SIEMs-as-a-service addresses needs of small, midsize enterprises

MSSPs are stepping in to make SIEMs practical for smaller firms


According to the latest 451 Research survey, 44 percent of respondents said that lack of expertise was limiting their ability to make full use of their SIEMs, and 28 percent cited inadequate staffing.

There's a lot of specialized knowledge that goes into setting up and managing a SIEM, said Blackenship. And if a staffer leaves the company, that creates an immediate gap that might be difficult to fill.

Plus, there's the whole issue of having people watching for problems around the clock.

Midsized companies that buy their own SIEM systems can use service providers to help cover systems during off-hours, or to fill in for staffers who are on vacation, away for training, or while positions are unfilled, said Blackenship.

"And you can rely on the outside subject matter expertise," he added. "This is what they do for a living, they're invested in training their people, in keeping their platform up to date, and providing other services like threat intelligence and incident response."

But increasingly, outside service providers are supplying both the SIEM system itself and the associated management, monitoring and forensic services.

Of course, that still leaves the issue of what to do when the MSSP finds a problem.

A company can easily go from being overwhelmed with SIEM management issues to being overwhelmed with alerts from its MSSP.

This is a problem that some vendors are looking to address as well.

At Masergy Communications, for example, when the SIEM generates an alert, engineers first look at logs, scans, API data, and packet data to weed out false positives. The customers are informed via an email or phone call, depending on the severity of the alert, and Masergy can also step in and interact with peripheral devices to stop attacks.

"We work that out with the customer on how we'll go ahead in certain cases and block certain types of activity," said Craig D’Abreo, vice president of security operations at Masergy Communications.

Otherwise, all remediation takes place on the customer side, with Masergy just providing the forensic information about the attack.

But in its communications, Masergy not only provides the details of the problem, but instructions for how it should be addressed as well, and sends that to either the customer's help desk or IT department.
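The workflow described above (corroborate an alert against other evidence before acting on it, pick the notification channel by severity, and attach remediation instructions addressed to the right team) can be sketched as a small triage step. The code below is an added example and is not Masergy's or the article's own code; the evidence source names, the corroboration threshold, the `PLAYBOOK` entries and the sample alerts are all constructed for illustration.

```python
"""Added example (not from the article or any vendor): a minimal alert triage step.

An alert from the SIEM is checked against other evidence sources (log hits,
scan findings, API data, packet data).  Alerts corroborated by too few
independent sources are treated as likely false positives and suppressed,
except critical ones, which are always escalated but flagged as unconfirmed.
Escalated alerts are routed by severity (phone for high/critical, email
otherwise) to either the help desk or the IT department, with remediation
guidance attached.  All names and thresholds here are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Alert:
    alert_id: str
    rule: str
    host: str
    severity: str
    # Evidence source name -> whether that source corroborates the alert.
    # The source names are constructed for this example.
    evidence: Dict[str, bool] = field(default_factory=dict)


@dataclass
class TriageResult:
    alert_id: str
    disposition: str             # "suppressed" or "escalate"
    channel: Optional[str]       # None, "email" or "phone"
    recipient: Optional[str]     # None, "helpdesk" or "it_department"
    remediation: Optional[str]


# Hypothetical per-rule playbook: (team to notify, remediation guidance).
PLAYBOOK: Dict[str, Tuple[str, str]] = {
    "brute_force_login": ("it_department",
                          "Lock the account, reset credentials, review the source IP."),
    "outdated_tls": ("helpdesk",
                     "Schedule the host for a TLS library update and re-scan."),
    "malware_beacon": ("it_department",
                       "Isolate the host from the network and collect a memory image."),
}
DEFAULT_PLAYBOOK = ("it_department", "No playbook entry; investigate manually.")


def corroboration_score(alert: Alert) -> int:
    """Number of independent evidence sources that support the alert."""
    return sum(1 for supported in alert.evidence.values() if supported)


def triage(alert: Alert, min_sources: int = 2) -> TriageResult:
    """Decide whether to suppress or escalate an alert, and how to notify."""
    sev = alert.severity.lower()
    if sev not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity: {alert.severity!r}")
    score = corroboration_score(alert)
    is_critical = SEVERITY_ORDER[sev] == SEVERITY_ORDER["critical"]

    # Weak corroboration is treated as a probable false positive, unless the
    # alert is critical: those are never dropped silently.
    if score < min_sources and not is_critical:
        return TriageResult(alert.alert_id, "suppressed", None, None, None)

    channel = "phone" if SEVERITY_ORDER[sev] >= SEVERITY_ORDER["high"] else "email"
    recipient, guidance = PLAYBOOK.get(alert.rule, DEFAULT_PLAYBOOK)
    if score < min_sources:
        guidance = "UNCONFIRMED (single source): " + guidance
    return TriageResult(alert.alert_id, "escalate", channel, recipient, guidance)


if __name__ == "__main__":
    # Constructed sample alerts, not real telemetry.
    samples = [
        Alert("A1", "brute_force_login", "srv1", "high", {"log": True, "packet": True}),
        Alert("A2", "outdated_tls", "srv2", "low", {"scan": True}),
        Alert("A3", "malware_beacon", "srv3", "critical", {"packet": True}),
    ]
    for a in samples:
        print(triage(a))
```

The threshold `min_sources` is the knob that trades missed detections for analyst noise; in practice it would be tuned per rule rather than set globally, and suppressed alerts would still be logged for later review rather than discarded.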

Another company that offers SIEM services to midsized companies is Arctic Wolf Networks.

One of its customers, sunglasses manufacturer and distributor Costa Del Mar, was too small for a traditional SIEM deployment, but big enough that it needed that level of security.

"We have a large enough user base that we definitely need to have those services active in our systems," said Glenn Shapanka, information technology director at Daytona Beach, Fla.-based Costa Del Mar. "But to hire someone and have 24-7 monitoring -- it just doesn't make any sense for us."

With an IT department of seven people, counting Shapanka himself, there aren't enough people to spare. And since the company didn't want to purchase and own the SIEM system, outsourcing the whole thing was the obvious choice.

"They mailed the devices to us, told us where to plug them in, and configured them remotely," he said. "They collect the logs, analyze them, and are very responsive. Not only in detecting unusual activities and alerting us, but also giving us recommendations for the fixes."

As with Lewiston, the engagement started out with a long list of problems that needed to be fixed.

After that, Costa Del Mar received monthly reports about new vulnerabilities.

"We closed things up, patched holes, and reduced risks," Shapanka said. "Then the reports got shorter, so we reduced them to once per quarter. We get calls if there's an emergency, but we don't get a lot of them - they're smart enough to know what is a real issue and what is just noise. Now remediation is pretty painless."

This story, "SIEMs-as-a-service addresses needs of small, midsize enterprises" was originally published by CSO.


Copyright © 2016 IDG Communications, Inc.
