The True Cost: Managed vs Co-Managed SIEM

10/4/19 8:30 AM  |  by RedLegg Blog

If you’re hiring a provider to help with your company’s SIEM, you can normally choose from two options: co-managed and managed SIEM. While both solutions have their pros and cons, there’s a strong internal debate in the security community on which option is the best choice.

Security Information and Event Management (SIEM) has proved itself an essential security solution for enterprises. As SIEM software provides companies with real-time analysis of security alerts, SIEM makes IT teams more proactive in their fight against security threats.

So, in this article, we’ll introduce both SIEM options to you and help your company decide which may be best for your current needs.

Why Organizations Need SIEM Services

But before that, let’s review a few cases or reasons why organizations may seek help with SIEM.

In our first case, a firm has a large IT environment that is managed by a small staff. Because of this environment, team members spend more time putting out fires than completing projects. As the team doesn’t have sufficient resources, its members often ask other employees for help. They will also operate in reactive mode instead of being proactive, which can be a serious disadvantage when mitigating threats.

The firm may also want to focus its staff efforts on innovation instead of routine tasks. The consequence of this strategy includes long or forever-lasting projects as maintenance and routine tasks can tie up engineering hours.

When there’s a lack of visibility in an organization’s IT environment, SIEM can help. In this case, the team can collect only a limited number of central logs, or none at all. Due to the lack of visibility, IT members can easily get blindsided by security or operational issues, with no predictability for system upgrades or expansion.

What Is Managed SIEM?

As its name suggests, managed (also called multi-tenant or SaaS) SIEM is completely handled and operated by a Managed Security Service Provider (MSSP). Of the two options, managed SIEM is the more convenient service, as the information security provider’s team deploys and monitors your SIEM. SaaS SIEM therefore eliminates the need to train your own personnel, and onboarding becomes quicker.

When companies choose managed SIEM, the MSSP will most likely offer a Security Operations Center as a Service (SOCaaS) subscription. Along with its SIEM, SOCaaS lets organizations outsource their SOC to MSSPs too.

You can use managed SIEM, or you can tell the MSSP to service and monitor it on the cloud. If you choose the first option, your IT team has to run and maintain your SIEM. On the other hand, choosing the cloud option eliminates the need for physical infrastructures, such as servers or storage systems.

Firms in less technical industries and companies that have less time to devote to security practices are likely to outsource their SIEM. Businesses with managed SIEM often operate in franchise-type business verticals. In such cases, the organizations have to comply with different requirements at distributed sites, with the technical work being done centrally within the company. These firms often pair SaaS SIEM with other fully managed services like Unified Threat Management (UTM).

What is Co-Managed SIEM?

Co-managed SIEM is a balance between self-managed and a SIEM operated by an MSSP. With this option, organizations have their own on-premises SIEM while a cybersecurity service provider’s team of experts actively helps in the management and monitoring of the customer SIEM environment. The service provider’s team collaborates with the company’s internal IT team, providing expert advice and information on major security incidents. Therefore, you have more control over your organization’s cybersecurity while the third-party operator reduces your team’s workload.

Companies like to choose co-managed SIEM when they have a decent in-house IT staff, but they lack the bandwidth to monitor alerts constantly. Such organizations often use the co-managed solution to cut operational costs while they are smaller but look to move many of the functions in-house as they mature. Co-managed SIEM is also known to be a positive step toward building an SOC within your own IT team.

Co-Managed vs. Managed SIEM

Now let’s compare the two SIEM solutions starting with the similarities. Both managed and co-managed SIEM will…

  • Optimize the value of your employees
  • Allow you to focus more on operations and company objectives
  • Allow for more innovation
  • Increase your costs but will ultimately be cheaper than a full in-house team
  • Help in building your Security Operations Center (SOC)
  • Improve the speed of incident response and investigation
  • Help you in managing your risks proactively
  • Help in monitoring advanced threats and intel
  • Provide continuous 24/7 protection for your company every day

The Benefits of Co-Managed SIEM

Builds your engineers’ skills and expertise. Instead of “eliminating” your IT team, the co-managed service provider’s team works with your engineers to build their skills and expertise. This can come in handy if you have plans to turn to self-managed SIEM after a time but your team doesn’t have the necessary skills.

