SOC-as-a-Service, MDR, and Managed SIEM. What’s the Difference?

As if protecting ordinary businesses from cybersecurity incidents ranging from unauthorized logins and denial-of-service (DoS) attacks to ransomware and phishing wasn’t complicated enough, the cybersecurity solution landscape is highly fragmented with a myriad of gaps and overlaps – making it a daunting task to piecemeal a proper managed security portfolio to protect yourself and your customers.

This fragmented marketplace is the natural result of both A) the hard truth that cybersecurity is indeed complex and multi-layer security is a necessity and B) human nature to find a “silver bullet” technology that will make the problem go away.

In the spirit of converging the various cybersecurity technologies and services into more holistic and effective solutions, some new concepts have evolved that are easily conflated. Let’s break these concepts down so as you shape your managed security portfolio, you can better understand the nuances and be sure you are getting what you expect.

First, it’s important to understand what any of these concepts should be aiming to accomplish. There are two similar cybersecurity frameworks Netsurion likes to offer as a guide. First, the NIST Cybersecurity Framework which centers on five controls – Identify, Protect, Detect, Respond, Recover. A similar model is what Netsurion solutions focus on – Predict, Prevent, Detect, Respond (PPDR). Ultimately, the following solution concepts should aid you in rounding out your ability to meet the five controls in the NIST Cybersecurity Framework or the four PPDR capabilities.

There are three core functions that in various ways, are leveraged to deliver these “converged” managed security solutions.

  1. SIEM: Security Information and Event Management (video) is the backbone of the cybersecurity stack in that it collects, aggregates, and analyzes event data from all of the disparate systems within the network.
  2. EDR: Endpoint Detection and Response are designed specifically to continuously monitor and respond to advanced threats directly at the endpoint (workstation, server, etc.) level.
  3. SOC: Security Operations Centers are teams, likely in a specific physical location, of security analysts, threat intelligence experts, and SIEM and EDR administrators providing 24/7 monitoring and working in conjunction following a particular cybersecurity runbook and incident response playbook.

With that in mind, let’s now untangle these commonly conflated solutions so you can better understand what you are getting with each as you build out your managed security services.

  • SIEM-as-a-Service (SIEMaaS): Also called “cloud SIEM”, is basically Software-as-a-Service licensed on a monthly basis and hosted, maintained, tuned, and patched to work optimally so that you don’t have to worry about the infrastructure, log storage, or system administration. But you still have the responsibility to drive it to get value out of it.
  • SOC-as-a-Service (SOCaaS): In this case, you receive the SOC “function” as a service. Not just the software, but also the people, the processes, and the SIEM platform/tool necessary to perform the network and endpoint threat monitoring, detection, and response for your organization.
  • Co-Managed SIEM/SOC: This is a version of SOC-as-a-Service in which you play a more active role in the shared responsibility of determining and carrying out the security operations strategy. A cybersecurity runbook with an incident response (IR) playbook typically outlines the shared responsibility tailored to your organization.
  • Managed Detection and Response (MDR): This is a managed threat detection, response, and remediation service that is a good fit for organizations who either must, or prefer to outsource the hands-on remediation tasks necessary to fully respond to and recover from a cybersecurity incident. MDR services are typically very focused on threat detection and may or may not have SIEM capabilities like log collection and retention that are necessary to fulfill regulatory compliance requirements.

For MSPs aiming to round out a mature managed security practice while maintaining the customer relationship and hands-on remediation services that result from threat detection and response solutions, SOC-as-a-Service or the more robust and flexible Co-Managed SIEM/SOC typically fit best.

Mystified by other cybersecurity buzzwords like Artificial Intelligence, Machine Learning, and UEBA? Read our 3-Minute Breakdown of Cybersecurity’s Biggest Buzzwords.

Blog courtesy of Netsurion, which offers the EventTracker security platform. Read more Netsurion guest blogs here.