SOC, SIEM, or MDR? How to Choose the Right Options for Your Infosec Program


It’s finally time. You’ve reached a tipping point and are ready to give your security organization the boost it needs—but there are so many options out there. Which is the best for your team? You could build an in-house security operations center (SOC), utilize a SIEM, or outsource to a managed detection and response (MDR) provider. It’s your job to figure out which one will ultimately benefit you and your team.

In our latest webcast, we interviewed Charles Chastain, network and sysadmin at Patagonia, and James Cairns, security architect at Bow Valley College, about their decision process and buying criteria, as well as Joseph Blankenship, principal analyst at Forrester, who shares Forrester’s latest research and his experience in this market:

[On-Demand Webcast] Future-Ready Detection & Response: SOC, SIEM, or MDR?


Short on time? Grab the on-demand webcast to watch later and check out the highlights below:

Q: Why is a SOC, SIEM, or MDR important?

Joseph: We researched companies across all industries and sizes and found that 56% were breached in the last 12 months. Their No. 1 challenge was dealing with the complexity of their IT environment. We as security professionals need to be aware of this, and to do that, we need to monitor continuously. The problem is, security teams can’t get everything done because of how many alerts and data they’re bombarded with, meaning they often need outside help.

SIEMs still exist and can be useful, so long as they’ve evolved past being rule-based systems. But it’s led to the emergence of MDR, which is focused on detecting threats in an environment. MDR takes a more proactive approach, is vendor-agnostic, and can provide richer, more actionable analytics. Security professionals often ask me which approach is best for them—and what it comes down to is the size of their security team, resources, expertise, environment needs, and how much they want to outsource.

Q: What was the primary driver for you to implement a SOC, SIEM, or MDR? What were some of your criteria?

Charles: We had a small network and security team using an MSSP—the problem was, we were spending more time explaining our network and assets than actually addressing alerts. We felt it would be easier to bring this all in-house by developing a SOC. To do this, however, we needed systems and solutions with low overhead so that our small team could easily spin them up and get immediate value. When we came across InsightIDR, we liked that it had low overhead and could be easily scaled across our entire organization. With pre-built alerts baked in, a huge chunk of the work was already taken care of, meaning as soon as we spun it up, we could start getting actual alerts. From there, we could tweak it to make the alerts even more actionable for our environment. Our SOC doesn’t have to worry about how to gain visibility or manage security infrastructure—InsightIDR now helps us with that.

James: I’m a team of one, so my main goal was how I could do more with less. Being in the education sector, we face increasing attacks, especially with cryptojacking and ransomware, so I needed a way to get ahead of this. We certainly didn’t want Bow Valley College to make the front-page news. This was our internal push to bring things together and take a different approach.

Another big driver we had was meeting the needs of PCI compliance, which InsightIDR helps us to do through monitoring and metrics reporting.

Q: How has a SIEM helped you since implementing it?

Charles: Within Rapid7’s SIEM, InsightIDR, we use two key metrics dashboards. The first is a dashboard with analytics that our SOC team wants to see on a daily basis and can pull from if we’re doing an investigation. The second is a dashboard we can generate and share with management—things like actionable alerts, DNS queries, failed logins, etc.

InsightIDR also enables us to monitor our PCI networks by generating logs with tags to see alerts coming from these networks. This has been helpful so that we can detect potentially malicious traffic.

James: InsightIDR helped us step through the requirements of our recent PCI audit with ease, since many of the requirements were satisfied with the solution. We could easily demonstrate metrics around what’s being done and could verify that the requirements for PCI were being fulfilled by pulling up various metrics reports. Our auditors really appreciated how fast and easy going through our whole architecture was, which made their job (and mine) much easier.

Q: Since partnering with Rapid7, how has your network visibility and detection improved?

Charles: InsightIDR has helped us get ahead of our biggest threat today: account takeovers. If successful, these attacks can expose our proprietary information to other vendors. However, InsightIDR helps us detect anomalous user behavior through user behavior analytics (UBA), which addresses a huge risk for us.

James: Prior to using InsightIDR, we didn’t have any products in place to help with this. That meant we had very limited visibility, so when we partnered with Rapid7, it was quite an eye-opener to see what was actually happening across our environment. This was a quick win for us. Now, with InsightIDR sitting on top of our infrastructure and conducting analytics, we have visibility end-to-end.
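The two capabilities Charles describes above, tagging events from the PCI networks so alerts from those segments stand out, and detecting anomalous user behavior that points to account takeover, can be sketched in a few dozen lines. The following is an added example written for this recap; it is not InsightIDR code or any Rapid7 product logic. The PCI segment 10.50.0.0/24, the event records and the thresholds are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed cardholder-data segment (example CIDR, not from the page).
PCI_SEGMENTS = [ipaddress.ip_network("10.50.0.0/24")]

# Constructed sample authentication events; ts is seconds since epoch.
SAMPLE_EVENTS = [
    {"ts": 1000, "user": "alice", "src_ip": "10.10.1.5",   "outcome": "success"},
    {"ts": 1010, "user": "bob",   "src_ip": "10.50.0.20",  "outcome": "failure"},
    {"ts": 1020, "user": "bob",   "src_ip": "10.50.0.20",  "outcome": "failure"},
    {"ts": 1030, "user": "bob",   "src_ip": "10.50.0.20",  "outcome": "failure"},
    {"ts": 1040, "user": "bob",   "src_ip": "10.50.0.20",  "outcome": "success"},
    {"ts": 1100, "user": "carol", "src_ip": "203.0.113.7", "outcome": "failure"},
    {"ts": 5000, "user": "carol", "src_ip": "203.0.113.7", "outcome": "failure"},
    {"ts": 5005, "user": "carol", "src_ip": "203.0.113.7", "outcome": "failure"},
]


def tag_event(event, pci_segments=PCI_SEGMENTS):
    """Attach a 'pci' tag when the source address falls inside a cardholder segment."""
    ip = ipaddress.ip_address(event["src_ip"])
    tags = {"pci"} if any(ip in net for net in pci_segments) else set()
    return {**event, "tags": tags}


def detect_login_anomalies(events, threshold=3, window=300):
    """Flag a user who reaches `threshold` failed logins inside a sliding window,
    and a successful login that follows such a burst (a takeover-style pattern)."""
    per_user = defaultdict(deque)  # user -> timestamps of recent failures
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = per_user[ev["user"]]
        # Drop failures that have aged out of the window.
        while recent and ev["ts"] - recent[0] >= window:
            recent.popleft()
        if ev["outcome"] == "failure":
            recent.append(ev["ts"])
            if len(recent) == threshold:
                findings.append({"user": ev["user"], "ts": ev["ts"],
                                 "rule": "failed_login_burst",
                                 "tags": ev.get("tags", set())})
        elif ev["outcome"] == "success" and len(recent) >= threshold:
            findings.append({"user": ev["user"], "ts": ev["ts"],
                             "rule": "success_after_burst",
                             "tags": ev.get("tags", set())})
            recent.clear()
    return findings


def dashboard_counts(events):
    """The kind of numbers a management dashboard shows: failed logins overall
    and failed logins originating from PCI-tagged sources."""
    failed = sum(1 for e in events if e["outcome"] == "failure")
    failed_pci = sum(1 for e in events
                     if e["outcome"] == "failure" and "pci" in e.get("tags", set()))
    return {"failed_logins": failed, "failed_logins_pci": failed_pci}


def run(events=SAMPLE_EVENTS):
    """Tag every event, then produce dashboard counts and anomaly findings."""
    tagged = [tag_event(e) for e in events]
    return dashboard_counts(tagged), detect_login_anomalies(tagged)


if __name__ == "__main__":
    counts, findings = run()
    print(counts)
    for f in findings:
        print(f)
```

On the constructed events, bob's three failures from the PCI segment within 30 seconds trigger the burst rule and the success that immediately follows triggers the takeover-style rule; carol's failures are spread across more than the window and never reach the threshold. Both findings carry the pci tag, which is what lets a dashboard or alert filter single out activity on the cardholder networks.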

For more, including advice for a team setting up a SIEM for the first time and developing an incident response plan and playbooks, check out the full webcast here.

Helpful Rapid7 Resources

Interested in test-driving Rapid7’s SIEM solution, InsightIDR? Start a free trial.
Looking to build or optimize a SOC? Rapid7 can help.
Looking for managed detection and response services? Our army of cyber-guardians are ready to help.
