To SIEM or not to SIEM: A mid-market perspective
For the past decade, the enterprise gold standard for security monitoring has been the Security Information and Event Management tool, or SIEM. This class of tool collects and parses millions of log events from across a distributed network, correlates them against rules, and flags potential threats. When paired with sophisticated analytics and a dedicated team to act on the alerts, the SIEM is a keystone of enterprise security.
So it’s not surprising that midmarket and growing companies are turning to SIEM as they look to bulk up their security in the face of today’s cyberattacks.
But companies that thoughtlessly opt for a SIEM may be in for a shock.
For starters, a SIEM is expensive. The deployment of an on-premises SIEM can take months, during which it imposes heavy personnel costs while delivering no actual security. Deployments can fail, and a failed enterprise-scale deployment is about the biggest expense out there, second only to a major data breach. CIOs facing a slow, risky SIEM rollout are caught between a rock and a hard place.
Once the solution is up and running, the costs keep coming. If you actually want 24/7/365 monitoring and threat detection, you need to pay a team of security engineers to cover nights and weekends. If you cut corners, you leave gaps in coverage that an attacker can use. The best practice is a team of several full-time engineers monitoring the network around the clock, and that is a huge expense to swallow.
And even if you can afford a full-scale security team, a SIEM can still pose serious challenges. For example, even a slight tweak to a correlation rule (lowering a threshold, widening a time window) can turn benign activity into a flood of false positives: alerts for attacks that never happened. Such alerts grind down security teams and processes, creating additional cost and stress, and they lead to alert fatigue, where analysts start ignoring alerts and the real attack slips through. That increases risk rather than reducing it.
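To make the false-positive problem concrete, here is an added example (not code from the original article or from any SIEM product) of a failed-login correlation rule run over a constructed set of authentication events. The rule, the threshold values, the window, the IP addresses and the events themselves are all assumptions chosen for illustration. The only change between the two runs is the failure threshold, and that one tweak multiplies the alert volume while the number of real attacks stays at one.

```python
"""Added example: how a small change to a SIEM correlation rule changes
the alert volume. All events below are constructed sample data."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed auth events as (timestamp, source_ip, outcome).

    Six internal hosts each produce two quick typos followed by a success
    (benign). One external address produces twelve failures in a minute
    (a brute-force attempt). Addresses are illustrative, not real hosts.
    """
    base = datetime(2024, 5, 1, 9, 0, 0)
    events = []
    for i in range(6):
        t = base + timedelta(minutes=i)
        src = f"10.0.0.{10 + i}"
        events += [
            (t, src, "failed"),
            (t + timedelta(seconds=5), src, "failed"),
            (t + timedelta(seconds=12), src, "success"),
        ]
    for k in range(12):
        events.append(
            (base + timedelta(minutes=3, seconds=5 * k), "203.0.113.9", "failed")
        )
    return events


def failed_login_rule(events, threshold, window_seconds):
    """Alert when `threshold` failures from one source fall inside the window.

    After an alert fires for a source, that source is suppressed until the
    window has elapsed, so one burst yields one alert rather than dozens.
    Returns the list of (timestamp, source_ip, failure_count) alerts.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    suppressed_until = {}         # source_ip -> time suppression ends
    alerts = []
    for ts, src, outcome in sorted(events):
        if outcome != "failed":
            continue
        if src in suppressed_until and ts < suppressed_until[src]:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, src, len(q)))
            q.clear()
            suppressed_until[src] = ts + window
    return alerts


def evaluate_rule(events, threshold, window_seconds, known_attackers):
    """Count total alerts and how many point at a source we know is hostile.

    `known_attackers` is the ground truth for this constructed data set; a
    real SOC would learn it only after investigating each alert.
    """
    alerts = failed_login_rule(events, threshold, window_seconds)
    true_positives = sum(1 for _, src, _ in alerts if src in known_attackers)
    return {"alerts": len(alerts), "true_positives": true_positives}


if __name__ == "__main__":
    events = build_sample_events()
    attackers = {"203.0.113.9"}
    for threshold in (5, 2):
        result = evaluate_rule(events, threshold, 300, attackers)
        print(f"threshold={threshold}: {result['alerts']} alerts, "
              f"{result['true_positives']} real attack(s)")
```

With the threshold at five failures in five minutes, the rule fires once, on the brute-force source. Lowering the threshold to two, a change an analyst might make to "catch more", fires seven times for the same single attack: six of the seven alerts are users mistyping a password. Every one of those still has to be triaged, which is exactly the cost and fatigue the paragraph above describes.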
So should you SIEM?
The answer depends on the resources available to your organization. Given the complexity, cost, and risk associated with a SIEM, it is often not the best fit for a mid-market company. Without the people to manage deployment, round-the-clock monitoring, and ongoing rule tuning, a SIEM ends up burdening your budget while leaving you no safer than before.
From SOC to MDR: The evolution of threat detection and response
If a SIEM isn't a good fit for a mid-market company, what's the alternative? Here we introduce another security term: the Security Operations Center. A SOC is an umbrella term for the combination of people, processes, and technology (including, but not limited to, a SIEM) that provides continuous security monitoring, historically only to the most advanced enterprises.
As security technology has improved, and as the threat of cyberattacks has grown more serious, a new category of solution has emerged: SOC-as-a-Service. SOC-as-a-Service vendors offer the capabilities of a SOC to their customers: their own SIEM technology, trained security staff, and defined security processes backed by SLAs that meet business needs. Because the vendor's expertise and tooling are shared across many customers, these capabilities become available to mid-market companies at an affordable price point.
For mid-market CIOs and CISOs considering SIEM solutions, a SOC-as-a-Service offering has multiple advantages. It provides the monitoring and detection benefits of a fully functional SIEM at a fraction of the cost and risk of an on-premises SIEM deployment, and it comes with the staff and processes that an in-house SIEM would otherwise have to be built around.
Of course, the world of SOC-as-a-Service solutions isn't standing still, either. Forward-looking SOC-as-a-Service providers are shifting their service model towards Managed Detection and Response (MDR). These providers understand that perimeter security alone does not prevent modern attacks, and so they add the capability to investigate and remediate attacks that are already in progress, rather than only alerting on them.
MDR providers are able to deliver enterprise-class security to mid-market companies, and they should be on every CISO’s radar as they navigate the challenges of modern cybersecurity.