Co-managed SIEM — and the overlapping offerings of managed SIEM and SIEM-as-a-service — have become a popular managed security service, delivered by specialized providers, MSSPs, and even some of the “big four” firms.
The model can work in a few ways. One is where the service provider has their own SIEM, which they connect to the client’s tools to ingest logs. The service provider then maintains and operates the SIEM, on behalf of or in collaboration with the client’s team. Another option is for a client that has a SIEM to contract the service provider to share the responsibilities of managing and monitoring the SIEM.
In either case, the service provider might also help tune the SIEM, develop detection rules, and perform a level of threat analysis whose results are then passed to the client for action. A co-managed SIEM is a practical way for organizations to maintain 24/7 SOC coverage when they lack the internal resources to staff it themselves.
For MSSPs who want to add SIEM management to their services, and for co-managed SIEM providers who want to improve their offerings and stand out, security orchestration, automation, and response (SOAR) can be the missing component they need.
Co-Managed SIEM Services Have Unique Challenges
The challenges that SOAR helps co-managed SIEM providers solve relate to integrating with security tools for data ingestion and orchestration. One industry analyst we spoke to said that he often sees co-managed SIEM sales proposals that limit the client to 10 data sources, even though a SIEM can ingest from hundreds of sources. This suggests that service providers struggle to cover their clients’ entire environments without additional resources. For service providers that have dozens, or even hundreds, of clients, the benefits of being able to easily onboard and integrate with data sources will quickly multiply.
Orchestrating actions is even more of a challenge. The extent may vary depending on the business model, but a co-managed SIEM provider will need some ability to push actions to a client’s stack. This might be as simple as querying an endpoint protection tool for additional data, or as involved as executing an incident response playbook across the environment.
Solving Problems with Orchestration
Some co-managed SIEM providers have a proprietary XDR (eXtended detection and response) platform that addresses some of the challenges we’ve discussed by sorting ingested data into an enriched queue and triggering response actions. However, building such a platform is not feasible for most providers.
Because SOAR is designed to easily integrate with the widest range of tools, the addition of SOAR can make it easier to onboard new data sources, ingest more types of data, and monitor clients’ entire environments. SOAR also enables orchestration across other tools without additional development of features or integrations.
Using SOAR can remove the limit on data sources, including other SIEMs. Currently, many co-managed SIEM providers focus on a single SIEM product. SOAR makes it much easier to switch between SIEM vendors, so providers don’t have to lose out on customers who prefer a different SIEM.
Ultimately, co-managed SIEM vendors that use SOAR stand out with a more complete offering, gain access to more of the market, and improve their own efficiency.
About D3 Smart SOAR for MSSPs
D3 Security supports MSSPs around the world and enables high-value services with its Smart SOAR platform. D3 Security supports full multi-tenancy, so you can keep client sites, data, and playbooks completely segregated. Importantly, D3 is vendor-agnostic and independent, so no matter what tools your clients use, its unlimited integrations will meet their needs.
D3’s Event Pipeline can automate the alert-handling capacity of dozens of analysts, while reducing alert volume by 90% or more. Watch this case study video with Trifork Security to see how a successful MSSP uses Smart SOAR.