What is Managed SIEM? Everything you need to know

The sheer volume and variety of modern cyber threats makes keeping on top of your security a real challenge.

SIEM solutions are fast becoming essential to ensuring effective threat detection and response. By utilising a SIEM tool, organisations can better manage security incidents, respond at speed, and prove compliance against stiff regulations.

Simply having a SIEM tool isn’t enough, however. Most organisations can’t field the skills or staff necessary to use one efficiently, which is why many choose to outsource the support of a SIEM to a specialist third-party. This allows them to gain access to all the security benefits of a properly managed and monitored SIEM tool.

In this blog, we’ll cover all your key Managed SIEM questions. Explaining what a Managed SIEM service is, how it works, the benefits of using one, and how to access one for your organisation.

What is a Managed SIEM service?

A Managed SIEM is where an organisation utilises a third-party service provider to monitor its IT environment for security threats.

In this scenario, the SIEM solution is typically hosted and maintained by a third party – collecting information from across your network through event logs that can be easily viewed, analysed, and responded to by a security analyst.

It used to be that SIEM software was simply used to collect and report on log data. However, over the years SIEM solutions have evolved into sophisticated security response systems, adopting Machine Learning (ML) and Artificial Intelligence (AI) capabilities to quickly identify typical attack patterns and behaviours – making them an integral element of effective security.

Unfortunately, those additional capabilities also add complexity to the management of a SIEM solution. A complexity most organisations can’t afford to support, either through lack of budget or personnel, and so a Managed SIEM service offers the opportunity to benefit from a SIEM faster and cheaper than doing it inhouse.

What does a SIEM do?

A SIEM tool pulls log data from across your entire environment into a single platform for analysis and response.

It does this either via agents installed on your infrastructure endpoints or through physical or virtual appliances deployed within your network. These act as log collectors, which allow the log data to be collected and then pulled into, or ingested, into a centralised platform.

Within the centralised platform, all the log data is sorted into various security event categories such as malware, unsuccessful logins, suspicious devices, and other potential breach activity. When a threat is detected, an alert is fired with a defined threat level, which is based on a predetermined set of rules. In this way, the SIEM detects threats and creates security alerts.

The manual monitoring of your environment is a nigh-impossible task for any human to do alone. A SIEM platform takes that huge volume of data and sifts through it – separating the suspicious from standard everyday activity.

If an activity is considered suspicious, the SIEM software flags it for further investigation by a security analyst, helping security teams build detection use cases to pinpoint attacks and respond to threats much faster.

Key SIEM functions

• Collect: Gather data from infrastructure, devices, applications, and users across on-premises and cloud operations.
• Detect: Identify threats and minimise false positives.
• Investigate: Use business rules and pattern recognition to separate the sinister from the civil.
• Respond: Take appropriate action and react to incidents using automated responses and escalate when necessary.

Most SIEM solutions should offer you these basic capabilities:

Why use Managed SIEM?

As I mentioned above, running a SIEM solution inhouse is a costly endeavour – both in terms of the SIEM tool itself and the recruitment and training of the analysts required to monitor it.

That’s not to say it’s impossible, some larger companies have dedicated internal teams to maintain their SIEM. However, for smaller to mid-sized organisations, an inhouse team dedicated to monitoring the SIEM solution is largely unrealistic.

But those smaller businesses still need the security benefits a SIEM can provide (even more so given there are over 65,000 attempted attacks on UK SMEs every day), so using a Managed SIEM approach is often the preferred route to obtaining them.

Benefits of using Managed SIEM

The main benefits of using a Managed SIEM are that it reduces costs and allows you to use outsourced expertise to manage your day-to-day security operations and keep your business secure against cyber threats and breaches.

Let’s look at these and some other benefits in more detail.

Popular SIEM platforms

There are quite a few SIEM tools to choose from. Each one caters to different business needs – depending on the size and technical requirements.

It’s worth researching which would be the best fit for your organisation. As a guide, you should assess potential platforms by cost, available features, and ease of use.

If you’re a smaller organisation, the likes of Splunk or QRadar are likely to be unsuitable. These are mainly aimed at enterprise-level organisations. Other SIEM tools, such as AlertLogic MDR, do not come as a standalone product and must be purchased as a service instead, which isn’t always the best option for businesses.

Our platform of choice here at Kocho is Microsoft Sentinel. This is a cloud-native solution for SIEM and Security Orchestration, Automation, and Response (SOAR).

