Now more than ever, the mid market needs to find a way to excel at cyberthreat detection and response without spending an arm and a leg. The alternative – cutting corners – isn’t really much of an alternative at all given the immense potential for damages following an intrusion. Ransomware alone will rake in $1 billion by the end of 2016, according to the FBI.
Perhaps most frustratingly of all, the tried-and-true mechanism for threat detection and response, SIEM, has left many a mid-market organization by the wayside thanks to its insufferably high operational expenses, its noisiness and various other reasons we’ll explore in this blog post. If your security posture appears to be coming apart at the SIEM, it’s time for a change.
The cost of SIEM Management
It bears repeating that SIEM management is extremely expensive. In fact, a recent survey of 234 large enterprises found that nearly 70 percent of these businesses wanted to cut back on the cost of SIEM management. Again, these are large corporations that, in theory at least, have more resources at their disposal that will allow them to manage a SIEM. If they’re unhappy with the cost, it’s only logical that the mid-market would be as well.
So why exactly is SIEM so expensive? There are several reasons, according to a recent document published by Arctic Wolf Networks:
- 24/7 expertise: A SIEM will generate thousands of notifications every day, and at all hours. Many of these will need to be acted upon by an expert security engineer, which necessitates a skilled, full-time staff. Further, by full-time, we don’t mean 9 to 5. We mean 12 to 12. Between salary and benefits, all of those man hours really start to add up.
- “Volume, variety, velocity”: An accurate alerting system with refined configurations requires a massive amount of log data aggregated from a variety of business sources (which is becoming more difficult thanks to remote working and BYOD). All of this data must subsequently be analyzed in near-real time. Building or buying a SIEM that can do all of this, let alone managing it, will cost you.
- Complexity: Depending on how thin an IT staff runs, SIEM can take up to a year or more for deployment. Even then, managing a SIEM is hardly a set-it-and-forget-it endeavor. The configurations and algorithms that are in place to identify threats or deviations need constant tuning in order to stay in step with the most recent cyberthreats. Again, this requires a significant amount of time, energy and money that most mid-market businesses simply don’t have access to.
Assessing the alternatives: MSSP or MDR?
“Managing SIEM is like riding a bike uphill.”
In a recent webinar moderated by SC Magazine, Sridhar Karnam of AWN compared managing SIEM to riding a bike uphill. As any person who has shared in this experience knows, you can’t stop pedaling. SIEM is like that. It requires constant laboring to sift through alerts and fine tune configurations.
For our purposes, let’s say that the alternative to biking uphill is to have someone who’s more fit than you pedal while you get pulled from behind in a cart. That’s what you get with managed SIEM and other MSSP offerings. The problem with outsourcing a SIEM, like getting pulled behind a bike, is the loss of visibility and control. A managed SIEM service provider might tell you there’s a threat, but they won’t provide the threat life cycle in great enough detail that you could devise a strong response strategy. Put differently, they’ll tell you the bike is crashing, but they won’t be able to tell you what the best course of action is to react swiftly and minimize harm.
Then there’s managed detection and response (MDR). This third option is the tandem bicycle in our analogy. In this scenario, the MDR provider operates as your security operations center (SOC). They supply the pedal power, which in this case is a dedicated security engineer who manages the SIEM for you. This team of experts also backs you up by providing regular assessments based on your current security posture.
In other words, you still have control over your own security environment (the bike), but a lot of the effort (pedaling) expended on managing that SOC is taken on by the MDR service provider (the rear biker), who can supply guidance. Suddenly, the uphill climb to better security posture doesn’t seem all that bad.