Security information and event management (SIEM) is a well-established technology within InfoSec today. Highlighting this, enterprises have told 451 Research that SIEM is the security service they are most likely to purchase from a managed security service provider (MSSP). Yet SIEM often falls short of CIOs' expectations. Why is that?
SIEM has been widely adopted for several reasons.
Many organizations indicate they are understaffed and lack needed IT security expertise.
Another common problem: they do not have a security operations center (SOC) in place. Without one, these organizations are not continuously monitoring for threats or for the integrity of their network.
On top of that, regulated industries such as healthcare and finance face log-monitoring and audit requirements that in practice mandate a SIEM, whether consumed as a service or managed internally.
Additionally, SIEM is easily upsold as a complement to a larger vulnerability management program.
What is SIEM Missing?
Despite widespread adoption across the industry, many MSSPs are failing to deliver on the 'managed service' promise that enterprises expect from their SIEM, leaving customers frustrated and disappointed.
Many SIEM deployments today are nothing more than a monitoring service: the provider forwards alerts to the customer and leaves triage, containment and remediation to them. Think of a security guard in a bank who lets management know they are being robbed but does nothing to stop it.
With the ideal SIEM solution, organizations would not have to hire round-the-clock security engineers, nor would they have to manage or maintain the SIEM system. Threat detection and system administration would be left entirely in the hands of the MSSP. For most organizations this is the lower-maintenance, lower-cost option.
However, achieving this ideal is not that simple. To offer all of these services adequately, MSSPs need to hire expensive security expertise, staff a 24/7 security operations center (if one does not already exist), and scale their security automation and orchestration tooling to keep pace with an ever-increasing volume of alerts.
This will also require well-defined protocols detailing incident response procedures on a customer-by-customer basis, clear service level agreements and detailed reporting capabilities.
Enterprises are looking for custom-made solutions; one-size-fits-all doesn’t work in a world of varying regulatory requirements, dynamic infrastructures and transforming businesses.
SIEM + Service = Security Success
While the SIEM itself can do the heavy lifting of monitoring a network and producing compliance reporting, the service provider fills the gap by supplying the short-handed enterprise with the staff and resources to run and manage it all.
Any CIO evaluating a SIEM offering should examine how the vendor's service follows through on detected threats, to ensure it goes beyond the detection step to triage, containment and response.
The 451 Alliance is an invitation-only think tank for IT executives, technologists, and tech-adjacent professionals.