Cybersecurity is a constant struggle.
New threats keep popping up. Point solutions are ineffective. And the cybersecurity skills shortage makes it difficult to recruit and retain top talent—especially with the increasing salaries required to be competitive.
As an alternative, you may consider a security operations center (SOC), until you find out that operating one in-house is prohibitively expensive.
Given these challenges, among others, many IT decision makers turn to one of three security models:
· Security information and event management (SIEM) solutions
· Managed security services providers (MSSPs)
· Managed detection and response (MDR) services
Which one is most viable for your organization? How do you choose the option that best meets your business needs?
Here's our take on the pros and cons of the three security models and how to identify the right solution for your organization.
SIEM vs MSSP vs MDR: An Essential Guide
· Great for data aggregation and event correlation
· Helps streamline compliance
· Limited in insights
· Needs continuous tuning and updates
Security information and event management (SIEM) is the cornerstone technology of a SOC. It integrates with various IT systems and log flows to ingest data for event analysis via a central console.
As the name somewhat implies, SIEM combines security event management (SEM)—which monitors, gathers, analyzes, and correlates log and security-event data in real time—and security information management (SIM), which provides more of a historical, long view of the log data, as well as reporting.
The SIEM collects and aggregates data from different devices, security tools, and appliances, such as network devices (e.g., routers and domain controllers), endpoint security (antivirus, endpoint detection and response), intrusion detection or intrusion prevention systems, honeypots, and so on.
The standard SIEM relies on rules-based programming, meaning event alerts can only be triggered based on pre-designated configurations. This makes it relatively easy for security analysts to identify possible threats on the network. On the other hand, since the rules are static, a SIEM is most effective against known rather than unknown threats.
When SIEMs came to the market almost 15 years ago, many practitioners considered the combination of information management and event management ground-breaking.
Since then, the technology has gone through iterations to improve and enhance its capabilities.
Despite these advances—and the fact that SIEM is a security mainstay for countless organizations—its effectiveness for threat detection and response is hampered by several factors, including:
False positives: Billions of network events may occur in a single day. SOC analysts sift through tens of thousands—up to hundreds of thousands—of daily alerts on average. A SIEM reduces this number, but the SIEM's context is limited to its rules, which can quickly require updating in a rapidly changing threat landscape. The result is a large number of false positives, which contribute to alert fatigue.
Misses: Also known as false negatives, misses happen when an event appears innocuous because it doesn't violate a SIEM rule but is actually a viable threat. Phishing scams, fileless malware, advanced persistent threats, and zero-day exploits are notorious examples of such silent subterfuge.
High total cost of ownership: Because of the above issues, a SIEM requires constant attention, unending configuration maintenance, and the expertise of experienced security analysts and incident responders. This makes it costly to manage. A SIEM solution is also time-consuming and can take up to a year to implement.
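To make the false-positive and miss problem concrete, here is an added example (not code from the original article) of a toy rule-based SIEM correlation rule run over constructed login-failure events; the event data, the `brute_force_rule` and `score_rule` functions, and the analyst ground truth are all constructed for illustration:

```python
# Added example, not code from the original article: a toy rule-based SIEM
# correlation rule run over constructed log events, showing how a static
# threshold rule produces both false positives and misses (false negatives).
from collections import defaultdict

# Constructed sample events: (timestamp in seconds, source IP, username).
# All are failed logins; the ground truth below says which sources are hostile.
AUTH_FAILURES = [
    (0, "10.0.0.5", "svc-backup"), (10, "10.0.0.5", "svc-backup"),
    (20, "10.0.0.5", "svc-backup"), (30, "10.0.0.5", "svc-backup"),
    (40, "10.0.0.5", "svc-backup"),              # burst: expired service password
    (0, "10.0.0.9", "admin"), (600, "10.0.0.9", "admin"),
    (1200, "10.0.0.9", "admin"), (1800, "10.0.0.9", "admin"),
    (2400, "10.0.0.9", "admin"),                 # same count, spread over 40 min
    (5, "10.0.0.7", "alice"), (65, "10.0.0.7", "alice"),  # two typos
]
# Constructed ground truth: the sources a human analyst would call hostile.
HOSTILE_SOURCES = {"10.0.0.9"}

def brute_force_rule(events, threshold=5, window=60):
    """Static SIEM-style rule: alert when one source has >= threshold
    failed logins inside any sliding window of `window` seconds.
    Returns the set of source IPs that triggered the rule."""
    by_source = defaultdict(list)
    for ts, src, _user in events:
        by_source[src].append(ts)
    alerted = set()
    for src, stamps in by_source.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # shrink the window from the left until it spans <= `window` seconds
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerted.add(src)
                break
    return alerted

def score_rule(alerted, hostile):
    """Compare rule output with analyst ground truth."""
    return {
        "true_positives": sorted(alerted & hostile),
        "false_positives": sorted(alerted - hostile),   # alert fatigue
        "misses": sorted(hostile - alerted),            # silent threats
    }

if __name__ == "__main__":
    print(score_rule(brute_force_rule(AUTH_FAILURES), HOSTILE_SOURCES))
```

With the default rule the noisy service account is flagged while the slow, spread-out attempts are missed; widening the window to an hour catches the slow source but keeps the false positive, which is the tuning trade-off the text describes.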
Pros: Great for data aggregation and event correlation for help with threat detection; helps streamline compliance.
Cons: Complex, labor-intensive, expensive, noisy, limited in its insights. Requires continuous tuning and updates for new threats.
Bottom line: A SIEM has its place as a data ingestion tool in a SOC, and will for the foreseeable future, but it lacks the ability to perform meaningful analysis that will reduce false positives. It's no longer enough by itself, which is frustrating, considering its high costs.
· Augment in-house capabilities
· Helps alleviate the security talent shortage
· Lack of control over security portfolio
· Lack of personalized support
· Won't actively hunt IOCs
Managed security services providers (MSSPs) are IT security providers that monitor, maintain, and manage security 24x7. Some organizations outsource all their security functions to MSSPs, while others use a provider to supplement their in-house capabilities and bridge gaps.
Managed security services are an increasingly popular option for a simple reason: They provide an affordable, subscription-based security model.
When you outsource all or most of your security, you don't need to own and manage security tools in-house because the MSSP handles the hardware and software updates, the system optimization, and the ongoing management of those resources. The MSSP provides its own analysts, which means you don't have to hire and train your own security personnel.
An MSSP relieves the pressures of alert fatigue, ongoing SIEM management, the struggle to find qualified security analysts, and overall maintenance costs. But it's critical to realize that MSSPs are not a replacement for a SOC.
MSSPs can bring value to your security posture, but only if they actually fill a gap in your existing infosec ecosystem — something that's difficult to assess without the ability to independently evaluate the capabilities of the vendor.
On top of that, a lack of control over the vendor's security portfolio and processes creates risks, especially when it comes to data privacy and compliance. Although it's the MSSP's job to protect you from data breaches, you're the one who'll be liable if your customer data becomes exposed and you find yourself not in compliance with regulations such as HIPAA.
Other drawbacks of MSSPs include:
Lack of personalized support: Support is often relegated to contact centers where representatives have limited contextual insight into the client's business or industry and don't necessarily understand how the client's internal systems work. As a result, problems may take significantly longer to resolve. A lack of understanding of your business, IT environment, and constraints may also impede the MSSP's ability to make the best decisions on your behalf.
Useless post-intrusion: MSSPs are predominantly preventative. They will not actively threat hunt for indicators of compromise (IOCs) on the network, and they won't optimize incident response in the event of an undetected breach.
Limited scope: While the MSSP takes alert monitoring off your hands, it doesn't necessarily include analysis, triage, and response. In many cases, that's still up to you, so you need to ensure you have adequate expertise in-house to take action.
Poor visibility: MSSPs won't help you holistically improve your security posture, and they very rarely aid in compliance management (e.g., HIPAA, PCI DSS). If you don't assess and understand your own strengths and weaknesses and rely completely on the MSSP, you still leave gaps in your defenses.
Pros: A cost-effective, good way to augment your in-house capabilities; alleviates the security talent shortage.
Cons: Impersonal support, won't necessarily help you maintain compliance, poor visibility, adds new risks.
Bottom line: An MSSP is not a replacement for a SOC. While you may have a security expert managing a set of point solutions for you, these tools are still just that: tools. You won't get a premium security service that helps you elevate your threat detection and incident response capabilities.
· Personalized service by a dedicated team
· Cost savings compared to an in-house SOC
· Not all vendors include both on-premises and cloud monitoring
· Not all vendors offer the same depth of compliance reporting
Managed detection and response (MDR) is a type of security service that offers customers 24x7 continuous threat monitoring of their network — including events/logs, suspicious activity, and alerts — for a predictable subscription fee. A SIEM is part of the service offering, but MDR is not synonymous with a managed SIEM service.
Rather, MDR's defining feature is the provisioning of dedicated security engineers to each account. They act as extensions of the end-customer's IT and security teams, performing real-time and continuous monitoring, threat hunting on the client's network, incident response, vulnerability scans and assessments, compliance management and reporting, and provide regular reports on the state of the company's security posture.
The MDR vendor manages its own SIEM, which is usually augmented by cognitive analysis capabilities. In addition to a SIEM, MDR providers use other advanced technology and comprehensive tools, including integrated threat intelligence.
The combination of human expertise, SIEM, and advanced event analysis is commonly referred to as hybrid AI security. It significantly expedites alert triaging and limits false positive cases. And "misses" occur less frequently since analysts can orchestrate meaningful log data analysis. Upon detection of IOCs, security analysts take immediate response actions and work directly with customers to accelerate time to remediation.
Integrating vulnerability management with threat response has advantages because not only is your MDR team constantly identifying new vulnerabilities and prioritizing patching for you, but they're also monitoring for emerging threats at the same time.
By identifying vulnerabilities and remediating the weaknesses before threat actors can exploit them, MDR effectively reduces the attack surface. Threat hunting capabilities, which combine automated tools with human analysts to track unknown threats, further serve to provide proactive defenses and reduce the damage that attackers can inflict on your environment.
MDR providers are not in direct competition with MSSPs. During vulnerability scans, the dedicated security engineer may make recommendations for point solutions that could enhance detection capabilities. In effect, this engineer also acts as an objective security consultant who is intimately familiar with the client's network.
Unlike MSSPs, which require a separate retainer for incident response services, MDR companies offer different levels of incident response as part of their basic fee. Effectively, MDR services are the equivalent of SOC-as-a-service, providing you managed SOC capabilities.
Pros: Personalized service by a dedicated team that understands your business and environment. Better technology, proactive capabilities, and cost savings compared to an in-house SOC.
Cons: Not all vendors include both on-prem and cloud monitoring, and not all offer the same depth of compliance reporting you may need.
Bottom line: MDR provides the cost efficiency of an MSSP, the on-demand expertise of an in-house SOC staffed by security experts, and a significantly enhanced version of a SIEM. It's a more holistic approach that improves your security posture.
To sum it up, when it comes to SMEs, MDR is the clear winner for keeping your organization safe from threats.
To learn even more, read our white paper Why Choose MDR over MSSP or SIEM.