SKOUT Education Series: Managed SIEM vs MSSP | A Cyber 101 Resource
Blog Post Received from our Partner SKOUT
A Reader Recently Asked:
“What’s the difference between a Managed SIEM Service and a Managed Security Service Provider?”
It’s a question that doesn’t get asked often enough. and the differences can range from “pretty big” to “insanely different”.
Let’s dive a bit deeper and see what sets these two types of services apart:
Security Information and Event Management (SIEM) systems are designed to collect and analyze security and other logs from networking devices (like firewalls) as well as servers, appliances, VM’s and other infrastructure. In many cases they can also report on whatever they find. While a SIEM is an invaluable tool to have as part of your security protocols, they can be difficult to manage and require specialized training to use effectively.
A Managed SIEM Service (MSS) is a company that does what it says on the tin. They coordinate the collection of logs into the SIEM and handle data integrity, storage, and reporting operations. However, it’s important to note that how much of each of those a particular MSS does can vary wildly. Some simply coordinate gathering the logs and managing the actual SIEM platform itself; reporting on the raw data but not giving insight into what it means. Others handle storage and data management, but expect that the customer has one or more employees who will run reports and keep an eye on what’s actually going on. Still others may do analysis, but report on all anomalies they find – including those that aren’t actual threats. If your organization has cybersecurity personnel on the payroll, this service can be added into your overall security program, but probably isn’t sufficient to be a security program on its own.
MSS providers may manage a centralized SIEM for multiple customers, or may set up and manage individual SIEM platforms for each customer. Both methods are valid, so long as proper multi-tenancy restrictions are put in place so that customer data does not mix; and typically both types of solution sets can get the MSS job done.
A Managed Security Services Provider (MSSP) will do what an MSS does as part of their package of services, but most often goes beyond that by a good measure. MSSP’s will analyze the data that the logs represent to look for anomalies that may or may not be threats. They will then analyze those anomalies to determine if a threat exists, and what impact that threat could have on the customer’s data and systems. MSSP’s also have established methodologies to notify the customer of actual threats, and typically will also provide remediation guidance to help fix whatever security issues led to that threat event.