What is a SIEM?

Security Information and Event Management (SIEM) systems are a prominent piece of modern security stacks and are often seen as the center of an analyst's world. A SIEM integrates data from diverse sources across an organization's environment, collecting it for processing and analysis, alerting on security events, and serving as the system of record for compliance purposes. This single pane of glass provides a unified view of an organization's cybersecurity health, which is why SIEM is often perceived as an essential tool for managing complex cybersecurity data and responses.

Understanding SIEM: Its Capabilities and Limitations

Capabilities

  • Log Aggregation, Analysis, and Storage
    • The ability to aggregate data from multiple sources, correlate this information to detect patterns or anomalies, and efficiently store it for future analysis is crucial.
  • Threat Detection
    • Detection and response are critical parts of a SIEM, serving to alert security analysts of events in their environment.
  • Identification of Known Threats and IoCs
    • Threat detection on SIEMs is often focused on known bad behavior, such as malware signatures and indicators of compromise (IoCs). Such activity readily triggers alerts, as do volumetric changes in the environment's behavior.
  • Dashboards and Reporting
    • SIEMs make it easy for analysts to intuitively understand and interact with stored data.
  • Log Accessibility
    • SIEMs serve as a system of record to support forensic analysis post-breach. This allows analysts to review what has happened and potentially identify root causes.
  • Compliance Reporting
    • Insurance providers and compliance auditors engage with risk analysts, who use the SIEM to determine where customers comply with the various frameworks (CMMC, HIPAA, etc.).

Limitations

  • Catching the Unknown in Time
    • Because SIEMs raise alerts only after event correlation is complete, there is often a noticeable delay in alerting, giving threat actors time to succeed. In addition, true positives can get drowned out by the high volume of alerts.
  • Requires Large Amounts of Configuration and Management
    • SIEMs require ongoing support to ensure:
      • Your data sources are configured
      • Data is flowing (Data Feed fidelity is key)
      • Alerts and actions based on the analysis are set up correctly
  • Data Dependency and Cost Concerns
    • Although SIEMs enable comprehensive attack analysis, their effectiveness hinges on complete data access. However, the cost of storing every log can become prohibitive due to pricing models that escalate quickly with increased storage. With 78+% of global MSPs expecting to increase their revenue in the next three years (Datto), they cannot be bogged down by dramatic spikes in data storage pricing.
  • Dependent on Additional Security Tools
    • MSPs that utilize SIEMs often have to use other security tools to ‘clean’ and reduce the amount of data that must be sent into the SIEM, increasing businesses’ spending on security stack tools.
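The aggregation, correlation and IoC-matching capabilities listed above, together with the alert delay that windowed correlation introduces (the first limitation), in one toy pipeline. This is an added example, not Blackpoint code or any SIEM product's logic; the log lines, the watchlisted IP (taken from the 203.0.113.0/24 documentation range) and the file hash are constructed placeholders, and the five-minute tumbling window and failed-login threshold are assumed parameters:

```python
"""Toy SIEM pipeline: normalise heterogeneous logs, match a known-IoC watchlist,
and run a windowed volumetric correlation. Added example with constructed data."""
from __future__ import annotations
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed watchlist (placeholders, not real indicators).
IOC_IPS = {"203.0.113.45"}        # RFC 5737 documentation range
IOC_HASHES = {"deadbeef" * 8}     # placeholder standing in for a SHA-256
EPOCH = datetime(1970, 1, 1)      # reference point for aligning tumbling windows

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\w+): (?P<msg>.*)$")


@dataclass
class Event:
    """Common schema every source is mapped onto before correlation."""
    ts: datetime
    host: str
    source: str
    action: str
    user: str = ""
    src_ip: str = ""
    file_hash: str = ""


@dataclass
class Alert:
    kind: str
    ts: datetime        # when the SIEM would emit the alert
    detail: str
    latency_s: float    # seconds between first contributing event and emission


def normalize(raw: str) -> Event | None:
    """Map a JSON endpoint-agent line or a key=value syslog line onto Event."""
    raw = raw.strip()
    if raw.startswith("{"):
        d = json.loads(raw)
        return Event(datetime.fromisoformat(d["time"]), d["host"], "edr",
                     d["event"], d.get("user", ""), "", d.get("sha256", ""))
    m = SYSLOG_RE.match(raw)
    if not m:
        return None  # unparseable line: dropped, a real SIEM would count these
    kv = dict(p.split("=", 1) for p in m["msg"].split() if "=" in p)
    return Event(datetime.fromisoformat(m["ts"]), m["host"], m["app"],
                 kv.get("action", ""), kv.get("user", ""), kv.get("src", ""))


def ioc_alerts(events: list[Event]) -> list[Alert]:
    """Known-bad matching fires on the event itself, so latency is zero."""
    out = []
    for e in events:
        if e.src_ip in IOC_IPS:
            out.append(Alert("ioc_ip", e.ts, f"{e.host}: traffic from watchlisted IP {e.src_ip}", 0.0))
        if e.file_hash in IOC_HASHES:
            out.append(Alert("ioc_hash", e.ts, f"{e.host}: {e.user} ran watchlisted binary", 0.0))
    return out


def volumetric_alerts(events: list[Event], window: timedelta = timedelta(minutes=5),
                      threshold: int = 5) -> list[Alert]:
    """Count failed logins per source IP in tumbling windows. The alert is only
    emitted when the window closes, which is where the correlation delay comes from."""
    buckets: dict[tuple[str, datetime], list[Event]] = defaultdict(list)
    for e in events:
        if e.action != "login_failed" or not e.src_ip:
            continue
        start = EPOCH + ((e.ts - EPOCH) // window) * window  # align to window boundary
        buckets[(e.src_ip, start)].append(e)
    out = []
    for (ip, start), hits in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        if len(hits) >= threshold:
            emit_at = start + window
            first = min(h.ts for h in hits)
            out.append(Alert("brute_force", emit_at, f"{len(hits)} failed logins from {ip}",
                             (emit_at - first).total_seconds()))
    return out


def run_pipeline(raw_lines: list[str]) -> list[Alert]:
    events = [e for e in (normalize(line) for line in raw_lines) if e is not None]
    events.sort(key=lambda e: e.ts)
    return sorted(ioc_alerts(events) + volumetric_alerts(events), key=lambda a: a.ts)


# Constructed sample feed: a firewall/sshd syslog stream plus one endpoint-agent JSON record.
SAMPLE_LOGS = [
    "2024-05-01T10:00:05 fw01 sshd: action=login_failed user=admin src=198.51.100.7",
    "2024-05-01T10:00:12 fw01 sshd: action=login_failed user=admin src=198.51.100.7",
    "2024-05-01T10:00:20 fw01 sshd: action=login_failed user=root src=198.51.100.7",
    "2024-05-01T10:00:31 fw01 sshd: action=login_failed user=admin src=198.51.100.7",
    "2024-05-01T10:00:45 fw01 sshd: action=login_failed user=admin src=198.51.100.7",
    "2024-05-01T10:01:00 fw01 sshd: action=login_success user=admin src=198.51.100.7",
    json.dumps({"time": "2024-05-01T10:02:10", "host": "ws-17", "event": "process_start",
                "user": "jsmith", "sha256": "deadbeef" * 8}),
    "2024-05-01T10:03:00 fw01 filter: action=allow src=203.0.113.45 dst=10.0.0.5",
]

if __name__ == "__main__":
    for a in run_pipeline(SAMPLE_LOGS):
        print(f"{a.ts.isoformat()} {a.kind:<12} latency={a.latency_s:>6.0f}s  {a.detail}")
```

The two IoC alerts carry zero latency because they fire on the matching event; the brute-force alert is held until the five-minute window closes, so it lands 295 seconds after the first failed login even though the fifth attempt arrived 45 seconds in. Shrinking the window or switching to a sliding count reduces that delay at the cost of more evaluation work per event, which is the trade-off behind the first limitation.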

Blackpoint Cyber’s Perspective on SIEM

While SIEM systems provide significant capabilities in log management, they are insufficient for MSPs' security. They were neither built nor priced with the MSP in mind. Traditional SIEM-based Managed Detection and Response (MDR) services often fall short in several areas:

  • Delayed Alerts: SIEMs can have substantial delays in alert generation, hindering real-time threat response.
  • Manual Intervention: Effective response often requires manual intervention, complicating the coordination across different tools and systems.
  • Complex Threat Detection: Many SIEMs struggle to identify advanced or sophisticated threats, leading to a high volume of alerts and a substantial number of false positives.
  • Deployment and Maintenance Challenges: SIEMs can be complex and time-consuming to configure, deploy, and maintain.

Instead, Blackpoint advocates for an integrated approach that combines the robust detection and alerting capabilities of advanced MDR with the comprehensive data capabilities of SIEMs. Our solutions are designed to offer not only compliance and advanced threat detection but also real-time, automated response that addresses the needs of MSPs and their end clients efficiently and effectively.
