Security information and event management (SIEM) systems are crucial to cyber security, providing a solution for collecting and analyzing alerts from all manner of security tools, network infrastructure, and applications. But simply having a SIEM is not enough because to be truly effective, it must be properly configured, managed, and monitored 24x7.
And there’s the rub: few organizations have enough security expertise in-house to properly configure and manage their SIEM, never mind monitor it around the clock. Without that, you can’t get the full value from your SIEM investment.
A managed SIEM service, such as the Trustwave Co-Managed SOC, provides a solution, as Gartner has made clear.
“Buyers who have invested in SIEM technology use Managed SIEM services to derive more value. They … get assistance with decisions around strategy, architecture, maintenance, development, or support,” Gartner says in its Market Guide for Managed SIEM Services. “This leads to better security operations results.”
Customers need that assistance due to the inherent complexity of SIEMs.
The basic function of a SIEM is to collect security data from the various components in your network, both cloud-based and on-premises. But you don’t want to collect every possible piece of data, as that would quickly become overwhelming to monitor, serving only to increase operational costs without improving outcomes.
So, to be effective, a SIEM must be properly configured for your specific environment, targeting the use cases and applications that are most appropriate for your organization and its risk profile. And it’s hardly a “set it and forget it” endeavor. Rather, the SIEM must be continually tuned over time based on the results it delivers and the health of its data feeds, and to keep up with changes in your environment.
Security professionals must also periodically assess whether the SIEM is generating useful alerts. In fact, a misconfigured SIEM can be more of a liability than a benefit: a never-ending stream of alerts and false positives puts the security organization in constant fire-drill mode, potentially leaving it without the resources to investigate or identify truly impactful alerts amid the din.
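The periodic assessment described above can be made concrete with a small tuning check run over the previous review cycle's alerts: which rules fire often and are almost always dismissed as false positives, and how much raw alert volume is just the same rule re-firing on the same host. The following is an added example, not code from Trustwave or from the original post; the alert records, the field names (rule, host, ts, disposition) and the thresholds are constructed assumptions standing in for a real SIEM export annotated with analyst dispositions.

```python
"""Closed-loop SIEM tuning check over one review cycle's alerts.

Assumptions (constructed for this example, not from any real SIEM):
- each alert is a dict with keys rule, host, ts (ISO 8601), disposition
- disposition is the analyst verdict: "true_positive" or "false_positive"
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts with analyst dispositions from the last review cycle.
SAMPLE_ALERTS = [
    # A service account retrying a stale password trips the brute-force rule repeatedly.
    {"rule": "Brute force: 10 failed logons in 5 min", "host": "web01", "ts": "2024-01-08T09:00:00", "disposition": "false_positive"},
    {"rule": "Brute force: 10 failed logons in 5 min", "host": "web01", "ts": "2024-01-08T09:02:00", "disposition": "false_positive"},
    {"rule": "Brute force: 10 failed logons in 5 min", "host": "web01", "ts": "2024-01-08T09:04:00", "disposition": "false_positive"},
    {"rule": "Brute force: 10 failed logons in 5 min", "host": "web01", "ts": "2024-01-08T09:30:00", "disposition": "false_positive"},
    {"rule": "Brute force: 10 failed logons in 5 min", "host": "web01", "ts": "2024-01-08T09:31:00", "disposition": "false_positive"},
    {"rule": "Brute force: 10 failed logons in 5 min", "host": "web01", "ts": "2024-01-08T10:15:00", "disposition": "false_positive"},
    # Genuine detections on two different hosts: both must survive collapsing.
    {"rule": "Malware detected by EDR", "host": "ws22", "ts": "2024-01-08T11:00:00", "disposition": "true_positive"},
    {"rule": "Malware detected by EDR", "host": "ws23", "ts": "2024-01-08T11:05:00", "disposition": "true_positive"},
    {"rule": "Outbound connection to known C2 IP", "host": "db01", "ts": "2024-01-08T12:00:00", "disposition": "true_positive"},
    # An internal vulnerability scanner: 100% false positive, but low volume.
    {"rule": "Port scan detected", "host": "scanner01", "ts": "2024-01-08T13:00:00", "disposition": "false_positive"},
    {"rule": "Port scan detected", "host": "scanner01", "ts": "2024-01-08T13:20:00", "disposition": "false_positive"},
    {"rule": "Port scan detected", "host": "scanner01", "ts": "2024-01-08T13:40:00", "disposition": "false_positive"},
]


def parse_ts(value):
    """Parse the ISO 8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(value)


def rule_metrics(alerts):
    """Per-rule totals, false-positive counts and false-positive rate (0..1)."""
    stats = defaultdict(lambda: {"total": 0, "false_positive": 0})
    for alert in alerts:
        entry = stats[alert["rule"]]
        entry["total"] += 1
        if alert["disposition"] == "false_positive":
            entry["false_positive"] += 1
    for entry in stats.values():
        entry["fp_rate"] = entry["false_positive"] / entry["total"]
    return dict(stats)


def tuning_candidates(metrics, min_alerts=5, fp_threshold=0.8):
    """Rules that are both noisy and mostly wrong: the first to tune or scope.

    The volume floor keeps a rule that fired three times and was wrong three
    times from outranking one that fired sixty times and was wrong fifty.
    """
    return sorted(
        rule
        for rule, entry in metrics.items()
        if entry["total"] >= min_alerts and entry["fp_rate"] >= fp_threshold
    )


def collapse_repeats(alerts, window=timedelta(minutes=10)):
    """Collapse re-fires of the same (rule, host) within `window` of the first.

    Returns (kept_alerts, suppressed_count). The first alert in a window is
    kept; later ones inside the window are counted as suppressed noise.
    """
    window_start = {}
    kept, suppressed = [], 0
    for alert in sorted(alerts, key=lambda a: parse_ts(a["ts"])):
        key = (alert["rule"], alert["host"])
        ts = parse_ts(alert["ts"])
        start = window_start.get(key)
        if start is not None and ts - start < window:
            suppressed += 1
            continue
        window_start[key] = ts
        kept.append(alert)
    return kept, suppressed


def noise_reduction(alerts, window=timedelta(minutes=10)):
    """Fraction of raw alert volume removed by collapsing repeats."""
    if not alerts:
        return 0.0
    _, suppressed = collapse_repeats(alerts, window)
    return suppressed / len(alerts)


if __name__ == "__main__":
    metrics = rule_metrics(SAMPLE_ALERTS)
    for rule, entry in sorted(metrics.items()):
        print(f"{rule}: {entry['total']} alerts, FP rate {entry['fp_rate']:.0%}")
    print("Tune first:", tuning_candidates(metrics))
    print(f"Noise removed by collapsing repeats: {noise_reduction(SAMPLE_ALERTS):.0%}")
```

Two thresholds do the work here: the false-positive rate says whether a rule is worth keeping as written, and the volume floor says whether fixing it will actually buy back analyst time. The collapse window is a separate, cheaper lever that reduces volume without touching detection logic, which is why the two figures are reported separately.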
Managed SIEM Services
As Gartner noted, managed SIEM services can fill the void. To date, such services have generally taken one of two varieties: Managed SIEM and SOC-as-a-Service (SOCaaS).
Managed SIEM services are much like managed services for firewalls and endpoint detection and response (EDR) tools in that they help customers manage their SIEM. Most will include SIEM deployment, configuration and management, and some may include ongoing optimization. Often, however, managed SIEM offerings do not include 24x7 alert monitoring.
With SOCaaS, your provider assumes ownership of the SIEM infrastructure and product licensing. Think of SOCaaS as an extension of the managed security service provider (MSSP) model, often aimed at smaller organizations that don’t already have a SIEM or a security operations center (SOC). Instead, companies direct all the data the SIEM produces to their provider, who takes responsibility for correlating alert data and finding actionable alerts amid all the false positives.
Trustwave Co-Managed SOC
Managed SIEM and SOCaaS may indeed be a step forward for companies that don’t have the resources to manage their own SIEM. But the Trustwave Co-Managed SOC approach adds several elements that help companies derive maximum value from their SIEM investments.
Trustwave Co-Managed SOC takes a four-step approach based on proven processes and use cases, along with experience from the Trustwave SpiderLabs team.
The first is “consult and plan,” where security experts assigned to your account create a roadmap specifically for your business. These experts assess your current capabilities and security priorities. They build a transition plan and tune your SIEM based on your priorities, drawing from an extensive library of field-proven and industry-aligned use cases, as well as custom use cases specific to your environment. They also provide predictable cost and capacity estimates, so you won’t be subject to the runaway costs that can quickly arise when you simply send all SIEM alerts to your SIEM provider.
Next comes “build and onboard,” following a proven methodology and best practices to get you up and running quickly, accelerating time to value with a dedicated governance team.
The next two phases are ongoing. In the “manage and monitor” phase, Trustwave acts as a true extension of your security team, increasing their productivity and freeing up resources. And of course, Trustwave provides 24x7 incident monitoring and investigations to help you prioritize incidents with actionable recommendations for immediate action, informed by SpiderLabs global threat intelligence.
Finally, your Trustwave named security advisor will continually tune your SIEM for optimal performance on the specific use cases and security policies that matter most to your organization. Trustwave uses an iterative, closed-loop approach to SIEM management that involves constantly learning from the alerts your SIEM produces and tuning it to become increasingly effective at homing in on the most important alerts, helping you reduce alert noise by up to 90%.
Adding Managed Detection and Response (MDR)
Trustwave Co-Managed SOC is also a great complement to the Trustwave Managed Detection and Response (MDR) service. With MDR, Trustwave security analysts provide deeper threat investigation, threat hunting, and response at the endpoint. They investigate to understand the full impact of a threat, enabling a more informed response. Running Co-Managed SOC in parallel with MDR means you not only get alerted to your most serious threats on a 24x7 basis but also enable Trustwave to respond to and contain those threats.
Implementing a SIEM is an important part of any cyber security strategy, and a managed service is often a requirement to properly configure, operate, and monitor your SIEM. But don’t settle for a service that doesn’t help you derive maximum value from your SIEM investment and your internal resources.