Security information and event management (SIEM) systems are crucial to cyber security, providing a solution for collecting and analyzing alerts from all manner of security tools, network infrastructure, and applications. But simply having a SIEM is not enough because to be truly effective, it must be properly configured, managed, and monitored 24x7.
And there’s the rub: few organizations have enough security expertise in-house to properly configure and manage a SIEM, never mind monitor it around the clock. Without that, you can’t get the full value from your SIEM investment.
A managed SIEM service, such as the Trustwave Co-Managed SOC, provides a solution, as Gartner has made clear.
“Buyers who have invested in SIEM technology use Managed SIEM services to derive more value. They get assistance with decisions around strategy, architecture, maintenance, development, or support,” Gartner says in its Market Guide for Managed SIEM Services. “This leads to better security operations results.”
However, a "collect everything" strategy for a SIEM produces many more alerts and far more noise, all of which requires human investigation to separate the true threats from the rest. This quickly overwhelms a security team and makes it less effective. As alert fatigue sets in, many potential issues go unresolved, increasing exposure to risk, and the higher volume of logs fed into the SIEM makes it more costly to operate.
Customers need that assistance due to the inherent complexity of SIEMs.
The basic function of a SIEM is to collect security data from the various components in your network, both cloud-based and on-premises. The trick is not to collect every possible piece of data, since that creates the alert fatigue discussed above.
To be effective, a SIEM must be properly configured to your specific environment, targeting the use cases and applications that are most appropriate for your organization and its risk profile. Trustwave works with clients to determine if they are at risk of experiencing runaway costs from unnecessary telemetry sent to the SIEM or fees from excessive storage policies. Furthermore, our experts will personalize use cases from our extensive use case library, and build custom use cases, to align to the goals of your organization and security operations.
Security professionals must also periodically assess whether the SIEM is generating useful alerts. In fact, a misconfigured SIEM can be more of a liability than a benefit. A never-ending stream of alerts and false positives keeps the security organization in constant fire-drill mode, potentially without the resources to investigate or even identify the truly impactful alerts amid the din.
As Gartner noted, managed SIEM services can fill the void. To date, such services have generally taken one of two varieties: Managed SIEM and SOC-as-a-Service (SOCaaS).
Managed SIEM services are much like managed services for firewalls and endpoint detection and response (EDR) tools in that they help customers manage their SIEM. Most will include SIEM deployment, configuration and management, and some may include ongoing optimization. Often, however, managed SIEM offerings do not include 24x7 alert monitoring.
With SOCaaS, your provider assumes ownership of the SIEM infrastructure and product licensing. Think of SOCaaS as an extension of the managed security service provider (MSSP) model, often aimed at smaller organizations that have neither a SIEM nor a security operations center (SOC). Instead, companies direct all the data the SIEM produces to their provider, who takes responsibility for correlating alert data and finding actionable alerts amid all the false positives.
Managed SIEM and SOCaaS may indeed be a step forward for companies that don’t have the resources to manage their own SIEM. But the Trustwave Co-Managed SOC approach adds several elements that help companies derive maximum value from their SIEM investments.
Trustwave Co-Managed SOC takes a four-step approach based on proven processes and use cases, along with experience from the Trustwave SpiderLabs team.
The first is "consult and plan," where security experts assigned to your account create a roadmap specifically for your business. These experts assess your current capabilities and security priorities. They build a transition plan and tune your SIEM based on your priorities, drawing from an extensive library of field-proven, industry-aligned use cases as well as custom use cases specific to your environment. They also provide predictable cost and capacity estimates, so you won't be subject to the runaway costs that can quickly arise when you simply send all SIEM alerts to your SIEM provider.
Next comes “build and onboard,” following a proven methodology and best practices to get you up and running quickly, accelerating time to value with a dedicated governance team.
The next two phases are ongoing. In the “manage and monitor” phase, Trustwave acts as a true extension of your security team, increasing their productivity and freeing up resources. And of course, Trustwave provides 24x7 incident monitoring and investigations to help you prioritize incidents with actionable recommendations for immediate action, informed by SpiderLabs global threat intelligence.
Finally, your named Trustwave security advisor will continually tune your SIEM for optimal performance on the specific use cases and security policies that matter most to your organization. Trustwave uses an iterative, closed-loop method of SIEM management that constantly learns from the alerts your SIEM produces and tunes it to become increasingly effective at homing in on the most important alerts, helping you reduce alert noise by up to 90%.
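The periodic check described earlier (is the SIEM generating useful alerts?) and the closed-loop tuning in the step above both come down to measuring which rules produce alerts that analysts actually confirm. The Python script below is an added example, not Trustwave's code and not a description of its tuning method. It assumes you can export closed alerts from the SIEM or case-management tool with the firing rule's name and the analyst's disposition (true or false positive); it then computes per-rule alert volume and precision and lists the high-volume, low-precision rules as the first tuning targets. The rule names, counts and thresholds are constructed for illustration.

```python
from collections import defaultdict


def _expand(rule, true_positives, false_positives):
    """Expand per-rule counts into one (rule, disposition) record per closed alert."""
    return ([(rule, "true_positive")] * true_positives
            + [(rule, "false_positive")] * false_positives)


# Constructed sample of analyst dispositions for closed alerts over one review
# period (not real data). Rule names are hypothetical.
SAMPLE_DISPOSITIONS = (
    _expand("failed_logon_burst", 3, 117)   # high volume, almost all noise
    + _expand("dns_to_new_domain", 1, 59)   # high volume, almost all noise
    + _expand("malware_beacon", 6, 2)       # low volume, high precision: keep
    + _expand("admin_group_change", 4, 6)   # moderate precision: keep
    + _expand("vuln_scanner_noise", 0, 12)  # never a true positive
)


def summarize_rules(dispositions):
    """Per-rule alert volume, true-positive count and precision (TP / alerts)."""
    counts = defaultdict(lambda: {"alerts": 0, "true_positives": 0})
    for rule, disposition in dispositions:
        counts[rule]["alerts"] += 1
        if disposition == "true_positive":
            counts[rule]["true_positives"] += 1
    for stats in counts.values():
        stats["precision"] = stats["true_positives"] / stats["alerts"]
    return dict(counts)


def tuning_candidates(summary, min_alerts=10, max_precision=0.10):
    """Rules that fire often but rarely matter: the first targets for tuning.

    The thresholds are assumptions for this example; a real review would set
    them against the team's capacity and the organization's risk profile.
    Low-volume rules are skipped even when noisy: too few samples exist to
    judge them, and they cost little analyst time.
    """
    noisy = [rule for rule, s in summary.items()
             if s["alerts"] >= min_alerts and s["precision"] <= max_precision]
    return sorted(noisy, key=lambda rule: summary[rule]["alerts"], reverse=True)


def projected_noise_share(summary, candidates):
    """Fraction of total alert volume produced by the candidate rules.

    This is the upper bound on noise removed if those rules were tuned to
    silence; in practice tuning narrows a rule rather than disabling it.
    """
    total = sum(s["alerts"] for s in summary.values())
    if total == 0:
        return 0.0
    return sum(summary[r]["alerts"] for r in candidates) / total


if __name__ == "__main__":
    summary = summarize_rules(SAMPLE_DISPOSITIONS)
    by_volume = sorted(summary.items(), key=lambda kv: kv[1]["alerts"], reverse=True)
    for rule, s in by_volume:
        print(f"{rule:22s} alerts={s['alerts']:4d} TP={s['true_positives']:3d} "
              f"precision={s['precision']:.2f}")
    candidates = tuning_candidates(summary)
    share = projected_noise_share(summary, candidates)
    print("tune first:", candidates)
    print(f"share of alert volume from those rules: {share:.0%}")
```

Run this against a real disposition export at each review cycle; the list of candidates is the input to the next round of rule tuning, and comparing the noise share between cycles shows whether the loop is actually closing.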
Trustwave Co-Managed SOC is also a great complement to the Trustwave Managed Detection and Response (MDR) service. With MDR, Trustwave security analysts provide deeper threat investigation, threat hunting, and response at the endpoint. They investigate to understand the full impact of a threat, enabling a more informed response. Running Co-Managed SOC in parallel with MDR means you not only get alerted to your most serious threats on a 24x7 basis but also enable Trustwave to respond to and contain them.
Implementing a SIEM is an important part of any cyber security strategy, and a managed service is often a requirement to properly configure, operate, and monitor your SIEM. But don’t settle for a service that doesn’t help you derive maximum value from your SIEM investment and your internal resources.
Trustwave Co-Managed SOC is designed to help you maximize the value of your SIEM investment and your internal resources. Our experienced SOC analysts can help you identify and investigate potential threats, while our MDR service helps you understand and contain any threat. With both services working together, you can be sure that your most serious threats are being monitored 24x7 and addressed quickly. To learn more about how our Co-Managed SOC and MDR services can help you, download our e-book, “Get Maximum Value from Your SIEM”, and visit our MDR webpage.
Learn more about how Trustwave Co-Managed SOC can help: download our new e-book, “Get Maximum Value from Your SIEM.”