How MSSPs Can Implement the New CISA Guidance for SIEM and SOAR

On May 27th 2025, CISA (the US Cybersecurity & Infrastructure Security Agency), along with some of its partner organizations, released guidance for organizations seeking to procure Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms.  

For Managed Security Service Providers (MSSPs), this guidance validates the importance of SIEM and SOAR technologies and the choice to deliver a Managed SIEM service as part of your offerings. However, CISA also notes that managing SIEM and SOAR tools can involve challenges.

In this blog, we provide an overview of the new guidance, including the benefits of SIEM and SOAR tools, review the challenges highlighted by CISA, and discuss how ContraForce can help MSSPs using Microsoft Sentinel overcome those challenges.

Guidance Overview

The main takeaway from the new guidance from CISA is that security executives and practitioners improve their organization’s cybersecurity when they implement SIEM and SOAR technologies. CISA states that the benefits of these technologies include:

  • Improving the visibility of an organization’s attack surface.
  • Facilitating the rapid detection of, and response to, cyber-attacks.
  • Streamlining the handling of cybersecurity incidents.

The guidance is almost entirely provided through three separate resources. Two focus on implementing SIEM and SOAR platforms. The other provides recommendations on how to prioritize the ingestion of logs into a SIEM to enhance threat detection in a cost-effective manner.  

The guidance will be helpful for MSSPs looking to deploy or improve their own Managed SIEM offerings. In particular, you can use the guidance to get ahead of the challenges that come with providing a Managed SIEM to your customers and identify ways to mitigate them in advance of commencing your service delivery.

Challenges of a Managed SIEM Offering

The guidance includes four notable challenges for MSSPs. One of the related resources, “Implementing SIEM and SOAR platforms: Executive guidance”, highlights two technical challenges in managing SIEM and SOAR tools: detection accuracy and accurate response actions.

Challenge #1: Detection accuracy

According to the Executive Guidance, the first challenge is detection accuracy, “ensuring that the SIEM produces alerts when cyber security events and incidents are occurring and, inversely, no alerts when no events/incidents are occurring.”  

As an MSSP managing your customers’ security, you don’t want to miss an ongoing cyber attack. A missed ransomware attack could cause brand, reputational and financial damage to your customers, and even knock them out of business.  

Similarly, inaccurate alerting could also lead to too many alerts. Your SOC team could be overwhelmed by false SIEM alerts, leading to unexpected analyst costs and margin erosion. They may also overlook cyber-attacks because of the high volume of alerts and thus miss the signal in the noise.

Solution #1: Pre-built analytic rules

To help you improve your detection accuracy, the ContraForce Platform includes a Content Management System (CMS). The ContraForce CMS makes managing SIEM analytic rules easy. ContraForce provides expert-created rules for Microsoft Sentinel data sources that your staff can turn on or off with the ease of a toggle switch. Analytic rules can also be set to update automatically.

Challenge #2: Accurate Response Actions

According to the Executive Guidance, the second key technical challenge is, “ensuring that the SOAR only takes appropriate action in response to actual cyber security/incidents, and does not take action against regular network activity or that impedes human incident responders.”

This challenge is echoed in the Practitioner Guidance resource, “If the SOAR’s response functionality is not properly configured and maintained, the platform may misidentify regular user or system behavior as an event or incident and take automated measures to isolate and respond.”

Solution #2: No-code response automation

To eliminate misconfiguration issues, the ContraForce Platform comes with pre-configured response automation workflows mapped to the underlying security incidents. These no-code response actions (called ContraForce Gamebooks) can easily be chained together to respond to complex multi-stage attack scenarios. To maintain response accuracy, ContraForce automatically provides Gamebook recommendations for SIEM incidents based on a mapping of MITRE D3FEND response actions to MITRE ATT&CK TTPs.  

Gamebooks vary by entity type: user, device, email, file, URL and cloud IP address. For example, a user-based response action might entail invalidating that user’s existing sessions or resetting their password.
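The two SOAR concerns quoted above (act only on real incidents, never on regular activity, and never in a way that impedes human responders) translate naturally into guardrails in front of an entity-type-keyed response table. The following is an added illustration written for this post, not ContraForce or CISA code: the incident fields, the 0.9 confidence threshold, the action names and the known-good list are all assumptions constructed for the example.

```python
"""Illustrative SOAR response dispatcher with accuracy guardrails.

Added example, not ContraForce or CISA code. The Incident fields, the
confidence threshold, the action names and the sample data below are
assumptions constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Response actions keyed by entity type. The split follows the post's
# user/device/email/file/URL/IP entity types; the action names are assumed.
RESPONSE_ACTIONS: Dict[str, List[str]] = {
    "user": ["revoke_sessions", "force_password_reset"],
    "device": ["isolate_host"],
    "email": ["quarantine_message"],
    "file": ["quarantine_file"],
    "url": ["block_url"],
    "ip": ["block_ip"],
}

CONFIDENCE_THRESHOLD = 0.9  # assumed: automate only high-confidence detections


@dataclass
class Incident:
    incident_id: str
    entity_type: str
    entity: str
    confidence: float                 # detection confidence, 0.0 to 1.0
    assigned_to: Optional[str] = None  # human responder who owns it, if any
    status: str = "new"


@dataclass
class Decision:
    incident_id: str
    actions: List[str]
    reason: str


def decide_response(incident: Incident, known_good: Dict[str, Set[str]],
                    threshold: float = CONFIDENCE_THRESHOLD) -> Decision:
    """Return the actions to run automatically, or no actions with a reason.

    Guardrails, in order: do not act once a human owns the incident,
    do not act on entities listed as regular activity, do not act on
    low-confidence detections (escalate instead), and only then pick
    the actions mapped to the entity type.
    """
    if incident.assigned_to is not None or incident.status != "new":
        return Decision(incident.incident_id, [], "human responder owns incident")
    if incident.entity in known_good.get(incident.entity_type, set()):
        return Decision(incident.incident_id, [], "entity on known-good list")
    if incident.confidence < threshold:
        return Decision(incident.incident_id, [],
                        "confidence below threshold; escalate for review")
    actions = RESPONSE_ACTIONS.get(incident.entity_type)
    if not actions:
        return Decision(incident.incident_id, [],
                        f"no automated action for entity type {incident.entity_type!r}")
    return Decision(incident.incident_id, list(actions), "auto-response")


def chain_responses(incidents: List[Incident],
                    known_good: Dict[str, Set[str]]) -> List[Decision]:
    """Plan responses for a multi-stage scenario made of related incidents.

    Each incident is gated by decide_response; an action already queued
    for the same entity earlier in the chain is not queued a second time.
    """
    queued: Set[tuple] = set()
    plan: List[Decision] = []
    for inc in incidents:
        decision = decide_response(inc, known_good)
        actions = [a for a in decision.actions if (inc.entity, a) not in queued]
        queued.update((inc.entity, a) for a in actions)
        plan.append(Decision(inc.incident_id, actions, decision.reason))
    return plan


# Constructed sample data: a known-good list and a six-incident scenario.
KNOWN_GOOD: Dict[str, Set[str]] = {"ip": {"10.0.0.5"}, "user": {"svc-backup@example.com"}}

SAMPLE_INCIDENTS = [
    Incident("INC-1", "user", "alice@example.com", 0.95),
    Incident("INC-2", "device", "WKS-0042", 0.97),
    Incident("INC-3", "user", "alice@example.com", 0.93),  # same user, later stage
    Incident("INC-4", "ip", "10.0.0.5", 0.99),             # known-good scanner
    Incident("INC-5", "user", "bob@example.com", 0.60),    # too uncertain to automate
    Incident("INC-6", "device", "WKS-0007", 0.99, assigned_to="analyst1"),
]

if __name__ == "__main__":
    for d in chain_responses(SAMPLE_INCIDENTS, KNOWN_GOOD):
        print(f"{d.incident_id}: {d.actions or '-'} ({d.reason})")
```

Run as a script, the plan isolates the device in INC-2 and resets the user in INC-1 once, while INC-3 adds nothing new, INC-4 is skipped as known-good, INC-5 is escalated for review and INC-6 is left to the analyst who already owns it. Whatever product implements the table, the order of the guardrails is the point: ownership and allowlist checks run before the confidence check, so a human decision is never overridden by an automated one.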

Challenge #3: Initial and Ongoing Costs

In addition to technical challenges, the Executive Guidance explicitly discusses the challenge of managing the cost of using SIEM and SOAR tools and recommends that security teams look for potential hidden costs. In addition to software licensing, it cites potential costs that could include:

  • Collecting, ingesting, storing, and analyzing logs.
  • Implementation, particularly training costs.

The Guidance says that organizations “should be mindful of the potential to incur very significant costs if ingestion is not carefully managed.” For MSSPs, this advice applies in particular to those with a service model that includes their customers’ log costs.

MSSPs whose customers are responsible for their own log-related costs can still benefit from this guidance by advising their customers on ways to reduce their costs. One useful resource for doing so is our report “How to Estimate and Optimize Microsoft Sentinel Costs”.

Solution #3: Cost-effective service delivery platform

ContraForce reduces log management costs. With ContraForce, your customers' Microsoft Sentinel data stays in their environment. There are no additional cloud infrastructure requirements and no added Microsoft Azure costs.

ContraForce also streamlines the expertise and resources needed to manage Microsoft Sentinel. You can onboard clients within a few minutes and easily manage multiple clients and multiple security tools simultaneously in a single dashboard. ContraForce also automates analytic rules, incident enrichment, and response actions at scale.  

You can use these cost savings to scale up your business and achieve both financial and operational advantages over your competitors.

Challenge #4: Cautions with outsourcing

Finally, MSSPs should be aware of the Executive Guidance’s caution to organizations that “outsourcing can produce visibility gaps, work duplication, and communication difficulties.”

Solution #4: Improved visibility

Here again, ContraForce can help MSSPs improve their service delivery. To start, the ContraForce Platform is integrated with many leading ticketing and IT service management solutions including ServiceNow IT Service Manager, Jira Service Management and Datto Autotask PSA. These integrations make it easy for both you and your customers to track incident volume and status.

Second, you can use ContraForce to give your customers visibility of their security posture by granting them access to their workspace in the ContraForce platform through ContraForce Identity and Access Management. One benefit of ContraForce IAM is that you can control at the user level whether your customers can manage incidents, run Gamebooks and perform other tasks. These authorizations allow you to increase visibility, clarify responsibilities, and improve communications with your customers.

To learn more about the ContraForce platform, schedule a demo.  

ContraForce is everything you need to manage your security service delivery with confidence.