Sentinel is ideal, mainly due to its ability to indefinitely scale alongside your needs. Its advanced AI is powered by Microsoft’s powerful security telemetry, allowing it to apply the very latest security intelligence to your entire network. This helps bring much-needed context to the data being analysed, to effectively identify activity that could be considered suspicious vs. what’s normal.

Microsoft Sentinel’s strength lies in its compatibility, both with third-party connectors from AWS, Barracuda, Cisco, etc. and the wider Microsoft security suite. It is also a real advantage for organisations looking to achieve true XDR (extended detection and response) alongside Microsoft 365 Defender.

Check out our case study to find out how the University of Stirling improved its threat detection and response using Microsoft Sentinel.

How to choose the right SIEM for you

Whichever SIEM tool you think would be the best fit for you and your organisation, check with your potential Managed Service partner to see if their chosen SIEM solution can offer the following:

Real-time monitoring and alerts: This is a must for all SIEM solutions. Attackers can move quickly through your network once inside, so the ability to detect and react as events happen is essential.

User activity monitoring: Not all threats are malicious. Many breaches occur because of internal user error or misuse of privileges. A good SIEM should have sight of all user activity to bring any potential dangers to your attention quickly.

Threat detection across the environment: Your chosen SIEM should be able to process every source in your environment, whether that be databases, applications, devices, or web services.

Log storage: SIEM’s quickly accumulate large amounts of data, and some of that data you may be legally required to hang on to depending on the regulations within your industry. Make sure the SIEM can store the data you want to keep while excluding any irrelevant data to keep usage down.

Scalability: Many SIEM solutions license by the amount of data processed, which can change dramatically depending on how a business changes or grows. So, make sure your chosen SIEM can grow alongside you.

Integrations: Most organisations’ security systems are a patchwork of different point solutions that often cause problems by not communicating effectively with one another. Your selected SIEM will need to be able to draw from all of them and make sense of the data they provide.

Reporting: You’ll likely need to provide regular, relevant reports on your security activity to both auditors and executives to prove compliance with multiple regulations. A good SIEM will allow you to contextually export these reports, saving you time and effort when proving compliance.

SIEM vs. Managed security services

Very often a Managed SIEM service will only be a part of a wider Managed Service offering. The day-to-day collection of logs and reporting via a SIEM tool is often the base-level service available from a provider.

A Managed Security Services Provider (MSSP) will typically offer additional services, such as Managed Detection and Response – monitoring your estate 24×7 using automation.

Security analysts can then respond to and investigate security incidents based on defined SLAs, using their expertise and knowledge of your estate to determine when a genuine threat is detected and to notify you before that threat is realised.

They may also offer Incident Response and Remediation guidance, providing analysis and investigation of potential security threats with remediation advice. If they have a Security Operations Centre (SOC), a fully managed incident response process will likely be an option.

A fully staffed SOC can also provide ad hoc security information to clients about zero-day dangers, emerging threats, and new vulnerabilities. These are usually in the format of security bulletins and other security detail reporting.

A managed security service will also offer you regular reporting, which will provide valuable information around potential threats, mitigated threats, and details of the organisation’s security posture at a given point in time.

It can also support the organisation in the achievement and maintenance of compliance against given standards (CE, CE+, ISO27001, PCI, etc.) which can be compulsory for some businesses to maintain their operation.

If you’re considering using either a Managed SIEM or a full MSSP service, take the time to make sure they’ll work with you to find the right solution and that you’re getting the best value for money.

How to get started with Managed SIEM

The use of a SIEM is a great foundation on which to build out your security strategy, helping you translate the noise of alerts into something meaningful.

However, it’s not as simple as just installing some software and feeding all your logs into it – a clear implementation plan is needed.

We’ve seen it before, clients rush an implementation and begin logging everything all in one go, resulting in a tidal wave of information that can easily overwhelm.

If you’re looking for a Managed SIEM or Managed Security Service Provider, our recommendation would be asking about a Proof of Concept first. This way you can trial the product and the service to see if it’s suitable without fully committing.

At Kocho, we work with Microsoft to offer a funded POC for Microsoft Sentinel, which not only gets you set up with the tool but also allows you to experience the Managed Security Service offered by the SOC.

We’ve done this for several of our clients; with many choosing to adopt the Managed Security Service, which then operates as an extension of their internal IT and security teams.

Others have used it to get the tool set up as far as initial log ingestion and then looked at managing the systems themselves – calling on our expertise through consultancy when needed.

Key takeaways

Next steps