The Effort Difference: In-House vs Co-Managed SIEM

9/11/19 7:30 AM  |  by RedLegg Blog


When thinking about the cost of managed SIEM, you are probably also wondering about the difference in effort among your options. Will it take more effort to manage your own SIEM in-house than to build your SOC with a partner?

If fully outsourcing to an MSSP is not an option at this point in your company’s lifecycle, co-managed SIEM could be a viable option for you.

RedLegg’s Manager of MSS Operations hopes to answer a few questions you may have about the effort difference when it comes to co-managed SIEM.

Q: How difficult is the SIEM infrastructure setup in a co-managed SIEM model?

A: Physically, you would need to rack and stack the device, but if we are involved in the deployment, we will be able to make recommendations you may not consider otherwise that could dramatically impact infrastructure decisions. Two heads are better than one, sort of thing.

Q: How does the hiring process change? It’s 24x7, right?

A: When doing it in-house, you’ll hire your team by hand. If you go the co-managed route, you’re hiring one company already built with a trusted team of expert engineers. Both ways, your team is selected by you: the difference is making one hiring decision versus multiple. And whoever is on your team already can be trained and can learn from the co-management team.

I’d also stress that the minimum to run a truly 24x7 crew in-house requires 4-5 people on staff: salary, benefits, equipment, licensing, training, etc. It adds up quickly. Staffing alone is going to run about $250K per year. That’s bare minimum headcount, just keeping the lights on. Everyone is burning out and in a “looking for the exit” type of work environment. With a co-managed model, we do our best to not burn out our engineers.

Q: What about the difference in training the staff?

A: Co-managed takes the guesswork out of training since we develop training paths in-house and focus on what will be truly relevant to analysis. Our team members are not only trained on the SIEM but are trained on other Managed Service products we support and have a much broader knowledge base than an in-house analyst dedicated to one solution might.

With an in-house model, you’ll be training your team on operations as they’re hired. With co-managed, no training is required, just a few meetings to make sure we understand your entire business. This will also help build your existing team members’ knowledge who are still in-house.

Q: Is onboarding easier?

A: I hate saying onboarding takes a few days because that timeline is only in extreme cases, but it is generally much quicker than onboarding in-house simply because the infrastructure, playbooks, analysis methodology, and staffing are already in place.

Q: And what about deployments? Will co-managed save me time and energy?

A: A co-managed deployment is not only quicker, but it takes the prep work out of the equation and allows you to focus on what will make the most immediate impact on your security posture. Rather than thinking about playbooks, methodology, staffing, etc., we provide the framework with our standard rule package that covers the most frequent security gaps we encounter, and this requires much less information from you to stand up and tune. Throughout tuning, we provide feedback on alarm behavior and forming trends to help drive tuning for your best interest, based on our experiences in other client environments as well as current events.

Q: Will routine tasks still eat up engineer hours?

A: With an in-house team, your engineers will be reviewing logs and may have little time for remediation or threat/vulnerability management. Co-managed SIEM takes those routine tasks off your plate, so your team members can focus on the future. We take on the role of being reactive and allow you to focus on being proactive in your security posture. Rather than staffing for monitoring situations that may never arise, you can focus on maintaining other infrastructure or maintaining other labor-intensive security products like User and Entity Behavior Analysis (UEBA), which requires a more intimate knowledge of the company’s inner workings.

Q: What happens with event escalation?

A: Co-managed does all the work for you based on pre-established criteria.

Q: Will it be difficult to complete tuning?

A: This is a process in co-managed SIEM where we’d tune multiple times to get the settings just right. And when you’re done with a co-managed SIEM provider, the rules and tuning stay with you. It’s an investment up front but pays off in the long run as you build your SOC.

Q: What’s the effort involved if I’m looking to gather threat intel?

A: RedLegg’s Analysis Platform is kind of an in-house variant of a SOAR (Security Orchestration, Automation, and Response), but optimized for managing multiple clients. Not all SIEMs are created equal, and SOAR fills some of the gaps. LogRhythm has good built-in automation and integrates nicely with our Analysis Platform to achieve a comparable solution.

Q: When we look to the future, how difficult will it be for my team to innovate?

A: Like we said, you can actually get there with co-managed SIEM. You’ll feel like you’re finally getting ahead. Not only is there down time allowing you to focus on internal initiatives, our MSS is constantly working on innovations to improve our operational efficiency and provide a better service to the client. Many of our innovations are based on direct client feedback, and we frequently identify specific clients to help us test use cases and fine-tune our new processes. Clients have a voice in our MSS and usually fail to realize how much more amplified their frustrations might be with an in-house solution where they need to build policies from scratch.

Q: Obviously, reporting and compliance are important. How difficult is it to work with a co-managed provider on this?

A: In-house reporting takes valuable time from managing your systems. Co-managed SIEM provides the reports you want.

Q: How much of a responsibility is it to partner with a co-managed SIEM provider? Will I have less responsibility than an in-house model?

A: Let’s be clear: You’re still responsible for your team and the relationship you have with your co-managed SIEM partner. You communicate with one or maybe two people from your co-managed SIEM provider, like they’re another employee. Except this employee can do a lot more for you in the same amount of time. And with a co-managed SIEM provider, you always know what’s going on with what you’re managing. We don’t leave you in the dark.

But you are still responsible for the future of your security posture. We just help you in that journey.

Q: When it comes to building my SOC which option is less effort: co-managed or in-house?

A: It’s more effort to build an SOC by yourself or your in-house team than it is to get some help while you transition to that stage. There’s really no extra effort in asking a co-managed SIEM provider for help. We just help you get to where you want to go. And when you don’t need us anymore, you don’t need us anymore. Our feelings aren’t hurt.


For further reading, check out pretty much everything you need to know about co-managed SIEM, the cost difference between fully managed vs co-managed SIEM, or how to prepare well for your SIEM deployment.
