Blog post

Should I Use “SIEM X” or “MSSP Y”?

By Anton Chuvakin | December 16, 2014 | 4 Comments

SIEMsecurityMSSPmonitoring

Lately I’ve been surprised by some organizational decision-making as they think about their sourcing choices for security monitoring. Specifically, some organizations want to decide between “SIEM Brand X” and “MSSP Brand Y” before they decide on the model – staffed in-house, managed, co-managed, outsourced, etc. While on some level this makes sense (specifically, on a level of “spend $$$ – get a capability” whether from a vendor tool run by employees/consultants or from a service provider), it still irks me for some reason.

Let’s psychoanalyze this! IMHO, in real-life nobody decides between “BART or Kia” or “Uber or BMW” – people think first about “should I buy a car or use public transportation?” then decide on a vehicle or the most convenient mode of transportation. In one case, your money is used to buy a tool, piece of dead code that won’t do anything on its own and requires skilled personnel to run. In another case, you are essentially renting a tool from somebody and paying for their analysts time. As a sidenote, occasionally, I see a request for something that looks and behaves as BOTH a SIEM and a MSSP, such as a request for managed SIEM contract (“If you write an RFP for a car AND for a bus pass as one document, you’d get an RFP for a chauffeured limo, with that price” as some anonymous, but unquestionably wise CSO has said)

So, to me, deciding whether to own a tool or to rent time from others is The Decision, but which brand of tool or MSSP to procure is secondary.

  1. PICK THE MODEL SIEM, MSSP, hybrid (such as staff augmentation, co-managed, or even both SIEM and MSSP)
  2. PICK THE BRAND(S) to shortlist.

Admittedly, some hybrid models are fairly mixed (“MSSP for perimeter, but Tier 3 alert triage in-house; internal network monitoring with a SIEM staffed by consultants, and internal user monitoring by FTEs” is a real example, BTW) and you may not have 100% certainty if going for a hybrid. Still, clarity on the degree of externalization is a must.

Otherwise, IMHO, you end up with a lot of wasted time evaluating choices that simply cannot work for you, for example:

  • If you know you cannot hire, don’t look at SIEM [SIEM needs people!]
  • If you cannot move your data outside the organization, don’t look at MSSPs
  • If you cannot hire AND cannot move data out, go with the “managed SIEM”

Therefore, I think it helps to narrow down the options using the coarse-grained model filter and then go sort out the providers/vendors.

Am I wrong here? Can you intelligently choose between a bunch of SIEM vendors, MSSPs and consulting firms doing managed SIEM if you don’t first settle on the model?

P.S. If you call us at Gartner with another “What is better, MSSP X or SIEM Y?” question, we will undoubtedly help you regardless of the above. Still, I think model for monitoring/management should precede the brand…

Blog posts related to this research on MSSP usage:

Comments are closed

4 Comments

  • Matthew Gardiner says:

    You are right. We see this challenge all the time. Organizations are waking up to the reality that their security monitoring (SOC/CIRC) program needs to be ramped-up an order of magnitude or so to detect and investigate the more advanced, targeted attacks that are so worrisome. But they lack the people, processes/expertise, and technology to do the job (other than that they are all set!). Thus they lurch from figuring out the technology they need to the skills and processes that they lack, with no quick fix to the problem. I strongly believe that forms of MSSP delivered IR services will become increasingly part of the solution for an increasing number of organizations, but increased experience amongst all participants (vendors, MSSPs, customers) in providing and consuming hybrid security monitoring services is needed before this approach can become more commonplace. We at RSA are certainly committed to doing our part to improve and clarify the situation!

  • @Matt Thanks for the comment. Indeed, more people realize that that “they need a SIEM”, but at the same time that “SIEM is too hard for them” — result: lots of different hybrid models, confusion, etc,etc.

    And, yes, on the IR side they also need a lot of help and MSSP/consulting is expected to grow a lot there.

  • Alex says:

    Good points! As seen you twitter:

    “Prior to evaluating events/sec, you’d better evaluate trained analysts/day”

  • @Alex Thanks for the comments. Indeed, too many $x00,000 SIEM sit there with no analysts in front of the console….