MSSP SIEM Deployment Strategies

I am looking to use an MSSP for SIEM services; however, does anyone know of a strategy where you have both internal and external logging? Maybe one where your internal log server sends to the MSSP.

Accepted Solutions

Re: MSSP SIEM Deployment Strategies

Hello Mik3,

Without knowing anything about your systems or the MSSP you're considering, I can only speak in generalities. SIEMs collect log events and then process them using a correlation engine to try to detect anomalous behavior. One of the difficulties with SIEMs is that the volume of events can be enormous, and a large portion of the events will be irrelevant to any security monitoring or investigation. The problem is that it's difficult to determine which events will ultimately be irrelevant, so the tendency is to collect more than necessary.

SIEMs also often license based on ingest volume, so they become more expensive. The MSSP probably needs to pass that cost on, unless they're using something like the ELK stack. If the MSSP is processing your events remotely, you might need a separate network connection to avoid congesting your primary internet lines.

One strategy, in that sense, would be to not just perform initial log collection internally, but also perform some primary filtering. So at the time of collection, additional filtering would be applied to separate out the events that are interesting for the SIEM and forward them externally to the MSSP, while the remainder are either dropped or stored locally, depending on what your retention policy is. The MSSP would have some boilerplate use cases that they could get you started with, and then devise new use cases more applicable to your systems as they get better acquainted with them.

Does that help?

Dan Peterson
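The collection-side split described in the accepted answer (collect everything internally, forward only the security-relevant events to the MSSP, retain or drop the rest per your retention policy), as an added example that is not part of the original thread. It is a small Python triage stage standing in for what would normally be rule configuration in the on-premise collector (rsyslog, syslog-ng, a Fluentd or Beats pipeline) sitting in front of the MSSP forwarder. The log lines, hostnames, IP addresses, rule names and the three route names are all constructed for the example; the rule list is illustrative, not a recommended baseline.

```python
"""Collection-side log triage for an MSSP SIEM deployment.

Added illustration (not code from the thread): each raw log line is routed
to one of three destinations and the ingest volume per destination is
accounted for, which is what drives both MSSP licensing cost and the
bandwidth of the link to the MSSP.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample syslog lines (RFC 3164 style); hosts and addresses are invented.
SAMPLE_LOGS = """\
Mar 12 08:01:02 web01 sshd[2233]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar 12 08:01:03 web01 sshd[2233]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar 12 08:01:10 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 12 08:01:11 fw01 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=3389
Mar 12 08:01:12 fw01 kernel: ACCEPT IN=eth1 SRC=10.0.0.12 DST=10.0.0.5 PROTO=TCP DPT=443
Mar 12 08:01:13 lb01 haproxy[400]: 10.0.0.2:0 GET /healthz 200
Mar 12 08:01:14 web01 useradd[2301]: new user: name=svc-backup, UID=1009, GID=1009
Mar 12 08:01:15 db01 CRON[917]: (root) CMD (/usr/local/bin/backup.sh)
Mar 12 08:01:16 app01 myapp[77]: DEBUG cache hit ratio 0.97
"""


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    route: str  # "mssp" = forward to the MSSP, "local" = retain on-site, "drop" = discard


# Ordered rule list, first match wins. Security-relevant events go to the MSSP;
# pure noise is dropped; everything else falls through to local retention.
# (Hypothetical rules chosen for the sample above, not a recommended baseline.)
RULES = [
    Rule("auth_failure", re.compile(r"sshd\[\d+\]: Failed password"), "mssp"),
    Rule("priv_esc",     re.compile(r"\bsudo: .* USER=root"),         "mssp"),
    Rule("fw_deny",      re.compile(r"kernel: DENY "),                "mssp"),
    Rule("account_mgmt", re.compile(r"useradd\[\d+\]: new user"),     "mssp"),
    Rule("healthcheck",  re.compile(r"GET /healthz 200"),             "drop"),
    Rule("debug",        re.compile(r": DEBUG "),                     "drop"),
]

# Fail-safe default: an event no rule recognises is kept locally, never silently
# discarded, so it is still available if the MSSP later asks for it in an investigation.
DEFAULT_ROUTE = "local"


def route_event(line: str) -> tuple[str, str]:
    """Return (matching rule name, destination) for one raw log line."""
    for rule in RULES:
        if rule.pattern.search(line):
            return rule.name, rule.route
    return "default", DEFAULT_ROUTE


def triage(raw: str) -> dict[str, list[str]]:
    """Split a batch of raw log lines into the three destination buckets."""
    buckets: dict[str, list[str]] = {"mssp": [], "local": [], "drop": []}
    for line in raw.splitlines():
        if line.strip():
            _, route = route_event(line)
            buckets[route].append(line)
    return buckets


def rule_hits(raw: str) -> Counter:
    """Count matches per rule; useful for tuning, since the answer's point is that
    it is hard to know up front which events will turn out to be irrelevant."""
    return Counter(route_event(line)[0] for line in raw.splitlines() if line.strip())


def ingest_report(buckets: dict[str, list[str]]) -> dict[str, int]:
    """Bytes per destination (line plus newline); 'mssp' is the volume you would
    pay the MSSP to ingest and push over the link to them."""
    return {dest: sum(len(l.encode()) + 1 for l in lines) for dest, lines in buckets.items()}


if __name__ == "__main__":
    buckets = triage(SAMPLE_LOGS)
    for dest, lines in buckets.items():
        print(f"{dest}: {len(lines)} events")
    print("rule hits:", dict(rule_hits(SAMPLE_LOGS)))
    print("bytes per destination:", ingest_report(SAMPLE_LOGS and buckets))
```

Two design choices worth keeping when this is rebuilt as real collector configuration: the default route is "retain locally", not "drop", so a gap in the rules degrades into extra on-site storage rather than lost evidence; and the per-rule hit counts are kept so the rule set can be tuned against actual volume before the MSSP's use cases are finalised. Note that anything dropped at this stage is invisible to the MSSP's correlation engine, so dropping should be reserved for events with no conceivable investigative value.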
