In today’s ultra-competitive MSSP market, business owners are looking for ways to make their offerings more attractive to customers and their SOCs more effective. To that end, MSSPs add new technology to their security offering stack in the hope that prospective customers will see the addition as an opportunity to outsource some, or all, of their security monitoring. There is some validity to that strategy; unfortunately, the new technology often fails to deliver its stated benefits, leading to higher customer churn. So while keeping your technology and security team abreast of the latest and greatest security technology is essential, sometimes you must look at what is already in your security stack.
The one technology I am referring to specifically is your SIEM. Depending on who you talk to, we are currently in the third or fourth generation of SIEM technology; however, when I talk to practitioners, their frustration level with their SIEM is at Defcon.
MSSPs continue to use a SIEM that is not delivering what they need because of the time and resources required to rip and replace it with something that will probably leave them with similar disappointment.
Let me talk about three ways this old SIEM (or even not-so-old SIEM) is causing more harm than you think.
SIEMs are Lazy
There, I said it, but we all know that SIEMs, up until recently, didn’t work smarter; they made you work harder. While they did allow you to collect all kinds of logs and correlate alerts from different security controls, the result you got was only as good as your most ingenious security analyst. If they were a security ninja with a vast understanding of the threat landscape who knew how to write intelligent correlation rules, you were probably loving your SIEM.
If your team is like most, where other companies try to lure your best players away, you’d see a dramatic shift in your SIEM’s effectiveness if they did leave. Yes, NG-SIEM providers are trying to address this issue by delivering more out-of-the-box content (the jury is still out on its effectiveness). Nevertheless, just like that package of Oreos your kids open and forget to close correctly, that content quickly becomes stale, leaving you with the task of creating new rules or scouring communities for content you can import. Bottom line: SIEMs, even NG-SIEMs, leave the heavy lifting to your team, hampering your ability to add the number of customers your team could handle without this burden.
SIEMs are Data Hogs
Cybersecurity today is a data problem, scratch that, it’s a BIG BIG data problem. With so many products in use daily, the volume of logs a typical mid-size company generates is ridiculous. While specific industries require complete log collection and review to comply with this or that regulation, many customers that might look at an MSSP are not trying to solve a compliance problem. Instead, many are looking to do a better job of identifying and mitigating threats before they can harm their business. SIEMs’ inherent, built-in bias toward complete data collection means that a security team looking to identify threats will wade through oceans of irrelevant log data in the hope of uncovering a danger. It’s not an impossible task, since you are probably doing this today, but imagine you were a 49er panning for gold in the 1840s. Instead of using a pan to sift through small amounts of silt for gold, you decide to use a giant bucket in the hope of eyeing that valuable mineral. Which do you think would take longer? Of course, I know this isn’t an apples-to-apples comparison, and our advanced computing capabilities can speed up the process. However, saving a few minutes a day adds up, especially across a SOC with ten, twenty, or fifty security analysts. Bottom line – SIEMs are great at solving pure compliance use cases since they collect all log data, but for security use cases, which is what you are typically selling, you need tech that understands the difference between relevant security logs and irrelevant ones, and only collects what it needs.
SIEMs don’t like Everyone
When I was running product marketing for another vendor (who shall remain nameless), one of the most common questions was, “Do you support XYZ product?” or “Can I bring in data from ABC product?” Savvy security buyers who have been around the vendor circus once or twice understand how security vendors will downplay the lack of pre-built integrations with your products. They will say things like, “I can get that for you, no problem,” or “I’m sure it’s on the way; let me get back to you,” while in reality they will have to go back to their integration team and beg and plead for a new integration, especially if they need to close your deal to hit their number for the quarter. Then someone on the integration team whips up a one-off script that shows data flowing from your product into the SIEM backend, hoping no one takes a fine-tooth comb to what was delivered. Again, if you have been around for a minute, I am sure this sounds familiar.
The sad reality is that most SIEMs are challenging to integrate with, given the underlying complexity of their data models. You might be able to write your own integrations, and if that is the case, great, but what happens when the SIEM vendor rolls out a new version and breaks your integration? It’s back to the drawing board. Bottom line – out-of-the-box integrations that work are what you should expect from your SIEM vendor. If that isn’t what you are getting today, your customer onboarding time will suffer, and, in the worst case, you will lose out on business while waiting for your SIEM vendor to deliver an integration that you hope works.
We have helped many MSSPs see the benefits of ripping out their old or not-so-old SIEM and replacing it with our Stellar Cyber Open XDR Platform. With our platform, you get. Want to learn more? Contact Steve Salinas ([email protected]).