Blog | 31 January 2022

The definitive guide to Managed SIEM: Everything you need to know

Anna Webb

Head of Security Operations

The how, what, and why of using a Managed Security Information and Event Management (SIEM) service.

The sheer volume and variety of modern cyber threats makes keeping on top of your security a real challenge.

SIEM solutions are fast becoming essential to ensuring effective threat detection and response. By utilising a SIEM tool, organisations can better manage security incidents, respond at speed, and prove compliance against stiff regulations.

Simply having a SIEM tool isn’t enough, however. Most organisations can’t field the skills or staff necessary to use one efficiently, which is why many choose to outsource the support of a SIEM to a specialist third-party. This allows them to gain access to all the security benefits of a properly managed and monitored SIEM tool.

In this blog, we’ll cover all your key Managed SIEM questions, explaining what a Managed SIEM service is, how it works, the benefits of using one, and how to access one for your organisation.

What is Managed SIEM?

A Managed SIEM is where an organisation utilises a third-party service provider to monitor its IT environment for security threats.

In this scenario, the SIEM solution is typically hosted and maintained by a third party – collecting information from across your network through event logs that can be easily viewed, analysed, and responded to by a security analyst.

It used to be that SIEM software was simply used to collect and report on log data. However, over the years SIEM solutions have evolved into sophisticated security response systems, adopting Machine Learning (ML) and Artificial Intelligence (AI) capabilities to quickly identify typical attack patterns and behaviours – making them an integral element of effective security.

Unfortunately, those additional capabilities also add complexity to the management of a SIEM solution, a complexity most organisations can’t afford to support, either through lack of budget or personnel. A Managed SIEM service therefore offers the opportunity to benefit from a SIEM faster and more cheaply than doing it inhouse.

What does a SIEM do?

A SIEM tool pulls log data from across your entire environment into a single platform for analysis and response.

It does this either via agents installed on your infrastructure endpoints or through physical or virtual appliances deployed within your network. These act as log collectors, which allow the log data to be gathered and then pulled into, or ingested into, a centralised platform.

Within the centralised platform, all the log data is sorted into various security event categories such as malware, unsuccessful logins, suspicious devices, and other potential breach activity. When a threat is detected, an alert is fired with a defined threat level, which is based on a predetermined set of rules. In this way, the SIEM detects threats and creates security alerts.

The manual monitoring of your environment is a nigh-impossible task for any human to do alone. A SIEM platform takes that huge volume of data and sifts through it – separating the suspicious from standard everyday activity.

If an activity is considered suspicious, the SIEM software flags it for further investigation by a security analyst, helping security teams build detection use cases to pinpoint attacks and respond to threats much faster.

Key SIEM functions

  • Collect: Gather data from infrastructure, devices, applications, and users across on-premises and cloud operations.
  • Detect: Identify threats and minimise false positives.
  • Investigate: Use business rules and pattern recognition to separate the sinister from the civil.
  • Respond: Take appropriate action and react to incidents using automated responses and escalate when necessary.

Most SIEM solutions should offer you these basic capabilities:

Data aggregation

Automatically collect log files and alert data and translate them into a usable dataset for event detection and response.

Threat intelligence

Use rules to identify potential threats and support the use of automated responses.

Security event correlation

Aggregate log data to reveal threats and malicious patterns.

Advanced analytics

Correlate multiple data points to identify threats in context, such as multiple password attempts.

SOC automation

Automatically provide event logs and information to guide the security operations centre (SOC) response to attacks.

Dashboards

Gather data in a visual interface to enable a faster response to threats.

Threat hunting

Analysts can use the data to find potential threats among the collected event information.
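To make the ingest, categorise, and rule-based alerting flow described under "What does a SIEM do?" and the "multiple password attempts" correlation under Advanced analytics concrete, here is a small added example (not code from the original post, nor from any SIEM product). The log format, the category mapping, the threshold of three failures and the five-minute window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry): timestamp, source, event, user.
SAMPLE_LOGS = """\
2022-01-31T09:00:01 src=10.0.0.5 event=login_failed user=alice
2022-01-31T09:00:04 src=10.0.0.5 event=login_failed user=alice
2022-01-31T09:00:07 src=10.0.0.5 event=login_failed user=alice
2022-01-31T09:00:15 src=10.0.0.5 event=login_success user=alice
2022-01-31T09:30:00 src=10.0.0.9 event=login_failed user=bob
2022-01-31T10:15:00 src=10.0.0.9 event=login_success user=bob
2022-01-31T10:20:00 src=10.0.0.7 event=malware_detected user=carol
"""

# Assumed mapping from raw event names to the SIEM's security event categories.
CATEGORY = {
    "login_failed": "unsuccessful_login",
    "login_success": "successful_login",
    "malware_detected": "malware",
}

def parse(raw):
    """Ingest: normalise each raw line into an event dict with a category."""
    events = []
    for line in raw.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.fromisoformat(ts), "src": kv["src"],
                       "user": kv["user"], "category": CATEGORY.get(kv["event"], "other")})
    return events

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Detect: apply predetermined rules and return (threat_level, message) alerts."""
    alerts = []
    failures = defaultdict(list)  # (src, user) -> recent failed-login timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["category"] == "malware":
            alerts.append(("high", f"malware on {ev['src']}"))
        elif ev["category"] == "unsuccessful_login":
            # Keep only failures inside the sliding window, then test the threshold once.
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(failures[key]) == threshold:
                alerts.append(("medium", f"{threshold} failed logins for {key[1]} from {key[0]}"))
        elif (ev["category"] == "successful_login" and len(failures[key]) >= threshold
              and ev["ts"] - failures[key][-1] <= window):
            # Success shortly after a burst of failures is escalated: likely a guessed password.
            alerts.append(("high", f"success after {len(failures[key])} failures: {key[1]} from {key[0]}"))
            failures[key].clear()
    return alerts
```

Bob's single failure never reaches the threshold, so only alice's burst and carol's malware event produce alerts; this is the "separating the suspicious from everyday activity" step in miniature.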

Why use Managed SIEM?

As I mentioned above, running a SIEM solution inhouse is a costly endeavour – both in terms of the SIEM tool itself and the recruitment and training of the analysts required to monitor it.

That’s not to say it’s impossible; some larger companies have dedicated internal teams to maintain their SIEM. However, for smaller to mid-sized organisations, an inhouse team dedicated to monitoring the SIEM solution is largely unrealistic.

But those smaller businesses still need the security benefits a SIEM can provide (even more so given there are over 65,000 attempted attacks on UK SMEs every day), so using a Managed SIEM approach is often the preferred route to obtaining them.

Benefits of using Managed SIEM

The main benefits of using a Managed SIEM are that it reduces costs and allows you to use outsourced expertise to manage your day-to-day security operations and keep your business secure against cyber threats and breaches.

Let’s look at these and some other benefits in more detail.

Reduced deployment costs

If you’re dead set on running your SIEM inhouse, it will come at a price. It’ll be on you to purchase and maintain any IT infrastructure required for deployment (unless cloud-based), whereas a Managed SIEM approach only requires a monthly subscription fee.

Better budgeting

Using a Managed SIEM means having a set cost for support services as stated in your service-level agreement (SLA). This makes it easier to budget month to month vs. varying potential overtime costs for inhouse resources.

Accelerated deployment

As the third-party already has the required infrastructure in place, as well as the analysts to use it, you can be up and running much faster than building inhouse. Your Managed SIEM partner will already have experience of how to correctly deploy, configure, and manage the SIEM solution in your environment.

Security expertise on-demand

It’s very difficult to recruit cyber security staff with the expertise needed to monitor your environment. The SIEM is a tool, after all: it can sort through the data, but someone needs to tell it what to look for and, in the event of an alert, know what they’re looking at and how to respond.

By using a Managed SIEM, the burden of finding, training, and retaining skilled security staff lies with the third-party and not you. Not only does that save you time and money, but it also means you have around the clock access to the staff and skills you need without the hassle.

Keep internal servers secure

Adopting a Managed SIEM approach means that your chosen partner uses their own resources to host and manage the SIEM, so your internal infrastructure remains secure.

Access to top-tier technology

Managed SIEM providers invest so you don’t have to, often utilising cutting-edge SIEM software and security technologies to ensure they can keep you secure (any service provider who didn’t would quickly find themselves out of business).

They also tend to have strategic partnerships with bigger cyber security vendors, allowing them access to new tools, technologies, resources, and insights to better protect you.

Licensing the various technologies yourself could cost a small fortune. With the Managed SIEM route you get access to industry-leading tools as part of your standard monthly subscription fee.

Peace of mind

If you’ve done your homework and opt to outsource your threat monitoring to a managed service provider with a good reputation, you can rest easy knowing your organisation is being protected by effective security tools operated by people with the know-how to use them properly.

Popular SIEM platforms

There are quite a few SIEM tools to choose from. Each one caters to different business needs – depending on the size and technical requirements.

It’s worth researching which would be the best fit for your organisation. As a guide, you should assess potential platforms by cost, available features, and ease of use.

If you’re a smaller organisation, the likes of Splunk or QRadar are likely to be unsuitable. These are mainly aimed at enterprise-level organisations. Other SIEM tools, such as AlertLogic MDR, do not come as a standalone product and must be purchased as a service instead, which isn’t always the best option for businesses.

Our platform of choice here at Kocho is Microsoft Sentinel. This is a cloud-native solution for SIEM and Security Orchestration, Automation, and Response (SOAR).

Sentinel is ideal, mainly due to its ability to indefinitely scale alongside your needs. Its advanced AI is powered by Microsoft’s powerful security telemetry, allowing it to apply the very latest security intelligence to your entire network. This helps bring much-needed context to the data being analysed, to effectively identify activity that could be considered suspicious vs. what’s normal.

Microsoft Sentinel’s strength lies in its compatibility, both with third-party connectors from AWS, Barracuda, Cisco, etc. and the wider Microsoft security suite. It is also a real advantage for organisations looking to achieve true XDR (extended detection and response) alongside Microsoft 365 Defender.

Check out our case study to find out how the University of Stirling improved its threat detection and response using Microsoft Sentinel.

How to choose the right SIEM for you

Whichever SIEM tool you think would be the best fit for you and your organisation, check with your potential Managed Service partner to see if their chosen SIEM solution can offer the following:

Real-time monitoring and alerts: This is a must for all SIEM solutions. Attackers can move quickly through your network once inside, so the ability to detect and react as events happen is essential.

User activity monitoring: Not all threats are malicious. Many breaches occur because of internal user error or misuse of privileges. A good SIEM should have sight of all user activity to bring any potential dangers to your attention quickly.

Threat detection across the environment: Your chosen SIEM should be able to process every source in your environment, whether that be databases, applications, devices, or web services.

Log storage: SIEMs quickly accumulate large amounts of data, and some of that data you may be legally required to hang on to depending on the regulations within your industry. Make sure the SIEM can store the data you want to keep while excluding any irrelevant data to keep usage down.

Scalability: Many SIEM solutions license by the amount of data processed, which can change dramatically depending on how a business changes or grows. So, make sure your chosen SIEM can grow alongside you.

Integrations: Most organisations’ security systems are a patchwork of different point solutions that often cause problems by not communicating effectively with one another. Your selected SIEM will need to be able to draw from all of them and make sense of the data they provide.

Reporting: You’ll likely need to provide regular, relevant reports on your security activity to both auditors and executives to prove compliance with multiple regulations. A good SIEM will allow you to contextually export these reports, saving you time and effort when proving compliance.

SIEM vs. Managed security services

Very often a Managed SIEM service will only be a part of a wider Managed Service offering. The day-to-day collection of logs and reporting via a SIEM tool is often the base-level service available from a provider.

A Managed Security Services Provider (MSSP) will typically offer additional services, such as Managed Detection and Response – monitoring your estate 24×7 using automation.

Security analysts can then respond to and investigate security incidents based on defined SLAs, using their expertise and knowledge of your estate to determine when a genuine threat is detected and to notify you before that threat is realised.

They may also offer Incident Response and Remediation guidance, providing analysis and investigation of potential security threats with remediation advice. If they have a Security Operations Centre (SOC), a fully managed incident response process will likely be an option.

A fully staffed SOC can also provide ad hoc security information to clients about zero-day dangers, emerging threats, and new vulnerabilities. These are usually in the format of security bulletins and other security detail reporting.

A managed security service will also offer you regular reporting, which will provide valuable information around potential threats, mitigated threats, and details of the organisation’s security posture at a given point in time.

It can also support the organisation in the achievement and maintenance of compliance against given standards (CE, CE+, ISO27001, PCI, etc.) which can be compulsory for some businesses to maintain their operation.

If you’re considering using either a Managed SIEM or a full MSSP service, take the time to make sure they’ll work with you to find the right solution and that you’re getting the best value for money.

How to get started with Managed SIEM

The use of a SIEM is a great foundation on which to build out your security strategy, helping you translate the noise of alerts into something meaningful.

However, it’s not as simple as just installing some software and feeding all your logs into it – a clear implementation plan is needed.

We’ve seen it before: clients rush an implementation and begin logging everything all in one go, resulting in a tidal wave of information that can easily overwhelm.

If you’re looking for a Managed SIEM or Managed Security Service Provider, our recommendation would be asking about a Proof of Concept first. This way you can trial the product and the service to see if it’s suitable without fully committing.

At Kocho, we work with Microsoft to offer a funded POC for Microsoft Sentinel, which not only gets you set up with the tool but also allows you to experience the Managed Security Service offered by the SOC.

We’ve done this for several of our clients, with many choosing to adopt the Managed Security Service, which then operates as an extension of their internal IT and security teams.

Others have used it to get the tool set up as far as initial log ingestion and then looked at managing the systems themselves – calling on our expertise through consultancy when needed.

Key takeaways

  • Using a SIEM tool helps cut through alert noise to identify the real threats.
  • Building and maintaining a SIEM inhouse is a costly and lengthy process.
  • Many organisations use a third-party Managed SIEM service to access tech and talent faster, at a fraction of the cost of doing it inhouse.
  • Microsoft Sentinel is a market-leading SIEM/SOAR platform – designed to operate in modern hybrid environments.
  • Implementation can be easy to get wrong; utilising a partner is a much safer route to ensuring return on investment.

Author

Anna Webb

Anna Webb is Kocho’s Head of Security Operations. Anna is passionate about security and works tirelessly to ensure our clients have peace of mind.