Security operations · 2 MIN READ · MATT DUBIE · AUG 23, 2023 · TAGS: MDR
SIEMs are used widely by security organizations. When paired with managed detection and response, they can be even more efficient and effective.
According to one survey, two-thirds of organizations use a security information and event management (SIEM) solution in their security operations center (SOC). Many also purchase a managed detection and response (MDR) service, which can enhance an organization’s SIEM alerts. For organizations employing SIEM technology, MDR represents an opportunity to significantly boost efficiency and security readiness—and it may also strengthen return on investment (ROI) and total cost of ownership (TCO) propositions.
What SIEM and MDR do
SIEM primarily focuses on event correlation and log analysis. It collects and analyzes data from multiple sources within the network, such as firewalls, servers, and applications, to detect security events and potential threats. It also aids in regulatory compliance by providing centralized logging, reporting, and auditing capabilities.
MDR services can augment SIEM technology by evaluating its alerts to understand what they mean. SIEMs often ship with vendor-supplied alerts, and security operations teams can additionally create custom SIEM rules that analyze and summarize logs in line with the team’s objectives. Creating those custom rules increases the team’s workload, however: they must not only analyze the resulting alerts but also continuously tune the rules to make sure they’re seeing the alerts they want to see.
MDR services can integrate with a SIEM to analyze its alerts, prioritize which ones need attention, and enrich them with context so that analysts fully understand the situation. MDR services also bring their own detection libraries, which yield higher-fidelity alerts (and leave fewer SIEM alerts for the team to continuously tune). Together, the two improve a security team’s speed, effectiveness, and efficiency.
Reduced false positives
One of the big challenges with SIEM solutions is the high number of false positives, which drives alert fatigue. MDR helps mitigate the challenge by applying both people and technology to analyze SIEM alerts and identify potential false positives, which reduces alert fatigue and lets security teams focus on genuine threats. By eliminating noise and providing usable intelligence, MDR allows security personnel to dedicate their time and resources to critical incidents.
Proactive threat hunting
MDR teams can also make excellent use of SIEM’s log management capabilities when proactively hunting for threats, searching the stored logs for indicators of compromise (IOCs) and potential vulnerabilities. The combination of SIEM’s data aggregation and MDR’s human intelligence helps organizations identify and mitigate threats before they cause significant harm. Some MDR providers, like Expel, also offer regularly scheduled, hypothesis-based threat hunting that looks back over time to identify silent attacks that may have escaped detection the first time around (threat actors often know how to game detection tools). Regular threat hunting offers security teams an additional layer of protection that complements MDR’s more reactive IOC-based hunts, affording insights into the environment that support a stronger defensive posture.
(Threat hunting is a complementary functionality to MDR and is purchased separately.)
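To make the division of labor described above concrete, here is an added example (it is not Expel’s code and does not reflect any particular SIEM or MDR product) that runs a SIEM-style correlation rule over constructed authentication log lines, then applies an MDR-style triage pass that suppresses a known false positive, enriches what remains with asset context, and ranks it, and finally performs a retrospective IOC hunt over the same stored logs. All log lines, hostnames, IP addresses, the asset-criticality table, the authorized-scanner list and the IOC value are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication logs (not from any real environment).
SAMPLE_LOGS = """\
2023-08-23T10:00:01Z src=203.0.113.7 dst=vpn-gw user=alice outcome=failure
2023-08-23T10:00:03Z src=203.0.113.7 dst=vpn-gw user=alice outcome=failure
2023-08-23T10:00:05Z src=203.0.113.7 dst=vpn-gw user=alice outcome=failure
2023-08-23T10:00:08Z src=203.0.113.7 dst=vpn-gw user=alice outcome=failure
2023-08-23T10:00:10Z src=203.0.113.7 dst=vpn-gw user=alice outcome=failure
2023-08-23T10:00:14Z src=203.0.113.7 dst=vpn-gw user=alice outcome=success
2023-08-23T10:01:00Z src=198.51.100.10 dst=fileserver user=svc-scan outcome=failure
2023-08-23T10:01:01Z src=198.51.100.10 dst=fileserver user=svc-scan outcome=failure
2023-08-23T10:01:02Z src=198.51.100.10 dst=fileserver user=svc-scan outcome=failure
2023-08-23T10:01:03Z src=198.51.100.10 dst=fileserver user=svc-scan outcome=failure
2023-08-23T10:01:04Z src=198.51.100.10 dst=fileserver user=svc-scan outcome=failure
2023-08-23T10:09:00Z src=192.0.2.44 dst=hr-db user=bob outcome=failure
2023-08-23T10:20:00Z src=192.0.2.44 dst=hr-db user=bob outcome=failure
2023-08-23T11:00:00Z src=192.0.2.99 dst=hr-db user=carol outcome=success
"""

# Constructed context an analyst would consult during triage (hypothetical values).
ASSET_CRITICALITY = {"vpn-gw": "high", "hr-db": "high", "fileserver": "medium"}
AUTHORIZED_SCANNERS = {"198.51.100.10"}  # internal vulnerability scanner: known noise
RANK = {"low": 0, "medium": 1, "high": 2}
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) outcome=(?P<outcome>\S+)$")


def parse_logs(text):
    """Log collection step: parse the key=value lines into timestamped events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole batch
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def siem_rule_failed_logins(events, threshold=5, window_minutes=5):
    """SIEM correlation rule: N or more failed logins from one source inside a window."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "failure":
            failures[ev["src"]].append(ev)  # events are already time-sorted
    alerts = []
    for src, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                burst = evs[start:end + 1]
                alerts.append({
                    "rule": "brute_force_auth", "src": src, "count": len(burst),
                    "targets": sorted({e["dst"] for e in burst}),
                    "users": sorted({e["user"] for e in burst}),
                    "first_seen": burst[0]["ts"], "last_seen": burst[-1]["ts"],
                })
                break  # one alert per source, the way a SIEM would throttle
    return alerts


def triage_alerts(alerts, events, success_window_minutes=10):
    """MDR-style pass: suppress known noise, enrich with context, rank the rest."""
    success_window = timedelta(minutes=success_window_minutes)
    triaged = []
    for alert in alerts:
        item = dict(alert)
        if alert["src"] in AUTHORIZED_SCANNERS:
            item.update(status="suppressed", reason="authorized scanner (known false positive)")
            triaged.append(item)
            continue
        # Enrichment: did the same source authenticate successfully right after the burst?
        followed_by_success = any(
            ev["src"] == alert["src"] and ev["outcome"] == "success"
            and alert["last_seen"] <= ev["ts"] <= alert["last_seen"] + success_window
            for ev in events)
        criticality = max((ASSET_CRITICALITY.get(t, "low") for t in alert["targets"]),
                          key=RANK.__getitem__)
        if followed_by_success:
            severity = "critical" if criticality == "high" else "high"
        else:
            severity = "medium" if criticality == "high" else "low"
        item.update(status="escalate", severity=severity, asset_criticality=criticality,
                    followed_by_success=followed_by_success)
        triaged.append(item)
    # Escalations first, highest severity on top; suppressed items trail for the audit record.
    return sorted(triaged, key=lambda t: (t["status"] != "escalate",
                                          -SEVERITY_RANK.get(t.get("severity"), -1)))


def hunt_iocs(events, iocs):
    """Retrospective hunt: re-read retained logs for IOCs learned after the fact."""
    return [ev for ev in events if ev["src"] in iocs or ev["dst"] in iocs]


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for item in triage_alerts(siem_rule_failed_logins(evs), evs):
        print(item["status"], item["src"], item.get("severity") or item["reason"])
    for hit in hunt_iocs(evs, {"192.0.2.99"}):  # constructed IOC value
        print("IOC hit:", hit["ts"].isoformat(), hit["src"], hit["user"])
```

The correlation rule alone fires twice: once on the genuine credential-guessing burst against the VPN gateway and once on the internal scanner. The triage pass is where the SIEM-plus-MDR value shows: the scanner alert is suppressed with a recorded reason, and the VPN alert is escalated as critical because the same source logged in successfully seconds after the failures against a high-criticality asset. The IOC hunt then finds an event the rule never flagged, which is the retrospective lookback the post describes.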
Continuous improvement and scalability
MDR services continuously evolve and adapt to emerging threats. Providers invest in research and development, making sure their detection capabilities remain as current as possible (attackers never stop innovating, so defenders can’t, either). This means when there’s a new threat, you won’t need to update all of your custom rules to defend against it.
MDR can supercharge your SIEM investment and adapt to whatever your SOC needs your SIEM to do. You can accelerate time-to-value and simplify how you view SIEM security alerts, so that you get the answers you need out of your SIEM sooner and give your team more of its time back.
MDR and SIEM are like peanut butter and jelly—each is great on its own, but together they’re next-level. If your organization is considering how to get more out of its SIEM investment, drop us a line.