Utilizing SIEM can feel a bit like navigating a minefield unless you have the right tools and expertise.

There's a lot of buzz in the marketplace these days around SIEM, which is Security Information and Event Management. I've had people tell me that their SIEM technology isn't of much use, and others tell me that it's critical to their business's everyday security posture. The difference between those two experiences usually comes down to the same thing: how the related tools are deployed, and what the staff around them looks like.

In a mature security posture, SIEM is only one component of a much broader discipline. While we do employ SIEM for many of our customers, it's actually a small piece of what is called Managed Detection and Response (MDR). Our team of security analysts provides these real-time MDR services to our customers. But, little known to most, they actually provide MDR for our own organization as well. We call it "eating our own dogfood."

MDR helps you avoid data-breach landmines

The world of MDR involves a lot of pieces. It includes developers who understand how to ingest information, and security analysts who know how to tell those developers what intelligence needs to be derived from that information. The SIEM is the typical tool in that process: the platform on which the developers implement the rules that turn raw information into actionable intelligence.

Sorting through the mess of false positives and useless information is a science in and of itself. Behind the scenes, senior security analysts are doing "threat hunting": they're taking the intelligence produced by the system, correlating those events with what they already know, and using that to notify customers in real time when something suspicious is going on that warrants more review. In many of those cases, it's an active attack that's knocked down immediately.

Where does your MDR function reside?

Large enterprises with massive IT budgets typically implement a SIEM and have the necessary IT staff to maintain and monitor it (i.e., MDR). By contrast, smaller and mid-sized organizations typically do not succeed in gathering intelligence from their SIEM because they don't have the necessary internal expertise and staffing levels. In those environments, we often see the SIEM being used by a forensic investigator trying to work out how a breach went on for months. In those cases, outsourcing MDR to a managed security service provider, before you have to engage a forensic investigator, is the ideal solution.

In the end, you can implement all the right tools and still miss an intrusion. The answer lies not only in how good your tools are, but also in who's watching your environment.

Contact us today to learn more about how to maximize your cybersecurity functions by supplementing your organization's security threat management efforts.