SIEM vs MSSP vs MDR vs SOCaaS

By Ron Samson Jr

Understanding Managed Security Services

Managed security services come in a wide range of potential offerings.  The available services can vary greatly from provider to provider, even if they are advertised as the same thing.  Understanding what to expect from each type of service is essential to selecting a provider and a service that meets your organization’s needs.

The Types of Managed Security Services

When selecting a managed security provider, you may come across a wide variety of terms, including security information and event management (SIEM), managed security services provider (MSSP), Managed Detection and Response (MDR), and SOC-as-a-Service.  Each of these terms can mean different things within the managed security field.

Security Information and Event Management (SIEM)

A SIEM system is designed to provide analysis of security alerts for a security team.  This typically involves collecting data from multiple sources (e.g. the security devices deployed on your network) and correlating this data for human analysts.  A SIEM system can be invaluable for incident detection and response, since correlating alerts across sources helps to differentiate false positives from real alerts.
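The correlation step described above, as an added example that is not part of the original article or any vendor's product: events from several constructed sources (a firewall, an authentication log and an endpoint agent) are grouped by host, and a host is flagged for investigation only when events from at least two distinct sources land inside a short time window. Single-source events stay low priority, which is the mechanism by which correlation reduces the false-positive load on analysts. The event format, source names and window size are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three hypothetical sources (not real logs).
# Fields and source names are assumptions made for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T09:00:05", "source": "firewall", "host": "ws-101", "event": "outbound_blocked"},
    {"ts": "2024-01-15T09:00:40", "source": "auth",     "host": "ws-101", "event": "login_failed"},
    {"ts": "2024-01-15T09:01:10", "source": "edr",      "host": "ws-101", "event": "suspicious_process"},
    {"ts": "2024-01-15T09:30:00", "source": "auth",     "host": "ws-202", "event": "login_failed"},
    {"ts": "2024-01-15T11:00:00", "source": "firewall", "host": "ws-303", "event": "outbound_blocked"},
    # 20 minutes after the firewall event: outside the 10-minute window below
    {"ts": "2024-01-15T11:20:00", "source": "edr",      "host": "ws-303", "event": "suspicious_process"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample events."""
    return datetime.fromisoformat(value)


def correlate(events, window=timedelta(minutes=10), min_sources=2):
    """Return one correlated alert per host whose events from at least
    `min_sources` distinct sources fall within `window` of each other.

    For each host, events are sorted by time and each event is tried as the
    start of a window; the first window that spans enough distinct sources
    produces the alert.
    """
    by_host = defaultdict(list)
    for event in events:
        by_host[event["host"]].append(event)

    alerts = []
    for host, host_events in by_host.items():
        host_events.sort(key=lambda e: parse_ts(e["ts"]))
        for i, anchor in enumerate(host_events):
            start = parse_ts(anchor["ts"])
            cluster = [e for e in host_events[i:] if parse_ts(e["ts"]) - start <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                alerts.append({
                    "host": host,
                    "sources": sorted(sources),
                    "first_seen": anchor["ts"],
                    "event_count": len(cluster),
                })
                break  # one alert per host is enough for this example
    return alerts


def triage(events, **kwargs):
    """Split hosts into those needing investigation (correlated alerts) and
    those that only produced uncorrelated, single-source noise."""
    alerts = correlate(events, **kwargs)
    flagged = {a["host"] for a in alerts}
    low_priority = sorted({e["host"] for e in events} - flagged)
    return {"investigate": alerts, "low_priority": low_priority}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for alert in result["investigate"]:
        print(f"INVESTIGATE {alert['host']}: {alert['event_count']} events from "
              f"{', '.join(alert['sources'])} starting {alert['first_seen']}")
    print("low priority (single-source or out-of-window):", result["low_priority"])
```

Only ws-101 is escalated: its firewall, auth and EDR events arrive within about a minute of each other. ws-202 produced a lone failed login and ws-303's two events are 20 minutes apart, so both stay low priority rather than being paged out as alerts.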

A Managed SIEM service is primarily focused on operating the SIEM technology.  These systems often require tuning and maintenance for their deployment environment, and this is performed by the Managed SIEM provider.  However, the provider performs no security investigation, providing, at best, a feed of events and alerts to be investigated.

Managed Security Services Provider (MSSP)

Managed Security Services Providers (MSSPs) are the next step up from a Managed SIEM.  An MSSP will monitor network security events and send alerts to their customer if any anomaly is detected.

However, an MSSP will perform no investigation into the alerts that they send.  This means that an organization will receive false positives as well as actual alerts and will need to investigate and remediate any incidents in-house.  The primary purpose of the MSSP is to alert their customer when something unusual is occurring on their network.

MSSPs are the predecessor of Managed Detection and Response.  As a result, some MSSPs have begun branding their products using MDR terminology without providing any investigative services.  It is therefore important to investigate a service provider’s capabilities before making a selection.

Managed Detection and Response

Managed Detection and Response (MDR) adds investigative capabilities to a security services provider.  An MDR provider will investigate alerts, eliminate false positives, and aid the organization to respond to any identified threats.  Some MDR providers include remediation services to help their customers recover from an incident.

Endpoint Detection and Response (EDR) is a subset of MDR focused on monitoring and securing endpoints within an organization’s network.  EDR services primarily consist of matching security events against patterns of known malware and quarantining devices as needed.  Often, the in-house security staff is responsible for remediation of the endpoints and bringing them back online.

SOC-as-a-Service

SOC-as-a-Service is a term that does not have a well-defined meaning within the industry.  In most instances, a SOC-as-a-Service provider acts as a full-function Security Operations Center (SOC), providing services similar to that of an MDR provider.

However, this is not always the case.  Before taking advantage of a SOC-as-a-Service offering, it is important to ensure that the services provided match your organization’s requirements.

Choosing the Right Security Service Provider

The choice between service providers boils down to an organization’s particular security needs.  Some important considerations include:

  • Type of data processed: Organizations processing highly sensitive and regulated data may require the rapid incident response capabilities provided by MDR.
  • In-house capabilities: An organization wishing to scale its in-house SOC may only require an MSSP for alert prioritization, while an organization with no in-house security capabilities may require the incident response offerings of an MDR provider.
  • Regulatory compliance: Different regulations require different levels of security monitoring and reporting, which may dictate the use of a certain level of service provider.

Based on these considerations, it should be possible to determine the type of managed security services provider that your organization requires.  The next step is to evaluate potential providers and determine if their services can meet your organization’s unique needs.

Looking for Managed Detection and Response or SOC as a Service?  See our service offerings:

Clearnetwork Managed Detection and Response

Clearnetwork SOC as a Service