It’s finally time. You’ve reached a tipping point and are ready to give your security organization the boost it needs—but there are so many options out there. Which is the best for your team? You could build an in-house security operations center (SOC), utilize a SIEM, or outsource to a managed detection and response (MDR) provider (otherwise known as SOC-as-a-service or SIEM-as-a-service). It’s your job to figure out which one will ultimately benefit you and your team.
In our latest webcast, we interviewed Charles Chastain, network and sysadmin at Patagonia, and James Cairns, security architect at Bow Valley College, about their decision process and buying criteria, as well as Joseph Blankenship, principal analyst at Forrester, who shares Forrester’s latest research and his experience in this market:
Short on time? Grab the on-demand webcast to watch later and check out the highlights below:
Q: Why is a SOC, SIEM, or MDR important?
Joseph: We researched companies across all industries and sizes and found that 56% were breached in the last 12 months. Their No. 1 challenge was dealing with the complexity of their IT environment. We as security professionals need to be aware of this, and to do that, we need to monitor continuously. The problem is, security teams can’t get everything done because of how many alerts and data they’re bombarded with, meaning they often need outside help.
SIEMs still exist and can be useful, so long as they’ve evolved past being rule-based systems. But it’s led to the emergence of MDR, which is focused on detecting threats in an environment. MDR takes a more proactive approach, is vendor-agnostic, and can provide richer, more actionable analytics. Security professionals often ask me which approach is best for them—and what it comes down to is the size of their security team, resources, expertise, environment needs, and how much they want to outsource.
Q: What was the primary driver for you to implement a SOC, SIEM, or MDR? What were some of your criteria?
Charles: We had a small network and security team using an MSSP—the problem was, we were spending more time explaining our network and assets than actually addressing alerts. We felt it would be easier to bring this all in-house by developing a SOC. To do this, however, we needed systems and solutions with low overhead so that our small team could easily spin them up and get immediate value. When we came across InsightIDR, we liked that it had low overhead and could be easily scaled across our entire organization. With pre-built alerts baked in, a huge chunk of the work was already taken care of, meaning as soon as we spun it up, we could start getting actual alerts. From there, we could tweak it to make the alerts even more actionable for our environment. Our SOC doesn’t have to worry about how to gain visibility or manage security infrastructure—InsightIDR now helps us with that.
James: I’m a team of one, so my main goal was how I could do more with less. Being in the education sector, we face increasing attacks, especially with cryptojacking and ransomware, so I needed a way to get ahead of this. We certainly didn’t want Bow Valley College to make the front-page news. This was our internal push to bring things together and take a different approach.
Another big driver we had was meeting the needs of PCI compliance, which InsightIDR helps us to do through monitoring and metrics reporting.
Q: How has a SIEM helped you since implementing it?
Charles: Within Rapid7’s SIEM, InsightIDR, we use two key metrics dashboards. The first is a dashboard with analytics that our SOC team wants to see on a daily basis and can pull from if we’re doing an investigation. The second is a dashboard we can generate and share with management—things like actionable alerts, DNS queries, failed logins, etc.
InsightIDR also enables us to monitor our PCI networks by generating logs with tags to see alerts coming from these networks. This has been helpful so that we can detect potentially malicious traffic.
James: InsightIDR helped us step through the requirements of our recent PCI audit with ease, since many of the requirements were satisfied with the solution. We could easily demonstrate metrics around what’s being done and could verify that the requirements for PCI were being fulfilled by pulling up various metrics reports. Our auditors really appreciated how fast and easy going through our whole architecture was, which made their job (and mine) much easier.
Q: Since partnering with Rapid7, how has your network visibility and detection improved?
Charles: InsightIDR has helped us get ahead of our biggest threat today: account takeovers. If successful, these attacks can expose our proprietary information to other vendors. However, InsightIDR helps us detect anomalous user behavior through user behavior analytics (UBA), which addresses a huge risk for us.
James: Prior to using InsightIDR, we didn’t have any products in place to help with this. That meant we had very limited visibility, so when we partnered with Rapid7, it was quite an eye-opener to see what was actually happening across our environment. This was a quick win for us. Now, with InsightIDR sitting on top of our infrastructure and conducting analytics, we have visibility end-to-end.
For more, including advice for a team setting up a SIEM for the first time and developing an incident response plan and playbooks, check out the full webcast here.