As IT systems and security threats become more numerous and complex, smaller organizations struggle to pull together all the information they need to stay secure. There’s just too much data coming from too many systems, and the results of a cybersecurity risk assessment can be overwhelming.
Enter the SIEM solution. It’s the bedrock of cybersecurity managed services. The good news is that it’s much easier to get a SIEM solution than you might think.
What is a SIEM solution?
Simply put, SIEM (Security Information and Event Management) is all about 1) aggregating as much security information as possible in a single user interface, and 2) empowering administrators to respond to security events from within that interface.
Organizations can manage their SIEM in-house, or they can work with a managed provider who installs, configures, and monitors the SIEM solution for them. Working with a managed provider is the best path for organizations that have limited resources for IT and cybersecurity.
But not all managed SIEM providers are created equal. It takes discernment to get the best value.
Here are 10 things to look for in a managed SIEM provider.
1. A provider who offers real-time, human monitoring 24x7x365
Having a SIEM solution isn’t enough. You also need people watching it. And if those people are going to make decisions based on what they see, they’d better be cybersecurity experts.
A good managed SIEM provider will keep eyeballs on your system 24x7x365. This way, nothing slips through the cracks.
2. A provider who not only notifies, but remediates
24x7x365 monitoring is one thing, but when something happens, who’s going to fix it? You, or the managed SIEM provider?
Some organizations may have the resources on staff to address a cybersecurity incident, any time of the day or night. However, smaller companies typically can’t respond in real time. Instead, the first person to come into the office the next morning discovers notifications that have been sitting for several hours.
You don’t want to end up there. The longer a security incident goes on without remediation, the greater the risk to your business.
This is why the best managed SIEM providers not only notify you of problems—they also remediate them.
If you have a limited IT team (or no IT team), you definitely need a provider who can fix problems for you. (More on that below—see “A provider with a service guarantee.”)
Also consider whether you need local support. While a managed provider can access your systems remotely, you may want a local presence for regular check-in meetings or onsite assistance if an incident occurs.
3. A provider who’s familiar with SIEM for your industry
Different industries come with unique challenges in cybersecurity. Regulatory compliance, ways of interacting with customers, and work processes all influence the way a SIEM solution should be implemented.
As you’re evaluating providers, check to see if a given vendor has implemented managed SIEM solutions for other companies in your industry. You’ll want to find a partner who knows the challenges of your industry—and how SIEM can solve them.
4. A provider who can explain their plan for comprehensive rule coverage
When it comes to SIEM configuration, the devil is in the details.
Your SIEM coverage is only as good as your ruleset.
A good provider should offer detailed opinions and recommendations for your ruleset—and those opinions should flow from deep experience and data analysis. The more comprehensive the provider’s experience, the better. Ideally, you’ll want to ensure your provider aligns their standard ruleset with a widely accepted framework.
5. A provider who can configure your SIEM solution top-to-bottom
It’s not enough to know what your ruleset should look like.
Your provider should also be able to configure your SIEM solution, putting that ruleset into practice. You want a partner with both strategic and tactical expertise in managed SIEM solutions.
6. A provider who can integrate SIEM practice with IT practice
Numerous IT systems feed data to the SIEM, which means your IT practice and your SIEM solution need to work hand-in-glove.
It’s difficult to get this comprehensive, integrated plan if your SIEM provider doesn’t also offer managed IT services. Ideally, you’ll want to find a partner who’s comfortable consulting on every aspect of your IT practice (and who’s ready to fill in the gaps that your team can’t cover). When you engage in this type of relationship, you get a long-term strategic plan for your IT practice—with managed SIEM baked in from the beginning.
7. A provider who offers predictable costs
Organizations with fewer IT resources (or none at all) tend to operate in “react” mode, rather than planning proactively. Generally, this means the fewer IT resources you have on staff, the greater the uncertainty surrounding your IT and cybersecurity costs.
A managed SIEM partner helps solve this problem—provided they also offer managed IT services and strategic IT roadmap development.
Simply put, you need someone in the driver’s seat who can align your technology roadmap with your overall business goals. Once you and your managed provider have a plan in place, including a SIEM solution, you can control your IT costs proactively rather than reacting to emergency situations.
8. A provider who offers total transparency (PLUS a client dashboard)
When it comes to managed IT and cybersecurity, some providers don’t like to offer total transparency. Whether they’ve made mistakes in the backend, or they’re afraid they will, they prefer to withhold some information from clients.
When it comes to a managed SIEM solution, your provider should let you see everything. If they’re doing their job, they have nothing to hide. Even if they make a mistake, you want a partner who will own up to it.
This is why the best managed SIEM providers practice total transparency with clients. Look for a partner who offers a real-time client dashboard for all things cybersecurity. That way, you have access to the same information that your managed provider uses.
(Hint: That’s what we offer here at Corsica Technologies.)
9. A provider with specialists in all relevant disciplines
A SIEM solution provides a comprehensive view of your cybersecurity landscape.
Just how comprehensive?
A typical SIEM solution reads data from sources as diverse as network logs, workstation logs, web application logs, firewall logs… the list goes on.
That’s why a good managed provider will support your SIEM solution with specialists in every relevant discipline. When you’re evaluating providers, make sure you get:
- Virtual CIO
- Virtual CISO
- Security Architects
- Systems Architects
- Network Architects
- Network Engineers
- Security Analysts
- Business Analysts
- End User Support Team
The more disciplines your SIEM provider covers, the more value you get out of the relationship. These specialists will help you keep up with the latest trends and security risks in technology. They’ll also help determine the best solutions to support, protect, and grow your business.
10. A provider with a service guarantee
A managed SIEM solution is only as good as the people responding to incidents. So, who’s going to fix things when the unthinkable happens?
The best managed SIEM providers offer a service guarantee. This spells out exactly what you can expect of them when an incident occurs. Specifically, a good provider should offer services for containment, eradication, and recovery following a cybersecurity incident, all at no additional cost. With clearly defined cost limits, the best service guarantees should cover:
- Ransomware infection
- Business email compromise
- Regulatory or compliance fines
- Business income loss
- Legal liability
The takeaway: Ask A LOT of your managed SIEM provider
Not all providers are created equal. When you’re evaluating a managed SIEM solution, look for a partner who goes above and beyond. They should offer total transparency, showing you the same information they work with. They should also offer a service guarantee—and they should know SIEM inside and out, particularly in the context of your industry.
Keep these things in mind, and you’ll easily find the right provider for your organization.