
Boiled Down: MDR vs SIEM vs MSSP

2/18/20 7:30 AM  |  by RedLegg Blog

When thinking about Managed Detection and Response, SIEM, and Managed Security Service Providers, which will help you do your investigation and incident response work best?

When we talk about MDR vs SIEM vs MSSP, what are their differences in application?

The MSSP

Essentially, MDR, which is really just managed endpoint detection and response (EDR), is a service that would be provided by the managed security service provider, and so would managed SIEM.


MDR and SIEM

MDR and SIEM are different, and they both have value. There’s a large trend in the space now where people are devaluing a managed SIEM practice and focusing instead on the MDR practice.

We love MDR. It’s hyper important for the questions we have, questions around the host and what actually took place on the host. You can absolutely answer those questions with an MDR service.

Now, that does not devalue a managed SIEM service. There’s still value in aggregating our logs in one place, value in behavioral-based logic that spans multiple log sources, and value in empowering threat intel with a SIEM. There’s value in leveraging SIEM in an incident or malware investigation, but MDR also has a lot of value in that case, and that can’t be overstated.

They really both have their place and can exist simultaneously. It’s like asking, ‘Should I have firewall logs, or should I have security logs from my domain controller?’ You shouldn’t have one or the other. They’re both helpful.

Using The Tools

If you’re going to do them in-house and you have a team to manage your EDR independently and also manage your SIEM independently, do that. If you need a provider because you don’t have the team depth, or because you need 24/7 services that you can’t support internally, then do that instead.

But when it comes to MDR, you are empowered to see what’s happening on the host and potentially do some light-level remediation. That’s something you can’t do with a SIEM. On the other hand, with an EDR tool you can’t step back and see your firewall logs vs your DNS logs. That bird’s-eye view of your network belongs to the SIEM; with EDR you’re homed in on the host-level view.

Now, many EDR products allow you to do enterprise-wide searching, but usually you have to have a starting point. You have that one infected host, and from there you can take the executable, service, DLL, or whatever your initial piece of information is and search laterally across your enterprise for that same artifact. You can even have some heuristic behavioral-based rules in an EDR tool via an MDR service, but you lose that bird’s-eye view of your entire network. You lose the ability to bring in special custom log sources or to do custom alarming based on niche applications.
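To make the two views concrete, here is an added example (not RedLegg’s code, nor any vendor’s product logic) that runs over constructed sample logs. The first function is a SIEM-style rule: it only fires when domain-controller authentication, DNS, and firewall records from the same source IP line up in sequence, which no single host-level tool sees on its own. The second is the EDR-style pivot described above: start from one artifact on one infected host and search every host’s process telemetry for the same hash. All hostnames, IPs, users, and hashes are invented.

```python
"""SIEM-style cross-source correlation vs EDR-style lateral pivot (added example).

All telemetry below is constructed for illustration; none of it is real data.
"""
from datetime import datetime, timedelta

# Constructed domain-controller authentication events (one record per logon attempt).
DC_AUTH_LOGS = [
    {"ts": "2020-02-18T07:29:50", "host": "WS-023", "ip": "10.0.1.23", "user": "svc_backup", "event": "logon_failed"},
    {"ts": "2020-02-18T07:29:55", "host": "WS-023", "ip": "10.0.1.23", "user": "svc_backup", "event": "logon_failed"},
    {"ts": "2020-02-18T07:29:58", "host": "WS-023", "ip": "10.0.1.23", "user": "svc_backup", "event": "logon_success"},
    {"ts": "2020-02-18T07:31:00", "host": "WS-044", "ip": "10.0.1.44", "user": "jdoe", "event": "logon_success"},
]
# Constructed DNS resolver logs (client -> query name -> answer address).
DNS_LOGS = [
    {"ts": "2020-02-18T07:30:02", "client": "10.0.1.23", "qname": "update-cdn.example", "answer": "203.0.113.9"},
    {"ts": "2020-02-18T07:31:08", "client": "10.0.1.44", "qname": "files.example", "answer": "198.51.100.7"},
]
# Constructed firewall logs for outbound connections.
FIREWALL_LOGS = [
    {"ts": "2020-02-18T07:30:05", "src": "10.0.1.23", "dst": "203.0.113.9", "dport": 443, "action": "allow"},
    {"ts": "2020-02-18T07:31:10", "src": "10.0.1.44", "dst": "198.51.100.7", "dport": 443, "action": "allow"},
]
# Constructed EDR process telemetry: one record per process start, with the image hash.
SUSPECT_HASH = "aa11" * 16   # placeholder SHA-256 of the artifact found on the infected host
BENIGN_HASH = "bb22" * 16    # placeholder SHA-256 of a normal system binary
EDR_EVENTS = [
    {"host": "WS-023", "image": "C:\\Users\\Public\\updater.exe", "sha256": SUSPECT_HASH, "parent": "winword.exe"},
    {"host": "WS-023", "image": "C:\\Windows\\System32\\svchost.exe", "sha256": BENIGN_HASH, "parent": "services.exe"},
    {"host": "WS-044", "image": "C:\\Windows\\System32\\svchost.exe", "sha256": BENIGN_HASH, "parent": "services.exe"},
    {"host": "SRV-FILE01", "image": "C:\\ProgramData\\updater.exe", "sha256": SUSPECT_HASH, "parent": "cmd.exe"},
]


def _t(stamp):
    """Parse the ISO-8601 timestamps used in the sample records."""
    return datetime.fromisoformat(stamp)


def correlate_auth_then_beacon(dc_logs, dns_logs, fw_logs, window_minutes=5):
    """SIEM-style rule that needs three log sources to fire.

    Sequence per source IP: at least two failed logons followed by a success,
    then a DNS lookup from that IP, then an allowed outbound connection to the
    address the lookup returned, all inside the window. Returns one alert per IP.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = {}
    for ev in sorted(dc_logs, key=lambda e: e["ts"]):
        by_ip.setdefault(ev["ip"], []).append(ev)

    alerts = []
    for ip, events in by_ip.items():
        failures, success = 0, None
        for ev in events:
            if ev["event"] == "logon_failed":
                failures += 1
            elif ev["event"] == "logon_success" and failures >= 2:
                success = ev
                break
        if success is None:
            continue  # no brute-force-then-success pattern for this IP
        t0 = _t(success["ts"])
        # DNS answers this client received after the successful logon, within the window.
        resolved = {d["answer"]: d for d in dns_logs
                    if d["client"] == ip and t0 <= _t(d["ts"]) <= t0 + window}
        for f in fw_logs:
            if f["src"] != ip or f["action"] != "allow" or f["dst"] not in resolved:
                continue
            d = resolved[f["dst"]]
            if _t(d["ts"]) <= _t(f["ts"]) <= t0 + window:
                alerts.append({"ip": ip, "host": success["host"], "user": success["user"],
                               "failed_logons": failures, "qname": d["qname"], "dst": f["dst"]})
    return alerts


def artifacts_on_host(edr_events, host):
    """Host-level view: the images and hashes seen executing on one host."""
    return sorted({(e["image"], e["sha256"]) for e in edr_events if e["host"] == host})


def lateral_search(edr_events, sha256):
    """EDR-style pivot: starting from one artifact hash, list every host that ran it."""
    return sorted({e["host"] for e in edr_events if e["sha256"] == sha256})


if __name__ == "__main__":
    for a in correlate_auth_then_beacon(DC_AUTH_LOGS, DNS_LOGS, FIREWALL_LOGS):
        print("SIEM alert:", a)
    print("Artifacts on WS-023:", artifacts_on_host(EDR_EVENTS, "WS-023"))
    print("Hosts that ran the suspect hash:", lateral_search(EDR_EVENTS, SUSPECT_HASH))
```

The correlation rule fires for 10.0.1.23 only because the DC, DNS, and firewall records can be joined on IP and time; the pivot finds the same updater binary on SRV-FILE01 starting from WS-023’s artifact, but says nothing about the logons or the outbound connection. That asymmetry is the point of the article: each function answers a question the other cannot.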

They’re both hyper valuable, and they are not mutually exclusive. They actually complement each other.

Tool Capabilities

In short, MDR…

  • Host-level view
  • Light-level remediation
  • View by log type
  • Enterprise-wide, lateral searching
  • Heuristic behavioral-based rules

And SIEM…

  • Bird’s-eye network view
  • Leveraged in incident and malware investigations
  • Aggregating logs
  • Behavioral-based logic
  • Empowers threat intelligence
  • Custom log sources
  • Custom alarming

Not MDR vs SIEM

Choosing only one tool really limits your team's ability to see incidents from multiple angles. Whether you're thinking about MDR or SIEM, one may be better suited to your setup than the other, but that depends heavily on your team, your current tools, and your business.

Learn more about MDR vs managed SIEM or check out the MDR and SIEM webinar to find which tool may be best for you.
