Threat monitoring for SMBs: SIEM vs SOAR vs MDR
Small and medium-sized businesses (SMBs, here meaning 100 to 999 employees) generate a lot of log data every day, and monitoring all of it for threats can feel like searching for a needle in a haystack.
Using a SIEM (Security Information and Event Management) and a SOAR (Security Orchestration, Automation, and Response) can help businesses make sense of this noise and find threats, but there's bad news for resource-constrained SMBs: these solutions are expensive and need dedicated staff to use and monitor properly.
Luckily, there are a few ways SMBs can get the threat monitoring benefits of a SIEM and SOAR without paying an arm and a leg for them or running a full Security Operations Center (SOC). Managed Detection and Response (MDR) is one option; managed SIEM/SOAR services are another. We'll cover both in this post.
First, let's dive into why SIEM and SOAR matter, the differences between them, and how MDR and other managed services can help resource-constrained SMBs use SIEM and SOAR capabilities.
What are SIEM and SOAR and why are they important for threat monitoring?
A SIEM aggregates log data from across your business's infrastructure and monitors it for potential threats. A SOAR takes the alerts that the SIEM and other security tools produce a step further, enriching them with additional data and automating the response.
SIEM and SOAR are both important for one big reason: logs. Many, many logs.
Logs are records of things that have happened on your systems and networks. By looking at the logs of firewalls, servers, endpoints, and networking equipment, you can identify potential malicious activity. For example, if you're looking at firewall logs and find outbound traffic that doesn't look like the rest (an internal host pushing far more data to one external address than it normally sends anywhere, or connecting out at an hour when nobody is at work), that could be a sign of an attacker exfiltrating data.
But a firewall alone can generate up to a terabyte of log data a day. Factor in the disparate logs generated by your operating systems, endpoints, applications, and so on, and it's clear why manual log analysis isn't an option.
In a nutshell, a SIEM takes the logs your business generates and turns them into prioritized alerts, and a SOAR takes those alerts and turns them into consistent, largely automated responses. By filtering massive amounts of security data and prioritizing alerts, SIEM and SOAR streamline compliance reporting and make handling incidents more efficient.
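To make the "unusual outbound traffic" example concrete, here is an added example (not code from the original post or from any SIEM vendor) of the kind of correlation rule a SIEM runs over firewall logs. The log format, the sample lines, and the thresholds are all constructed for illustration; a real rule would read the firewall's actual export format and tune the thresholds to the environment.

```python
"""SIEM-style exfiltration rule over constructed firewall log lines.

Each line records one connection:
  <timestamp> action=<allow|deny> src=<ip> dst=<ip> dport=<port> bytes_out=<n>
A (src, dst) pair is flagged when an internal host sent more than `min_bytes`
to one external destination AND that volume dwarfs the host's median volume
to its other external destinations.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample log lines, not real traffic. 10.0.5.21 pushes ~300 MB to
# one external host; 10.0.5.30 pushes a lot, but to an internal backup server.
SAMPLE_LOGS = """\
2024-03-01T02:10:05Z action=allow src=10.0.5.21 dst=142.250.72.14 dport=443 bytes_out=4200
2024-03-01T02:11:15Z action=allow src=10.0.5.21 dst=142.250.72.14 dport=443 bytes_out=3900
2024-03-01T02:12:40Z action=allow src=10.0.5.21 dst=185.199.108.153 dport=443 bytes_out=5100
2024-03-01T02:13:02Z action=allow src=10.0.5.21 dst=198.51.100.77 dport=443 bytes_out=104857600
2024-03-01T02:14:09Z action=allow src=10.0.5.21 dst=198.51.100.77 dport=443 bytes_out=209715200
2024-03-01T09:01:00Z action=allow src=10.0.5.30 dst=142.250.72.14 dport=443 bytes_out=8000
2024-03-01T09:02:00Z action=allow src=10.0.5.30 dst=151.101.1.69 dport=443 bytes_out=7600
2024-03-01T09:03:00Z action=allow src=10.0.5.30 dst=10.0.9.8 dport=445 bytes_out=524288000
2024-03-01T09:04:00Z action=deny src=10.0.5.30 dst=203.0.113.5 dport=22 bytes_out=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)

# Asset knowledge the rule needs: which address ranges are "inside". Using an
# explicit list rather than ipaddress.is_private keeps documentation ranges
# such as 198.51.100.0/24 (used above as the attacker) on the external side.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_logs(text: str) -> list[dict]:
    """Parse the constructed format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["dport"] = int(d["dport"])
        d["bytes"] = int(d["bytes"])
        events.append(d)
    return events


def detect_exfil(events: list[dict], min_bytes: int = 50 * 1024 * 1024,
                 ratio: float = 20.0) -> list[tuple[str, str, int]]:
    """Return (src, dst, total_bytes) for suspicious internal->external flows.

    The absolute threshold suppresses noise on quiet hosts; the ratio against
    the host's own other destinations suppresses hosts that legitimately push
    a lot everywhere (CDN uploaders, cloud backup agents).
    """
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e["action"] != "allow" or not is_internal(e["src"]) or is_internal(e["dst"]):
            continue  # denied flows and internal-to-internal copies are out of scope
        totals[(e["src"], e["dst"])] += e["bytes"]

    by_src: dict[str, dict[str, int]] = defaultdict(dict)
    for (src, dst), b in totals.items():
        by_src[src][dst] = b

    alerts = []
    for src, dsts in by_src.items():
        for dst, b in dsts.items():
            others = [v for d, v in dsts.items() if d != dst]
            baseline = median(others) if others else 0
            if b >= min_bytes and (baseline == 0 or b >= ratio * baseline):
                alerts.append((src, dst, b))
    return alerts


if __name__ == "__main__":
    for src, dst, total in detect_exfil(parse_logs(SAMPLE_LOGS)):
        print(f"ALERT possible exfiltration: {src} -> {dst} sent {total} bytes")
```

Run as written it flags only 10.0.5.21 -> 198.51.100.77. The point of the two-part condition is the part a raw threshold misses: the backup host 10.0.5.30 moves ten times more data than the flagged host, but to an internal address, so it stays quiet. This is exactly the aggregation and prioritization work the paragraph above describes a SIEM doing at terabyte scale.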
SIEM vs SOAR: What’s the difference?
To better understand the differences between SIEM and SOAR, let’s take the analogy of driving a car. Let’s say you want to know the status of different parts of the vehicle—for example, tire pressure, brake fluid levels, air filter condition, and so on.
You can think of a SIEM as being the software that takes all this data and presents it to you on your dashboard, notifying you of any potential issues. Just like how our car software can compile information about different parts of the vehicle, a SIEM can aggregate security data from across your business.
Now, let’s say our software also pulled in third-party data to get a better overall picture of our car’s health. For example, what if our car referenced an updated database of common issues with our model to help troubleshoot problems?
At a high level, this is what a SOAR platform does for businesses: it enriches alerts with external sources, such as threat intelligence feeds and endpoint security software, to improve detection accuracy. Not only that, but a SOAR can also act on alerts immediately, for example by automatically isolating a compromised endpoint before the threat spreads.
SIEMs are not a replacement for SOARs, and SOARs are not a replacement for SIEMs: The two are actually great complements of one another. SIEM platforms identify potentially anomalous activity, and SOAR platforms contextualize those alerts and apply automated remediation measures as necessary.
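Here is an added example (not the post's code and not any vendor's playbook) of what the "contextualize, then remediate" step looks like as a SOAR-style playbook. The threat-intel feed, asset inventory, and EDR client are constructed stand-ins; in a real deployment each would be an API call to the corresponding product.

```python
"""Minimal SOAR-style playbook: enrich a SIEM alert, score it, pick a response.

The response logic has two guardrails a practitioner would insist on before
letting automation isolate machines: a confidence threshold, and an asset
criticality flag so domain controllers and unknown hosts go to a human.
"""
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> (confidence 0-100, tag).
THREAT_INTEL = {
    "198.51.100.77": (90, "known-exfil-c2"),
    "203.0.113.5": (30, "internet-scanner"),
}

# Constructed asset inventory. "critical" hosts are never isolated automatically.
ASSETS = {
    "10.0.5.21": {"hostname": "wkst-finance-07", "role": "workstation", "critical": False},
    "10.0.5.30": {"hostname": "dc01", "role": "domain-controller", "critical": True},
}


@dataclass
class Alert:
    src: str
    dst: str
    bytes_out: int
    rule: str


@dataclass
class Decision:
    action: str          # "isolate", "escalate", or "close"
    score: int
    reasons: list = field(default_factory=list)


class FakeEdr:
    """Stand-in for an EDR isolation API; records what the playbook requested."""
    def __init__(self):
        self.isolated: list[str] = []

    def isolate(self, hostname: str) -> None:
        self.isolated.append(hostname)


def enrich(alert: Alert) -> dict:
    """Attach threat-intel and asset context to the raw alert."""
    conf, tag = THREAT_INTEL.get(alert.dst, (0, None))
    # An address missing from inventory is treated as critical: you cannot
    # safely cut off a machine you cannot identify.
    asset = ASSETS.get(alert.src, {"hostname": alert.src, "role": "unknown", "critical": True})
    return {"ti_confidence": conf, "ti_tag": tag, "asset": asset}


def decide(alert: Alert, ctx: dict, close_below: int = 40, isolate_at: int = 80) -> Decision:
    score, reasons = 0, []
    if ctx["ti_tag"]:
        score += ctx["ti_confidence"]
        reasons.append(f"destination on threat feed: {ctx['ti_tag']} ({ctx['ti_confidence']})")
    if alert.bytes_out >= 100 * 1024 * 1024:
        score += 40
        reasons.append("large outbound volume")
    if score < close_below:
        return Decision("close", score, reasons + ["below triage threshold"])
    if score >= isolate_at and not ctx["asset"]["critical"]:
        return Decision("isolate", score, reasons)
    if ctx["asset"]["critical"]:
        reasons.append("critical or unknown asset: human approval required")
    return Decision("escalate", score, reasons)


def run_playbook(alert: Alert, edr: FakeEdr) -> Decision:
    ctx = enrich(alert)
    decision = decide(alert, ctx)
    if decision.action == "isolate":
        edr.isolate(ctx["asset"]["hostname"])
    return decision


if __name__ == "__main__":
    edr = FakeEdr()
    for a in (Alert("10.0.5.21", "198.51.100.77", 314572800, "exfil-volume"),
              Alert("10.0.5.30", "198.51.100.77", 314572800, "exfil-volume"),
              Alert("10.0.5.21", "203.0.113.5", 1000, "ti-match")):
        d = run_playbook(a, edr)
        print(f"{a.src} -> {a.dst}: {d.action} (score {d.score}; {'; '.join(d.reasons)})")
    print("isolated:", edr.isolated)
```

The same alert produces different outcomes depending on context: a finance workstation talking to a high-confidence indicator is isolated, the domain controller doing the same thing is escalated to an analyst, and a low-confidence scanner hit with negligible traffic is closed. That context-dependent branching, rather than the enrichment lookup itself, is where most of the value (and most of the risk) of SOAR automation lives.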
Are there prerequisites for SOAR/SIEM?
Since both SIEM and SOAR offer broad security insights with options for automated remediation, it's clear that most businesses can benefit from using them. But for some SMBs, the question is one of practicality: SIEMs and first-generation SOAR platforms are anything but cheap and easy to use.
SIEM solutions alone cost about $50,000 on average, ranging from a minimum of $20,000 to upwards of $1M. That's before we even factor in the cost of monitoring them: a SIEM/SOAR needs at least a few full-time security analysts to operate, and a fully staffed, 24×7 team could easily cost more than $1 million.
All of this is to say that there are serious budget and staffing prerequisites for using a SIEM/SOAR, but that's not all. If your business doesn't yet have solid cybersecurity fundamentals in place, a SIEM and a SOAR shouldn't be too high up on your list.
“A SOAR platform is never going to be the first thing you bring into a security program,” says Josh McCarthy, Chief Product Officer & Co-Founder at Revelstoke, the first low-code, high-speed SOAR platform.
“You need a basic security infrastructure in place before you can implement a SOAR and hope to be successful,” says McCarthy. “You need at least a SIEM, Endpoint Protection (EPP), some anti-phishing stuff–things that generate alerts for SOAR to work with and generate efficiency through automation.”
If you're an SMB with solid security fundamentals and enough budget to buy and operate a SIEM/SOAR, you'll still want to steer clear of first-gen SOARs, which are more complex (and expensive) to use.
“First-gen SOARs are very, very code heavy,” says McCarthy. “The only customers that we ever saw successful with those platforms were the ones that either had a dedicated development team attached to the SOC and had SOAR business administrators or response administrators attached as well.”
Revelstoke’s low-code SOAR platform helps overburdened IT teams gain greater visibility, decrease mean time to respond (MTTR), automate alert triage, and establish more consistent processes.
Learn more about the differences between first-gen and next-gen SOAR, and about how Revelstoke and Malwarebytes work together to automate Endpoint Detection and Response.
MDR vs Managed SOAR/SIEM
To reap the benefits of a SIEM/SOAR, resource-constrained SMBs will usually have to turn to a Managed SIEM/SOAR or an MDR provider. In a Managed SIEM/SOAR setup, the business contracts with a third-party service provider to host and monitor the SIEM/SOAR application on the provider's servers.
The most basic managed SIEM providers host your SIEM/SOAR tools, manage the collection of security and event logs, and report on the results. Managed Service Providers (MSPs) are somewhat pricier, but offer a greater variety and level of service.
MDR is also an outsourced service, but it differs from a Managed SIEM/SOAR in that it is focused not only on collecting and analyzing logs but also on proactive threat hunting, investigation, and remediation. Driven by a team of seasoned analysts, MDR combines human expertise with endpoint detection and response (EDR) technology.
In a nutshell, both MDR and Managed SIEM/SOAR are simpler (and cheaper) than spinning up your own SIEM/SOAR, but MDR is arguably the better choice for SMB threat monitoring because it can both detect and respond to threats in a timely manner.
Streamlining threat monitoring and elimination for SMBs
When it comes to threat monitoring, there's no doubt that SMBs could benefit from a SIEM/SOAR. Both of these solutions give businesses a wide view of potential threats across their infrastructure, and a SOAR even automates responses to detected malicious activity.
The unfortunate reality, however, is that the huge amount of cash needed to purchase and operate SIEM/SOAR platforms effectively prices out more resource-constrained businesses.
Managed SIEM/SOAR services are a good option for SMBs lacking the budget and staff to operate a SIEM/SOAR round the clock, but they take a more passive approach to threat monitoring: they report on what has already happened on a network rather than actively hunting for new threats or remediating them as necessary.
In contrast, MDR services offer a team of professionals using an array of tools, including SIEM, SOAR, and EDR, to monitor your network 24×7 for threats. MDR takes a far more proactive approach to threat monitoring than Managed SIEM/SOAR by actively investigating risks and threats across the full spectrum of attacker activity, not just by looking at logs. By outsourcing your SOC to an MDR provider, you get access to a trained team of specialists that can triage events, remediate incidents, and perform active threat hunting, making it a much more holistic alternative for SMB security than Managed SIEM/SOAR.