When thinking about Managed Detection and Response, SIEM, and Managed Security Service Providers, which will help you do your investigation and incident response work best?
When we talk about SIEM vs MDR vs MSSP, what are their differences in application?
MDR and SIEM
MDR and SIEM are different, and they both have value. There’s a large trend in the space now where people are devaluing a managed SIEM practice and focusing instead on the MDR practice.
We love MDR. It’s hyper important for the questions we have, questions around the host and what actually took place on the host. You can absolutely answer those questions with an MDR service.
Now, that does not devalue a managed SIEM service. There’s still value in aggregating our logs in one place, value in behavioral-based logic that spans multiple log sources, and value in empowering threat intel with a SIEM. There’s value in leveraging a SIEM in an incident or malware investigation, but MDR also has a lot of value in that case, and that can’t be overstated.
They really both have their place and can exist simultaneously. It’s like saying ‘should I have firewall logs or should I have security logs from my domain controller’? You shouldn’t have one or the other. They’re both helpful.
Using The Tools
If you’re going to run them in-house and you have a team that can manage your EDR and your SIEM independently, do that. If you need a provider because you don’t have the team depth, or because you need 24/7 coverage you can’t support internally, then do that instead.
But when it comes to MDR, you are empowered to see what’s happening on the host and potentially do some light-level remediation. That’s something you can’t do with a SIEM. With a SIEM, on the other hand, you can step back and compare your firewall logs against your DNS logs from a bird’s-eye view of your network; with MDR you’re homed in on that host-level view.
Now, many EDR products allow you to do enterprise-wide searching, but usually you have to have a starting point. Once you have that one infected host, you can take the executable, service, DLL, or whatever your initial piece of information is, and search laterally through your enterprise for that same piece of information. You can even have some heuristic behavioral-based rules in an EDR tool via an MDR service, but you lose that bird’s-eye view of your entire network. You lose the ability to add custom log sources or custom alarming based on niche applications.
They’re both hyper valuable, and they are not mutually exclusive. They actually complement each other.
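The two views described above, as an added example that is not part of the original post: a SIEM-style rule that joins DNS, firewall and domain-controller events per host (something no single log source would raise), beside an EDR-style lateral search that starts from one artifact seen on an infected host. Host names, hashes and event details are constructed sample data.

```python
"""Two views of one constructed incident: bird's-eye cross-source correlation
(SIEM) and host-centric lateral search from a known artifact (EDR/MDR)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): (timestamp, source, host, detail).
EVENTS = [
    ("2024-05-01T09:00:05", "dns", "ws-17", {"query": "updates.example-cdn.test"}),
    ("2024-05-01T09:00:06", "fw", "ws-17", {"dst_port": 4444, "action": "allow"}),
    ("2024-05-01T09:00:20", "dc", "ws-17", {"event_id": 4625}),  # failed logon
    ("2024-05-01T09:00:21", "dc", "ws-17", {"event_id": 4625}),
    ("2024-05-01T09:00:22", "dc", "ws-17", {"event_id": 4625}),
    ("2024-05-01T09:00:40", "edr", "ws-17", {"image": "svchost.exe", "sha256": "aa11"}),
    ("2024-05-01T09:05:00", "edr", "ws-42", {"image": "svchost.exe", "sha256": "aa11"}),
    ("2024-05-01T09:06:00", "edr", "srv-03", {"image": "svchost.exe", "sha256": "ff00"}),
    ("2024-05-01T09:07:00", "fw", "ws-42", {"dst_port": 443, "action": "allow"}),
]

def siem_correlate(events, window=timedelta(minutes=2)):
    """Cross-log-type rule: a host whose DNS query is followed, within the window,
    by an allowed outbound connection on an uncommon port AND by three or more
    failed logons on the domain controller. Each source alone looks benign."""
    by_host = defaultdict(list)
    for ts, src, host, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), src, detail))
    alerts = []
    for host, evs in by_host.items():
        for t0 in (t for t, s, _ in evs if s == "dns"):
            in_win = [(s, d) for t, s, d in evs if t0 <= t <= t0 + window]
            odd_port = any(s == "fw" and d["action"] == "allow"
                           and d["dst_port"] not in (80, 443) for s, d in in_win)
            failed = sum(1 for s, d in in_win if s == "dc" and d["event_id"] == 4625)
            if odd_port and failed >= 3:
                alerts.append(host)
                break  # one alert per host is enough
    return alerts

def edr_lateral_search(events, sha256):
    """Host-centric pivot: from one artifact (a hash) seen on the infected host,
    list every host in the estate where the same image hash executed."""
    return sorted({host for _, src, host, d in events
                   if src == "edr" and d.get("sha256") == sha256})

if __name__ == "__main__":
    print("SIEM correlation alerts:", siem_correlate(EVENTS))
    print("EDR lateral search for aa11:", edr_lateral_search(EVENTS, "aa11"))
```

The SIEM rule fires only for ws-17, where the three sources line up; the EDR pivot then shows the same hash on ws-42, which the correlation rule alone would not have flagged.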
In short, MDR…
- Host-level view
- Light-level remediation
- Enterprise-wide, lateral searching
- Heuristic behavioral-based rules
…and SIEM…
- View by log type
- Bird’s-eye network view
- Leveraged in incident and malware investigations
- Aggregating logs
- Behavioral-based logic
- Empowers threat intelligence
- Custom log sources
- Custom alarming
Not MDR vs SIEM
Choosing only one tool really limits your team's ability to see incidents from multiple angles. Whether you're considering MDR or SIEM, one may be better suited to your setup than the other, but that depends heavily on your team, your current tools, and your business.