktop computers, laptops, mobile devices, cloud-based systems and other IoT devices.  

DetectionThe EDR tool constantly scans the endpoint device for signs of unusual activity or behaviours and gathers information.  

ResponseIf unusual activity is detected, an automatic notification is sent to the system user to alert them of a potential threat. The user can then take appropriate action to mitigate the risk.  

As you would expect, EDR tools are focused on the endpoint devices rather than the system as a wholeTheir effectiveness therefore is inherently tied to an organisation’s level of network visibility — you cant secure devices that youre not aware of. As 84% of endpoint breaches include more than one endpoint, total device visibility is essential, although difficult to achieve. 

What is SIEM? 

Taking care of the bigger picture, SIEM software logs information from across your infrastructure including network devices, servers, and unlimited other sources. Focused on the detection element of security, SIEM collects information from various applications such as firewalls, antivirus programs — and even EDR tools — and collates them in a central location to provide real-time analysis of events.  

 SIEM platforms analyse the activity detected on your infrastructure against a set of predetermined rulesets and alert users to any anomalies that may point to malicious activity. It then falls to your IT team to manage the log of events, identify and investigate suspicious behaviours and neutralise threats. The ability to analyse the detailed logs is invaluable to many companies, aiding compliance and providing a report to reflect on during the occasions where a threat slips through your net and a breach occurs.  

Which do I need? 

If you’re looking to bolster your security and establish a system that allows you to respond as quickly as possible to cyber-threats, the ideal solution may well include both. The tools are often integrated, with EDR widely considered complimentary to SIEM. EDR software acts as another source for the SIEM, providing additional information about all known endpoints to be logged alongside other activity across your infrastructure.  

The key is having a security system that provides a centralised platform to review activity and a log of real-time alerts so potential threats can be mitigated at the earliest possible stage. Another big consideration is the resource and capability of your IT team to respond to any security concerns – reviewing and investigating the report log can be time consuming depending on the size of your business and extent of your infrastructure 

UKFast’s Threat Vision suite of tools offers a solution to suit any business. Combining SIEM, EDR and our own bespoke-built platform, Threat Vision solutions automatically take care of logging, collating and analysing activity from all monitored endpoints to detect and block suspicious events across your network.   

Providing advanced security technology, enhanced network visibility and access to live reports via the UKFast dashboard, our range of Threat Vision solutions offer a choice of defence levels to suit your needs. And, with the expertise of our security team on hand 24/7/365 there’s always guidance and support available to help mitigate existing and emerging threats.  

Find out more about our suite of Threat Vision solutions.