Modernize in 2021: 5 Critical Features for a Modern Managed SIEM Service

SIEM is the cornerstone of any MSS portfolio. SIEM provides many of the controls required for security compliance, the ability to alert on indicators of compromise, and a data repository for forensic investigation. Selecting which solutions to support, either as part of a technology stack or in a “walk in, take over” format, has implications for not only the efficacy of the service, but also its commercial viability.

Author: Roger Shepard, head of global security partner sales and OEM, Sumo Logic

Evaluating a SIEM for a single environment rather than as the basis of a managed service is like choosing a car for personal use versus providing rideshare services. Personally, you may prefer a big engine coupe with a convertible top, but your customers will not be happy when you show up at the airport. The best choice would be a sedan that can accommodate riders comfortably while keeping fuel costs as low as possible. Similarly, there are several considerations that are unique to managed services. These 5 attributes are critical for any MSP or MSSP to consider as they think about delivering value to their customers faster and more cost effectively.

1. Low Total Cost of Ownership (TCO)

Understanding the total cost to implement and maintain any platform is critical to long-term success in an MSS offering. If this cost is underestimated, profitability is sacrificed. If the cost is too high, then it is impossible to pass on a competitive price to the customer. Initial startup costs for a SIEM service usually require a significant capital investment up front, with the assumption that eventually the economy of scale will generate increased profits as customers are onboarded. The downside is that as more customer data is consumed and analyzed, performance begins to degrade. This necessitates further investment in compute and storage. Leveraging SSDs or other high-end hardware can improve performance, but it also adds to the cost.

Another consideration when evaluating the total cost of ownership of a SIEM solution is continuity and disaster recovery. Most enterprise organizations want assurance that their data is secure, is continuously available, and is protected in case of disaster. This requires having redundant instances of the data or ideally the entire infrastructure. Best practices dictate this be located far enough from the primary datacenter that a natural disaster impacting one will not impact the other.

An alternative to bearing these costs is SaaS. Leveraging a SaaS SIEM eliminates the “rest of the iceberg” costs associated with managing a SIEM, shortens the time to market, and provides immediate access to cost efficiencies.

2. Fast Time to Value

The time, cost, and complexity involved in setting up most SIEMs prevent service providers from demonstrating efficacy during the sales process. Furthermore, it can take weeks, or more often months, to successfully deploy that SIEM service once a contract is signed. This delay and the associated work require either an up-front enablement fee or additional services costs that are amortized over the contract.

The holy grail in security services is a solution that deploys quickly and shows value right away. Some vendors try to accomplish this by setting up POCs under tightly controlled conditions with scripted scenarios. Others just use demo environments that may or may not represent the actual experience once deployed.

This is another area where SaaS can provide tremendous value. The right service can dramatically reduce the time needed to set up a new customer instance and visualize customer data almost immediately. This is key to showing the customer, in real time and with live data, what value the service brings. The ability to show immediate value is a major differentiator among MSSPs and results in a much higher close rate than presentations and virtual demonstrations.

3. Scalable, Cloud-Native Architecture

Modern applications, distributed environments, and dramatically higher data volumes require a scalable, elastic, and resilient architecture that is cost prohibitive to all but the largest providers. A cloud-native solution, not just a legacy solution that has been ported to a cloud environment, gives service providers the flexibility and performance needed to meet the demands of modern IT and compete at the highest levels.

Recently, an MSSP hosting a legacy SIEM for a Fortune 500 enterprise experienced issues that illustrate this point. As the customer’s demand for data ingest and visibility increased, the performance of the solution began to degrade. In this case, the customer wanted access to their log data for their own operational and investigative use cases. As data sources were added and additional users began querying that data, performance across the organization plummeted and impeded SOC detection and investigations for all customers since they shared the same platform. The MSSP was forced to invest in additional infrastructure to maintain performance. This stop-gap solution worked for a few months, but inevitably, as the demand grew, performance continued to degrade. Ultimately, the customer fired the MSSP in favor of implementing their own SIEM.

A cloud-native architecture such as Sumo Logic provides effectively limitless scalability, with no discernible degradation in performance regardless of how much data is ingested or how many concurrent users are leveraging that data. You can ingest and analyze any amount of data with machine learning capabilities and are not limited by the number of users on the system. Additionally, modern IT requires compatibility with new technologies that most legacy SIEMs cannot support, such as microservices, containers, and Kubernetes. Analysts expect over 85% of organizations to adopt some form of cloud-based SaaS solution by 2020. The next generation of MSSPs must use a next-generation cloud SIEM to be competitive in a saturated market.

4. Flexibility

There is no “one size fits all” when it comes to SIEM. The customer environment, data sources, industry, and size all play a part in finding the right solution. The more flexible a solution is when it comes to what data types are supported, where they are coming from, and how the data is processed, the broader the target market available.

Most organizations today do not fit the legacy architecture model of servers and workstations at a brick-and-mortar location protected by a firewall. They have distributed offices and employees, local and cloud applications, and no obvious perimeter. A modern SIEM therefore must be able to support a wide variety of sources regardless of where they originate. Further, a service provider must be able to customize how the data is processed and create custom views and alerts. Out-of-the-box rules may be adequate for smaller organizations, but as a service provider, it is often necessary to create custom alerts and correlations for threats or use cases that are unique to an environment. This flexibility is crucial to providing services that are differentiated and customizable.

5. Credibility

The easiest way to establish the credibility of a service is to leverage proven technologies. This can be established through analysts’ reports, but these are increasingly behind in evaluating the latest solutions. In reviewing solutions, it is important to understand a) what the vendor’s customer track record is and b) whether the solution follows best security practices in a demonstrable way.

With over 1200 different vendors, there are endless solutions that promise to be the best, most effective tool to detect or prevent cyberattacks. Given the large number of options and the consistent churn of vendors who enter the market, fail to live up to their claims, and disappear, it is crucial that a service provider look past the hype and validate that their chosen solution has a solid, referenceable customer base. Logos alone do not guarantee a solution is viable, but they are certainly an indication of adoption and credibility. Many customers will not want to use technologies that do not have an established customer base or are not recognized in the industry, regardless of how well the service provider has done positioning their service. By leveraging an established solution, the service provider can focus on the added value of services and not have to overcome uncertainty with the technology.

Compliance is a major driver among customers who purchase SIEM services, so MSSPs are often required to provide compliance attestations for their solution. If hosting a solution, the service provider should consider all the associated controls in their environment required to demonstrate compliance with the most common standards (PCI, NIST, HIPAA, etc.).

If selecting a SaaS SIEM, the vendor should be able to provide third-party attestations, at a minimum for SOC 2 Type 2 and PCI, and ideally for ISO 27001 and FedRAMP.

Choosing the right platform to provide managed services is crucial to providing demonstrable value to customers while maintaining a sustainable margin. Sumo Logic has developed a practice builder program to help providers develop services based upon our continuous intelligence platform. This involves understanding the provider’s competencies, customer base, and strategy and building a tailored plan that includes training, sales enablement, and joint marketing to launch the service. By partnering with Sumo Logic you can help launch and grow your security practice in a more efficient and profitable manner.


Roger Shepard is head of global security partner sales and OEM at Sumo Logic.