The coronavirus situation is accelerating an already strong trend toward Security Information & Event Management (SIEM) tool deployment among SMBs. SIEM is a relatively broad and mature technology category with a plethora of options.
If you’re considering (or already have) a SIEM solution, at what point do you move up to a Security Operations Center (SOC)? And should you be managing your SIEM or SOC environment in-house, or leverage a Managed Security Service Provider (MSSP)?
This and a full slate of issues around SIEM are covered in a recent episode of The Virtual CISO Podcast, which features Danielle Russell, Director of Product Marketing Management for AT&T Cybersecurity, a SIEM and threat intelligence leader. Interviewing Danielle is host John Verry, Pivot Point Security’s CISO and Managing Partner and a long-time SIEM proponent.
How does a SOC compare to a SIEM solution?
According to Danielle, “A SIEM is a tool. It’s a security technology that you might include as part of an overall cybersecurity program. A SOC… is where you start to see the people, process and technology of cyber risk management and cybersecurity coming together.”
Further, if you're weighing SIEM versus SOC, part of that equation is whether it should be a managed SIEM, a managed SOC, or a related MSSP offering. Especially for SMBs, that comes down to available resources: who has the time and skills to run it.
Danielle suggests some questions that SMBs can ask to clarify their needs: “Who is the person on my team or the people in my organization or in a provider’s organization who are going to be using the SIEM? Who is going to be doing the security plumbing, the security work to get the information that I need into my SIEM to bring in threat intelligence that’s timely and diverse and helps to resiliently detect threats into that environment? And then who is actually looking through those security alerts, triaging them, escalating them, and walking through that security investigation and response process all the way through remediation?”
“I think even before an organization says, ‘Aha, we have a compliance requirement. We need to go get a log manager. We need to go get a SIEM,’ it’s worth asking, ‘Who is going to manage it and… what is the objective and then who’s going to participate in getting it there?’,” recommends Danielle.
John then addresses the issue of in-house versus MSSP:
“I might manage the SIEM internally because I’ve got enough security team… Or I might use an external third party to care and feed for the SIEM.”
“And then the same thing on the SOC side—because they might have someone sitting looking at screens and responding to those events internally, or where they might have a third-party operating 24×7 on their behalf and either taking some level of action and/or escalating to them,” John adds.
At the end of the day, a SIEM solution is a tool. Like any tool, it needs to be maintained, updated, tuned and reconfigured as the environment changes. And someone has to be in a position to respond to the alerts and notifications it generates. "Who's going to take that action?" is the crucial question that drives the whole InfoSec technology/service discussion.
This blog post is derived from an episode of The Virtual CISO Podcast that features Danielle Russell. To listen to the complete episode and others like it, you can subscribe to The Virtual CISO Podcast here.