Cutting through the jargon; why every security operation needs SIEM, SOC and MDR

IT security is filled with jargon, and that can make it obtuse at the best of times. However, there are three terms that are particularly worth understanding, as they can be critical to the ongoing security of any modern IT environment: SIEM, SOC and MDR.

First of all, SOC, which stands for “Security Operation Centre”. The best way to think of a SOC is as a hub or central command post, responsible for everything in IT, from networks and devices to information stores and cloud environments. The SOC is the place where every event within the organisation is logged, and it comprises people (the IT security team), software and processes.

One of the key software applications within the SOC is SIEM, which stands for “Security Information Management System”. In basic terms, a SIEM is a software-driven solution that monitors the entire IT environment for potential threats, based on the policies that you set. When unusual activity is detected in the environment, the SIEM sends alerts to the relevant IT security team members for further investigation.
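As an added illustration (example code, not from the original article or from Protectera), the policy-to-alert loop described above in miniature: a threshold rule over constructed log lines, a severity upgrade when a successful login follows a burst of failures, and the time from first event to alert, which is the raw material of a Mean-Time-To-Detect figure. The log format, threshold and window are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not real data): "timestamp event user src_ip"
SAMPLE_LOGS = """\
2024-03-01T09:00:01 LOGIN_FAIL alice 203.0.113.7
2024-03-01T09:00:04 LOGIN_FAIL alice 203.0.113.7
2024-03-01T09:00:09 LOGIN_FAIL alice 203.0.113.7
2024-03-01T09:00:12 LOGIN_FAIL alice 203.0.113.7
2024-03-01T09:00:15 LOGIN_FAIL alice 203.0.113.7
2024-03-01T09:00:20 LOGIN_OK alice 203.0.113.7
2024-03-01T09:05:00 LOGIN_FAIL bob 198.51.100.9
2024-03-01T09:30:00 LOGIN_FAIL bob 198.51.100.9
""".splitlines()

# The "policy you set" (assumed values): this many failures from one source inside the window is unusual.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=1)

def parse(line):
    ts, event, user, src = line.split()
    return datetime.fromisoformat(ts), event, user, src

def detect(lines):
    """Apply the policy to a stream of events and return the alerts it raises."""
    failures = defaultdict(list)   # src_ip -> timestamps of LOGIN_FAIL events still inside the window
    flagged = set()                # sources already alerted on, so one burst yields one alert
    alerts = []
    for line in lines:
        ts, event, user, src = parse(line)
        if event == "LOGIN_FAIL":
            failures[src].append(ts)
            # keep only failures inside the sliding window before counting
            failures[src] = [t for t in failures[src] if ts - t <= WINDOW]
            if len(failures[src]) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append({"src": src, "user": user, "severity": "medium",
                               "first_seen": failures[src][0], "detected_at": ts})
        elif event == "LOGIN_OK" and src in flagged:
            # a success right after a burst of failures is what an analyst should look at first
            for a in alerts:
                if a["src"] == src:
                    a["severity"] = "high"
    return alerts

def mean_time_to_detect(alerts):
    """Average seconds from the first event in each alert to the moment the policy fired."""
    gaps = [(a["detected_at"] - a["first_seen"]).total_seconds() for a in alerts]
    return sum(gaps) / len(gaps) if gaps else 0.0
```

Bob's two failures fall 25 minutes apart, so the sliding window never reaches the threshold and no alert is raised for that source.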

The challenge with both the SOC and SIEM is that they can become a labour-intensive part of the business. Even when leveraging the automation available in many modern SIEM solutions, someone still needs to respond to alerts, and to continually tune the system and monitor the environment for new threats and new examples of unusual behaviour.

However, one of the great strengths of SIEM is that it can be delivered over the cloud and therefore operate as a managed service. A partner can take on the role of monitoring and alert response, helping businesses to keep their IT security teams lean. Furthermore, a managed SIEM solution is rapidly scalable, and that can significantly improve Mean-Time-To-Detect and Mean-Time-To-Respond. Finally, by leveraging the capabilities of a partner, managed SIEM can help to close gaps in the business that the internal IT security team may not otherwise have thought of.

More broadly, organisations can also access managed services that cover the entire gamut of what the SOC does, and this brings up the third acronym: MDR, or Managed Detection & Response. MDR combines human expertise with SIEM solutions for a comprehensive managed service, and offers a number of benefits to organisations, including:

  • Expanded visibility – the managed services provider can monitor the entire environment, including offsite endpoints and edge deployments, in collaboration with your internal team, for much deeper coverage.
  • More rapidly evolving detection – because the MDR provider serves a broad range of customers and sectors, it evolves its threat detection capabilities more quickly and with more data.
  • Faster response – the MDR provider can act as a “filter” of sorts, alerting its customers to confirmed threats and saving the internal IT security team a great deal of investigation work.

Australia faces a massive looming cybersecurity skills shortage. Research suggests that we could be as much as 18,000 skilled employees behind where we need to be. This makes staffing and equipping a SOC internally a monumentally expensive proposition for businesses, as SOCs are labour-intensive business units. The final benefit of managed services, whether simply managed SIEM or the more comprehensive MDR, is that organisations can access security talent that they otherwise wouldn’t have available to them.

Even the largest of enterprises will generally work with MDR providers to complement their own internal skills, and the blend of the two provides better security coverage across the organisation. For SMEs, however, MDR might well be the only way to resource a SOC and protect the business with this critical cog in the security machine.

For more information on SIEM, SOC and MDR, contact Protectera today.