Security Information and Event Management (SIEM)
Platform that collects and correlates security logs from across an environment for detection, investigation, and compliance reporting. Major vendors: Splunk, Microsoft Sentinel, Google Chronicle, Sumo Logic, Elastic, Exabeam, IBM QRadar.
More from Incident Response
Incident Response (IR)
Organized approach to detecting, containing, investigating, and recovering from security incidents. Phases: preparation, detection, analysis, containment, eradication, recovery, post-incident review. Many organizations maintain IR retainers with external forensics firms for faster engagement.
Endpoint Detection and Response (EDR)
Security tooling deployed on endpoints (laptops, servers) providing visibility into process execution, network connections, and file operations. Detects behavioral anomalies that signature-based antivirus misses. Major vendors: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Palo Alto Cortex XDR.
Extended Detection and Response (XDR)
Evolution of EDR integrating endpoint, network, identity, email, and cloud telemetry for cross-domain correlation. Major platforms: CrowdStrike Falcon Insight XDR, Microsoft Defender XDR, Palo Alto Cortex XDR, SentinelOne Singularity XDR.
Managed Detection and Response (MDR)
Outsourced security operations service combining EDR/XDR tooling with 24x7 human analysts who triage alerts and respond to incidents. Alternative to building an in-house SOC. Major providers: Expel, Red Canary, Arctic Wolf, CrowdStrike Falcon Complete.
Security Orchestration, Automation and Response (SOAR)
Platforms that automate incident response workflows. Ingesting alerts, running enrichment, executing containment actions. Major tools: Palo Alto XSOAR, Splunk SOAR, Tines, Torq, Swimlane.
Apply this to your environment
Our engagements address concepts like security information and event management (siem) in practice — not just definitions, but how the attack patterns apply to your stack and how to remediate.