Wed, Nov 29, 2023
Effective threat detection is critical to achieving a mature cybersecurity posture. Yet with so many threat detection options on the market, from managed detection and response (MDR) to managed security service providers (MSSPs) to security information and event management (SIEM), choosing the most effective one for your organization can be challenging. The appropriate solution should have the breadth of insight to consistently address many types of threats, but also be able to align fully with your organization’s security environment. In this article, we outline how MDR, MSSPs and SIEM compare, discuss their potential challenges, and share key considerations to help you maximize your organization’s security investment.
As a well-established threat detection technology, SIEM enables organizations to detect targeted attacks and data breaches. SIEM is a combination of security event management (SEM), which provides event monitoring, correlation and notification, and security information management (SIM), which provides analysis, retention and reporting. It aggregates and analyzes log data from devices, infrastructure, systems and applications, and then generates alerts.
SIEM tools collect logs from data sources to facilitate event correlation and alerting. They draw on a wide range of sources such as network devices, infrastructure, systems, applications and security technologies.
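As an added illustration of the correlation step described above (example code, not from the article or any vendor product), the script below normalizes log lines from two differently formatted sources into one event shape, applies a single threshold-based correlation rule, and emits an alert tagged with its MITRE ATT&CK technique. The log formats, hostnames, users and addresses are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (invented hosts, users, IPs and formats): a Linux auth log and a VPN log.
AUTH_LOG = """\
2023-11-29T08:00:01 authsrv sshd: Failed password for alice from 203.0.113.7
2023-11-29T08:00:04 authsrv sshd: Failed password for alice from 203.0.113.7
2023-11-29T08:00:07 authsrv sshd: Failed password for alice from 203.0.113.7
2023-11-29T08:00:15 authsrv sshd: Accepted password for alice from 203.0.113.7
2023-11-29T08:05:00 authsrv sshd: Failed password for bob from 198.51.100.2
2023-11-29T08:30:00 authsrv sshd: Accepted password for bob from 198.51.100.2
"""
VPN_LOG = """\
2023-11-29T08:00:10 vpngw auth-fail user=alice src=203.0.113.7
2023-11-29T08:00:12 vpngw auth-fail user=alice src=203.0.113.7
"""
AUTH_RE = re.compile(r"^(\S+) \S+ sshd: (Failed|Accepted) password for (\S+) from (\S+)")
VPN_RE = re.compile(r"^(\S+) \S+ auth-(fail|ok) user=(\S+) src=(\S+)")

def normalize(text, pattern, source):
    """Parse one source's lines into a common (time, source, outcome, user, ip) shape."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            continue  # unparsed lines are skipped here; a real SIEM would count them
        ts, result, user, ip = m.groups()
        outcome = "fail" if result in ("Failed", "fail") else "success"
        events.append((datetime.fromisoformat(ts), source, outcome, user, ip))
    return events

def correlate(events, threshold=4, window=timedelta(minutes=2)):
    """Rule: >= threshold failures for one user/IP, from any source, inside the window, then
    a success for that user/IP -> one alert. The threshold keeps bob's single typo out."""
    alerts, failures = [], {}  # failures: (user, ip) -> [(time, source), ...]
    for ts, source, outcome, user, ip in sorted(events):
        key = (user, ip)
        recent = [f for f in failures.get(key, []) if ts - f[0] <= window]
        if outcome == "fail":
            failures[key] = recent + [(ts, source)]
            continue
        if len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "attack": "T1110",
                           "user": user, "src": ip, "failures": len(recent),
                           "sources": sorted({s for _, s in recent})})
        failures[key] = []  # a success closes the failure sequence
    return alerts

def run():
    return correlate(normalize(AUTH_LOG, AUTH_RE, "auth") + normalize(VPN_LOG, VPN_RE, "vpn"))
```

Raising the threshold or shortening the window is the same trade-off a SIEM team makes when tuning rules against false positives: fewer alerts, at the cost of missing slower attempts.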
SIEM solutions enable organizations to advance threat visibility and more easily achieve compliance with the NIS Directive and Payment Card Industry Data Security Standard (PCI DSS), and other regulations and standards.
A key point about SIEM is that it is a product rather than a service, providing visibility of environments to support detection of and response to threats, but requiring the resource and expertise to utilize it effectively.
The nature of SIEM means that organizations are often unable to manage it effectively without a large team of security specialists in place to deploy, manage and monitor it, and to analyze and respond to the high volume of alerts it can generate. Security teams often struggle with alert fatigue due to the large volume of false positives generated by SIEM solutions, risking important alerts being missed or overlooked. Even when genuine threats are identified, it can be difficult to understand the best way to respond to them. Alongside this, the sheer range of SIEM tools on the market means that specialist platform training and certification is likely to be required as well.
SIEM is often integrated within broader security orchestration, automation and response (SOAR) and threat management platforms. A key step in selecting a SIEM solution for your organization is to consider the following issues:
How effectively it will integrate with data sources
How well it will deliver the caliber of threat coverage and visibility required to fully address your threat detection use cases
What type of deployment options are provided
The level of support provided for threat intelligence sources
Incident response capabilities
An alternative to managing a SIEM solution in-house is a managed SIEM service. As well as enabling organizations to benefit from the most up-to-date SIEM technology, this type of solution should also provide the resources required to manage and monitor it, 24/7.
Managed security service providers (MSSPs) provide cyber services to other organizations. This is usually delivered through a security operations center (SOC). MSSPs offer services such as incident alerting, managing and monitoring security technologies, and continuous threat detection. In addition to SIEM, MSSPs may also provide support with intrusion detection, virtual private networks and other areas. Businesses can choose to outsource individual aspects of their cybersecurity requirement to an MSSP, or their entire security function. While working with an MSSP can help companies better address gaps in knowledge and meet compliance requirements, it also presents a number of challenges, including:
Inadequate Value: Despite the perception among organizations that they can achieve cost savings by outsourcing to an MSSP instead of investing in in-house cybersecurity provision, the reality is that MSSPs fail to adapt fast enough to newly emerging threats, making them slow to deliver value.
Limited Capabilities: MSSPs are usually focused on alert triage and management, instead of on incident investigation, incident response and remediation. Added to this, their detection coverage is mainly at a network level, meaning they have only limited capabilities in cloud security monitoring.
The limitations of traditional MSSPs helped to influence the rise of MDR. Organizations began to recognize that, as well as offering only basic monitoring and alerting, many MSSPs lack the context and guidance to identify and remediate genuine security incidents. Unlike MDR, where outcomes are delivered 24/7, organizations relying on MSSPs often lack the critical level of support they need when they need it most. Another important way in which MDR is a progression from MSSPs is its proactive approach. Traditional MSSPs rely on signature and rule-based detection techniques that can overlook more advanced threats, such as memory-resident and polymorphic malware. They also tend to pass security alerts generated by managed security technologies “over the wall,” providing very little contextual information or guidance on how to respond.
In recent years, MDR has emerged as one of the fastest-growing security solutions in the industry. MDR brings together dedicated security expertise and a range of network and host-based detection technologies with advanced intelligence, analytics and forensics to enable organizations to proactively hunt for, investigate, respond to and remediate threats, round the clock. Through MDR, businesses can achieve an enterprise-standard cybersecurity capability at a significantly lower cost than establishing the same capabilities in-house. It also allows companies to benefit from improvements to Mean Time to Detection (MTTD) and Mean Time to Response (MTTR), helping to eliminate breaches before they cause damage and disruption. However, MDR does also present some challenges to businesses, such as:
Ensuring Complete Response: It is critical to select an MDR solution that offers complete detection and response. Look out for an MDR service that provides a broad scope of telemetry collection, remote containment and disruption, forensics and response capabilities. Selecting this type of solution will enable you to understand root causes and eliminate threats.
Long-term Perspective: Because MDR requires long-term commitment to be effective, selecting the right MDR solution is key to achieving a balance between effective security and return on investment.
Because not all MDR solutions deliver the same level of expertise, it is critical to ensure that your potential provider offers the appropriate breadth of capabilities. You can achieve this by evaluating providers based on maturity, scope of services and alignment with essential security outcomes. This process starts with asking your prospective provider some key questions, including:
Your potential MDR provider’s response to this question will provide essential clues about the quality and breadth of its detection and response capabilities. While MSSPs are likely to focus only on a limited set of telemetry, limiting their ability to trace a kill chain, experienced MDR providers routinely monitor telemetry and alerts across the digital estate using a unified threat management platform.
An MDR platform should be able to integrate seamlessly with your existing technology stack. This should preserve the value of your current security investments while also providing the flexibility to incorporate new tools and technologies in alignment with the evolution of your business and IT infrastructure.
This is an important question to ask because many traditional MDR providers rely on the default detection rulesets shipped by their preferred EDR and SIEM product vendors, while others make only minor modifications to those rulesets in response to new threat advisories.
Ask your potential MDR provider about how it uses the MITRE ATT&CK framework and threat intelligence to tune these rules. Some providers may advise that they use this internally, but more proficient providers should be able to provide a live mapping of your MITRE ATT&CK coverage to help you gain an overview of the scope of their services and demonstrate that they understand your unique threat profile.
For more insights on how to assess a potential MDR provider, view our Managed Detection & Response Buyer’s Guide.
Making the best choice of a security solution starts with identifying an experienced partner with the capacity to fully meet your organization’s requirements. At Kroll, we leverage our unrivaled incident response experience and frontline intelligence to deliver a 24/7 global MDR service, Kroll Responder, which provides active response using seasoned incident responders. Kroll Responder is one of the only solutions in the market that delivers MDR with what we call “Complete Response”. This is because our response goes as far as you need it to, closing the gap between merely containing the threat and actively removing it across all affected systems, and quickly understanding the root cause to ensure it doesn’t happen again.
Our Responder MDR service is backed by the Kroll incident response experts that handle 3,000+ high-profile breach investigations annually. We extend that service to our customers, which means they get the value of remote digital forensics and incident response without the additional cost.