What is security information and event management (SIEM)?
Security information and event management (SIEM) is a type of software that centralizes security event information from across an entire network and uses it to detect, investigate, and help resolve cybersecurity incidents. A SIEM does not block attacks on its own; its value is in giving businesses the visibility to identify threats and suspicious activity before they can have a major negative impact on operations and product or service delivery.
Wondering how SIEM software works? SIEM solutions can vary in their specific capabilities, but at a high level they should be able to perform these core steps:
- Collect log and event data from an organization’s network devices, firewalls, wireless access points, servers, and more
- Aggregate the data collected from various sources into one place
- Analyze the aggregated data to identify potential threats
- Cross-correlate potential threats with data from other systems and with configuration information to determine whether they are true threats
- Alert the organization of true threats so they can be further investigated and contained
While all of the above steps are important, #4 and #5 are what separate best-in-class SIEM tools from software that’s marketed as SIEM but doesn’t really get the job done. A robust SIEM solution must be able to cross-correlate data from all devices with configuration information, threat intelligence feeds, blacklists, geolocation data, and more in order to increase accuracy and ensure that all notifications are actionable.
A lackluster SIEM, on the other hand, is liable to produce false positives (too many notifications about insubstantial threats) and/or false negatives (missed alerts about true threats). Whether that results in unnecessary calls in the middle of the night or insidious malware that goes undetected for a period of time, both outcomes can result in headaches and a potential loss of productivity and revenue.
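To make the five core steps above concrete, and to show how the enrichment described in the previous two paragraphs turns a raw burst of events into an actionable alert, here is a small end-to-end pipeline in Python. It is an added example written for this article, not ConnectWise code or any commercial SIEM's logic. The SSH and firewall log lines, the threat-intelligence list, the internal address range, and the thresholds (three failures within five minutes) are all constructed for illustration.

```python
"""Toy SIEM pipeline: collect -> normalize -> analyze -> correlate/enrich -> alert.

Added example for illustration; not ConnectWise code. All log lines, IP
addresses and the threat-intel entries below are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Step 1 (collect): two constructed sources with different line formats.
SSHD_LOGS = """\
2024-03-01T08:00:01 host1 sshd[412]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-03-01T08:00:03 host1 sshd[412]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-03-01T08:00:05 host1 sshd[412]: Failed password for admin from 203.0.113.7 port 51024 ssh2
2024-03-01T08:00:09 host1 sshd[412]: Accepted password for admin from 203.0.113.7 port 51025 ssh2
2024-03-01T08:10:00 host2 sshd[900]: Failed password for bob from 10.0.0.25 port 40001 ssh2
2024-03-01T08:10:02 host2 sshd[900]: Failed password for bob from 10.0.0.25 port 40002 ssh2
2024-03-01T08:10:04 host2 sshd[900]: Failed password for bob from 10.0.0.25 port 40003 ssh2
"""
FIREWALL_LOGS = """\
2024-03-01T07:59:50 fw1 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
2024-03-01T07:59:51 fw1 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
"""
# Constructed enrichment data: a threat feed and the client's internal address space.
THREAT_INTEL = {"203.0.113.7": "known scanner"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

SSHD_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
FW_RE = re.compile(r"^(\S+) (\S+) kernel: (DENY|ACCEPT) .*SRC=(\S+) .*DPT=(\d+)")


def normalize(lines):
    """Step 2 (aggregate): parse heterogeneous lines into one event schema, time-ordered."""
    events = []
    for line in lines.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host, "src_ip": src,
                           "type": "auth_fail" if outcome == "Failed" else "auth_success",
                           "user": user})
            continue
        m = FW_RE.match(line)
        if m:
            ts, host, action, src, dport = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host, "src_ip": src,
                           "type": "fw_deny" if action == "DENY" else "fw_accept",
                           "dport": int(dport)})
    return sorted(events, key=lambda e: e["ts"])


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def correlate(events, fail_threshold=3, window_s=300):
    """Steps 3-5: detect failure bursts, correlate with successes, firewall data and
    threat intel, then emit alerts with a severity an analyst can act on."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["type"] == "auth_fail"]
        if len(fails) < fail_threshold:
            continue
        first_fail = fails[0]["ts"]
        in_window = [e for e in fails if (e["ts"] - first_fail).total_seconds() <= window_s]
        if len(in_window) < fail_threshold:
            continue
        success = next((e for e in evs if e["type"] == "auth_success" and e["ts"] > first_fail), None)
        denies = [e for e in evs if e["type"] == "fw_deny"]
        intel = THREAT_INTEL.get(ip)
        if success:
            severity = "high"
            summary = f"{len(in_window)} failed logins then success as {success['user']}"
        elif is_internal(ip) and not intel:
            # Internal host, no success, not on any feed: likely a mistyped password.
            severity = "low"
            summary = f"{len(in_window)} failed logins from internal host, no success"
        else:
            severity = "medium"
            summary = f"{len(in_window)} failed logins, no success"
        if intel:
            severity = "high"
            summary += f"; source on threat feed ({intel})"
        if denies:
            summary += f"; {len(denies)} firewall denies from same source"
        alerts.append({"src_ip": ip, "severity": severity, "summary": summary})
    return alerts


def run_pipeline():
    return correlate(normalize(SSHD_LOGS + FIREWALL_LOGS))


if __name__ == "__main__":
    for a in run_pipeline():
        print(f"[{a['severity'].upper()}] {a['src_ip']}: {a['summary']}")
```

Run as-is it produces two alerts: a high-severity one for 203.0.113.7 (brute force followed by a successful login, source on the threat feed, preceded by firewall denies) and a low-severity one for 10.0.0.25 (an internal host that failed three times and never succeeded). The same raw failure count produced both; the difference in severity comes entirely from the correlation and enrichment steps, which is the point the text makes about separating actionable alerts from noise.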
It’s also worth noting that the need for organizations to enhance their ability to detect and respond to cyber threats is urgent: According to The State of SMB Cybersecurity in 2021 survey conducted by Vanson Bourne and commissioned by ConnectWise, 75% of business decision makers and 83% of IT decision makers are concerned their organization will be the target of a cybersecurity attack in the next 6 months.
The MSP role in security information and event management
As MSPs continue to play a bigger role in providing cybersecurity protection for companies, it’s important to learn how you can help improve your clients’ security through SIEM offerings and other services.
Risk Assessments
As the survey results above indicate, some of your clients are likely anxious about the likelihood of an impending cyberattack but may not know how to identify ways to improve their cybersecurity posture. Enter: risk assessments. Assessing risk requires the careful analysis of threat and vulnerability information to determine how a cyber incident could negatively impact a client, as well as the likelihood that such circumstances or events will occur.
Offering strategic risk assessments shows clients that your MSP has their best interests at heart and that you are willing to be proactive about improving their cybersecurity. You may want to consider adding a risk assessment to your quarterly customer meeting. A comprehensive risk assessment should highlight:
- Network vulnerabilities
- Insufficient device management
- Data compliance issues
- Internal threats
- Potential impact of an incident
A risk assessment should also include a list of actionable recommendations so that your clients understand not only where problem areas exist, but also next steps they can take to shore up their defenses.
Threat intelligence
Staying vigilant about your clients’ cybersecurity and helping them stay ahead of potential threats can greatly reduce the effort you and/or the client would have to expend to remedy an actual data compromise. That’s why a growing number of MSPs are using threat intelligence providers, such as Information Sharing and Analysis Centers (ISACs), to gather data about emerging threats as they develop in real time. For example, the CompTIA ISAO is dedicated to developing the cyber resilience of MSPs.
To benefit from some of the best threat intelligence on the Internet today, MSPs can leverage curated threat feeds to better manage their clients’ threat indicators and give them more control over data security. For example, the ConnectWise Cybersecurity Research Unit openly shares intelligence discovered while threat hunting, which can be used to identify potential threats and filter out false positives.
Co-managed SIEM-as-a-service
SIEM tools are highly valuable for MSPs looking to offer cybersecurity services to their clients, but they come at a cost. SIEM software can be expensive and difficult to configure and implement, and it may not have out-of-the-box integrations with all of your current systems and software. What’s more, one survey from 451 Research found that only 21% of organizations believe they are getting full value from their SIEM tools.
With co-managed SIEM-as-a-service, your MSP works in collaboration with cybersecurity experts to ensure you are offering clients optimum security (and value). Because the responsibility of managing the SIEM software is shared, you don’t have to incur extra costs such as hiring additional personnel, buying special equipment to host the software, or needing to conduct specialized training for your staff.
Co-managed SIEM-as-a-service featuring compliance automation is especially useful for serving clients that have compliance and regulatory requirements (HIPAA, PCI-DSS, etc.). When it’s time for an audit or exam, features like flexible log capture, retention, and review allow you to easily generate compliance reports and send them to your client, making life easier for everyone involved.