From DIY to ROI: reasons to consider a managed security service over SIEM

Have you recently heard more about managed detection and response services? Is your organization thinking about deploying an SIEM solution while wondering what the difference is between an SIEM and a managed security service? And even if it has already deployed an SIEM, are you wondering whether a managed security service is a better alternative when it comes to building breach detection and response capabilities on top of your existing SIEM solution?

Author: Liang Fang
Date: 23.05.2017
Read Time: 3 Minutes

At F-Secure we firmly believe in a holistic approach to cyber security. We call it Live Security: a combination of technology and human expertise. Because you can’t improve your cyber security operations without the smartest cyber security talent. And you can’t scale that cyber security know-how without smart software.

Of all the challenges that organizations face while building up their breach detection and response capabilities, nothing really compares to the difficulties of trying to hire and retain cyber security experts. It is estimated that, right now, there are at least two open cyber security jobs for every one person working in the field. And this problem is expected to become even more acute in the future.


Meanwhile, the only way you’re going to get valid or actionable data from an in-house solution such as an SIEM (security information and event management) system is by having experts on staff. Let’s illustrate this with a recent real-world example from one of our Rapid Detection Service customers. In a 1300-node customer installation, our sensors collected around 2 billion events over a period of one month. Raw data analysis in our back end systems filtered that number down to 900,000 suspicious events. Our detection mechanisms and data analytics then narrowed that number to 25 detections. Finally, those 25 events were further analyzed and confirmed by our threat analysts as anomalies. They contacted our customer, and 15 out of the 25 were verified and confirmed by the customer to be real threats. In comparison, had our customer chosen to go with an in-house SIEM solution, their own staff or outsourced resources would have had to comb through those 900,000 suspicious events in order to screen out the noise and false positives and finally discover the real threats. Laborious work like that causes fatigue in even the most diligent analysts, not to mention that such a team needs to be available 24×7.

Building on the example above, the following presentation elaborates on one of the biggest reasons why your organization should consider a managed security service instead of an in-house SIEM deployment for breach detection and response: cost, cost, cost!

Building in-house breach detection and response capabilities is difficult. When chosen right, your managed detection and response service provider actually becomes your cyber security partner: its capabilities become an extension of your own. That’s why we recommend that you consider a managed service over the DIY approach. Even more importantly, the two approaches are not mutually exclusive. For many organizations that have invested in an SIEM solution (for various reasons), a managed detection and response service like ours provides an additional layer of security that integrates easily (via processes and APIs) with, and augments, the existing security infrastructure, so that the SIEM system can be used for log management and the managed service for breach detection and response. The key message here is this: if you are looking to build detection and response capabilities with an SIEM, or on top of your existing SIEM, you might want to consider a managed detection and response service as a better alternative.
