d46j48fx
Contributor I

Does an MDR solution work with or replace a SIEM?

Hi all!

 

Would I be correct in stating that a Managed Detection and Response (MDR) solution is an augmentation to and NOT a replacement for a Security Incident Event Monitor (SIEM)?

 

I have a strange feeling I am correct and that certain sales folk are trying to "sell" me something that they are touting as "better" than a SIEM but should not replace a SIEM.

 

Would appreciate your responses asap, even if it's a simple "Yes, you're right" or "No, you're wrong; let me explain why..."  🙂

 

Thanks,

 

Derek

3 Replies
Steve-Wilme
Advocate II

Many sales people will claim one technology or service is somehow better than another, but what you should examine is what risks each counters. Both appear to be detection approaches, so mapping where they fit against MITRE ATT&CK might give you an insight. You may also want to consider whether your organisation is subject to quasi-regulation that requires you to have a SIEM, e.g. PCI DSS, some financial regs, etc.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
jmikesmith
Newcomer III


@d46j48fx wrote:

Hi all!

 

Would I be correct in stating that a Managed Detection and Response (MDR) solution is an augmentation to and NOT a replacement for a Security Incident Event Monitor (SIEM)?

 

Until you asked the question, I'd not heard of MDR, so thanks for the heads-up. I found this blog from an MDR vendor. It would seem that MDR (at least in 2018) filled a gap that MSSPs weren't (aren't?) filling. It seems to be a professional service that includes a product (and perhaps more focused on the endpoints than on the data centre), whereas SIEM is mostly a product (that could be managed by a service provider, I suppose). The blog mentions that the MDR provider's service may not be compatible with your existing SIEM.

 

Mike

Caute_cautim
Community Champion

@jmikesmith It is not quite black and white, as one suspects MDR has now been replaced with XDR, in many forms, which indicates Threat Hunting is incorporated along with some SOAR or even XSOAR capabilities for Incident Response as well. As many organisations are simply fed up with multiple solutions, they want a single dashboard.

 

Have a look around: Palo Alto, Cisco, TrendMicro, Crowdstrike, Carbon Black and many more are all expounding the next approach. The world is moving extremely fast, and there are a lot of take-outs going on.

 

References:  https://www.paloaltonetworks.com/cortex/xsoar

 

https://www.trendmicro.com/en_au/business/products/detection-response/xdr.html

 

And this is only a small vision of what is out there; a lot of consolidation and integration between partners is going on, which can either raise the risks, due to integration issues, or even reduce the risks, if done correctly.

 

Regards

 

Caute_cautim