I don’t usually blog on specific research … but when I do, it is about SIEM. So, a very interesting piece just went up on the Gartner site. It is called “How and When to Use Co-managed SIEM” (Gartner access, but not GTP access required) and is written by Toby Bussa. The summary states: “Co-managed SIEM services allow organizations to maximize value from SIEM investments and enhance security event monitoring capabilities while retaining control and flexibility. This note will help organizations to identify and select a provider, and to avoid common implementation challenges.”
So, WTH is “co-managed SIEM”? It is a SIEM that you own [usually], but somebody else runs or helps you run. It sits on a wide tract of wilderness between a traditional SIEM product (that you own and operate) and an MSSP service (that you essentially rent from a provider). We have noticed a lot of interest in such engagements in recent years.
A few fun quotes from the paper follow below:
- “Organizations have invested in SIEM technology, but many implementations fail due to a lack of SIEM expertise, competition for scarce internal security resources, and lack of investment in processes and activities.”
- “To maximize the value of a SIEM investment using a co-managed model, organizations must be prepared to invest time in establishing and maintaining the relationship with the provider.” <- so this is not all magic and unicorns; actual WORK on your behalf is involved.
- “This approach enables internal staff to focus on activities that require organization-specific knowledge and are more difficult to outsource, such as interfacing with business unit staff, defining the monitoring goals, running internal projects, or leading incident investigation and response.”
- “Compared with MSSP […], using a co-managed service allows an organization to have more control over its logs, processes and activities, and operations.”
Related blog posts about SIEM:
- My “Evaluation Criteria for Security Information and Event Management” 2015 Update Publishes
- SIEM Real-time and Historical Analytics Collide?
- SIEM and Badness Detection
- “Stop The Pain” Thinking vs the Use Case Thinking
- More on SIEM Maturity – And Request for Feedback!
- On SIEM Tool and Operation Metrics
- SIEM Analytics Histories and Lessons
- How to Use Threat Intelligence with Your SIEM?
- Popular SIEM Starter Use Cases
- Detailed SIEM Use Case Example
- On “Output-driven” SIEM
- On SIEM Deployment Evolution
- On People Running SIEM
- On SIEM Processes/Practices
- On Large-scale SIEM Architecture
- All posts tagged SIEM