Will MDR solutions replace SIEM solutions in the future?
Let’s define a few terms before we start:
SIEM: A SIEM is a software solution that collects log records from every endpoint and network device, correlates these logs to identify indicators of compromise, and alerts security analysts when attacks are detected. It provides real-time analysis of security alerts generated by applications and network hardware. All modern SIEMs provide:
- Data aggregation
- Forensic analysis
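To make the definition concrete, here is a toy SIEM pipeline in Python that does the three things described above: aggregates heterogeneous log lines into a common schema, correlates them with a rule (several failed logins followed by a success from the same source and user inside a time window), and raises a single prioritized alert enriched with follow-on activity, which is the kind of context the survey respondents quoted later say they are missing. This is an added example, not code from the original post or from any SIEM product; the `auth` and `fw` log formats and all the log lines are constructed for the illustration.

```python
"""Toy SIEM pipeline: aggregate, normalise, correlate, enrich, alert.

Added illustration, not code from the original post. The log lines below
are constructed, and the 'auth' / 'fw' formats are invented for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample logs from two sources with different record formats.
RAW_LOGS = [
    "2024-03-01T10:00:01Z auth host=web01 user=alice src=203.0.113.5 result=FAIL",
    "2024-03-01T10:00:03Z auth host=web01 user=alice src=203.0.113.5 result=FAIL",
    "2024-03-01T10:00:05Z auth host=web01 user=alice src=203.0.113.5 result=FAIL",
    "2024-03-01T10:00:09Z auth host=web01 user=alice src=203.0.113.5 result=OK",
    "2024-03-01T10:01:00Z fw action=ALLOW src=203.0.113.5 dst=10.0.0.8 dport=445",
    "2024-03-01T10:02:00Z auth host=web02 user=bob src=198.51.100.7 result=FAIL",
    "2024-03-01T10:02:30Z auth host=web02 user=bob src=198.51.100.7 result=OK",
]


@dataclass
class Event:
    ts: datetime
    source: str
    fields: dict


KV = re.compile(r"(\w+)=(\S+)")


def normalise(line: str) -> Event:
    """Data aggregation step: parse one raw line into a common schema."""
    ts_str, source, rest = line.split(" ", 2)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, source, dict(KV.findall(rest)))


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule: >= `threshold` FAILs followed by an OK from the same
    (src, user) within `window` raises one 'brute force then success' alert.
    Returns the alerts as a list of dicts in time order."""
    fails = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.source != "auth":
            continue
        key = (ev.fields["src"], ev.fields["user"])
        # Drop failures that have aged out of the correlation window.
        fails[key] = [t for t in fails[key] if ev.ts - t <= window]
        if ev.fields["result"] == "FAIL":
            fails[key].append(ev.ts)
        elif ev.fields["result"] == "OK" and len(fails[key]) >= threshold:
            alerts.append({"ts": ev.ts, "src": key[0], "user": key[1],
                           "failures": len(fails[key]),
                           "rule": "brute_force_then_success"})
            fails[key].clear()  # one alert per burst, not one per event
    return alerts


def enrich(alerts, events):
    """Context step: attach later firewall activity from the same source so
    the analyst sees what happened after the suspicious login, and rank it."""
    for a in alerts:
        a["followup"] = [
            f"{e.fields['dst']}:{e.fields['dport']}" for e in events
            if e.source == "fw" and e.fields["src"] == a["src"] and e.ts > a["ts"]
        ]
        a["priority"] = "high" if a["followup"] else "medium"
    return alerts


def run(lines=RAW_LOGS):
    """Full pipeline over raw lines; returns the enriched alert list."""
    events = [normalise(line) for line in lines]
    return enrich(correlate(events), events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed input, bob's single failure stays below the threshold and produces nothing, while alice's three failures and subsequent success produce exactly one alert, marked high priority because the same source then reached an internal host on port 445. That collapse of seven raw records into one contextualized alert is the tuning work the post says takes months to get right in a real deployment.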
MDR: Managed detection and response improves threat detection, monitoring, and incident response capabilities via a turnkey approach to detecting threats that have bypassed other controls.
I have seen many mid and large-size customers struggling with SIEM solutions. SIEM is a must-have security tool to get a unified view of cyber threats across your distributed infrastructure. SIEM is as good as a “BMW X6” without a driver: you need highly qualified and experienced security professionals to operate and oversee a SIEM deployment. It can take up to six months to stabilize a SIEM solution and build effective use cases. According to a recent survey, 70% of the respondents claim that SIEM technologies do not provide the most accurate, prioritized, and meaningful alerts. A large number of respondents also complained that they need a better understanding of the context associated with SIEM events, and that SIEM is very “noisy”, generating so many events and alerts that it is difficult to focus on what really matters.
Skilled manpower was one of the major reasons why SIEM deployments for mid-sized customers failed miserably. An MDR platform’s major focus is on threat detection, triage, forensic analysis, and incident response with actionable intelligence.
As per a Gartner report of 2017:
1. By 2020, 15% of organizations will be using services such as MDR, which is an increase from fewer than 1% today.
2. By 2020, 80% of worldwide managed security service providers (MSSPs) will offer MDR-type services.
What are the major characteristics of an MDR platform?
- Detect and respond to events that have bypassed preventive security controls.
- Built on a proprietary technology stack.
- Tools and detection methods differ from provider to provider, using logs, network flows, packet capture, endpoint activity, etc.
- MDRs can also complement SIEM solutions by taking an input feed from them; this varies from provider to provider.
- Provides the customer with targeted information and action-oriented advice when alerting them to a potential security incident.
- Incident validation and response services, which may include one or more actions, such as identifying indicators of compromise (IOCs), sandboxing and reverse engineering malware, and consulting on containment and remediation.
- Offering remediation actions as an additional service.
- Advanced analytics and log analysis with the help of big data platforms.
- Use of machine learning and advanced behaviour analysis.
Who should use MDR services?
Any organization, especially mid-size companies, can use MDR services to implement threat detection and incident response capabilities when they don’t exist or when managed security services haven’t met expectations. It can also be used as a turnkey service where technologies, processes, and expertise are left to the service provider. It can also complement your existing security practice to detect advanced threats that bypass traditional perimeter devices.
MDR is still a new market, and providers are using different approaches and trying to differentiate themselves from the existing MSSP market. In the next few years, most MSSPs will be working to bridge the gap between MSSP and MDR service providers.
A few of the vendors you can consider for MDR services are:
1. Alert Logic
3. K2 Intelligence
I just looked at these to know more about the different types of services offered by MDR platforms. No recommendations. MDR service is still new in the market, and you need to explore the service that is aligned with your organization’s size, security maturity level, specific use cases, and existing threat detection and response capabilities.
So the golden question is:
Are you considering complementing your existing MSS/SIEM solution, or replacing it with MDR?
Please give your comments in the comment box below.