Co-Managed SIEM Rising

by Anton Chuvakin  |  August 24, 2015  |  2 Comments

I don’t usually blog on specific research … but when I do, it is about SIEM. So, a very interesting piece just went up on the Gartner site. It is called “How and When to Use Co-managed SIEM” (Gartner access, but not GTP access required) and is written by Toby Bussa. The summary states: “Co-managed SIEM services allow organizations to maximize value from SIEM investments and enhance security event monitoring capabilities while retaining control and flexibility. This note will help organizations to identify and select a provider, and to avoid common implementation challenges.”

So, WTH is “co-managed SIEM”? It is a SIEM that you own [usually], but somebody else runs or helps you run. It sits on a wide tract of wilderness between a traditional SIEM product (that you own and operate) and an MSSP service (that you essentially rent from a provider). We have noticed a lot of interest in such engagements in recent years.

A few fun quotes from the paper follow below:

  • “Organizations have invested in SIEM technology, but many implementations fail due to a lack of SIEM expertise, competition for scarce internal security resources, and lack of investment in processes and activities.”
  • “To maximize the value of a SIEM investment using a co-managed model, organizations must be prepared to invest time in establishing and maintaining the relationship with the provider.” <- so this is not all magic and unicorns; actual WORK on your part is involved.
  • “This approach enables internal staff to focus on activities that require organization-specific knowledge and are more difficult to outsource, such as interfacing with business unit staff, defining the monitoring goals, running internal projects, or leading incident investigation and response.”
  • “Compared with MSSP […], using a co-managed service allows an organization to have more control over its logs, processes and activities, and operations.”

Enjoy “How and When to Use Co-managed SIEM”!



Thoughts on Co-Managed SIEM Rising


  1. Matthew Gardiner says:

    I think a better way to think about this is instead of co-managing a technology (SIEM), it is about engaging an MSSP for outsourcing/collaborating on incident detection and response. Or, in shorthand, building a hybrid SOC that uses a SIEM, as well as other technologies, as a platform to conduct joint incident detection, investigation, and response.

    • Thanks for the comment, Matthew! Frankly, we see “outsource IR/SOC” thinking leading to a lot of embarrassing and costly failures… When people have the “O word” in mind, they often shed ALL responsibility for the result and then blame the MSSP for all problems, including their own…

      Overall, “I am going to outsource my SOC” often means “I will toss it over the fence and pray it doesn’t come back crashing on me”…

      Hybrid operation is a much healthier mindset, IMHO.
