The Top 5 Legacy SIEM Failures for MSSPs

After 25 years of working for and with service providers, I have seen many successes and some fairly significant failures in delivering services. While this list focuses on the failures of legacy SIEMs in the world of MSSPs, don’t fret. As Henry Ford once said, “Failure is simply the opportunity to begin again, this time more intelligently.” The future for MSSPs, MDRs, and SOCaaS vendors is the Modern SIEM.

Author: Jared Hufferd, director of security partner sales, Sumo Logic.

#1 Single point of failure creates reputation failure

As the service provider market matured and the journey toward five 9s progressed, significant progress was made in the technology supporting the much-coveted SLAs that customers use to hold their SP vendors accountable. However, legacy SIEMs have been limited, in both technology and cost, in delivering the high availability needed to avoid single points of failure. True high availability requires, from south to north, redundant synchronized data lakes, redundant application servers, and meshed networks with redundant switches and firewalls and dual-homed internet connections. All of this redundancy comes at a 2X+ cost. So, most mid-size and small service providers tend to cut corners and accept the risk of an outage. Outages mean not meeting your SLA. Outages mean your customers may be out of compliance. Outages mean notifying your customers of lost data. Outages mean reputation failure.

#2 Upgrades can downgrade services

We all know the advantages of platform upgrades: new features, better security, and bug fixes. However, we have also all experienced the downside when a smartphone or laptop upgrade leaves the device no longer working properly. That inconvenience is mild compared to access to hundreds of customer data points becoming unavailable, or even worse, that data being lost completely, when your upgrade goes wrong.

#3 Limiting customers limits success

Many service providers limit their customers when they limit their services. Making the step from managed firewall to Managed Detection & Response (MDR) opens the gates to more revenue. Opening the gates to additional revenue from other siloed divisions within their customers’ businesses, however, can exponentially increase revenue and create greater customer stickiness. Legacy SIEMs do not address the modern needs of Development and Operations organizations. DevSecOps is the modern approach, and those that are not addressing it are doomed to fail.

#4 Missing sources equals missing detections

We have all heard the expression “Garbage In, Garbage Out”, GIGO. Its counterpart applies as well: “Value In, Value Out”, VIVO! When data fed into the SIEM is limited to traditional security sources like firewalls, IDS, or simple AD logs, the value of the findings is also limited and therefore fails to provide the whole picture. Value comes from seeing the entire attack surface, e.g. EC2 instances, Kubernetes/Docker, O365/other SaaS, and on-prem switches/routers/servers/apps.

#5 Confidentiality only is not full security

In the security world, “CIA” has nothing to do with a certain US intelligence agency. These three letters stand for Confidentiality, Integrity, and Availability, otherwise known as the CIA Triad. While many MSSPs spend most of their effort on confidentiality and somewhat less on integrity, assuring the availability of a customer’s operational data has not been a focus for MSSPs. Failing to address customers’ availability monitoring needs provides only a partial solution.

Availability is the third leg of the security stool. Monitoring, alerting on, and diagnosing availability issues in operational data not only completes the CIA Triad but differentiates your services from the competition. Whether the cause is DDoS, internal threats, or misconfigurations, your customers want to know about it and how it correlates to the entire security threat landscape.

Born in the cloud, modern SIEMs overcome the failures of the legacy approaches. Today’s cloud-native SIEMs have the resiliency of a micro-systems architecture and the availability of the world’s largest cloud providers. Because Agile methodologies are applied on micro-systems architectures, upgrades to cloud-native SIEMs can be accomplished with zero downtime. And expanding Total Addressable Market (TAM) by cutting across your customers' silos is easy when you have one unlimited platform that can take in ALL Development and Operations data, providing cross-department visibility and completing the CIA Triad.

For a guide on how to build a practice around a Modern SaaS SIEM, please visit:

Jared Hufferd is director of security partner sales at Sumo Logic.