Difference between MDR, SOC & SIEM
Exploring the differences between an MDR, managed SOC and managed SIEM, and which is best to protect your business.…
Gideon Donovan
Channel Partner Manager at Defense.com
19th April 2023
Organisations of all sizes continue to be the target of cyber attacks. With the rise of advanced cyber criminals and the increasing complexity of modern business operations, it is crucial to have the right solutions in place to detect potential attacks and prevent breaches.
As the threat landscape continues to evolve, this presents significant opportunities for managed service providers (MSPs) to expand their service portfolio, and do more to protect their clients from a wide range of threats.
SIEM and SOC are two key components of an effective security strategy, and many MSPs that don’t already offer these security monitoring services are now contemplating the best way to start. Should you build these capabilities in-house, or outsource them to a third-party provider?
In this post, we’ll explore why it is much more effective for MSPs to outsource SIEM and SOC functions to a Managed SIEM provider, compared to building and managing them both in-house.
As I’m sure you know, the cyber security industry is full of acronyms and buzzwords, so let’s start by quickly defining some key terms:
Now that we’ve got those covered, let’s dive in.
To be effective, a SOC needs to be operational 24/7 and staffed by experienced analysts so threats can be detected and investigated around the clock. In addition, a SOC team will need to utilise SIEM technology to collect security log data and raise alerts, which will need to be licensed and managed across your client environments.
So, if you’re looking to build a SOC team and manage a SIEM deployment in-house, here are three main challenges that you’re likely to encounter:
Building and operating an in-house SOC can cost a significant amount of money. 10-12 analysts are required to properly staff a SOC team and achieve 24/7 coverage. The average salary of a SOC analyst is £50,000 per year in the UK, or $90,000 in the US. That means you’re looking at a minimum annual cost of £500,000, or almost $1 million, for your team to be operating effectively.
When you consider the cost of hiring and retaining people, including any ongoing training requirements, the costs can quickly get out of hand. It also takes time for a SOC team to get up and running, so it could be many months before any real-world security improvements are seen.
In addition to the people, a SIEM platform would need to be licensed and deployed in order to collect logs and generate alerts for your customers. In theory this is simple, as there are many SIEM platforms out there. When you dive into the details, however, it’s clear that the costs of these tools can become astronomical once you factor in the log ingestion volumes across all of your clients.
As an example, if you chose Splunk as your platform of choice, under a consumption-based model you’d be charged around $630,000 per year for a maximum of 300GB log ingestion per day. Additional hardware and software licensing fees for on-premises deployments could set you back an extra $157,000 on top of that, and that doesn’t include the cost of any additional infrastructure you might need to set up.
For some context, 300GB equates to around 1.6 billion log messages, if the average message is 200 bytes in size. At Defense.com we have individual customers who send us in the region of 800 million logs per day, therefore when you consider all of the logs that could be sent by your clients, this could quickly add up if you have a platform that is priced on a consumption-based model. Storage costs can also start to spiral when you’re ingesting and retaining a large volume of log data.
When you total it all up, the minimum cost to get your service off the ground would be in the region of £1 million (or $1.6 million) per year, without taking any other infrastructure costs into account. However, even if you did have the budget to deploy a SIEM tool yourself and to recruit and maintain your own SOC team, you’d still need to find analysts to hire in the first place. That brings us onto the next challenge.
For several years, the cyber security industry has been tackling a skills shortage. In fact, a recent (ISC)² study showed that the cyber security profession needs to grow by 3.4 million people to close the gap. That's a lot of roles to fill!
This makes it challenging to build and grow a SOC team, as it's hard to recruit and retain people with the required skills in a very competitive market. As a result, security professionals are in high demand, especially more experienced analysts. How do we know? Well, we have our own SOC team at Defense.com, so we know first-hand about the challenges of recruiting the right talent!
If you’re not able to find people with the right experience, then the next best option is to find less-skilled analysts that you can train over time. This approach can open up the talent pool of applicants, but you’ll need to ensure that you have a defined training process in place. This of course takes time, which is another contributing factor to why building a fully functional SOC team from scratch can take many months or even years.
When you engage with a Managed SIEM provider you can avoid the burden of ongoing recruitment and training. A Managed SIEM provider will take these responsibilities off your plate, so you can focus on other areas of your business. That leads us onto our third and last challenge.
Managing a SOC team and a SIEM platform can be complex and time-consuming activities that can distract you from your core business activities. By outsourcing these functions to a third-party provider, you can focus on your core competencies and leave threat detection and response to the experts. You can utilise your internal resources more effectively and focus on fixing issues for your customers instead of spending time identifying and investigating alerts.
For example, monitoring a client’s environment for cyber threats is no easy feat. To be effective, a SIEM platform needs to ingest vast amounts of log data from many sources to identify suspicious activity across an organisation's attack surface. A typical SOC team can expect an average of 11,000 security alerts per day, so it’s clear to see how this can quickly become overwhelming.
Such a large number of notifications can cause alert fatigue for security teams. This is where genuine security risks are missed, ignored or not dealt with in a timely manner, mainly due to the sheer volume of alerts being received. Alert fatigue typically occurs because of configuration issues, because SOC teams are not using their resources efficiently due to a lack of skills or training, or because the SIEM platform being used lacks the automation needed to reduce the manual triage of security alerts.
To avoid alert fatigue it’s necessary to properly configure a SIEM deployment in the first place and then tune it to the needs of your clients over time. This process takes time and will be required for each of your customers individually, which can place a considerable burden on your internal resources, especially when your clients all have different security requirements.
Outsourcing to a Managed SIEM provider also offers far more scalability than building the function yourself. This is because your chosen vendor will already have the necessary infrastructure and people in place to deliver the service and cater for any fluctuations in demand from your customers.
Instead of worrying about resource planning and scaling operations up or down depending on your customer needs, you can simply provide a consistent service offering and let your vendor do the hard work for you. This is a much more flexible approach and means you don’t have to worry about investing in additional technology or resources.
Don’t just take our word for it! Codestone Group are one of the UK’s fastest growing MSPs, supporting over 10,000 users. Watch the following video to find out why Codestone outsource their SOC and SIEM functions and how they seamlessly integrate Defense.com with their own customer support team. Codestone rely on the Defense.com SIEM platform and our expert SOC analysts to detect and respond to security events across their customer base.
With Defense.com you can deliver an end-to-end security operations solution to your end users, protecting them from advanced cyber threats and enabling them to focus on running their business.
To summarise, by outsourcing your SOC and SIEM to a third party you can:
By partnering with a managed SIEM provider such as Defense.com, you can expand your service portfolio and deliver more value to your customers, all without disrupting your own operations.