SIEM, EDR, MDR – in-house, or Managed Service?
IT – and cyber security – becomes more complex over time. The sun also rises.
Traditional preventative security measures – firewalls, endpoint protection, Identity and Access Management (IAM) controls – are no longer adequate on their own to defend against cyber threats. The logical approach to fixing this has been to use a Security Information and Event Management (SIEM) platform to combine all the alerts and data. But for those organizations with the means to use SIEM, the result has often been a deluge of data of wildly varying fidelity from a multitude of controls. That’s led to a further development: Endpoint Detection and Response, and Managed Detection and Response.
The next problem: Everyone and their pet budgerigar claims to offer Endpoint Detection and Response (EDR), Managed Detection and Response (MDR) and Extended Detection and Response (XDR). While the odds are good that you’ll find a product, sometimes the goods themselves are – well – a bit odd. You and your organization need to work out firstly what you need, and secondly, which provider you should consider. It’s entirely possible that a SIEM you already operate is perfectly fine – but equally, there are plenty of situations in which an in-house SIEM run by an in-house Security Operations Center (SOC) demands constant maintenance and drains your team’s ability to actually defend the business. Instead, some of your most effective team members end up wrangling logs – and that’s no way to keep them motivated and enthused.
Internal resource constraints
Perhaps the first question relates to time, people and tools: Do you need a detection and response capability, including threat detection and threat hunting, running within six months? Do you have an experienced team to run a 24/7 monitoring and response service? If time really is the overriding issue, then a Managed Detection and Response service, either from a vendor or from a managed security service provider (MSSP), is probably the best option. There’s always the option of using MDR as a stopgap while you build your own capability in-house, but if staffing and retaining the skills to manage this sort of service is beyond your budget, making it someone else’s problem is also attractive.
Which platform is right for you: SIEM, EDR or MDR?
We’ll start at each end of a spectrum: the need to see and control everything, and the desire to hand all of those problems to an expert provider. These are extremes, and – unsurprisingly – many organizations live somewhere between the two. Endpoint Detection and Response sits in this happy medium; it’s a powerful tool in the right hands, it keeps power and visibility in the hands of the cybersecurity team and, if things start to go seriously wrong, a decent provider will have some way of bringing tricky or overwhelming challenges to a host of experts and responders. At WithSecure, for instance, we provide a service called Elevate to do just this, bridging between the capabilities of an EDR and those of a full MDR service. For organizations looking to take this route, WithSecure™ Elements EDR, delivered through one of our partners as part of a managed or self-managed service, fits the bill. As we have a host of researchers, threat hunters and incident responders in-house, we can bring resources to bear when your team needs more scale or more specific expertise on tap.
Then there are times when a good SIEM makes a great deal of sense. If regulatory compliance is a priority, if self-managing is practical because you already have a strong team in place, or if forensic recording, analysis and endpoint device management are high on your organization’s priority list, then building and maintaining a strong, effective SIEM is inevitable. It’s going to cost a lot. But in sectors with these sorts of needs, it is likely the organization’s leadership has – if it has any sense – already built this into the cost of doing business. One exception is if your organization is pursuing a cloud-only approach. Sorry, but there’s a less-than-silver lining to this: it’s entirely possible that any savings and flexibility you gain from a cloud approach will be overshadowed by the cost of building a SIEM to keep track of it all.
On-premise MDR?
If none of the above applies, then there’s MDR. On-premise IT, the need to fulfil new security requirements as part of an ISO 27001 accreditation, false positive rates of over 10%, and threats from within and without all lend themselves to an MDR approach, especially one with some serious UEBA (User and Entity Behavior Analytics) chops. The same applies if you’re struggling with hiring or retaining skilled staff: assured response, the need to free up your existing IT security resource or the need to increase the capability of your team are all indicators that MDR might be the right option. The same applies if there’s no institutional threat hunting knowledge or if your security team can’t respond to alerts: MDR, either our own Countercept MDR or a managed EDR service from one of our partners, may well fit the bill. Local partners providing MDR are particularly valuable in situations where your organization has industry-specific requirements or prefers services delivered in languages other than international English. If a 24/7 monitoring and response service is not vital, a partner-managed service is also appropriate in some cases. Finally, if you value a continuous feed of security insights and posture improvement recommendations when your organization isn’t under attack, then Countercept MDR is a really good fit; our threat hunters spend a great deal of their time researching threats and thinking like attackers, and passing these insights on to customers is part of their job.
What next?
If building your own detection and response set-up is attractive, but you need to develop a greater understanding of whether this is the right path, then you can always talk to one of our specialists about which approach is right for your organization.
If the middle ground – your own capability grounded with a strong EDR – appeals, then reading up on why you need EDR is the next logical step.
Finally, if a Managed Detection and Response answers a lot of your needs, then we’ve got 14 questions that will help you select the right MDR provider.
Identify your response gap
Do you have the capability to respond to an attack before it escalates to a major incident? Take a short risk assessment and get a tailored report about your risk levels – with practical recommendations on how you can develop your capabilities and processes.