Introduction
With the exponential growth of vendor-developed IT solutions, a need has arisen for a technology capable of collecting and analyzing log data (“telemetry”) being generated from a vast variety of sources.
The data collected is diverse: examples include application activity, user activity, network logs, and much more. Essentially, anything that produces a text log can be considered a data source for an endpoint agent monitoring it.
SIEM vs MDR
Security Information and Event Management (SIEM) tools are used to consolidate and analyze all this endpoint log data. But to properly take advantage of a SIEM tool, every data-producing source must be able to work with your SIEM tool, and the logs from each source must be continually maintained and stored.
Once log sources are configured to work with the SIEM, organizations still need to conceive of, and then build, analytic rules that take security concerns into consideration and properly react to every single log entry generated.
From a security perspective, the limitation with the SIEM approach is that it can only gain visibility into the logs a source can produce. This is like reading newspaper headlines, instead of witnessing the event directly. There is value in reading headlines, but the full story may not be available to the reader.
While SIEMs fulfill the important function of collecting log data and enabling its analysis, it can be very difficult to attract and retain staff who know how to effectively manage logs and SIEM tools. And as the SIEM tool matures within the organization, these challenges around complexity and maintenance also increase.
In the absence of alternatives, SIEMs have become a requirement among regulatory and compliance frameworks, regardless of the high cost and experience required to successfully implement and manage one. This is a well-intentioned policy decision in trying to ensure operators are aware of the activity on their networks and have the ability to identify malicious activity.
Over time, however, threat actors have evolved to the point that SIEMs can no longer keep up with emerging tactics. Operators can only react to threats that the SIEM has logged, and this reaction is slowed further by the need to create rules that deal with identified threats; by this point, it's usually too late. Creating active and automated responses to threats is a challenge, if not an impossibility, for SIEM solutions.
In many cases, organizations still rely on SIEMs to store and retain their historical logs for audit purposes. But reliance on them to deliver cyber security outcomes has fallen significantly in all but the largest enterprise environments.
Field Effect, a Managed Detection and Response (MDR) solution, has been built to identify technical risks (vulnerabilities) that can lead to an attack, as well as attacks that are actually underway. Our solution is deployed across customer IT devices (desktops and servers) via an endpoint agent, network sensors (physical or virtual), and cloud services (such as Microsoft365). Beyond detecting threats and risks, Field Effect can trigger responses to threats, such as isolating or locking a compromised system.
The security telemetry and coverage provided by Field Effect is broad. This combination of risk reduction and sophisticated threat detection covers the network, endpoint IT devices, and cloud services. Field Effect MDR includes, as a subset, what most vendors refer to as Managed EDR.