MSSP, MDR, or SaaS SIEM?
Choosing the right approach for your organization
Effectively maintaining and operating an on-premises SIEM solution works for a lot of larger organizations. Many of our enterprise customers do this very successfully today and have the required in-house resources available. However, for a lot of organizations, including those in the multinational enterprise world, outsourcing some or all of their SIEM operations ensures they get the full value of the tool, without needing to hire and retain the full complement of people required for a truly in-house on-premises SIEM.
Managed services options
The cybersecurity, and indeed wider technology skills gap, is a well-documented challenge faced by organizations of all shapes and sizes, and managed service providers (MSPs) have been helping solve this for many years. The overall MSP market and associated offering set is vast, and unsurprisingly, given the technology skills gap (read: chasm), continues to grow at breakneck speed.
Managed security services providers (MSSPs), as the second “S” clearly suggests, focus on providing security offerings, including products and some level of monitoring and operations. In the case of SIEM, there are a range of offered services. On one end of the spectrum, the MSSP covers the basics of ensuring the product is deployed, functioning, configured and regularly upgraded with the onus fully on the customer to respond to alerts. Additional value-adds are commonplace, such as a layer of alert triage — essentially providing a tier 1 function — where the customer takes responsibility for tier 2+ operations. Some MSSPs have a SIEM as a transparent function — the SIEM itself is used as an internal tool by the MSSP’s analysts to monitor and respond to multiple customers as part of a use case driven set of services. Regardless of the type of MSSP service(s) provided, on the customer side there is still a degree of the requirement to respond to and contain MSSP findings, but much of the day to day heavy lifting is taken care of.
The newest subset of the managed security service family is managed detection and response (MDR) service providers. MDR services include more than alert triage and typically provide a full 24 x 7 security operations center (SOC), with options for inclusive incident response consultancy hours or the number of incidents through a retainer service. MDR providers will commonly offer a menu of services, which will have a mix of endpoint and network security vendor and proprietary technologies under the hood, as well as a tiered structure of security analysts, threat hunters, and incident responders. The SIEM technology is again often transparent to the end customer and is complemented by threat intelligence, automation, and advanced analytics capabilities. In their 2019 Market Guide for Managed Detection and Response Services, Gartner recommends the use of MDR services “to add 24/7 threat detection and incident investigation and response capabilities, when they don’t exist or are immature. Internal resources will still be needed for some response activities, and incident response retainers will be necessary for additional support as well.” Source: Expel.io
In addition to the larger MDR vendors, there are a plethora of boutique companies that can provide MDR services. Organizations looking for local language coverage or rapid on-site incident response support may prefer to utilize these types of providers.
In managed summary
Navigating the multitude of different available services from MSSPs and MDR vendors needs a focussed approach. As with any contracted service, it’s important to clearly define your organization’s requirements before shopping around. Make sure you fully understand what you are getting and what you are not getting as part of the service, to ensure expectations are set correctly on both sides. In general, the more menu options included in the service, the higher the costs will be, so it’s important to align your budget, your security maturity posture, and your available in-house skill set to the service that you ultimately choose.
Exabeam partners with a number of managed service providers. Do check out our featured services partner page for more information.
SaaS SIEM: security operations without the operational overhead
When your organization does have a security operations team and you prefer to run the show yourselves, a SaaS SIEM can relieve your team of the overhead of owning and maintaining on-premises equipment and software. Your team is freed up to focus on using the SIEM, and your budget isn’t tied up with capital expenditure. System sizing, maintenance, uptime, and product upgrades are all taken care of, meaning your security engineers can focus on other projects, and your analysts can be hands on keyboard. This is especially important when there is no defined line between security engineers and security analysts, and some of your team members are essentially wearing both hats.
Keeping operations in-house also gives you full control over the service levels you provide to the wider organization, and doesn’t tie you to defined contractual obligations that would come from a managed offering. However, you will obviously still be responsible for hiring, retaining, and training talent to run your SOC functions.
When choosing a SaaS SIEM, it’s important to look at solutions that will help you improve your security maturity, and support your security maturity growth without needing to invest in a host of other tools. Consider the skill set needed to get value from your SIEM, and whether that matches with your current (and future!) talent. Complexity can quickly equal expense, especially if you need a data scientist to get value from your data. While a SaaS SIEM eliminates the need for capex budget spend, evaluating pricing models will help you select a vendor that won’t surprise you with giant data bills halfway through the contract
Common services at a glance
|Services Included||MSSP||MDR||SaaS SIEM|
|System health monitoring||✔||✔||✔|
|Service Delivery Reports||✔||✔|
|Threat Summary Reports||✔||✔|
|Proactive Security Alerting||✔|
|Alert Triage||✔||Via SOAR|
|Incident Response & Containment||Additional Cost||✔ (usually via retainer)|
In final summary
MSSPs, MDR and SaaS SIEM tools all have their benefits and considerations. Choosing what is best for your organization ultimately depends on whether you have the right skills in-house, where you are in your security maturity journey, and what your strategic security roadmap looks like.
Our team is happy to help you work through the process of finding what’s best for you. Click here to start the conversation!