
The biggest myths of co-managed security event management

By Bruce Potter
Co-managed SIEMs: is it a good or bad idea?
October 27, 2020

Maybe you already have a security information and event management (SIEM) service and you are looking for help managing it. Maybe you are thinking of buying a SIEM and concerned it might be too much to handle on your own. Or maybe you are using a managed security service provider (MSSP) and thinking of gaining more control of your data by working collaboratively in your SIEM rather than letting them do all the work.

However you have arrived at the concept of “co-managed SIEM,” there are several pros and cons to think about when making a decision for your organization. It is particularly important to understand what you are going to get out of a co-managed SIEM.

Here are the most common myths I hear, along with the realities of co-managed security event management or SIEM.

Myth: A co-managed SIEM is the only way to gain organizational transparency.

One of the biggest benefits security professionals want from a co-managed SIEM is visibility into their security operations. By working with a partner in your SIEM, you maintain some control over the detection rules that are in place, the sources of data and what your analysts are doing.

Reality: There are other (and better) ways to get transparency.

You cannot build trust without transparency. It is key to being a good partner to customers. It is also vital for efficiency and accuracy. But what does that look like in practice?

You should have complete visibility into the security analysis and investigations. Can you and your team watch an investigation unfold in your platform of choice? Can you work alongside your MSSP’s or MDR’s analysts to investigate and triage together? Lastly, can you review all activity to check your MSSP or MDR’s work to make sure you agree with what they have done? All third-party security providers should be held to this standard.

Myth: Greater control over business logic produces more incident detection value.

Your SIEM is the codification of business logic to detect specific threats inside your organization. Custom rules and configurations allow you to look for attacks tailored to your systems and architectures. A co-managed SIEM allows you to maintain this business logic.

Reality: The vast majority of what you detect is the same as your peers and many other companies.

Organizations think they want more control to write rules and generate alerts, but they do not realize how much it costs to manage detection content. Unless you invest a lot in this area, you will end up with a pile of false positives.

In reality, your rules probably are not as unique as you think. A third-party provider can have an advantage since they see the big picture (meaning they have lots of customers) and have the expertise to manage the detection content. You should expect your security provider to tailor their detection strategy to your business.

This could mean fine-tuning rules that already exist, taking advantage of rules you have written in your SIEM or working together to build new rules in their platform. Have a suggestion for them? Regardless of what security provider you work with, they should work to understand the use case and make sure you are protected.

Myth: You will get assistance from outside experts.

By working with a co-managed SIEM, you are hoping to take advantage of the collective knowledge among your service providers. Presumably, your provider sees plenty of good and bad and can advise you and your team on doing SIEM better. You should also expect that they will answer general security questions and concerns you have.

Reality: You should expect this assistance from your MSSP.

Once again, your MSSP should not just process alerts. MSSPs have institutional knowledge they can share to help improve your broader security program. Your security partner should push as much information to their customers (and publicly) as they can to help everyone make their organizations more secure.

Myth: My SIEM has all of the data required for detection and response.

Many organizations envision their SIEM as the single place where all data exists for detection and investigation. Thinking about co-managed SIEM as a strategy doubles down on this assumption, as you are paying for a provider to help manage that signal and detection content.

The hope is that your SIEM will provide visibility across the entire environment and enable your team to respond to a wide variety of threats.

Reality: Storing data in a SIEM is expensive, and it is not always the right answer.

We learned pretty quickly that data sent to a SIEM is not nearly as rich as data that can be pulled from an API – which can inhibit detection and response with a SIEM.

Did I mention storing data in a SIEM is expensive? As organizations increasingly use cloud applications and infrastructure, the vision of the SIEM as a single source of truth starts to make less sense. Why pay to store those Office 365 or AWS logs in your SIEM when your cloud provider is already storing them for you and your MSSP or MDR can consume them directly?

Look for a security partner that connects directly to cloud providers so that you do not have to back up yet another truck of gold ingots to your SIEM vendor just to get the visibility you need.

One of the problems with a co-managed SIEM is orchestrating who is doing what. A SIEM is a big piece of technology and dividing up responsibilities can be confusing. Who handles upgrades? Who is responsible for rule QA? Who handles device integration? How about analyst shifts? If the answer is “it depends” – you should expect friction.

By having an MSSP or MDR rather than a co-managed SIEM, the roles are clearer for both your staff and the service provider. Avoiding confusion at this stage helps ensure you are focused on the right issues (like generating good signal, minimizing noise and detecting bad actions) and not wasting time on RACI charts and scheduling.

Don’t get me wrong: SIEMs are a valuable part of an organization’s security architecture. The information and analytical capability in your SIEM can be invaluable for analysts and investigators when working through the trail of alerts and data involved with suspicious activity.

Furthermore, SIEMs are great data normalizers. Taking in unstructured data, providing structure and storing that in an orderly way can open up many more opportunities for signal generation in your company. Data that might otherwise go ignored can be put to great use in your SIEM.

Finally, they are great tools for your analysts. From experimentation to ongoing operations, a good SIEM and staff that know how to use them can fulfil their promise… serving as a focal point for your security operations. However, even the best SIEM needs people.

If you do not have in-house expertise and are thinking about co-managed SIEM as an option, consider these common myths and what you could accomplish by asking more of your MSSP.

KEYWORDS: security event management SIEM


Bruce Potter is a noted cybersecurity expert and the CISO of Expel. He is also former senior technical advisor to the members of President Obama’s Commission on Enhancing National Cyber Security.
