• United States



How the combination of XDR and SIEM can improve SOC operations

Jun 05, 20234 mins

SOCs need help to keep up with the growing volume of security alerts they receive. Discover how many teams are utilizing a combination of XDR and SIEM to improve operations.

istock 610855316
Credit: iStock/Marco_Piunti

By Microsoft Security

We’ve all seen the headlines on the latest ransomware attack or emerging cyberthreat trends, but what about the day-to-day challenges that security operations centers (SOCs) face?

SOC teams are responsible for a wide range of duties, including monitoring identities, endpoints, servers, databases, network applications, websites, and other systems to uncover potential cyberattacks in real-time. This allows them to prevent, detect, and respond to threats in a timely manner. They also conduct proactive security by using the latest threat intelligence to stay current on threat groups and infrastructure while identifying and addressing system or process vulnerabilities before attackers can exploit them.

And while this work is critical for maintaining organizational productivity, it also represents a significant demand on the part of SOC teams. This is especially true when you consider the growing number of attack vectors, increase in cyberthreat activity, and widening cybersecurity skills gap. SOC teams need a better way to keep up with the accelerating pace of demand while also maintaining a strong security posture.

Read on to learn how your company can leverage a combination of extended detection and response (XDR) and security information and event management (SIEM) solutions to improve SOC operations moving forward.

What challenges do SOCs face?

SOCs must operate 24 hours a day, seven days a week in order to keep up with the sheer number of security incidents that occur daily. According to Microsoft data, there was a 130% increase in ransomware attacks alone in 2022. For SOC teams, this translates to more than 10,000 alerts every day, leading to a sense of alert fatigue and increased dwell time.

SOCs need help to keep up with the growing volume of security alerts they receive, and they often have difficulty determining which alerts to prioritize against their potential organizational risk. One survey found that more than half of IT professionals spend more than 20% of their time prioritizing security alerts. Not only does this contribute to job turnover, it can also lead to critical security alerts going unaddressed. Of those same survey respondents, 55% report missing critical alerts on a weekly or even daily basis due to ineffective alert prioritization.

This is also happening alongside a broader trend of security tool diversification and a lack of skilled cybersecurity workers. According to Microsoft research, a standard-sized organization deploys 50 security tools on average, increasing complexity and downtime for SOC teams. And because there are an estimated 3.5 million unfilled cybersecurity jobs globally, SOC teams also struggle with insufficient resources and skills to handle their workload.

How can the combination of XDR and SIEM help?

These statistics may seem overwhelming, but there are several solutions at your disposal. Unified XDR and SIEM solutions can greatly modernize security operations, providing end-to-end threat visibility across your resources. Critically, they can also correlate and prioritize security alerts to provide timely, actionable insights across all enterprise assets.

This is done through a combination of AI and ML. By unifying XDR and SIEM, SOC teams can better prevent, detect, and respond to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms. This breadth of data provides comprehensive signals across your modern work and cloud infrastructure, which informs SOC teams with faster insights and greater accuracy.

These inputs can then be combined with broader threat intelligence from leading researchers and cybersecurity companies to inform the ML model moving forward. Likewise, automation can be used to surface the most pressing security alerts and provide much-needed context around what is happening and which systems have been impacted—ultimately helping to decrease SOC workloads.

Ultimately, by using XDR and SIEM solutions in parallel, SOC teams can cut down on alert fatigue, decrease their mean time to acknowledge and respond to threat alerts, prioritize attention, and reduce the time needed for reporting and post-incident activity—delivering a better cybersecurity experience overall.

For more information on the latest cybersecurity offerings and threat intelligence insights, visit Microsoft Security Insider.