The SIEM vendor landscape is changing. What does that mean for you as an MDR provider?

May 20, 2024

Security Information and Event Management (SIEM) vendors made some big announcements recently. Exabeam and LogRhythm announced that they are merging. Meanwhile, IBM and Palo Alto Networks announced that Palo Alto Networks is acquiring the cloud version of IBM Security QRadar SIEM and will move existing customers to its own security operations platform, Cortex XSIAM (IBM will continue to sell and support the on-premises version of QRadar, at least for now). These announcements follow Cisco’s announcement in March that it closed its acquisition of Splunk.

These changes are only the most recent in a long list of changes to the SIEM landscape that you as a Managed Detection and Response (MDR) provider have had to deal with. Over the years, one of the most notable changes in the SIEM space for MDR providers has been the jump from managing legacy SIEMs to managing next-gen SIEMs, a change that brought a clear mix of advantages and disadvantages when delivering MDR services based on SIEM tools.

As SIEM tools have evolved from legacy systems to next-generation solutions, your experience and strategies have no doubt changed significantly. This blog explores the evolution that MDR providers have undergone, focusing on the transition from managing rule-based detection to advanced machine learning-based systems, and how MDR providers have navigated these changes. It also looks at the emergence of MDR security service delivery platforms (SSDPs), which are poised to help MDR providers like you overcome many of the challenges of managing clients’ SIEMs, challenges that are compounded by this week’s announcements.

Evolving MDR provider experience when it comes to managing SIEMs


Managing legacy SIEMs

SIEM tools have long been the backbone of cybersecurity efforts, helping organizations detect, respond to, and mitigate security threats. MDR providers like you have played a crucial role in managing these tools for your clients, helping ensure they have robust threat detection, investigation and response (TDIR) programs.  

Legacy SIEM tools primarily relied on rule-based detection to identify security incidents. These systems used predefined rules to generate alerts when certain conditions were met. For example, a rule might have triggered an alert if a user attempted multiple failed logins within a short period.

Managing rule-based SIEMs required you to set up and maintain a comprehensive set of rules tailored to your clients' environments. This involved regular monitoring and updating of rules to keep up with evolving threats. You had to be vigilant, as these systems often generated a high volume of alerts, many of which were false positives. This likely led to significant manual effort in sifting through alerts to identify genuine threats.

Legacy SIEMs also had other notable drawbacks. The high rate of false positives was a significant issue, leading to alert fatigue among MDR provider security teams. Managing these systems was labor-intensive, requiring continuous tuning and rule adjustments. Additionally, legacy SIEMs struggled with scalability and were often ill-equipped to handle complex, advanced threats.
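The failed-login rule described above, written out as an added example (not the page's or any vendor's code): a sliding-window count over a constructed log in a made-up "timestamp user result" format. The threshold, window and `tuned_out` set are assumed parameters that stand in for the manual tuning the text describes; the `svc_backup` burst plays the role of the false positive an analyst ends up suppressing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth events, not from any real system.
# alice: fast burst; bob: slow, spread-out failures; svc_backup: broken scheduled job (noise).
SAMPLE_LOG = """\
2024-05-20T09:00:01 alice FAIL
2024-05-20T09:00:04 alice FAIL
2024-05-20T09:00:07 alice FAIL
2024-05-20T09:00:09 alice FAIL
2024-05-20T09:00:12 alice FAIL
2024-05-20T09:15:00 bob FAIL
2024-05-20T09:25:00 bob FAIL
2024-05-20T09:35:00 bob FAIL
2024-05-20T10:00:00 svc_backup FAIL
2024-05-20T10:00:01 svc_backup FAIL
2024-05-20T10:00:02 svc_backup FAIL
2024-05-20T10:00:03 svc_backup FAIL
2024-05-20T10:00:04 svc_backup FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (FAIL|OK)$")

def parse_events(text):
    """Yield (timestamp, user, result) tuples from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def failed_login_rule(text, threshold=5, window_seconds=60, tuned_out=frozenset()):
    """Legacy-SIEM style rule: alert when one user has >= threshold FAILs inside a
    window_seconds sliding window. tuned_out holds accounts an analyst suppressed
    after confirming they are expected noise (the manual tuning the text describes)."""
    windows = defaultdict(deque)          # user -> timestamps of recent failures
    alerts = []
    for ts, user, result in parse_events(text):
        if result != "FAIL" or user in tuned_out:
            continue
        q = windows[user]
        q.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, ts.isoformat()))
            q.clear()                     # one alert per burst, not one per extra failure
    return alerts
```

Widening `window_seconds` catches slow patterns like bob's but raises the false-positive rate; narrowing it does the reverse, which is exactly the tuning trade-off that consumed analyst time.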

That said, there were advantages to managing legacy SIEMs. They offered simplicity and predictability and were well-understood by seasoned IT professionals. Their straightforward nature also made them relatively easy to implement and manage.


Managing next-gen SIEMs

The arrival of next-generation SIEMs changed management requirements for MDR providers. Next-generation SIEMs incorporated machine learning-based User and Entity Behavior Analytics (UEBA) to enhance threat detection, along with Security Orchestration, Automation, and Response (SOAR) and data lakes. This new functionality, separately and together, had its own advantages and disadvantages for MDR providers.

UEBA allowed you, as an MDR provider, to identify behavioral anomalies and thus detect sophisticated attacks that would have gone unnoticed by traditional rule-based systems. UEBA also automated the analysis of vast amounts of data to identify unusual activities. This reduced the reliance on manually defined rules and helped with the early detection of potential threats. As a result, you benefited from a more accurate detection system that adapted to changing behaviors and emerging threats.

SOAR streamlined the incident response process by automating repetitive tasks and orchestrating complex workflows across different security tools. SOAR allowed you to respond to incidents faster and more efficiently. Automation reduced human error and freed up valuable resources, enabling your security teams to focus on more strategic tasks. Orchestration ensured that different security tools worked together seamlessly, improving overall security posture.

Data lakes played a crucial role in next-gen SIEMs by providing centralized data storage for large volumes of security data. They allowed you to analyze and correlate data from various sources. With data lakes, you could store and analyze vast amounts of data without worrying about storage limitations. This enhanced threat intelligence by allowing for deeper data correlations and insights. Centralized data management also simplified compliance and reporting.

Together, the UEBA, SOAR and data lake features of a next-gen SIEM likely helped you to stay ahead of emerging threats.

However, this new functionality also resulted in additional complexity. You faced a steeper learning curve and potential integration and data privacy challenges. Ensuring that these systems were properly configured and maintained required significant expertise and investment.


Managing SIEMs using an MDR security service delivery platform (SSDP)

The recently announced SIEM ownership changes are likely to compound the challenges of managing both legacy and next-gen SIEMs for you. You will likely have to bring new SIEM tools under management. You will also have to assist your clients to move between SIEM tools, while being careful to provide continuous TDIR during the migration. An MDR SSDP can help you overcome both the new challenges posed by the recent changes announced by the SIEM vendors and the inherent challenges of managing a SIEM as part of your MDR services.

An MDR SSDP is a Software-as-a-Service (SaaS) tool that allows security analysts to manage TDIR as an overlay to one, or many, SIEM and Extended Detection and Response (XDR) tools. An MDR SSDP allows you to decouple the services provided by your analysts and engineers from the automation provided by the platform when it comes to delivering an MDR offering for your clients.

Notably, MDR SSDPs have specific advantages for MDR providers in the face of the rapidly changing SIEM vendor landscape. To start, your analysts don’t need to familiarize themselves with each new SIEM tool under management since incidents and their associated information are normalized and presented in a universal format in the platform console. Your analysts can work in a familiar interface, irrespective of whether your clients’ underlying SIEM (or XDR) tools change or are replaced.

An MDR SSDP also allows your analysts to manage multiple SIEMs (and XDRs) from the same console without having to pivot to other screens. This is helpful if you have a client that has multiple tools, for example because of M&A activity. It can also be helpful if a client is migrating from one SIEM vendor to another as you can manage both SIEMs simultaneously from a single console until the migration is complete.

There are other advantages inherent in MDR SSDPs. For example, you can add MDR services for additional SIEM tools with much lower entry costs and a shorter time to market. You can also reduce your staffing costs by reducing SIEM-specific knowledge requirements when hiring new staff. Standardization also allows for additional operational efficiencies by maturing your operating models and allowing you to take a more programmatic approach to TDIR.

Finally, an MDR SSDP can allow you to democratize detection and response by providing your clients with direct access to the platform. This enables you to provide your clients with improved visibility and provides them with the ability to self-service additional security and compliance initiatives.

Conclusion

The evolution from legacy to next-gen SIEMs has transformed how MDR providers manage security incidents. While legacy systems offered simplicity and predictability, they struggled with scalability and advanced threat detection. Next-gen SIEMs, with their machine learning, UEBA, SOAR, and data lake capabilities, provided superior threat detection and response. However, they also presented MDR providers with challenges in terms of complexity and integration. The accelerating changes in the SIEM vendor landscape compound that complexity.

As the SIEM vendor landscape continues to evolve, it's crucial for you to evaluate whether you can reduce the cost and time you require to manage SIEMs and consider upgrading to an SSDP. Staying updated with the latest technologies can also significantly enhance how you manage your clients’ security posture and resilience.

If you are interested in exploring an MDR SSDP, ContraForce offers consultations and demos to help you make an informed decision. Contact us today to learn more.

About ContraForce:

ContraForce enables the development and delivery of profitable and scalable security service offerings. ContraForce’s SecOps Service Management platform reduces complexity for the security analyst by hyperautomating time-consuming tasks across the Microsoft security stack, empowering them with insights and frictionless access to information and remediations. The result is massive improvements for Managed Service Providers (MSP) and Managed Security Service Providers (MSSP) in analyst efficiency and security effectiveness. Learn more about the ContraForce Platform.

ContraForce is everything you need to manage your security service delivery with confidence.
