Managed Security

SIEM vs MSSP vs MDR vs SOCaaS

Understanding Managed Security Services

Managed security services come in a wide range of potential offerings. The available services can vary greatly from provider to provider, even if they are advertised as the same thing. Understanding what to expect from each type of service is essential to selecting a provider and a service that meets your organization’s needs.

The Types of Managed Security Services

When selecting a managed security provider, you may come across a wide variety of terms, including security information and event management (SIEM), managed security services provider (MSSP), Managed Detection and Response (MDR), and SOC-as-a-Service. Each of these terms can mean different things within the managed security field.

Security Information and Event Management (SIEM)

A SIEM managed service is designed to provide analysis of security alerts for a security team. This typically involves collecting data from multiple sources (e.g. the security devices deployed on your network) and correlating that data for human analysts. A SIEM system can be invaluable for incident detection and response, since correlating alerts across sources helps to differentiate false positives from real alerts.
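To make the correlation step concrete, here is an added example (not code from the original page) of the simplest form of multi-source correlation a SIEM performs: events from constructed firewall, EDR and proxy feeds are grouped per host, and an alert is escalated only when at least two distinct sources report on the same host inside a short time window, while single-source noise is suppressed. The source names, hosts, signals and window size are all assumptions for illustration.

```python
"""Minimal multi-source alert correlation of the kind a SIEM performs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real system): timestamp, source, host, signal.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:05", "firewall", "ws-17", "outbound_to_blocklisted_ip"),
    ("2024-05-01T10:00:40", "edr", "ws-17", "suspicious_process_tree"),
    ("2024-05-01T10:01:10", "proxy", "ws-17", "dns_to_newly_registered_domain"),
    ("2024-05-01T10:03:00", "firewall", "ws-42", "outbound_to_blocklisted_ip"),
    ("2024-05-01T10:07:30", "firewall", "ws-42", "outbound_to_blocklisted_ip"),
    ("2024-05-01T11:30:00", "edr", "ws-42", "suspicious_process_tree"),
]


def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Escalate a host only when >= min_sources distinct sources report on it
    within `window`; every other host with events is reported as suppressed.

    Returns {"escalated": {host: details}, "suppressed": [host, ...]}.
    """
    by_host = defaultdict(list)
    for ts, source, host, signal in sorted(events):  # ISO timestamps sort correctly
        by_host[host].append((datetime.fromisoformat(ts), source, signal))

    escalated, suppressed = {}, []
    for host, evs in by_host.items():
        hit = None
        # Slide a window starting at each event and look for source diversity.
        for i, (t0, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            sources = sorted({e[1] for e in in_window})
            if len(sources) >= min_sources:
                hit = {
                    "window_start": t0.isoformat(),
                    "sources": sources,
                    "signals": sorted({e[2] for e in in_window}),
                }
                break  # one correlated alert per host is enough here
        if hit:
            escalated[host] = hit
        else:
            suppressed.append(host)
    return {"escalated": escalated, "suppressed": sorted(suppressed)}


if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS)["escalated"].items():
        print(f"ESCALATE {host}: {alert['sources']} -> {alert['signals']}")
```

With the sample data, ws-17 is escalated because three sources agree within a minute, while ws-42 is suppressed: its firewall hits come from a single source and the EDR event arrives over an hour later.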

A Managed SIEM service is primarily focused on operating the SIEM technology. These systems often require tuning and maintenance for their deployment environment, and the Managed SIEM provider performs this work. However, the provider performs no security investigation, providing, at best, a feed of events and alerts for the customer to investigate.

Managed Security Services Provider (MSSP)

Managed Security Services Providers (MSSPs) are the next step up from a Managed SIEM. An MSSP will monitor network security events and send alerts to their customer if any anomaly is detected.

However, an MSSP will perform no investigation into the alerts that they send. This means that an organization will receive false positives as well as actual alerts and will need to investigate and remediate any incidents in-house. The primary purpose of the MSSP is to alert their customer when something unusual is occurring on their network.

MSSPs are the predecessor of Managed Detection and Response. As a result, some MSSPs have begun branding their products using MDR terminology without providing any investigative services, so it is important to investigate a service provider’s capabilities before making a selection.

Managed Detection and Response

Managed Detection and Response (MDR) adds investigative capabilities to a security services provider. An MDR provider will investigate alerts, eliminate false positives, and aid the organization to respond to any identified threats. Some MDR providers include remediation services to help their customers recover from an incident.

Endpoint Detection and Response (EDR) is a subset of MDR focused on monitoring and securing endpoints within an organization’s network. EDR services primarily consist of matching security events against patterns of known malware and quarantining devices as needed. Often, the in-house security staff is responsible for remediation of the endpoints and bringing them back online.

SOC-as-a-Service

SOC-as-a-Service is a term that does not have a well-defined meaning within the industry. In most instances, a SOC-as-a-Service provider acts as a full-function 24/7 Security Operations Center (SOC), providing services similar to those of an MDR provider.

However, this is not always the case. Before taking advantage of a SOC-as-a-Service offering, it is important to ensure that the services provided match your organization’s requirements.

Choosing the Right Security Service Provider

The choice between service providers boils down to an organization’s particular security needs. Some important considerations include:

  • Type of data processed: Organizations processing highly sensitive and regulated data may require the rapid incident response capabilities provided by MDR.
  • In-house capabilities: An organization wishing to scale its in-house SOC may only require an MSSP for alert prioritization, while an organization with no in-house security capabilities may require the incident response offerings of an MDR provider.
  • Regulatory compliance: Different regulations require different levels of security monitoring and reporting, which may dictate the level of service provider an organization needs.

Based on these considerations, it should be possible to determine the type of managed security services provider that your organization requires. The next step is to evaluate potential providers and determine if their services can meet your organization’s unique needs.


Ron Samson
