Cyber101: Managed SIEM vs. Managed Security Service Providers

A reader recently asked “What’s the difference between a Managed SIEM Service and a Managed Security Service Provider?” 

 

It’s a question that doesn’t get asked often enough, and the differences can range from “pretty big” to “insanely different.”  Let’s dive a bit deeper and see what sets these two types of services apart:

Security Information and Event Management (SIEM) systems are designed to collect and analyze security and other logs from networking devices (like firewalls) as well as servers, appliances, VM’s and other infrastructure.  In many cases they can also report on whatever they find.  While a SIEM is an invaluable tool to have as part of your security protocols, they can be difficult to manage and require specialized training to use effectively.

A Managed SIEM Service (MSS) is a company that does what it says on the tin.  They coordinate the collection of logs into the SIEM and handle data integrity, storage, and reporting operations.  However, it’s important to note that how much of each of those a particular MSS does can vary wildly.  Some simply coordinate gathering the logs and managing the actual SIEM platform itself; reporting on the raw data but not giving insight into what it means.  Others handle storage and data management, but expect that the customer has one or more employees who will run reports and keep an eye on what’s actually going on.  Still others may do analysis, but report on all anomalies they find – including those that aren’t actual threats.  If your organization has cybersecurity personnel on the payroll, this service can be added into your overall security program, but probably isn’t sufficient to be a security program on its own.

MSS providers may manage a centralized SIEM for multiple customers, or may set up and manage individual SIEM platforms for each customer.  Both methods are valid, so long as proper multi-tenancy restrictions are put in place so that customer data does not mix; and typically both types of solution sets can get the MSS job done.

A Managed Security Services Provider (MSSP) will do what an MSS does as part of their package of services, but most often goes beyond that by a good measure.  MSSP’s will analyze the data that the logs represent to look for anomalies that may or may not be threats.  They will then analyze those anomalies to determine if a threat exists, and what impact that threat could have on the customer’s data and systems.  MSSP’s also have established methodologies to notify the customer of actual threats, and typically will also provide remediation guidance to help fix whatever security issues led to that threat event.

Added to this, the majority of MSSP’s offer extended services – either as part of the base service or as add-ons purchased as bundles or a-la-carte.  For example, MSSP’s offer endpoint protection (anti-malware, Data Loss Prevention systems, etc.), email protection to stop phishing attacks and email fraud, vulnerability scanning to identify potential security issues before they become actual security issues, etc.  Since the MSSP handles so many of the individual security concerns of a customer, they also routinely set up regular briefings or meetings to relay new information to the customer and gather information about changes (upcoming or already in-place) to infrastructure, applications, etc.  This allows the MSSP’s services to best suit the changing reality of the IT landscape as more core applications move to Software as a Service, new technologies for networking are brought into play, etc. 

All of these services go beyond what would be expected of an MSS provider because they involve more than just the SIEM and the reports a SIEM can produce.  They require analysts to differentiate between anomalies that are benign and threats that need to be addressed.  These analysts are also trained in determining how significant a threat is in order to advise remediation over time or immediately.  MSSP’s also maintain threat intelligence services to know what threats are out there, which are seeing growth and which are the most dangerous, and which are most likely to impact their customers at any given point in time.  And, of course, systems that handle vulnerability scanning, email, and endpoint protection are totally outside the scope of a SIEM, and wouldn’t be expected of an MSS; but are standard offerings for an MSSP.

In short, an MSSP will offer MSS as part of their overall service packages, but typically an MSSP will go far beyond just managing the SIEM for a customer.  Which is the best fit for you depends on what IT and Cybersecurity talent you have on staff, if they can be used 24/7, and what hardware and/or software you have or are willing to acquire and manage from a security perspective.  You also need to know if you have the skill-set and tools to go beyond what a SIEM can offer.  If any of those points aren’t already part of your organization, then an MSSP is the way to go as they can supplement your staff, work with your IT partners, typically offer 24/7 services, and bring all the tools and skills required with them.

Your definition of the day: White-Hat hackers are security personnel who specialize in attacking systems and infrastructure – but only ethically, with appropriate permission and binding rules of engagement.  This means they can act like threat actors to determine if security holes exist, but cannot steal whatever data they find or roam to systems that haven’t been placed in the scope of the engagement they’re contracted to perform.

Written by Mike Talon

Mike Talon is a Cybersecurity Architect and journalist in New York City. His experience has allowed him to help companies from mom and pop shops to Fortune 500 organizations. Currently, he’s working for SkOUT Secure Intelligence assisting customers of all sizes find the right Cybersecurity protocols and tools to keep them safe.