Organizations just like yours are increasingly turning to managed security services providers (MSSPs) for their cyber defense needs, and with good reason. Cyberthreat activity is intensifying along with the global shortage of skilled, experienced cybersecurity professionals. It often makes sense to engage with a specialized MSSP partner who can offer 24/7 coverage rather than relying solely on your ability to recruit, retain, and continuously upskill your own in-house SecOps staff.
But when you’re shopping for an MSSP, there is something to be wary of. Many MSSPs still claim they can most effectively protect you by using a security information and event management (SIEM) platform to aggregate all the security-related data from across your environment. That value proposition, however, is not always credible.
Here’s why.
What SIEM-bound MSSPs Want You to Believe
The reason MSSPs lean on SIEM is simple. MSSPs are responsible for watching over their customers’ environments, so they need a way to aggregate each customer’s relevant security telemetry. For years, a SIEM was considered the best way to do so.
MSSPs can leverage SIEMs in several different ways. They can tap into your existing SIEM implementation. They can set up and manage a dedicated SIEM for you. Or they can offer you some form of hosted SIEM-as-a-service.
Regardless of how a potential MSSP partner integrates SIEM technology into its service offering, the claim tends to be consistent: to fulfill its contractual commitments to protect your environment at the agreed-upon price, the MSSP needs to aggregate your security data. The cost of the SIEM is thus presented not only as unavoidable, but as a value-add you should be happy to pay for as part of the engagement.
The Problem with SIEM
Unfortunately, while the above reasoning may have made sense at one time, it no longer applies to most engagements. Reasons to be skeptical about the use of SIEM by your MSSP-of-choice include:
- Cost. SIEM solutions are expensive. Worse, SIEM licensing is typically metered on ingest volume (gigabytes per day or events per second), so you can’t accurately predict your costs. You are effectively penalized for being diligent about logging and for the fact that your environment keeps growing, and the predictable result is that teams start dropping log sources to stay under the license cap.
- Analysis. SIEMs are very useful for aggregation, normalization, and search. Their analytical capability, however, is largely limited to correlation rules that someone has to write, tune, and maintain; out of the box they detect little. So the money you spend on a SIEM returns limited ROI unless a skilled team keeps investing in detection content. A SIEM can even impede analysis when its event schema does not lend itself to state-of-the-art analytical methods (i.e., machine learning and AI models), which generally need consistently structured, enriched data rather than loosely parsed log lines.
- Response. Effective cybersecurity isn’t just about capturing and analyzing data. It’s about rapidly coming to accurate conclusions regarding active threats and decisively acting to contain them. A SIEM on its own does little to facilitate these response activities; containment typically depends on separate SOAR tooling or on manual work by analysts. And if insufficient measures are taken to filter false and trivial positives out of SIEM-triggered workflows, a flood of low-fidelity alerts can actually degrade the incident-readiness of both the MSSP and its customers.
These critiques don’t mean that SIEM has no viable application at all. SIEMs remain important for large organizations that have significant regulatory obligations to retain security-related data for long periods and/or conduct especially sophisticated forensic investigations. But for the typical small or medium-sized business seeking to get maximum value out of an MSSP engagement, a SIEM has become largely irrelevant and often counterproductive.
The Smarter Alternative: Managed XDR
So, if you need to hire an MSSP — and a SIEM-bound MSSP is not your best bet — what is?
The answer is an MSSP that’s advanced enough to have adopted extended detection and response (XDR). Like SIEM, XDR aggregates your security telemetry (endpoint, network, identity, email, and cloud sensors) into a unified platform. XDR, however, offers several significant advantages over SIEM.
These advantages include:
- Lower, more predictable total cost of ownership. Unlike SIEM, XDR is typically priced per managed endpoint or user rather than per gigabyte ingested, so its costs are lower and easier to forecast, and there is no incentive to turn off telemetry to save money. XDR also tends to require less work to set up and manage over time.
- Analysis-ready. Today’s XDR platforms ship with detection content maintained by the vendor and can quickly translate new threat intelligence into threat-specific detections, so effective analytics and AI are essentially built into the platform rather than being something your team has to author. If you pair XDR with a robust source of threat intelligence, you’ll achieve faster, more reliable detection of even the newest and stealthiest threats.
- Response automation and acceleration. “Response” is right there in the acronym: XDR. The best XDR platforms let you implement your own curated mix of fully automated response, automated actions gated by a human yes/no approval, playbook-guided response, and other options that let you balance speed against control based on your organization’s risk tolerance.
Note that in many cases, MSSPs refer to a managed XDR offering as MDR (managed detection and response). But take care: not all MDR offerings are based on true XDR. In fact, many putative XDR solutions are just EDR (endpoint detection and response) with a few added bells and whistles, and an EDR-only service has no visibility into identity, email, or cloud telemetry. [Read more about “EDR plus” vs. true XDR here.]
Remember, effective cybersecurity isn’t just about technology and skills. It’s also about getting the most total value from your limited budget. If you need to stretch a tight budget, an MSSP and XDR/MDR have some clear advantages.
Read this Buyer’s Guide if you’d like to learn more about how XDR-based MSSP services can help your organization stay safer without busting your budget.