EXPEL BLOG

Part III: How MDR can transform your SIEM investment

· 4 MIN READ · LEO SZALKOWSKI · NOV 15, 2024 · TAGS: MDR / SIEM

How Expel MDR works to complement and transform your SIEM investment and security strategy 

TL;DR 

  • This is part three of a three-part blog series on how MDR can transform your SIEM investment
  • Understand why an MDR provider—like Expel—is a great tool for augmenting your SIEM capabilities (not replacing them)
  • Dive into the specifics of how Expel MDR works in tandem with SIEM tools


This is part three of a three-part blog series: How MDR can transform your SIEM investment. You can find the full series here:

The benefits of Expel MDR for SIEM 

In part one of this blog series, we explored the foundational differences between SIEM and MDR, and how you can strategically pair them to enhance your security resilience and previous tech investments. 

In the second part of this series, we covered the lifecycle of an attack, and where and why we apply SIEM and MDR tools. 

In the final part of this blog series, we’re going to dive into how Expel MDR specifically can transform your SIEM tools. But before we get into the hows, let’s review the benefits of combining SIEM and MDR, especially if you’re choosing Expel MDR. We support and transform your SIEM capabilities by: 

  • Delivering advanced threat detection capabilities that you actually want (or think you already have) 
  • Transforming your SIEM from an ingestion tool to a part of a responsive threat identification solution
  • Providing 24×7 support from highly skilled security pros—which is especially helpful for monitoring the enormous volume of logs SIEM tools can store 
  • Customizing support based on what you need, not what we think you need 

So how does Expel MDR support SIEM tools? 

Expel MDR is tech-agnostic, and that applies to SIEM tools, too. Regardless of the investments you’ve already made, we’re here to enhance those purchases by improving your security resilience, and reducing security gaps, regardless of what’s in (or not in) your tech stack. 

For us, that means providing everything you need to support your SIEM tools. This includes support for out-of-the-box (OOTB) and custom rules, investigation support, and the Expel SIEM Insights Report. And all of the info that fuels these insights stems from two places: SIEM detections, and SIEM data. 

With detections originating from your SIEM 

Many SIEM vendors provide a variety of OOTB detection rules that allow organizations to get up and running quickly. Some of these OOTB detections are good to go from the start, and others require some fine-tuning to better adapt to the environment. The goal with detections should always be to tune and adapt your detections to meet your needs. Expel proactively reviews these OOTB rules to determine which ones align with the overall Expel detection strategy.

In addition to the OOTB rules, organizations with a more mature detection and response program will develop and implement their own custom detection rules. These are typically built by dedicated teams, in conjunction with engineering, threat hunting, and the SOC, to provide high-fidelity leads for analysts to investigate. These custom detections are generally tailored to their specific environment or based on threat intelligence. 

Expel has developed a framework for evaluating customers’ out-of-the-box and custom detection rules based on various criteria, including the rule’s logic, the data sources it uses, and its potential impact on the organization. The rule review process is meant to analyze the set of detection rules and evaluate the highest fidelity alerts to surface to human eyes. Alerts that don’t meet the criteria are still processed and used as supporting evidence for other alerts across the customer’s security stack.

By regularly evaluating the effectiveness of their detection rules, organizations can ensure that those rules are still providing the best possible protection. The idea here is to avoid treating every possible signal as immediately important, and instead provide high-quality, high-fidelity leads for the SOC to investigate. Excessive noise and false positives can quickly lead to alert fatigue and SOC burnout. Expel aids in this effort by regularly providing feedback and comments about rule performance and offering recommendations for tuning opportunities.

Finally, our SIEM Insights Report provides a bird's-eye view of your SIEM investment by summarizing your custom rules' recent performance, providing tuning recommendations to make them more performant, detailing your data utilization for detections, and identifying potentially risky configurations of your SIEM tools. This information can be used to identify trends, spot potential problems, and make informed decisions about how to improve your security posture.

With other data stored in your SIEM 

We’ve discussed how detections originating from your SIEM tools help us protect your organization, but what about all the other data you’re sending to those tools? That’s where we automate. 

Expel has developed bots responsible for enriching alerts with additional context, like IP information and domain reputations. And to make the information more powerful, these bots also provide context specific to your environment. When you onboard your SIEM tools with Expel, you enrich our bots’ capabilities to correlate data across your tech stack to surface alerts. That means we can augment alerts with specific details about the impacted host and user that you have stored in your SIEM.

In addition to traditional alert enrichment, we also correlate alerts across your security stack based on key evidence fields. This allows our SOC to have as much context and be as prepared as possible. And we can even run ad-hoc queries so our bots can retroactively uncover more information as needed for investigations. 

What about those custom detections you have that don't meet our criteria for sending to a human SOC analyst? We'll check those alerts in your SIEM to see if any have triggered that are related to our investigations. This additional context gives our analysts a bigger picture of what activity took place, enabling them to take quicker action.
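The rule-review tiering described earlier (surface the highest-fidelity alerts, keep the rest as supporting evidence) and the evidence-field correlation and SIEM enrichment described in this section can be illustrated together. The following is an added example, not Expel's code or framework; the alerts, asset context, fidelity tiers and field names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed stand-in for host and user context stored in a SIEM.
ASSET_CONTEXT = {
    "host": {"wks-1042": {"owner": "jdoe", "criticality": "high", "site": "HQ"}},
    "user": {"jdoe": {"dept": "finance", "privileged": False}},
}

# Constructed alerts from several tools. "fidelity" is the tier a rule review
# assigned: "surface" alerts go to an analyst; "supporting" alerts stay in the
# SIEM and are only pulled in when they relate to an open investigation.
ALERTS = [
    {"id": "A1", "source": "edr", "rule": "credential_access", "fidelity": "surface",
     "host": "wks-1042", "user": "jdoe", "src_ip": "10.1.5.23"},
    {"id": "A2", "source": "siem", "rule": "custom_odd_hour_logon", "fidelity": "supporting",
     "host": "wks-1042", "user": "jdoe", "src_ip": "10.1.5.23"},
    {"id": "A3", "source": "siem", "rule": "custom_new_service_install", "fidelity": "supporting",
     "host": "srv-db01", "user": "jdoe", "src_ip": "10.1.5.23"},
    {"id": "A4", "source": "proxy", "rule": "newly_registered_domain", "fidelity": "supporting",
     "host": "wks-3310", "user": "asmith", "src_ip": "10.1.9.8"},
]

# Key evidence fields used to correlate alerts across tools (assumed names).
EVIDENCE_FIELDS = ("host", "user", "src_ip")

def index_by_evidence(alerts):
    """Map each (field, value) pair to the ids of the alerts that carry it."""
    idx = defaultdict(set)
    for a in alerts:
        for f in EVIDENCE_FIELDS:
            if a.get(f):
                idx[(f, a[f])].add(a["id"])
    return idx

def build_investigation(lead_id, alerts, context):
    """Open an investigation from one surfaced alert, attaching SIEM context and
    every supporting alert that shares at least one evidence field with it."""
    by_id = {a["id"]: a for a in alerts}
    lead = by_id[lead_id]
    if lead["fidelity"] != "surface":
        raise ValueError("only surfaced alerts open an investigation")
    idx = index_by_evidence(alerts)
    related = {}
    for f in EVIDENCE_FIELDS:
        for aid in idx.get((f, lead.get(f)), ()):
            if aid != lead_id:
                related.setdefault(aid, set()).add(f)
    return {
        "lead": lead_id,
        "host_context": context["host"].get(lead["host"], {}),
        "user_context": context["user"].get(lead["user"], {}),
        "supporting": {aid: sorted(fields) for aid, fields in related.items()},
    }
```

The returned record shows an analyst which supporting alerts are linked to the lead and on which fields, so a low-fidelity custom rule still contributes evidence without generating its own alert to triage.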

MDR and SIEM are like peanut butter and jelly—each is great on its own, but together they’re next-level. By leveraging Expel’s MDR service in conjunction with SIEM, organizations can significantly enhance their security posture and protect themselves from a wide range of cyber threats. If your organization is considering how to get more out of its SIEM investment, drop us a line.