SIEM: To Manage or Not to Manage, That is the Question

For organizations looking to protect themselves from cyber threats, one question is front and center: Do you choose to use a managed security provider (MSP) or do you dedicate in-house resources?

This question is one that must be answered whether you work at a multinational corporation with a team of analysts in a security operations center or a thriving small business with a limited IT staff.

If you look back at the recent cyber security breaches, you see many affected organizations have owned and implemented relevant cyber security technologies. But simply purchasing security technologies does not mean you are safe.

It’s really about whether those technologies are effectively managed.

So how do you know which management option is the best choice for your organization? Let’s first evaluate the risks of each.

Risks of Outsourcing Security (Managed Security)

Decreased Familiarity with Environment and Business: As an outside organization, an MSP could struggle to understand or stay updated on changes occurring within your environment.
Loss of Control and Visibility: As you rely on an MSP for your security, you empower the MSP to make decisions regarding products, controls, settings used within your environment.
Increased Risk: You are trusting another company to secure your organization’s sensitive information. Giving up the reins inherently comes with risk.
A Breakdown of Communication: History has told us that reoccurring alarms might be ignored or silenced with an MSP. Let’s use an example. Suppose a customer tells an MSP not to address an alarm about a malfunctioning log collector because work is being performed. The MSP then continues to ignore the alarm, even after work has been completed. Leaving a potentially important alarm un-investigated.

Risks of In-House Security

Costs: It can be expensive to run an in-house security team. There are significant costs to hiring and housing employees as well as paying salaries and benefits.
Expertise and Experience: MSPs are dedicated and expert staff that specializes in security. They work with security tools daily and have most likely encountered the problem you are experiencing before. Also, MSPs are likely to have the most up-to-date training and knowledge of the changing threat landscape.
Support: Most MSPs have 24/7 support alongside vendor support. Some may have heightened support contracts with the vendor, which means you do too.
Alarm Fatigue: Due to the volume of alarms, some analysts will ignore them rather than tweaking to reduce noise. Also it is common that in-house analysts will use local knowledge to justify alarms, leaving potential incidents uninvestigated. (For instance, “Oh don’t worry about that alarm, that always happens because…”)

Here are a couple more questions and answers to help to inform your decision:

How are SIEM Managed Services provided?

SIEM managed services are typically implemented in two ways:

  1. A managed on-site install of the hardware/software
  2. A cloud-based software as a service with a secure gateway into network to collect and pull data

Does a Managed Service Provider mean that you do nothing?

The short answer is no. Exact responsibilities should be discussed and included in your contract with your selected MSP. But here are some things that you will likely be on the hook for:

  • Infrastructure changes to ensure compatibility with selected SIEM
  • Vetting and questioning of reports
  • Understanding for which scenarios the managed service organization is monitoring
  • Defining process around alarms on compliance violations and threats
  • In the case of an identified threat—you will most likely need to respond and coordinate with your MSP to resolve the incident.

Shameless plug: 🙂

Whether you choose a MSP or dedicate in-house resources to run your SIEM, LogRhythm has got you covered. In addition to having world-class support and training resources available, we have many awesome partners that are able to provide managed services that fit your needs using the best SIEM on the planet.

Click here to see how LogRhythm helps detect, prioritize and neutralize advanced cyber-threats.