The difference between Antivirus, MDR, SIEM and SOC

Photo courtesy of Sinousxl

I wanted to put together an overview to help clear up some confusion around these five cybersecurity technologies and concepts. There is a lot of marketing surrounding MDR, SIEM, SOC and Antivirus. Each has its own part to play in a cybersecurity environment, but how they are used, and where they can be used effectively, varies widely. Much like a security system that detects motion at the front door or in the back yard, these systems can be applied effectively or ineffectively, and a poor deployment ends up weighing you down with an excess of alerts and work just to wade through the data or reach the desired effect.

Antivirus

This is what detects threats on each endpoint; on its own, its scope is pretty limited in terms of a large network. The antivirus will look at downloads, processes, and often network connections, all in an effort to discover and stop intrusions as they occur, before they can do damage or lift data and/or credentials. So going back to our security camera metaphor, Antivirus is kind of like a camera connected to a door that can lock automatically. Antivirus would be the mechanism that tells the camera to lock the door if someone who is unrecognized, who has a weapon, or who is actively on fire happens to walk up to the door. The antivirus detects a possible threat and stops it from doing damage, much like automatically locking the door. Where antivirus falls short is when you are facing a threat that looks like you and talks like you, and may have disguised itself as a handyman to get through the door.

Antivirus shines when it is put on each endpoint, or entrance. All of the Antivirus products have the capability to send the person sitting in front of the computer an alert that something weird is going on and that a file or website was blocked. Where it falls short is in notifying IT or the security team that this event occurred; it would be like if your camera system just locked the door and then a light came on at the door saying that it was locked, but it never sent a notification to your phone. Great! The threat was blocked, but who knew about it?

EDR

This stands for Endpoint Detection and Response. This is a system that allows events from many different endpoints to be logged and sent to a SIEM or another central point. EDR also allows for responses to be taken automatically, or they may need to be approved manually. These responses can include host isolation, file removal, and ending programs. EDR is like having each camera sensor automatically lock the door when a person is detected at the front door, but if you were expecting guests or work was being done, these settings could be tuned so that you would need to approve or deny a door locking. EDR is not usually used on its own, but it can be for some environments where network monitoring is not possible.

SIEM

SIEM stands for security information and event management and is a broad term that covers a lot of central logging systems. A SIEM is what centralizes logs and makes all the events, security related or system related, available in one place to be viewed by a system administrator and security team. In our hypothetical video monitoring system this would be adding a capability such as a DVR that would be able to view all the video feeds, saved videos, and alerts for times that the motion detection system was triggered, as well as the little things like when cameras were rebooted or when they were viewed. Alerts can be created so that security teams and administrators are notified of and can respond to events. The SIEM is passive and requires people to run it and respond to events. This is a core part of improving the security posture of an organization, but it is utterly useless if no one sees or responds to alerts.
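As an added illustration that is not part of the original post, here is a toy Python version of the EDR and SIEM roles described in the last two sections: endpoint agents forward events to a central store, an alert rule escalates the same detection seen on several hosts within a short window while a lone block just sits in the log, and the EDR response is either automatic or queued for manual approval. The event records, host names, detection names and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events, in the shape an EDR agent might forward (not real telemetry).
EVENTS = [
    {"host": "ws-01", "ts": "2024-05-01T09:00:00", "kind": "av_block", "detail": "trojan.generic", "sev": 3},
    {"host": "ws-02", "ts": "2024-05-01T09:04:00", "kind": "av_block", "detail": "trojan.generic", "sev": 3},
    {"host": "ws-07", "ts": "2024-05-01T09:09:00", "kind": "av_block", "detail": "trojan.generic", "sev": 3},
    {"host": "ws-03", "ts": "2024-05-01T10:30:00", "kind": "av_block", "detail": "pup.toolbar", "sev": 1},
    {"host": "srv-01", "ts": "2024-05-01T11:00:00", "kind": "agent_restart", "detail": "", "sev": 0},
]

class Siem:
    """Central store: keeps every forwarded event and evaluates alert rules over all of them."""
    def __init__(self, spread_hosts=3, window=timedelta(minutes=15)):
        self.events = []
        self.spread_hosts = spread_hosts  # distinct hosts needed before a detection escalates
        self.window = window

    def ingest(self, event):
        e = dict(event, ts=datetime.fromisoformat(event["ts"]))  # normalize time for cross-host rules
        self.events.append(e)
        return e

    def alerts(self):
        """Rule: the same detection on >= spread_hosts hosts inside the window is an incident;
        a lone block on one host stays in the log but pages no one."""
        by_detail = defaultdict(list)
        for e in self.events:
            if e["kind"] == "av_block":
                by_detail[e["detail"]].append(e)
        out = []
        for detail, evs in by_detail.items():
            evs.sort(key=lambda x: x["ts"])
            for i, first in enumerate(evs):
                hosts = {x["host"] for x in evs[i:] if x["ts"] - first["ts"] <= self.window}
                if len(hosts) >= self.spread_hosts:
                    out.append({"rule": "spread", "detail": detail, "hosts": sorted(hosts)})
                    break  # one alert per detection is enough
        return out

def edr_response(event, auto_threshold=3):
    """EDR side: isolate automatically at high severity, else queue the action for analyst approval."""
    if event["kind"] != "av_block":
        return "none"
    return "isolate" if event["sev"] >= auto_threshold else "pending_approval"

def run(events=EVENTS):
    # Forward each event to the SIEM, record the EDR response per host, then evaluate the rules.
    siem = Siem()
    responses = {e["host"]: edr_response(siem.ingest(e)) for e in events}
    return siem.alerts(), responses
```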

SOC

SOC stands for Security Operations Center. It is how security teams gather information, make determinations on what needs to happen to improve cybersecurity, and identify issues with configurations and behavior of systems that indicate compromise within an organization. It requires that people monitor the SOC for issues and record their findings for future investigations. Without responders this would be the equivalent of installing the video security system, turning it on, and never looking at it again. The SOC is staffed with security experts and junior analysts who can monitor it and escalate issues to incident responders and system administrators as issues are identified. This is similar to having a team of people watching the video security system and going through motion alerts to determine if the alert was generated by a stray animal, a bug, or a verified intruder, and being able to contact the police in the event of a break-in.

MDR

MDR stands for managed detection and response. This concept integrates the SOC and EDR (endpoint detection and response). MDR differs from an in-house SOC team in that it is not an internal team that handles the detection and response; instead it is managed by an outside party that is focused entirely on cybersecurity. This would be the equivalent of buying ADT as a service, where the provider handles installation of the cameras and sensors as well as monitoring them.

Words of Caution

Each of these solutions should be used appropriately. By this I mean if you run a single coffee shop or have a home network with two or three computers and a printer, configuring and installing a SOC and assigning or hiring people to watch it day and night is overkill. Hiring an MDR provider to install agents and maybe manage your router might be a better route for a small business. If you are trying to learn more about cybersecurity and want to deploy a SOC and monitor it, it can be a great learning experience. For a financial company that has 200 employees, 5 servers, network infrastructure, and an internal IT team, looking into a SOC and hiring a team of analysts and incident responders makes good sense given the data that is being processed and the scope of assets. Know what your risks are and understand where the line should be drawn between reasonable and unreasonable paranoia.

In Conclusion

To bring it all together in one short paragraph: Antivirus is what stops viruses from infecting your computer, but it often lacks notification capabilities beyond sending a pop-up alert to the computer. EDR is like antivirus but allows alerts to be sent to a central logging system and actions to be taken. SIEM is the system that aggregates logs from many sources and allows for looking at alerts and logs in one place; it does not provide response capabilities (that would be SOAR, security orchestration, automation and response, which allows real-time configuration changes to take place based on information in the SIEM). Instead it allows analysts to work with data in one place. MDR is the process of hiring another company to detect and respond to threats in your environment, and it usually requires that you install their software and follow that company's guidance in order for them to adequately protect it.

Resources

There is a lot of really good open source security software out there, not only for the malicious but also for those of us interested in protecting networks and data.

Wazuh is an open source EDR tool that requires a server and agents to be deployed. It can monitor for changes on systems and provides you with insights on how to improve configurations. It supports Linux, Windows and Mac. Once again, like a SOC, this requires monitoring and a lot of configuration legwork on your part.

Security Onion: I have spoken about this before but figure it's worth a mention again. This is a freely available SOC platform; it requires a lot of initial configuration, but once it is set up it can be very, very helpful when trying to figure out what is going on in your network. It integrates Elastic Endpoint (commercial and free editions are available), Suricata, Zeek and other network monitoring systems for a comprehensive view of the network.

There are literally hundreds of antivirus and MDR companies out there. A couple of good questions to ask if you end up needing one are: What industry do they normally protect? What types of threats are they protecting you against? Is the MDR company able to protect an organization of your size adequately? It also never hurts to ask other companies in your field about MDR companies they have had good experiences with.