When you’re deciding how to spend your valuable cybersecurity budget, it’s important to understand the options and the differences between them. There is a lot of confusion between MDR (Managed Detection and Response) and SIEM (Security Information and Event Management). Many people wonder what the difference is and whether you can replace your SIEM with an MDR. It becomes even more confusing when a vendor throws in the term MSS (Managed Security Service) — rightly so, as a managed SIEM and an MDR are technically both Managed Security Services.
Here’s what you need to know about SIEM, MDR, MSS providers, and how to tell what you may need.
SIEM stands for Security Information and Event Management. It is a security solution that combines security information management (SIM) and security event management (SEM) into one security management system. SIEM, pronounced “sim,” collects event log data from a range of sources, identifies activity that deviates from the norm with real-time analysis, and takes appropriate action.
SIEM is important because it can help organizations detect threats before they disrupt business. It surfaces user behavior anomalies and uses artificial intelligence to automate many of the manual processes associated with threat detection and incident response.
SIEM can be used for a variety of purposes, including:
MDR is a threat detection and response service that uses an array of tools (sometimes even a SIEM). MDR attempts to find the needle in the haystack, typically using machine learning and behavioral analytics together with human analysts, with the goal of proactively disrupting an attack.
SIEM can be a valuable tool for organizations of all sizes, but it is especially important for large organizations with complex IT infrastructures.
SIEM solutions typically include the following features:
SIEM solutions can be deployed on-premises or in the cloud. On-premises solutions offer more control over the data and the security of the solution, but they can be more expensive to implement and maintain. Cloud-based solutions are less expensive to implement and maintain, but they may offer less control over the data and the security of the solution.
MDR can be a valuable tool for organizations of all sizes, but it is especially important for organizations that lack the resources or expertise to manage their own security operations. MDR can help organizations improve their security posture, reduce the risk of security breaches, and comply with regulations.
MDR services typically include the following features:
In the simplest terms, there are two major differences. First, MDR is a service while SIEM is a technology. Second, a SIEM takes in information and then leaves it to you to decide what to do about it, while MDR takes a proactive approach to stopping threats from the start.
You can think of it this way: a SIEM is spraying a wide area for mosquitoes and hoping to get everything, whereas an MDR is swatting them individually after isolating the ones most likely to bite. An advanced and modern MSSP is trying to know about all of the mosquitoes, report on them all, and swat the ones most likely to bite.
If your organization is subject to regulatory compliance requirements, it’s likely that MDR alone may not measure up to them. This would have to be evaluated case by case to be sure, but most compliance frameworks have not caught up to MDR as a service. Another compliance area that can be an issue for MDR is log availability and retention. Most SIEMs collect and retain all logs, whereas an MDR is trying to pinpoint the meaningful ones.
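To make the log-retention point above concrete, here is a small added example (not code from the original post or from any vendor) of what a SIEM's collect-and-detect loop looks like in miniature. It ingests a constructed batch of SSH authentication log lines, keeps every line (including one it cannot parse, since retention must be complete for compliance), and runs one detection rule: several failed logins for the same user from the same source within a short window, followed by a successful login. The alert is the "needle" an MDR analyst would focus on; the full event store is what a SIEM keeps for audit. The log format, thresholds and window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like); not taken from any real system.
# The "kernel" line is deliberately in a different format to show that
# unparsable events are still retained rather than dropped.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03Z host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:05Z host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:07Z host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:09Z host1 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:05:00Z host2 sshd: Accepted publickey for deploy from 10.0.0.5
2024-03-01T09:06:00Z host1 sshd: Failed password for root from 198.51.100.9
2024-03-01T09:07:00Z host1 kernel: usb 1-1: new high-speed USB device
2024-03-01T09:30:00Z host1 sshd: Failed password for root from 198.51.100.9
2024-03-01T09:31:00Z host1 sshd: Accepted password for root from 198.51.100.9
"""

# Assumed line layout: "<timestamp> <host> sshd: <Failed|Accepted> <method> for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) "
    r"(?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(raw_text):
    """Collect stage: normalize each line into a dict event.

    Every line is retained. Lines that do not match the expected format are
    stored with their raw text and flagged, so nothing is lost from the record.
    """
    events = []
    for line in raw_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            ev["raw"] = line
        else:
            ev = {"raw": line, "unparsed": True}
        events.append(ev)
    return events


def detect_brute_force_success(events, threshold=3, window=timedelta(minutes=5)):
    """Detect stage: flag a successful login preceded by >= threshold failures
    for the same (source, user) within the sliding window.

    Returns a list of alerts, each carrying the supporting raw lines so an
    analyst can triage without going back to the full store.
    """
    recent_failures = defaultdict(list)  # (src, user) -> [failure events]
    alerts = []
    for ev in events:
        if ev.get("unparsed"):
            continue  # non-auth events are retained but not scored by this rule
        key = (ev["src"], ev["user"])
        # Drop failures that have aged out of the window.
        recent = [f for f in recent_failures[key] if ev["ts"] - f["ts"] <= window]
        if ev["outcome"] == "Failed":
            recent.append(ev)
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "src": ev["src"],
                "user": ev["user"],
                "host": ev["host"],
                "failures": len(recent),
                "evidence": [f["raw"] for f in recent] + [ev["raw"]],
            })
            recent = []  # reset so one attack produces one alert
        recent_failures[key] = recent
    return alerts


def summarize(raw_text):
    """Return (lines retained, alerts raised): the SIEM keeps all of the first,
    an MDR concentrates on the second."""
    events = parse_events(raw_text)
    return len(events), detect_brute_force_success(events)


if __name__ == "__main__":
    retained, alerts = summarize(SAMPLE_LOGS)
    print(f"retained {retained} events, raised {len(alerts)} alert(s)")
    for a in alerts:
        print(a["rule"], a["user"], a["src"], "failures:", a["failures"])
```

Running it retains all ten lines but raises a single alert, for `admin` from `203.0.113.7`: four failures in eight seconds and then a success. The two `root` failures are 24 minutes apart, so the second success never reaches the threshold inside the window and stays quiet. That gap between "everything we kept" and "the one thing worth a human's time" is exactly the SIEM-versus-MDR distinction the post describes, and it is also why an MDR that only forwards the alert cannot stand in for the retained event store when an auditor asks for it.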
After considering all the facts, “Can I replace my SIEM with MDR?” is still a difficult question to answer, but the answer is probably not, and you probably shouldn’t.
Ideally, you would use both, but if it comes down to one or the other the managed SIEM will likely give you more bang for your buck. As time goes on it’s highly likely that MSSPs and SIEM tools will incorporate MDR and MDR will start to evolve to include SIEM elements.