Co-managed SIEM—along with the overlapping offerings of managed SIEM and SIEM-as-a-service—has become a popular managed security service, delivered by specialized providers, MSSPs, and even some of the “big four” firms.
The model can work in a few ways. One is where the service provider has their own SIEM, which they connect to the client’s tools to ingest logs. The service provider then maintains and operates the SIEM, on behalf of or in collaboration with the client’s team. Another option is for a client that has a SIEM to contract the service provider to share the responsibilities of managing and monitoring the SIEM.
In either case, the service provider might also help tune the SIEM, develop rules, and provide a level of threat analysis that is then provided to the client for action. Having a co-managed SIEM is a great way for organizations to ensure a 24/7 SOC when they don’t have the internal resources.
For MSSPs who want to add SIEM management to their services, and for co-managed SIEM providers who want to improve their offerings and stand out, D3 Smart SOAR can act as the missing piece that solves common problems, enhances capabilities, and makes the service feasible.
Co-Managed SIEM Services Have Unique Challenges
The challenges that SOAR helps co-managed SIEM providers solve relate to integrating with security tools for data ingestion and orchestration. One industry analyst we spoke to said that he often sees co-managed SIEM sales proposals that limit the client to 10 data sources, even though a SIEM can ingest from hundreds of sources. This suggests that service providers struggle to cover their clients’ entire environments without additional resources. For service providers that have dozens, or even hundreds, of clients, the benefits of being able to easily onboard and integrate with data sources will quickly multiply.
Orchestrating actions is even more of a challenge. The extent may vary depending on the business model, but a co-managed SIEM provider will need some ability to push actions to a client’s stack. This might be as simple as querying an endpoint protection tool for additional data, or as involved as executing an incident response playbook across the environment.
Solving Problems with Orchestration
Some co-managed SIEM providers have a proprietary XDR (extended detection and response) that overcomes some of the challenges we’ve discussed, such as sorting ingested data into an enriched queue and triggering response actions. However, building such a platform is not feasible for most providers.
Because SOAR is designed to easily integrate with the widest range of tools, its addition can make it easier to onboard new data sources, ingest more types of data, and monitor clients’ entire environments. SOAR also enables orchestration across other tools without additional development of features or integrations.
What Makes Smart SOAR Perfect for Co-Managed SIEM Providers
Smart SOAR has several characteristics that make it better suited than other SOAR platforms to help co-managed SIEM providers. The first is that D3 offers unlimited, vendor-agnostic, professionally built and maintained integrations. This takes a huge burden off of the service provider by eliminating the time they would have spent coding integrations, keeping them updated, and troubleshooting issues. The fact that D3 is vendor-agnostic means that the service provider is never limited by the tools their clients use; Smart SOAR can work with all of them, with no preferred suite of products.
Smart SOAR also supports multitenancy, so you can switch between each SIEM instance you manage, all from a single interface. This is already a huge timesaver for our MSSP partners. Client instances are kept securely segregated, while maintaining the ability to deploy updates and content at scale.
Our automation-powered, five-minute onboarding process is also a major advantage for co-managed SIEM providers with a large client base. Setting up a new client in Smart SOAR is handled in a simple automated playbook, so connecting their tools to your SIEM is never a drain on your resources.
Microsoft Sentinel and Smart SOAR
One of the most popular SIEMs for co-managed services is Microsoft Sentinel. Smart SOAR is the ideal SOAR integration for Sentinel, thanks to our close relationship with Microsoft as a member of the Microsoft Intelligent Security Association (MISA). We developed a solution to enable bi-directional sync with Sentinel, which means service providers can consolidate individual tenants of Sentinel on Smart SOAR, with any changes made in one platform automatically reflected in the other.
That’s just one of the many features of our deep integration with Sentinel. You can see in detail how the two platforms work together for enhanced threat detection and response in this blog post.
If your focus is on Splunk, IBM Security QRadar, Google Chronicle, LogRhythm Axon, or any other SIEM, we integrate with those as well.
Conclusion
There is explosive growth in the market for co-managed SIEM providers. Whether you are already providing those services or looking to break in. Adding Smart SOAR to your offering will help you stand out with better services, operate efficiently at scale, access more of your client base’s security spend, and grow your profit margins.
Read this whitepaper to learn more about how D3 Smart SOAR enables higher-value services for MSSPs.