Security information and event management (SIEM) systems are crucial to collecting and analyzing incoming cyber threats, but many companies need help to tune and monitor them properly.
These firms enlist a security service provider to do it for them. That often leads to the question of whether a managed detection and response (MDR) service is also necessary.
In short, yes, adding MDR is a strong move as it adds deep threat investigation, threat hunting, and response actions at the endpoint. Simply put, a managed SIEM service identifies threats, and MDR helps neutralize them.
Closely examining the functions of each of these cybersecurity offerings helps illustrate why MDR and managed SIEM services – or, even better, a service such as Trustwave’s Co-Managed SOC (SIEM) – work better together.
Co-Managed SOC is a form of managed SIEM or SOC-as-a-Service offering. While there are differences between the three offerings (as detailed in Trustwave’s guide to managed SIEM providers), they all help organizations manage SIEM complexities. The services typically include SIEM licensing, deployment, and configuration, and some (not all) offer 24x7 monitoring.
The idea with any managed SIEM service is that the provider will help set up the SIEM such that it identifies the type of threats you most care about. The goal is to eliminate false-positive alerts, leaving only confirmed threats that require immediate action. (Trustwave’s offering takes a more consultative approach that involves continually fine-tuning the SIEM with use cases, which, we know are crucial for optimal performance).
The next step is taking action on the threats identified. This is where the MDR service comes in to play.
The best MDR providers are able to correlate alerts coming from high-value sources across a hybrid-cloud environment with a large attack surface and zero in on those that are indicative of an actual threat.
Once the SIEM identifies a confirmed threat, responses vary by MDR provider in terms of what happens next. Often, the provider will alert the client’s security team to the threat but leave it up to the team to respond.
However, Trustwave provides deeper threat investigation, threat hunting, and response at the endpoint. Trustwave will investigate to understand the full impact of a threat, enabling a more informed response. Then the Trustwave Information Security Adviros assigned to the client will pass along any recommendations.
That should be the bare minimum you expect from an MDR service provider. But the upper echelon providers also integrate third-party technologies through bi-directional APIs and incorporate additional intelligence sources for higher fidelity threat detection. In Trustwave’s case, that includes intelligence from our own SpiderLabs threat research team.
At that point, Trustwave’s MDR team follows pre-defined protocols to contain or mitigate the threat, either on their own or in conjunction with your team. When necessary, Trustwave can also seamlessly enlist its digital forensics and incident response (DFIR) team to conduct a thorough forensics investigation aimed at helping clients recover after a breach emergency. That is an important consideration. When you’re in the midst of a cyberattack scrambling to find a DFIR team can lead to disaster.
While managed SIEM services are essential for identifying and managing cyber threats, integrating MDR significantly enhances overall security. MDR provides advanced threat investigation, proactive threat hunting, and immediate response actions, particularly at the endpoint level. This combination ensures that threats are not only detected but also effectively neutralized. By leveraging both managed SIEM and MDR, organizations can achieve a more robust and comprehensive cybersecurity posture, ultimately leading to better protection against evolving cyber threats.
To learn more, download our e-book, "Get Maximum Value from Your SIEM," and visit our MDR webpage.