
There are a variety of ways to approach managed security services, each of which has strengths and meets different needs. Determining which approach works best for your company is crucial for both safeguarding your digital assets and giving you access to the data you need to make informed decisions about your security posture. 

Different Approaches to Managed Security 

Managed SIEM & SIEMaaS 

Managed SIEM and SIEM as a service (SIEMaaS) are solutions that companies typically license on a month-to-month basis. With this model, the company managing your service handles all of your patching and hosting concerns. This convenient approach means that individual companies don’t need to worry about upfront costs (which can be a barrier to smaller companies) or handle any of the infrastructure maintenance or log storage associated with a traditional SIEM. However, with this model, the client is still responsible for managing their SIEM and its alerting. 

Benefits 

There are a variety of benefits associated with choosing a Managed SIEM or SIEMaaS approach: 

  • Lower barrier to entry, since the cost is spread out monthly. This can make this option attractive to smaller businesses or those with modest budgets. 
  • Limited to no deployment knowledge needed. The company providing the service handles the deployment as well as any patches or maintenance, making this option easy to maintain on the customer end. 
  • Log storage burden is removed. Customers do not need to worry about how their logs are being stored or for how long. They simply specify how long their logs need to be stored, and their pricing option is adjusted accordingly. 
  • No infrastructure system administration. The service provider handles all infrastructure and maintenance related tasks. 

Drawbacks 

The Managed SIEM and SIEMaaS model also has its drawbacks: 

  • Relying on a third party to maintain systems and uptime. A good service provider will do everything they can to minimize disruptions and maximize uptime, but relying on a third party for maintenance does limit how much control the client has over their infrastructure. 
  • Long term costs can be more expensive than internal hosting. While monthly payments lower the cost of entry, these monthly payments frequently add up to more than it would cost to host the system internally. 
  • The client is still responsible for SIEM rulesets and alerting. While the service provider will deploy and configure your system, the client is responsible for determining how incoming data is interpreted and setting up their own alerts to flag potentially suspicious activity. 
  • Hiring and keeping SIEM and SOC employees is traditionally difficult. SIEM and SOC employees are in high demand, so having a dedicated SIEM or SOC employee on staff (if you can manage to hire one) can be expensive. With this model, you will need to have a SIEM employee on your team to correctly manage your SIEM. 

Managed SOC & SOCaaS 

Managed SOC and SOCaaS are, in essence, an extension of Managed SIEM and SIEMaaS. With this model, clients get access to an actual security operations center, allowing them to have their SIEM managed and configured as needed. The client gets both the SIEM and access to a team of experts who will monitor their network for suspicious activity and respond to potential threats. This model is also typically billed on a month-to-month basis. 

Benefits 

There are a variety of benefits associated with choosing a Managed SOC or SOCaaS approach: 

  • Monthly payments mean a low cost to entry. This can make this option attractive to smaller businesses or those with modest budgets. 
  • Limited to no deployment knowledge is needed on the client side. The company providing the service handles the deployment as well as any patches or maintenance, making this option easy to maintain on the customer end. 
  • Log storage burden is removed. Customers do not need to worry about how their logs are being stored or for how long. They simply specify how long their logs need to be stored, and their pricing option is adjusted accordingly. 
  • No infrastructure system administration. The service provider handles all infrastructure and maintenance related tasks. 
  • Hiring and keeping SIEM and SOC employees is traditionally difficult. With a SIEM-based model, you will need to have a SIEM or SOC expert on staff to ensure your system is running smoothly. However, with a Managed SOC or SOCaaS model, access to a team of security experts means you no longer need specialized staff to manage, monitor, and maintain your system. This not only relieves staffing burdens but also gives you a much larger pool of knowledge to draw on, since even the best security expert can’t be an expert in everything. 
  • Access to a team of experts. With a team of security experts on your side, you can rest assured that everything possible is being done to safeguard your digital assets. Should an incident occur, your company can draw on the experience and expertise of this highly qualified team, allowing you to minimize or even avoid damage and downtime. 

Drawbacks 

The Managed SOC and SOCaaS model also has its drawbacks: 

  • Relying on a third party to maintain systems and manage uptime. A good service provider will do everything they can to minimize disruptions and maximize uptime, but relying on a third party for maintenance does limit how much control the client has over their infrastructure. 
  • Less control over monitoring and response. Some organizations may view not having to watch for and respond to potential threats as a benefit; for organizations that wish to remain in control of the entire process, however, this outsourcing of responsibilities can be a drawback. 
  • Requires qualified workers on staff to remediate threats. While the service provider may handle threat monitoring and response, it is still up to the individual client to remediate any damage caused by an attack. The service provider’s experts may be able to offer advice, but it ultimately falls on the client to deal with any resulting damage after a cybersecurity incident. 
  • SIEM knowledge isn’t owned by the customer. Because the customer is able to offload much of the daily responsibility of monitoring and managing the system as well as vetting and responding to threats, all of that critical knowledge stays with the service provider. This means that if a client chooses to end their agreement with the service provider, they are left without the skills they need to defend their network on their own. 

