I don’t usually blog on specific research … but when I do, it is about SIEM. So, a very interesting piece just went up on the Gartner site. It is called “How and When to Use Co-managed SIEM” (requires Gartner access, but not GTP access) and is written by Toby Bussa. The summary states: “Co-managed SIEM services allow organizations to maximize value from SIEM investments and enhance security event monitoring capabilities while retaining control and flexibility. This note will help organizations to identify and select a provider, and to avoid common implementation challenges.”
So, WTH is “co-managed SIEM”? It is a SIEM that you own [usually], but somebody else runs or helps you run. It sits on a wide tract of wilderness between a traditional SIEM product (that you own and operate) and an MSSP service (that you essentially rent from a provider). We have noticed a lot of interest in such engagements in recent years.
A few fun quotes from the paper follow below:
- “Organizations have invested in SIEM technology, but many implementations fail due to a lack of SIEM expertise, competition for scarce internal security resources, and lack of investment in processes and activities.”
- “To maximize the value of a SIEM investment using a co-managed model, organizations must be prepared to invest time in establishing and maintaining the relationship with the provider.” <- so this is not all magic and unicorns; actual WORK on your behalf is involved.
- “This approach enables internal staff to focus on activities that require organization-specific knowledge and are more difficult to outsource, such as interfacing with business unit staff, defining the monitoring goals, running internal projects, or leading incident investigation and response.”
- “Compared with MSSP […], using a co-managed service allows an organization to have more control over its logs, processes and activities, and operations.”
Related blog posts about SIEM:
- My “Evaluation Criteria for Security Information and Event Management” 2015 Update Publishes
- SIEM Real-time and Historical Analytics Collide?
- SIEM and Badness Detection
- “Stop The Pain” Thinking vs the Use Case Thinking
- More on SIEM Maturity – And Request for Feedback!
- On SIEM Tool and Operation Metrics
- SIEM Analytics Histories and Lessons
- How to Use Threat Intelligence with Your SIEM?
- Popular SIEM Starter Use Cases
- Detailed SIEM Use Case Example
- On “Output-driven” SIEM
- On SIEM Deployment Evolution
- On People Running SIEM
- On SIEM Processes/Practices
- On Large-scale SIEM Architecture
- All posts tagged SIEM
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.