SIEM solutions come in many different shapes and sizes, but they are all meant to provide a platform that is configured to receive events from any event source. Examples of event sources include physical access control systems (key fobs, biometric readers, etc.), the logging facilities built into workstation and server operating systems, network infrastructure devices such as switches, routers and firewalls, IoT (Internet of Things) devices and sensors such as smoke alarms, cameras and motion detectors, and collaboration platforms such as Teams or Zoom. The SIEM also provides the ability to filter, search, categorize, prioritize and track events, to notify stakeholders with alerts and, when configured to do so, to trigger mitigation actions such as disabling accounts.
Managed SIEM services are also available in a variety of delivery models, each including a different degree of management and setup to fill the gaps where the client organization does not want to, or does not have the means to, handle the deployment in-house. For instance, some services offer the design plus a basic, out-of-the-box configuration and integration, while the customer is expected to provide any custom configuration or rules and any integrations not already available. In other cases, providers will manage and monitor a customer's existing SIEM, leaving deployment, configuration and integration to the client organization. Finally, other offerings include a more complete solution covering design, implementation, integration, configuration, monitoring and response.
The division between what the client manages and what the provider manages is always the client's decision, so it is the client's responsibility to understand which aspects of the SIEM solution should be handled by a third-party provider and which should stay in-house. A Security Information and Event Management (SIEM) solution is an essential component of the modern security stack. A SIEM's job is invaluable: it takes events and information from all of the other systems and security solutions in place and makes them available in one location, with capabilities centred on supporting human decision making. It is essentially the central hub for security information. SIEMs are undeniably vital but can also be complicated, with complex deployment procedures that each depend on many variables. SIEMs also need regular upkeep as well as constant analysis and adjustment as security events are received. The industry has also found that qualified cybersecurity analysts and experts are difficult to find in the current job market. All of these factors are potential roadblocks for organizations looking to implement a SIEM solution.
Given the required planning, the integrations with third-party security solutions and event sources, the initial deployment and configuration, and the continuous fine-tuning, it is no surprise that organizations are leaning heavily toward managed SIEM solutions to turn events into actionable intelligence.
Managed SIEM providers offer the SIEM solution an organization wants along with all the ancillary services required to design, implement and maintain it, as well as the skilled personnel required to analyze, investigate and remediate threats and incidents. A managed SIEM provider will take an inventory of all the security solutions and event sources across the enterprise estate, determine which integrations are required, design the solution using existing or custom integrations, implement and configure it, assign an analyst or team of analysts to monitor it and, finally, provide any updates, configuration changes or new integrations that become necessary. This approach is much simpler for an organization to implement because the heavy lifting is done by a third party. In many cases it may even be less costly once the cost of hiring, training and retaining the skilled analysts required to fully benefit from a SIEM deployment is taken into account.
The following details the different options which exist for IT teams considering managed services.
IT teams should consider the following components when comparing SIEM services.
Artificial intelligence and machine learning in managed SIEM solutions are used to produce more pertinent alerts, more accurate prioritization and classification of events, and even configuration automation that suggests new detection rules and alerts to implement. Detecting threats and hunting for persistent threats has become a major focus for AI in general, and specifically in SIEM solutions. Treat model-generated rules and classifications as suggestions that an analyst validates before they are enforced, not as a replacement for detection engineering.
For organizations already hosting their infrastructure, data and even software in the cloud (or moving in that direction), cloud-based managed SIEM solutions with cloud-to-cloud integrations offer the easiest integration and the most out-of-the-box coverage for this type of environment. They also provide the identity, device and access telemetry, with deep insight and analysis, that a zero-trust network access programme depends on; the SIEM does not implement zero trust by itself, but it supplies the visibility needed to enforce and verify it.
With fully managed SIEM solutions, organizations gain more agility than with traditional self-managed SIEM deployments, because the provider eases the burden of development, planning, support and implementation. When workflow changes or detection engineering are required, nobody within the organization needs to be pulled from other tasks.
Managed SIEM solutions are delivered in several ways. Some are deployed as virtual appliances that can be implemented out of the box and dropped into the organization's infrastructure; once they are given connectivity and service accounts for integration, the managed SIEM provider handles the rest of the deployment. Those service accounts give a third party standing access to the environment, so scope them to read-only log collection wherever the integration allows and review them as you would any other privileged credential. Cloud-delivered solutions, in contrast, generally come with a large set of predefined rules and policies templated by the provider, which makes implementation, deployment and upkeep easy, but they generally require a cloud-first architecture to make use of cloud-to-cloud integrations.
As an organization adopts a managed SIEM solution, the customer can expect notifications for any event that may indicate a threat or incident, along with status updates on whether incidents are resolved. This can be overwhelming and result in 'alert fatigue', so fine-tuning is required to reduce noise and ensure that alerts are only generated when an action or decision is required. Some alerts will also need analysis that AI, if implemented, cannot handle; the customer needs to define how those are dealt with, because there may be an abundance of benign alerts that still require human review.
Once a configuration and design have been chosen, the provider delivers whatever resources are required to implement the solution, along with documentation of how testing will be carried out to tune the solution for efficiency and reduce human interaction wherever possible. Especially when AI is deployed, this will likely include a period, often called a 'learning period', during which there will be many benign alerts and potentially even missed incidents while the models 'learn' the environment. Agree in advance how long this period lasts and which detections are enforced from day one rather than left to the models.
Support is a critical part of any managed service offering. When an attack occurs or the SIEM encounters technical difficulties at 2300 hours on Christmas Eve, it is vital that the organization knows someone is available to assist. It is crucial to understand what support levels exist and the associated service level agreements (SLAs). With an in-house or on-premises solution, if something goes wrong the customer should have all the necessary access to the platform and underlying infrastructure to solve the problem. With a managed solution, however, the customer likely does not have administrative access to the entire solution and its underlying infrastructure, so they are at the mercy of the managed service provider for support.
Managed SIEM adds security for organizations with remote users by correlating security information about their activity with other available context, such as the times they normally log in or their usual geographic location. This helps in responding to common remote-access threats such as 'impossible travel' logins (two sign-ins by the same account from locations too far apart to have been reached in the elapsed time), which may otherwise go unnoticed. Where accounts must be disabled until events are investigated, a managed SIEM will often allow immediate review of all relevant factors and enable mitigation with very little downtime, letting the user get back to their job duties as quickly as possible.
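As an added example (not code from Netify or from any SIEM product), the following Python shows the 'impossible travel' correlation described above applied to constructed sign-in records, together with the kind of noise suppression the earlier discussion of alert fatigue calls for. It assumes sign-ins arrive as JSON lines already enriched with a latitude and longitude for the source IP by an upstream step; the 900 km/h speed threshold and the 50 km minimum distance are placeholder values a team would tune for its own environment.

```python
"""Impossible-travel detection over sign-in events (added example).

Illustration written for this page, not code from Netify or any SIEM
vendor. Assumptions: each record already carries lat/lon resolved from
the source IP by an upstream enrichment step, and the thresholds below
are placeholders to be tuned per environment.
"""
import json
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0      # assumption: ignore geo-IP jitter inside one city

# Constructed sample events (JSON lines), not real logs. Deliberately out of
# order to show that the detector sorts by timestamp before correlating.
SAMPLE_LOG = """\
{"user": "alice", "ts": "2024-03-04T08:00:00+00:00", "src_ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278}
{"user": "bob",   "ts": "2024-03-04T09:00:00+00:00", "src_ip": "203.0.113.22", "lat": 51.5074, "lon": -0.1278}
{"user": "carol", "ts": "2024-03-04T09:05:00+00:00", "src_ip": "203.0.113.31", "lat": 51.5074, "lon": -0.1278}
{"user": "carol", "ts": "2024-03-04T09:06:00+00:00", "src_ip": "203.0.113.32", "lat": 51.5100, "lon": -0.1200}
{"user": "alice", "ts": "2024-03-04T08:45:00+00:00", "src_ip": "198.51.100.7", "lat": 40.7128, "lon": -74.0060}
{"user": "bob",   "ts": "2024-03-04T09:20:00+00:00", "src_ip": "203.0.113.40", "lat": 51.4543, "lon": -0.9781}
"""


def parse_events(text):
    """Parse JSON-lines sign-in records into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh.

    Events are sorted by timestamp first because log delivery order is not
    reliable. Moves shorter than min_km are ignored to suppress geo-IP
    jitter, which is the main source of false positives for this rule.
    """
    alerts = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            dist_km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            if dist_km >= min_km:
                # Zero elapsed time over a real distance is impossible by definition.
                speed = float("inf") if hours <= 0 else dist_km / hours
                if speed > max_kmh:
                    alerts.append({
                        "user": ev["user"],
                        "from_ip": prev["src_ip"],
                        "to_ip": ev["src_ip"],
                        "distance_km": round(dist_km, 1),
                        "minutes_apart": round(hours * 60, 1),
                        "speed_kmh": round(speed, 1),
                    })
        last_seen[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the constructed data only alice fires: London to New York in 45 minutes implies roughly 7,400 km/h. bob's London-to-Reading hop is about 59 km in 20 minutes, well within the threshold, and carol's two London sign-ins from different IPs one minute apart fall under the minimum distance and are suppressed rather than raised as noise. A real deployment would also exempt known VPN egress ranges and shared proxies, which otherwise produce exactly this false positive.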
A managed service provider's service level agreement (SLA) is possibly the single most important document they will provide during the contracting process. It sets the stage for how all issues and incidents are handled. Often the SLA varies depending on the price paid or the support tier purchased. It is critical to understand this agreement and to be willing to accept and expect exactly what is written in it, because the provider is bound to deliver exactly what the agreement says and no more, both while the system is running flawlessly and when scheduled queries or reports grind to a halt on a holiday.
SIEM is a vital complement to SASE (Secure Access Service Edge), because the goal of a SIEM is to gather and correlate information from all information and security systems. When organizations move security enforcement to the edge, it is important to consider the effect on the SIEM's visibility. Traffic that traverses SD-WAN and SASE services no longer passes through the traditional on-premises inspection points that a SIEM has historically collected from, so the SIEM and its integrations may lose insight into parts of the network unless log collection from the SASE provider is planned before major network changes are made.
Who will onboard new accounts, the managed service provider or the customer? Questions like this are important when adopting a managed service provider, because they uncover obstacles you may not have considered (for instance, ensuring that the provider's personnel have appropriate security clearance and the network accounts or administrative privileges required to provision accounts).
Out-of-the-box configurations and capabilities widely vary and will be different with each solution. It is important to understand what is being provided before investing time and resources into a project like this. Even when customers find that a given solution largely encompasses their needs, there will always be some fine-tuning required.
Consider the items below when creating your vendor shortlist.