SIEM vs MSSP vs MDR: A Showdown
Cybersecurity is as much a part of modern business as office spaces or electronic devices used for productivity. But for small-to-midsize enterprises (SMEs), a unique set of circumstances makes it seem burdensome:
- Prohibitively steep costs to operate an in-house security operations center (SOC)
- A cybersecurity skills shortage leading to high security analyst salaries
- Advanced criminal hacking techniques that make most point solutions ineffective.
Consequently, IT decision-makers make do with what they have, which is typically one of three viable security models:
- Security information and event management (SIEM)
- Managed security services providers (MSSPs)
- Managed detection and response (MDR) services.
We break down these three security models to identify the best solution the SME market. Here’s our take:
Security information and event management is the cornerstone technology of a SOC. It integrates with various IT systems and log flows to ingest data for event analysis via a central console.
The standard SIEM relies on rules-based programming, meaning event alerts can only be triggered based on pre-designated configurations. This makes it relatively easy for security analysts to identify possible threats on the network.
Although aSIEM is a security mainstay for countless organizations, its effectiveness for threat detection and response is hampered by several factors:
- False positives: Billions of network events may occur in a single day. A SIEM can narrow these down, but analysts will still need to sift through as many as 150,000 alerts daily. This is because a SIEM’s context is limited to its rules, which can quickly require updating in a rapidly changing threat landscape. The result is large number of false positives that cause alert fatigue.
- Misses: Also known as false negatives, misses are what happen when an event appears innocuous because it doesn’t violate a SIEM rule, yet is actually a viable threat. Phishing scams, fileless malware, advanced persistent threats and zero-day exploits are notorious examples of such silent subterfuge.
- High total cost of ownership: Because of the above issues, a SIEM requires constant attention, unending configuration maintenance, and the expertise of experienced security analysts and incident responders. This makes it costly to manage. A SIEM solution is also time-consuming and can take up to a year to implement.
Pros: Great for data aggregation and event correlation.
Cons: Complex, expensive, noisy, limited in its insights.
Bottom line: A SIEM has its place as a data ingestion tool in a SOC, and will for the foreseeable future, but it lacks the ability to perform meaningful analysis that will reduce false positives. It’s no longer enough by itself, which is frustrating considering it’s difficult to afford in the first place.
Managed security services are an increasingly popular option for a simple reason: They provide an affordable, subscription-based security model.
Rather than owning and managing security tools in-house, MSSPs handle the hardware and software updates, the system optimization and the ongoing management of those resources. This relieves the pressures of alert fatigue, ongoing SIEM management, the struggle to find qualified security analysts and overall maintenance costs.
However, MSSPs are not a replacement for a SOC. They can bring value to your security posture, but only if they actually fill a gap in your existing Infosec ecosystem—something that’s unclear without access to impartial security analysts. Other drawbacks of MSSPs include:
- Lack of personalized support: Support is often relegated to contact centers where representatives have limited context into the client’s business or industry. As a result, problems may take significantly longer to resolve.
- Useless post intrusion: MSSPs are predominantly preventative. They will not actively threat hunt for indicators of compromise (IOCs) on the network and they won’t optimize incident response in the event of an undetected breach.
- Poor visibility: MSSPs won’t help you holistically improve your security posture, and they very rarely aid in compliance management (HIPAA, PCI DSS).
Pros: Cost effective.
Cons: Impersonal support, won’t necessarily help you maintain compliance, poor visibility.
Bottom line: MSSP is not a replacement for a SOC. So while you may have a security expert managing a set of point solutions for you, these tools are still just that: tools. You won’t get a premium security service that helps you elevate your threat detection and incident response capabilities.
Managed detection and response is a type of security service that offers 24/7/365 continuous threat monitoring of a customer’s network–including events/logs, suspicious activity and alerts–all for a predictable subscription fee. A SIEM is part of the service offering, but MDR is not synonymous with a managed SIEM service.
Rather, MDR’s defining feature is the provisioning of dedicated security engineers to each account who act as extensions of the end-customer’s IT and security teams. They perform real-time, continuous monitoring, threat hunting on the client’s network, incident response, vulnerability scans and assessments, compliance management and reporting, and regular reports on the state of the company’s security posture. The MDR vendor manages its own SIEM, which is usually augmented by cognitive analysis capabilities.
This combination of human expertise, SIEM and advanced event analysis is commonly referred to as hybrid AI security. It significantly expedites alert triaging, and limits false positive cases. Conversely, “misses” occur less frequently since analysts can orchestrate meaningful log data analysis. Upon detection of IOCs, security analysts take immediate response actions, and work directly with customers to accelerate time to remediation.
MDR providers are not in direct competition with MSSPs. During vulnerability scans, the dedicated security engineer may make recommendations for point solutions that could enhance detection capabilities. In effect, this engineer also acts as an objective security consultant who is intimately familiar with the client’s network.
Bottom line: MDR provides the cost efficiency of an MSSP, the on-demand expertise of an in-house SOC staffed by security experts, and a significantly enhanced version of a SIEM. It’s the clear winner for SMEs.
To learn more, read our white paper.