Co-Managed SIEM Rising

By Anton Chuvakin | August 24, 2015 | 2 Comments


I don’t usually blog on specific research … but when I do, it is about SIEM. So, a very interesting piece just went up on the Gartner site. It is called “How and When to Use Co-managed SIEM” (Gartner access, but not GTP access required) and is written by Toby Bussa. The summary states: “Co-managed SIEM services allow organizations to maximize value from SIEM investments and enhance security event monitoring capabilities while retaining control and flexibility. This note will help organizations to identify and select a provider, and to avoid common implementation challenges.”


So, WTH is “co-managed SIEM”? It is a SIEM that you own [usually], but somebody else runs or helps you run. It sits on a wide tract of wilderness between a traditional SIEM product (that you own and operate) and an MSSP service (that you essentially rent from a provider). We have noticed a lot of interest in such engagements in recent years.

A few fun quotes from the paper follow below:

  • “Organizations have invested in SIEM technology, but many implementations fail due to a lack of SIEM expertise, competition for scarce internal security resources, and lack of investment in processes and activities.”
  • “To maximize the value of a SIEM investment using a co-managed model, organizations must be prepared to invest time in establishing and maintaining the relationship with the provider.” <- so this is not all magic and unicorns; actual WORK on your behalf is involved.
  • “This approach enables internal staff to focus on activities that require organization-specific knowledge and are more difficult to outsource, such as interfacing with business unit staff, defining the monitoring goals, running internal projects, or leading incident investigation and response.”
  • “Compared with MSSP […], using a co-managed service allows an organization to have more control over its logs, processes and activities, and operations.”

Enjoy “How and When to Use Co-managed SIEM”!

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


  • Matthew Gardiner says:

    I think a better way to think about this is instead of co-managing a technology (SIEM), it is about engaging an MSSP for outsourcing/collaborating on incident detection and response. Or shorthand, building a hybrid SOC that uses a SIEM, as well as other technologies, as a platform to conduct joint incident detection, investigation, and response.

    • Thanks for the comment, Matthew! Frankly, we see “outsource IR/SOC” thinking leading to a lot of embarrassing and costly failures… When people have the “O word” in mind, they often shed ALL responsibility for the result and then blame the MSSP for all problems, including their own…..

      Overall, “I am going to outsource my SOC” often means “I will toss it over the fence and pray it doesn’t come back crashing on me”…

      Hybrid operation is a much healthier mindset, IMHO.