Determining the Best Approach to Suit Your Company’s Needs 

There is no universal checklist companies can use to determine which approach to security is best for their needs. This decision needs to be made on a business-by-business basis. However, there are a few steps you can take to help determine which approach is best for you: 

  • Assess your organization’s security maturity level. Before you can make a decision, you need to determine whether your organization is mature enough in its security journey to handle the daily operations a SIEM requires. 
  • Take stock of your resources. Depending on your budget, it may make more sense to purchase a SIEM and handle everything internally. However, this internal approach can be costly and requires that you have enough knowledgeable individuals on staff to manage your SIEM correctly and effectively. As such, this option is not typically available to most businesses. 

Choosing Managed SIEM or SIEMaaS 

Organizations that either don’t wish to host their security operations internally or can’t afford to, but that have the knowledgeable staff necessary to manage a SIEM, may find that a Managed SIEM or SIEMaaS approach is best. This approach removes the burden of large upfront costs by relying on a software-as-a-service model while leveraging the talents and expertise of internal staff to handle ongoing management, monitoring, and maintenance. However, this approach can still be risky, since a highly competitive job market means that qualified employees may be difficult to hang onto. 

Choosing Managed SOC or SOCaaS 

This model can be ideal for some organizations because it removes the financial burden of purchasing a SIEM and hiring expensive and highly sought-after employees to maintain, manage, and monitor the system.  Once mostly adopted by small and medium-sized businesses (SMBs) with a compliance need, this option is becoming increasingly popular among companies of all sizes and in all verticals.  As such, the market has exploded, with some SIEM/SOC service providers even claiming that they can get a full SIEM or SOC system up and running for your company in less than one business day. Whether these claims are strictly true remains to be seen, but since most traditional SIEMs take weeks, months, or even years to deploy effectively, any approach that shortens this timeline without cutting corners or sacrificing quality may be worth considering.  For organizations with no concerns over outsourcing, the Managed SOC or SOCaaS model may be the best choice. 

Why SOCaaS is Moving Downstream 

SOCaaS is moving downstream for a few reasons: 

  • The cost is dropping. As more vendors enter the market, the price of SOCaaS products and services continues to drop. This lower price means more SMBs or organizations with modest budgets can explore how a SOCaaS could benefit them and put this option within reach. 
  • SOCaaS companies have recognized that SMBs are underserved. Even five to ten years ago, there were almost no SOCaaS companies targeting SMBs. Most SOCaaS companies were targeting large businesses that could either afford a SIEM/SOC or had a compliance need. 
  • Compliance is top of mind for more companies. Ten years ago, most SMBs could get by without worrying about the same compliance concerns that plagued large organizations. This is increasingly no longer the case, as businesses of all sizes in select verticals find themselves bound by strict security regulations that must be observed to stay in business. 

How to Choose the Right Solution to Suit Your Needs 

The first thing you and your team need to determine when considering a SOC or SIEM approach is what you are looking to get out of the service. Take the time to lay out the defined needs and wants of your business. As I always say, it doesn’t really help you get to your true destination if you are looking at the wrong map. Once you have determined your needs, you can begin to look for a solution that meets them. When choosing a solution, consider how cost-effective the solution on offer is and whether it will be able to grow with your business over time. Growth over time is vital because your organization’s security needs are far more likely to grow than shrink as your business expands. 

Red Flags to Watch For 

Customers should also be wary of solutions that calculate their monthly bill based on data storage or data flow rate. Models like this mean you will likely end up paying significantly more money for your security solution than if you had taken your business elsewhere, and they can leave you feeling nickeled and dimed. Instead, look for a solution that provides good value for what you are paying for. 

Make sure you choose a SIEM or SOC provider that communicates regularly. I’ve heard from too many businesses that say they haven’t heard from their security services provider or had an alert in the last six to ten months. Without regular updates, you have no idea whether the company you hired is doing a good job or even doing anything at all. Even if you are hiring a SOC to handle most of your security burden, you still need to know that they are actually doing the work you are paying them to do. 

Is your current managed security solution meeting your needs? The experienced team at Cedant is here to help keep your network secure. Contact us today to get started.