Gartner Blog Network


Should I Use “SIEM X” or “MSSP Y”?

by Anton Chuvakin  |  December 16, 2014  |  4 Comments

Lately I’ve been surprised by some organizational decision-making as they think about their sourcing choices for security monitoring. Specifically, some organizations want to decide between “SIEM Brand X” and “MSSP Brand Y” before they decide on the model – staffed in-house, managed, co-managed, outsourced, etc. While on some level this makes sense (specifically, on a level of “spend $$$ – get a capability” whether from a vendor tool run by employees/consultants or from a service provider), it still irks me for some reason.

Let’s psychoanalyze this! IMHO, in real-life nobody decides between “BART or Kia” or “Uber or BMW” – people think first about “should I buy a car or use public transportation?” then decide on a vehicle or the most convenient mode of transportation. In one case, your money is used to buy a tool, piece of dead code that won’t do anything on its own and requires skilled personnel to run. In another case, you are essentially renting a tool from somebody and paying for their analysts time. As a sidenote, occasionally, I see a request for something that looks and behaves as BOTH a SIEM and a MSSP, such as a request for managed SIEM contract (“If you write an RFP for a car AND for a bus pass as one document, you’d get an RFP for a chauffeured limo, with that price” as some anonymous, but unquestionably wise CSO has said)

So, to me, deciding whether to own a tool or to rent time from others is The Decision, but which brand of tool or MSSP to procure is secondary.

  1. PICK THE MODEL SIEM, MSSP, hybrid (such as staff augmentation, co-managed, or even both SIEM and MSSP)
  2. PICK THE BRAND(S) to shortlist.

Admittedly, some hybrid models are fairly mixed (“MSSP for perimeter, but Tier 3 alert triage in-house; internal network monitoring with a SIEM staffed by consultants, and internal user monitoring by FTEs” is a real example, BTW) and you may not have 100% certainty if going for a hybrid. Still, clarity on the degree of externalization is a must.

Otherwise, IMHO, you end up with a lot of wasted time evaluating choices that simply cannot work for you, for example:

  • If you know you cannot hire, don’t look at SIEM [SIEM needs people!]
  • If you cannot move your data outside the organization, don’t look at MSSPs
  • If you cannot hire AND cannot move data out, go with the “managed SIEM”

Therefore, I think it helps to narrow down the options using the coarse-grained model filter and then go sort out the providers/vendors.

Am I wrong here? Can you intelligently choose between a bunch of SIEM vendors, MSSPs and consulting firms doing managed SIEM if you don’t first settle on the model?

P.S. If you call us at Gartner with another “What is better, MSSP X or SIEM Y?” question, we will undoubtedly help you regardless of the above. Still, I think model for monitoring/management should precede the brand…

Blog posts related to this research on MSSP usage:

Category: monitoring  mssp  security  siem  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on Should I Use “SIEM X” or “MSSP Y”?


  1. Matthew Gardiner says:

    You are right. We see this challenge all the time. Organizations are waking up to the reality that their security monitoring (SOC/CIRC) program needs to be ramped-up an order of magnitude or so to detect and investigate the more advanced, targeted attacks that are so worrisome. But they lack the people, processes/expertise, and technology to do the job (other than that they are all set!). Thus they lurch from figuring out the technology they need to the skills and processes that they lack, with no quick fix to the problem. I strongly believe that forms of MSSP delivered IR services will become increasingly part of the solution for an increasing number of organizations, but increased experience amongst all participants (vendors, MSSPs, customers) in providing and consuming hybrid security monitoring services is needed before this approach can become more commonplace. We at RSA are certainly committed to doing our part to improve and clarify the situation!

  2. @Matt Thanks for the comment. Indeed, more people realize that that “they need a SIEM”, but at the same time that “SIEM is too hard for them” — result: lots of different hybrid models, confusion, etc,etc.

    And, yes, on the IR side they also need a lot of help and MSSP/consulting is expected to grow a lot there.

  3. Alex says:

    Good points! As seen you twitter:

    “Prior to evaluating events/sec, you’d better evaluate trained analysts/day”

  4. @Alex Thanks for the comments. Indeed, too many $x00,000 SIEM sit there with no analysts in front of the console….



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.