Customization. Co-managed SIEM allows for more customization. Therefore, the service provider’s team will work with you to create custom weekly reports on the data you need. You can also ask the firm to run their own ad hoc reports and investigations at any time.

Custom tuning and rules. This option also allows custom tuning and rules that apply to the customer’s environment, a useful feature as better custom tuning provides more accurate identification of threats and incidents. And you don’t lose this perk even if you switch to a full in-house IT team later on.

Works with you. A co-managed SIEM service provider works with the customer. As the client is a critical part of the escalation chain for incident management, the co-manager cannot afford to keep the organization in the dark.

Quicker problem resolution. The service provider’s team of experts can intervene and resolve operational issues on systems they have access to. This allows for a quick and efficient problem resolution.

If you think increasing the efficiency of your cybersecurity comes with more workload for your employees, then you are wrong. Co-managed engineers will even take over and handle support issues with manufacturers, which can save your staff from being stuck on several multi-hour long support calls. As your IT team doesn’t need to interact with the manufacturer in such cases, they will have more time to work on productive projects.

More flexibility. Compared to managed, co-managed SIEM gives you more flexibility, as your company can contact the co-manager’s security experts any time (even with special requests). It also gives you more control, since your cybersecurity remains in the hands of your IT team.

Onboarding. While some parts of co-managed SIEM onboarding are quick, others can take some time. Building management access and evaluating a company’s needs generally takes the same amount of time as with a managed solution. However, the customization that comes with co-managed SIEM can lengthen the onboarding process. 

As managed solutions use only basic, out-of-the-box rules, it will be much quicker to build up the SIEM system in a managed environment. But there is a trade-off: whether the time-efficiency of managed SIEM will be worth it for your company to lose the flexibility and the control co-managed solutions offer. You should always remember that proper security is neither quick nor convenient.

The Benefits of Managed SIEM

As mentioned before, managed SIEM is more convenient and time-efficient than its co-managed sibling. You don’t have to train your IT team as all your SIEM operations are outsourced to the MSS provider. Also, as this solution takes every SIEM-related task out of your company’s hands, some of your employees can be replaced or re-focused on other operations.

However, managed SIEM often provides you canned “one size fits all” reports that might contain insufficient information for your organization. You need access to new, useful information on your firm’s security, not data that you already know.

As outsourced MSS providers do not work actively with your IT team, they are looking at the network through a keyhole. Therefore, decisions on the severity of network issues are often based on limited knowledge. And this is only one among the many consequences of the managed SIEM operator working for you, but not with you.

Your SIEM tuning stays with the MSSP, leaving you with absolutely no information about, or access to, those customization perks when you switch providers.


We should admit that RedLegg is biased, as we offer our clients co-managed SIEM services. But we truly think co-managed is the better option for many teams looking to build their SOC and to continue building their own in-house team.

While we believe co-managed SIEM is better overall, there are some instances when managed would be a better option for your company. Therefore, you should know the current lifecycle of your business, where it is and where it is heading, and choose the solution you think is the best for your company in its current situation.

Your SIEM, Your Team, Our Flexibility

Already decided to go with co-managed SIEM? Great. Then you’ll get these unique benefits:

  • Take advantage of the service provider’s expertise to improve your team’s skills
  • Custom weekly reports and ad hoc investigations any time, whenever you need them
  • The service provider will work with you, not for you
  • Quick problem resolution
  • Frees up resources for your IT team as the co-manager handles manufacturer issues
  • Custom tuning and rules for more accurate threat and incident identification
  • More flexibility and control

Remember the following when utilizing a co-managed SIEM solution: you control the situation, not the security provider.
