Security Information and Event Management (SIEM) conjures up cringeworthy moments for many customers. Why? The SIEM is an endless multi-phased project taking center stage in a security operations program. The project can be driven by requirements such as compliance, cyber security insurance, or security best practices.
The SIEM journey can be less daunting for customers who engage Managed Security Service Providers (MSSPs) to ease the burden.
Here are SIEM and MSSP selection considerations which can jumpstart the evaluation process and result in sound choices for customers
SIEM projects include implementation, log ingestion, tuning, maintenance, and 24-hour operations. Logs from key infrastructure components with security relevance should be acquired, correlated, and stored. Candidate log sources pertain to identity, network perimeter, endpoint security, email, and business critical servers. The most important log events must surface so analysts can investigate and act. SIEMs require tuning and maintenance. If customers do not have a SIEM and complementary tools, they should explore some considerations prior to embarkation on the SIEM journey.
The SIEM Itself
- Does the customer want a SIEM in the cloud or on their premises?
- If on-premises, what is the desired form factor – hardware, servers, or virtual machines?
- Does the customer have hands-on experience with any SIEM installation, configuration, and monitoring?
- Is the customer experienced with security orchestration automation and response (SOAR), threat feeds, and ticketing systems?
- What is the customer’s appetite for ongoing activities such as installation, maintenance, management, rule writing, log source ingestion, tuning, monitoring, and response?
MSSP Services
- Does the customer prefer service with a known commercial SIEM product or a provider’s proprietary Managed Detection and Response (MDR) platform? For in-place SIEMs, the form factor must be compatible with MSSP integration.
- Are complementary tools (e.g., threat feeds, ticketing, and a known commercial or proprietary SOAR) integrated into the provider’s solution?
- Does the customer desire license ownership or should licenses be part of the service cost?
- Does the customer prefer full access to the SIEM or MDR solution to drill into details or do they prefer high-level data access through a simple interface?
- Is a fully-managed or a co-managed SIEM desired?
- Does the customer have service compliance requirements (e.g., SOC2, 24x7x365 monitoring)?
- What are the technical SIEM or MDR requirements (e.g., log volume, log source counts, desired log sources ingestion, online/offline data retention, and data retrieval)?
Pulling it All Together
Once the SIEM and MSSP considerations have been discovered and examined, the customer must analyze the findings and decide – SIEM or MSSP.
Ideal SIEM Customers
SIEMs typically work well in organizations with mature security programs and robust security staffs. They invest in experienced security engineers who can implement the SIEM, SOAR tools, threat feeds, and integrate with other tools such as ticketing systems. Sometimes they invest in consulting services. They must be able to maintain and tune the solution. The organization must invest in security operations staff who can monitor the SIEM and respond 24x7x365. Personnel experienced with the chosen SIEM are ideal, but those with other SIEM experiences can transfer their knowledge to the new SIEM with training. More engineering skills and increased timeline are needed in the organization for on-prem SIEMs versus cloud SIEMs. Risk adverse customers concerned about cloud data security should consider on-prem SIEMs, and this may also apply to heavy data users.
Ideal MSSP Customers
MSSPs are usually well-suited to organizations light on seasoned security engineers and security operations staffs. Mature and experienced organizations may utilize an MSSP to free their staff for other projects and reduce headcount.
An MSSP provides a second pair of eyes or a second opinion when events arise and are beneficial for personnel continuity reasons because cyber professionals come and go. Some MSSPs offer services for on-prem SIEMs, which works well for organization with engineering capabilities, heavy data users, and minimal operations staff. Other MSSPs offer services for cloud SIEMs, which works well for organizations light on engineering, operations, data usage, and timeline.
An organization that wants to understand and utilize the full-SIEM capabilities should choose an MSSP offering a commercial SIEM versus a proprietary solution. An MDR versus SIEM solution may be considered SIEM “light” to some, which works well for organizations depending on use cases and requirements. Full data and event access might be desired by more mature organizations who prioritize forensics and big data, so that must be considered. This might not be important to less mature organizations now, but that can change as they evolve and grow their employees’ skillsets.
Final Thoughts
SIEMs have existed for a long time, and there are many options. MSSPs are nothing new, but they are sprouting up like dandelions in the Spring and there are a plethora of solutions on the market. The trend is to outsource security operations, especially in the cloud. The above considerations checklist is not exhaustive, but customers should use it as a guide when exploring SIEM, MDR, and MSSP solutions and services.
Naturally there are exceptions to the rules for “ideal SIEM” or “ideal MSSP” customers. This journey is a balancing act between solution capabilities, timeline, cost, risk, responsibilities, and skills.