
Move over SIEM, MDR will take it from here

In April 2020, an IDC report stated that “Billions of dollars are spent on products like SIEM that do not operate efficiently because they are ingesting too much data and delivering an overwhelming number of false positives … garbage in garbage out.” Mark Gillett, director of product management, and Simon Thomas, director, EMEA channels, deliver a global perspective on the failures of legacy SIEM vs. the future-proofed success of Managed Detection and Response (MDR).

BY Mark Gillett

September 29, 2020 | 6 MINS READ


Depending on who you ask—and no matter where they live—it’s either an open secret or an obvious truth that legacy SIEM (Security Information and Event Management) hasn’t met expectations as a cybersecurity solution, let alone lived up to the hype that has surrounded it for what seems like forever.

Let’s quickly review why that’s the case and then turn to more important matters: how to achieve the desired security outcomes that once led us to consider SIEM in the first place.

How we got to now: a brief history of SIEM

The term “SIEM” itself first appeared in a 2005 Gartner Research report, capturing the amalgamation of Security Information Management (SIM) and Security Event Management (SEM)—functions which have existed in some form since the late 90s.

At inception, SIEM promised to aggregate security signals (primarily logs) and make them explorable via a single pane of glass. An admirable goal, but one that belies the complexity of the task and, rightly or wrongly, overlooks the key question of what one actually does with any insights that arise.

In pursuit of the “one pane to rule them all” goal, SIEM platforms include a collection of aggregation, correlation, and alerting functions. For 15 LONG years a pattern has repeated:

And all the while, digital transformation means that the threat surface expands and highly motivated threat actors relentlessly innovate.

The problems endemic to SIEM platforms are well-documented and include:

To try and overcome these last two issues, SIEM vendors around the globe have claimed to augment their platforms to provide, or are being integrated with, User and Event Behavioral Analytics (UEBA) and Security Orchestration, Automation and Response (SOAR) functionality. Like SIEM, each of these is simply another tool; moreover, bolting SIEM to UEBA and/or SOAR introduces still more complexity.

Despite these shortcomings, SIEM platforms often appear as a default entry on cybersecurity shopping lists—and in 2015, SIEM was the fastest-growing security market segment. In part, this earlier popularity can be attributed to a business need to answer compliance questions: practically every regulatory compliance body has some text about log collection and review capabilities. So, many organizations decided that even though a log manager would suffice, they would go full-SIEM and grow into it over time.

Time, however, has proven this approach to be hopeful at best and quixotic at worst: we find ourselves in the fourth and fifth generation of SIEM and still waiting for these platforms to deliver what is promised. And remember, even at its best a SIEM platform is only a piece of the detection puzzle.

Achieving a top-level business outcome—preventing and rapidly containing threats—requires considerably more. Perhaps that’s why Managed Detection and Response services are experiencing explosive growth.

Achieving real business outcomes: why MDR provides the answer

In August 2020, Gartner released the fifth edition of its Market Guide for Managed Detection and Response Services.

According to the Guide, Gartner has observed “a 44 percent growth in end users’ inquiries into MDR services during the past 12 months,” and the firm anticipates that “by 2025, 50 percent of organizations will be using MDR services for threat monitoring, detection, and response functions that offer threat containment capabilities.”

The guide highlights that one driving factor behind the growth of MDR is that security leaders recognize that detecting a threat quickly is meaningless without the ability to quickly and effectively respond.

More generally, the wider IT community is accepting the painful reality that all organizations are under attack—whether opportunistic or targeted—and that the threat landscape is constantly changing.

A number of continually evolving factors only add to the burden on already overtaxed IT teams:

In the modern security environment, SIEM is but one tool of many that make up or enable a multi-layered approach. And beyond the technology toolset, organizations need to also invest in people and processes: it takes all three to build and maintain a strong security posture.

Today’s organizations—especially small and medium businesses and the channels who serve them—are turning to MDR because of its proven ability to deliver real business results. MDR is able to do so because it overcomes the problems outlined above:

And the proof is demonstrated in real-world experience. In eSentire’s case, the average is 35 seconds to initiate action (respond) and 20 minutes to isolate and contain a threat.

SIEM is a tool; MDR is a solution

The bottom line when it comes to SIEM is that a SIEM platform is just a technology tool (or toolkit). Some organizations will get use out of it eventually, provided they have the resources to install, build, maintain and extend the platform. But the last decade has shown quite clearly that most organizations, and especially small and medium businesses, are unable to attain the results for which they hoped.

While it’s true that the price tag for SIEM platforms has been trending downward, that really only applies to the upfront cost; the backend complexity will remain.

At eSentire, we encourage companies to take a business outcome-oriented approach to their cybersecurity needs. If your desired business outcome is wholly addressed by aggregating security events and information, then a SIEM might well be the tool you need, but experience shows that this well-defined and limited need represents only the minority of cases (and if you’re looking for regulatory compliance, then a log manager might do the trick much more cost-effectively).

In fact, we use a commercial-grade SIEM as an element within our overall enabling architecture … alongside our Atlas platform, proprietary machine learning algorithms, copious automation technologies, massive investment in people and processes, wide array of sensors, embedded agents to enable rapid response and so on.

We needed a next-gen SIEM as a piece within a larger MDR service.

Your business, we can assure you, needs the full capabilities of adaptive Managed Detection and Response to be set for now and the future.

Mark Gillett, VP, Product

Mark Gillett is Vice President, Product Management at eSentire. He has nearly 25 years’ experience in the cybersecurity industry, driving the evolution of detection, investigation, and response from the early days of SIEM to modern-day Managed Detection and Response (MDR) and Extended Detection and Response (XDR). In his current leadership role at eSentire, Mark leads the product management function for the company’s core MDR services, with a specific focus on in-house developed technologies that assist in delivering those services to customers. Mark holds a Bachelor of Science degree from Laurier University in Waterloo, Canada.

Simon Thomas, Director, EMEA Channels
