Blog

EDR & SIEM

Steve Ripper from PCG explains endpoint detection and response (EDR) and security incident event management (SIEM) software. He talks about why they are critical for business cybersecurity.

Hi, my name is Steve Ripper. I’m a senior network engineer here at PCG. I’m also a member of the security team. Two services that we get asked about often are EDRs and SIEMs. An EDR is endpoint detection and response software, and SIEMs are security incident event management software, usually third party in that case. So an EDR is antivirus software that’s really souped up. It’s installed on devices, and it does what we call heuristic scanning or behavioral analysis. Antivirus, by contrast, is more aimed at definition files; in other words, it is very reactive to something that’s in its database.

EDRs can actually see patterns that are happening on the device and react to them, such as large amounts of files being created, large amounts of log-on access, things of that nature. SIEMs are a different animal. They are services, usually third party, that can look at logs and look at the management processes on devices like servers, firewalls, and switches, and then react to patterns and changes within your network environment. They’re usually managed by a SOC or a security operations center that can look at those patterns and react to them 24 hours a day and make changes based on what is happening. So they can see patterns like hacking attempts. They can see patterns like logs being formatted and used incorrectly, things of that nature.
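The two patterns mentioned above (a burst of log-on attempts and a burst of files being created) are the kind of thing an EDR or SIEM rule keys on. The following is an added example, not code from PCG or from any product the post describes: a toy sliding-window correlation over constructed log lines. The log format, the field names (`src`, `pid`), and the thresholds are assumptions made for the example; a real SIEM would tune them per environment and enrich the alert with context before a SOC analyst acts on it.

```python
"""Toy SIEM-style correlation over constructed log lines.

Added example, not PCG's code. Two rules mirror the patterns described in
the post: a burst of failed log-ons from one source, and a burst of
file-creation events from one process. The line format below is assumed
for this example and does not correspond to any particular product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <EVENT> key=value ..."
SAMPLE_LOGS = """\
2024-01-15T09:00:01 LOGON_FAILED src=10.0.0.7 user=alice
2024-01-15T09:00:02 LOGON_FAILED src=10.0.0.7 user=bob
2024-01-15T09:00:03 LOGON_FAILED src=10.0.0.7 user=carol
2024-01-15T09:00:04 LOGON_FAILED src=10.0.0.7 user=dave
2024-01-15T09:00:05 LOGON_FAILED src=10.0.0.7 user=erin
2024-01-15T09:00:06 LOGON_OK src=10.0.0.9 user=alice
2024-01-15T09:05:00 FILE_CREATED host=ws01 pid=4321 path=C:/docs/a.txt.locked
2024-01-15T09:05:01 FILE_CREATED host=ws01 pid=4321 path=C:/docs/b.txt.locked
2024-01-15T09:05:02 FILE_CREATED host=ws01 pid=4321 path=C:/docs/c.txt.locked
2024-01-15T09:05:03 FILE_CREATED host=ws01 pid=4321 path=C:/docs/d.txt.locked
2024-01-15T09:05:04 FILE_CREATED host=ws01 pid=4321 path=C:/docs/e.txt.locked
2024-01-15T09:05:05 FILE_CREATED host=ws01 pid=4321 path=C:/docs/f.txt.locked
2024-01-15T09:30:00 FILE_CREATED host=ws01 pid=77 path=C:/docs/report.docx
"""


def parse_line(line):
    """Split one assumed-format line into (timestamp, event name, fields)."""
    ts_str, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.fromisoformat(ts_str), event, fields


def sliding_window_detector(events, event_name, key_field, threshold, window):
    """Return one alert per key whose count of `event_name` events reaches
    `threshold` within a sliding time `window`.

    Each alert is (key, count, first_ts, last_ts). A key alerts once; a
    production rule would re-arm after a cooldown rather than stay silent.
    """
    windows = defaultdict(deque)  # key -> timestamps inside the window
    alerted = set()
    alerts = []
    for ts, event, fields in events:
        if event != event_name or key_field not in fields:
            continue
        key = fields[key_field]
        dq = windows[key]
        dq.append(ts)
        # Drop timestamps that have aged out of the window.
        while dq and ts - dq[0] > window:
            dq.popleft()
        if len(dq) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key, len(dq), dq[0], ts))
    return alerts


def analyze(log_text):
    """Run both rules over a block of log text, oldest event first."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    events.sort(key=lambda e: e[0])
    return {
        # 5 failed log-ons from one source inside 60 s (thresholds assumed)
        "logon_burst": sliding_window_detector(
            events, "LOGON_FAILED", "src", 5, timedelta(seconds=60)),
        # 5 files created by one process inside 10 s (thresholds assumed)
        "file_burst": sliding_window_detector(
            events, "FILE_CREATED", "pid", 5, timedelta(seconds=10)),
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOGS).items():
        for key, count, first, last in hits:
            print(f"{rule}: key={key} count={count} {first} .. {last}")
```

The deque-per-key approach is what keeps this cheap at scale: each event costs constant amortized work, so the same logic can run continuously on a device (the EDR case) or over a stream of forwarded server and firewall logs (the SIEM case). The single successful log-on from a different source and the lone document write from another process are correctly ignored, which is the point of counting per key rather than globally.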