Maybe you already have a security information and event management (SIEM) service and you are looking for help managing it. Maybe you are thinking of buying a SIEM and concerned it might be too much to handle on your own. Or maybe you are using a managed security service provider (MSSP) and thinking of gaining more control of your data by working collaboratively in your SIEM rather than letting them do all the work.
However you have arrived at the concept of “co-managed SIEM,” there are several pros and cons to think about when making a decision for your organization. It is particularly important to understand what you are going to get out of a co-managed SIEM.
Here are the most common myths I hear about co-managed SIEM, along with the realities.
Myth: A co-managed SIEM is the only way to gain organizational transparency.
One of the biggest benefits security professionals want from a co-managed SIEM is visibility into their security operations. By working with a partner in your SIEM, you maintain some control over the detection rules that are in place, the sources of data and what your analysts are doing.
Reality: There are other (and better) ways to get transparency.
You cannot build trust without transparency. It is key to being a good partner to customers. It is also vital for efficiency and accuracy. But what does that look like in practice?
You should have complete visibility into the security analysis and investigations. Can you and your team watch an investigation unfold in your platform of choice? Can you work alongside your MSSP’s or MDR’s analysts to investigate and triage together? Lastly, can you review all activity to check your MSSP or MDR’s work to make sure you agree with what they have done? All third-party security providers should be held to this standard.
Myth: Greater control over business logic produces more incident detection value.
Your SIEM is the codification of business logic to detect specific threats inside your organization. Custom rules and configurations allow you to look for attacks tailored to your systems and architectures. A co-managed SIEM allows you to maintain this business logic.
Reality: The vast majority of what you detect is the same as your peers and many other companies.
Organizations think they want more control to write rules and generate alerts, but they do not realize how much it costs to manage detection content. Unless you invest a lot in this area, you will end up with a pile of false positives.
In reality, your rules probably are not as unique as you think. A third-party provider can have an advantage since they see the big picture (meaning they have lots of customers) and have the expertise to manage the detection content. You should expect your security provider to tailor their detection strategy to your business.
This could mean fine-tuning rules that already exist, taking advantage of rules you have written in your SIEM, or working together to build new rules in their platform. Have a suggestion for them? Regardless of which security provider you work with, they should work to understand the use case and make sure you are protected.
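The cost of managing detection content is easiest to see in a concrete rule. The following is an added example, not code from the original post or from any vendor's platform: a naive "failed login burst" rule beside a tuned version that suppresses a known scanner and only fires on the spray pattern (one source, many accounts) or on a large single-account burst. The hosts, addresses and events are constructed sample data.

```python
"""Added example: a threshold detection rule and the tuning needed to keep it
from burying analysts in false positives. All events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalized authentication events (hypothetical hosts and IPs).
EVENTS = [
    # A vulnerability scanner that legitimately trips lockouts every night.
    *[{"ts": f"2024-03-01T02:00:{i:02d}", "src": "10.0.5.20",
       "user": f"svc{i}", "ok": False} for i in range(8)],
    # A help-desk user mistyping a password several times, then succeeding.
    *[{"ts": f"2024-03-01T09:10:{s:02d}", "src": "10.0.8.4",
       "user": "alice", "ok": False} for s in (1, 9, 15, 22, 40)],
    {"ts": "2024-03-01T09:11:02", "src": "10.0.8.4", "user": "alice", "ok": True},
    # Password spraying from an external address: many users, one source.
    *[{"ts": f"2024-03-01T11:30:{i:02d}", "src": "203.0.113.9",
       "user": f"user{i}", "ok": False} for i in range(6)],
]

WINDOW = timedelta(minutes=5)
BASE_THRESHOLD = 5


def _parse(ts):
    return datetime.fromisoformat(ts)


def failed_login_bursts(events, threshold=BASE_THRESHOLD, window=WINDOW):
    """Base rule: alert when one source produces `threshold` or more failed
    logins inside a sliding `window`. Returns the densest window per source."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]:
            by_src[e["src"]].append(e)
    alerts = []
    for src, fails in by_src.items():
        best, start = None, 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while _parse(fails[end]["ts"]) - _parse(fails[start]["ts"]) > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["failures"]):
                best = {"src": src, "failures": count,
                        "users": sorted({f["user"] for f in fails[start:end + 1]})}
        if best:
            alerts.append(best)
    return alerts


def tuned_failed_login_bursts(events, allowlist=frozenset(),
                              min_distinct_users=3, single_user_threshold=10):
    """Tuned rule: drop allowlisted sources (e.g. an internal scanner), then keep
    only bursts that span several accounts (spray) or are large against one."""
    candidates = failed_login_bursts([e for e in events if e["src"] not in allowlist])
    return [a for a in candidates
            if len(a["users"]) >= min_distinct_users
            or a["failures"] >= single_user_threshold]


if __name__ == "__main__":
    print("base rule:", [(a["src"], a["failures"]) for a in failed_login_bursts(EVENTS)])
    print("tuned rule:", [(a["src"], a["failures"]) for a in
                          tuned_failed_login_bursts(EVENTS, allowlist={"10.0.5.20"})])
```

The base rule raises three alerts on this sample, two of them noise; the tuned rule raises one. Every allowlist entry and threshold in the tuned version is a decision someone has to own, review when the environment changes, and justify when it suppresses a real attack, which is the ongoing cost the section describes.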
Myth: You will get assistance from outside experts.
By working with a co-managed SIEM, you are hoping to take advantage of the collective knowledge among your service providers. Presumably, your provider sees plenty of good and bad and can advise you and your team on doing SIEM better. You should also expect that they will answer general security questions and concerns you have.
Reality: You should expect this assistance from your MSSP.
Once again, your MSSP should not just process alerts. MSSPs have institutional knowledge they can share to help improve your broader security program. Your security partner should push as much information to their customers (and publicly) as they can to help everyone make their organizations more secure.
Myth: My SIEM has all of the data required for detection and response.
Many organizations envision their SIEM as the single place where all data exists for detection and investigation. Thinking about co-managed SIEM as a strategy doubles down on this assumption, as you are paying for a provider to help manage that signal and detection content.
The hope is that your SIEM will provide visibility across the entire environment and enable your team to respond to a wide variety of threats.
Reality: Storing data in a SIEM is expensive, and it is not always the right answer.
We learned pretty quickly that data sent to a SIEM is not nearly as rich as data that can be pulled from an API, which can inhibit detection and response with a SIEM.
Did I mention storing data in a SIEM is expensive? As organizations increasingly use cloud applications and infrastructure, the vision of the SIEM as a single source of truth starts to make less sense. Why pay to store those Office 365 or AWS logs in your SIEM when your cloud provider is already storing them for you and your MSSP or MDR can consume them directly?
Look for a security partner that connects directly to cloud providers so that you do not have to back up yet another truck of gold ingots to your SIEM vendor just to get the visibility you need.
One of the problems with a co-managed SIEM is orchestrating who is doing what. A SIEM is a big piece of technology, and dividing up responsibilities can be confusing. Who handles upgrades? Who is responsible for rule QA? Who handles device integration? How about analyst shifts? If the answer is “it depends,” you should expect friction.
By having an MSSP or MDR rather than a co-managed SIEM, the roles are clearer for both your staff and the service provider. Avoiding confusion at this stage helps ensure you are focused on the right issues (like generating good signal, minimizing noise and detecting bad actions) and not wasting time on RACI charts and scheduling.
Don’t get me wrong: SIEMs are a valuable part of an organization’s security architecture. The information and analytical capability in your SIEM can be invaluable for analysts and investigators when working through the trail of alerts and data involved with suspicious activity.
Furthermore, SIEMs are great data normalizers. Taking in unstructured data, providing structure and storing that in an orderly way can open up many more opportunities for signal generation in your company. Data that might otherwise go ignored can be put to great use in your SIEM.
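What "providing structure" buys you is a query that works across sources that share nothing but a concept. The following is an added example, not code from the original post: three constructed raw formats (a syslog-style sshd line, a JSON audit record from a hypothetical cloud app, and a key=value line from a hypothetical firewall) are normalized into one schema, after which a single failure count runs over all of them. Unparsed lines are kept and counted rather than dropped, since a silent parser miss is a detection gap.

```python
"""Added example: normalizing heterogeneous log lines into one event schema so
one rule can query all of them. The raw lines are constructed samples."""
import json
import re
from collections import Counter

# Constructed raw lines in three formats (hypothetical hosts and addresses).
RAW_LINES = [
    "Mar  1 09:10:01 bastion sshd[2211]: Failed password for alice from 10.0.8.4 port 51022 ssh2",
    "Mar  1 09:10:40 bastion sshd[2211]: Accepted password for alice from 10.0.8.4 port 51030 ssh2",
    '{"time":"2024-03-01T09:12:00Z","actor":"bob","ip":"203.0.113.9","event":"login","result":"FAILURE"}',
    '{"time":"2024-03-01T09:12:05Z","actor":"carol","ip":"203.0.113.9","event":"login","result":"FAILURE"}',
    "ts=2024-03-01T09:13:10Z action=auth user=dave src=203.0.113.9 status=denied",
    "some line the parsers do not understand",
]

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>[\d:]+) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(line):
    """Map one raw line onto the common schema (ts, src, user, action, outcome,
    source_type). Returns None when no parser recognizes the line."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": f"{m['mon']} {m['day']} {m['time']}", "src": m["src"],
                "user": m["user"], "action": "login",
                "outcome": "success" if m["outcome"] == "Accepted" else "failure",
                "source_type": "sshd"}
    if line.startswith("{"):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            return None
        if {"time", "actor", "ip", "event", "result"} <= rec.keys():
            return {"ts": rec["time"], "src": rec["ip"], "user": rec["actor"],
                    "action": rec["event"],
                    "outcome": "success" if rec["result"] == "SUCCESS" else "failure",
                    "source_type": "cloudapp"}
        return None
    kv = dict(KV_RE.findall(line))
    if {"ts", "action", "user", "src", "status"} <= kv.keys():
        return {"ts": kv["ts"], "src": kv["src"], "user": kv["user"],
                "action": "login" if kv["action"] == "auth" else kv["action"],
                "outcome": "success" if kv["status"] == "allowed" else "failure",
                "source_type": "firewall"}
    return None


def normalize_all(lines):
    """Split raw lines into normalized events and the lines nothing could parse."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def failures_by_source(events):
    """One query over every source type: failed logins per source address."""
    return Counter(e["src"] for e in events
                   if e["action"] == "login" and e["outcome"] == "failure")


if __name__ == "__main__":
    evs, bad = normalize_all(RAW_LINES)
    print(dict(failures_by_source(evs)), "unparsed:", len(bad))
```

On this sample the cross-source count attributes three failures to one external address, one of which came from a firewall, two from a cloud application; none of the three raw formats alone would show that. The unparsed list is the metric to alert on operationally: when it grows, a source changed its format and the rules downstream are quietly blind to it.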
Finally, they are great tools for your analysts. From experimentation to ongoing operations, a good SIEM and staff who know how to use it can fulfil its promise of serving as a focal point for your security operations. However, even the best SIEM needs people.
If you do not have in-house expertise and are thinking about co-managed SIEM as an option, consider these common myths and what you could accomplish by asking more of your MSSP.