SIEM, EDR or MDR – What is the Right Solution for You?
Our suggestion is to approach the topic from a risk management perspective. How valuable are your company’s crown jewels? Are you operating in a highly regulated industry? What have you got to lose in case a breach happens? How costly will it be to remediate?
Answering these questions will help you figure out, if you should be investing in your own resources and technology, or is outsourcing to a managed service provider the best solution for you.
Let’s take a look at the different options.
Operating a SIEM Solution Requires Skilled Personnel
Implementing tools such as security information and event management (SIEM) and forensic software can be costly and time-consuming. It usually takes 1-2 years to implement an SIEM solution and it’s not rare that the deployments run over budget and schedule. And it’s definitely not only a decision to acquire technology, but also to invest in your team.
The only way to get valid or actionable data from an in-house solution such as an SIEM system is by having experts on staff. However, the main challenge of building up breach detection and response capabilities is trying to hire and retain cyber security talent. Frost & Sullivan predicts a shortfall of 1,8 million cyber security professionals by 2022. So, the resources are scarce, and scarce resources are costly.
The fact that cyber attacks do not only happen during business hours will add to the cost. If you are a high-profile target, you will need people working in shifts around the clock in your security operations center (SOC).
Balancing the Cost and Availability with an EDR Solution
Implementing an endpoint detection and response (EDR) solution is a quick way to set up capabilities to detect and respond to advanced threats and targeted attacks, which might bypass traditional endpoint solutions.
EDR provides visibility and intelligence, but companies may face the same challenges as described above with SIEM. You’ll need qualified staff to filter out the false positives, find actionable data and respond to the discovered threats. And again, finding and retaining cyber security talent is an issue, which will only become more pressing in the coming years.
The most advanced EDR solutions can automate the monitoring to cover the needs 24/7. That means your IT team can operate during business hours to review the detections, and automation takes care of the rest. Furthermore, the solutions can guide you to isolate and remediate the threats quickly.
It is important to understand the difference between endpoint protection platforms (EPP) and endpoint detection and response (EDR) solutions. EPP runs with minimal supervision, while EDR detects threats that require attention. Someone will always need to review the detections.
To make it easier for resource-constrained IT teams, monitoring of the detections can be outsourced to a managed EDR service provider.
High Availability at Lower Cost with a Managed Detection and Response (MDR) Service
Another option with 24/7/365 availability at a much lower cost than having your own cyber security specialists is a managed detection and response (MDR) service.
Let’s take a look at an example to demonstrate the huge amount of data that cyber security experts have to deal with. Our sensors collected around 2 billion events from a customer installation over a period of one month. The systems filtered that number down to 900,000 suspicious events. Only 15 out of those were confirmed to be real threats.
In comparison, with an in-house SIEM solution, your own staff or outsourced resources would have to comb through those 900,000 suspicious events to screen out the noise and false positives to finally discover the real threats. Laborious jobs like that can cause fatigue in even the most diligent analysts, not to mention the need for the 24/7 availability of such a team.
From the example above, the following presentation elaborates on one of the biggest reasons why your organization should consider a managed security service instead of an in-house SIEM deployment for breach detection and response: cost, cost, cost!
Building in-house breach detection and response capabilities is difficult. When chosen right, a managed detection and response (MDR) service provider actually becomes your cyber security partner: its capabilities become an extension of your own.
That’s why we recommend you to consider a managed detection and response service over the DIY approach.
How to Make the Decision on Your Security Investment?
The options presented above are not mutually exclusive. We have experience with several customers, who are using a combination of SIEM, MDR and SOC. The MDR is used for detection as well as to guide the SOC team to respond to threats. MDR or EDR solutions can augment the internal SOC team, for example with extended availability.
A proper risk analysis helps determine your cyber security investment level. An overview of the risks related to your business enables educated decisions on their mitigation. Tools such as F-Secure’s Cyber Breach Impact Quantification service help accurately quantify the value of security and risk management. When you know exactly, what a breach could cost your organization, it is easy to justify investments.
Want to know more? Read our Guide to Detection and Response
Categories