The difference between MDR, SOC and managed SIEM

A Security Operations Centre (SOC) combines people, processes and technology. In a SOC team you will find a group of analysts monitoring the output of tools like endpoint protection software, firewalls, switches and other products and services, all integrated by a SIEM solution. The role of the SOC is to proactively detect and highlight cyberattacks to businesses to ensure they mitigate the risk before they experience a breach again. The SOC team will notify customers or colleagues of the threat, help triage the incident and provide remediation advice.

A managed SOC service typically involves outsourcing your SOC team to a third party, who will operate and maintain your existing SIEM deployment. This is becoming much less common in the market, as this type of solution requires the vendor to already have a working knowledge of your particular SIEM solution and how it has been deployed. The challenge is that these vendors will often only be able to integrate with and add value to particular SIEM technologies, which may not match with your existing deployment.

As SIEM tools rely on security experts monitoring the alerts it generates, businesses often prefer to choose a managed SIEM service instead. This is where a vendor will deploy their own SIEM technology and combine it with their own SOC team to detect cyber threats 24/7 on your behalf. As many businesses don’t have the experience or budget to build and manage a SOC in-house, outsourcing is the more affordable and valuable option, delivering greater ROI and security coverage.

It's important to note that a managed SIEM solution detects threats, raises alerts and provides remediation advice. This type of service doesn’t typically respond to threats or remediate issues on your behalf. There’s another acronym for that, and it’s called MDR!

MDR stands for Managed Detection and Response and combines technology and human expertise to detect and respond to advanced threats through mitigation and containment. The purpose of an MDR service is to detect cyber threats and respond to them before they become breaches. If a breach does occur, an MDR service will help contain the threat whilst allowing more time for security analysts to investigate and minimise the business impact.

At its core, MDR services deliver holistic end-to-end management of cyber threats. This is a new approach as it adds the ‘response’ element that traditional SIEM tools lack. MDR combines the best of SIEM and SOC to protect your business in real-time and reduce the time it takes to detect and respond to threats. It’s estimated that by 2025, half of organizations will be using MDR services because of this.

MDR uses a SIEM as one of its core technologies, but it takes this to the next level, as it’s not just about correlating log events but about enriching that data and combining results from many different sources, and providing much needed mitigation and containment out of the box.

The key differentiator between an MDR solution and a managed SIEM service is that MDR also helps to respond to security events, in addition to detecting and investigating them. For example, if a SOC analyst has enough data to suggest that an endpoint has been compromised, with an MDR solution they can take action and isolate the device from the rest of the network to contain the threat. In a managed SIEM service, this action would typically need to be taken by your own team.

We’ve talked before about how outsourcing a SOC is almost always the right option compared to building one in-house. But should you get your own SIEM or choose a managed service? Picking the right solution for you is important as every business differs in its requirements and resources.

SIEM is good for businesses that:

• Have an experienced team that know how to setup, tune and operate the SIEM
• Have enough resources and knowledge to interpret logs and action intelligence independently
• Already have technology that can quickly mitigate cyber threats or block attacks
• Have the time to conduct daily reviews
• Have a well-defined incident response process and know how to triage incidents
• Have a team that can conduct threat monitoring and incident response 24/7, or have an on-call process with well configured automated alerting
• Understand how their business could be targeted by cybercriminals and how a SIEM solution would help to speed up the incident response process by detecting suspicious activity

Outsourced services like managed SIEM are good for businesses that:

• Don’t have a well-functioning SIEM or the time to maintain a SIEM
• Don’t have existing solutions that can mitigate threats, or a strong security strategy
• Don’t have the time, resource or expertise to threat hunt and look to identify whether you have already been breached or are under an attack
• Don’t have the time to regularly review logs to meet security best practice and compliance mandates
• Don’t have a team to cover 24/7 threat monitoring requirements
• Require extra support to triage incidents
• Lack expertise to contain a breach
• Do not have the budget to build or maintain a SIEM or SOC in-house

MDR takes this one step further and help businesses proactively respond to threats and assist with incident response where required.