Blog — Sep 29, 2020

Move over SIEM, MDR will take it from here

In April 2020, an IDC report stated that “Billions of dollars are spent on products like SIEM that do not operate efficiently because they are ingesting too much data and delivering an overwhelming number of false positives … garbage in garbage out.” Mark Gillett, director of product management, and Simon Thomas, director, EMEA channels, deliver a global perspective on the failures of legacy SIEM vs. the future-proofed success of Managed Detection and Response (MDR).


Depending on who you ask—and no matter where they live—it’s either an open secret or an obvious truth that legacy SIEM (Security Information and Event Management) hasn’t met expectations as a cybersecurity solution, let alone lived up to the hype that has surrounded it for what seems like forever.

Let’s quickly review why that’s the case and then turn to more important matters: how to achieve the desired security outcomes that once led us to consider SIEM in the first place.

How we got to now: a brief history of SIEM

The term “SIEM” itself first appeared in a 2005 Gartner Research report, capturing the amalgamation of Security Information Management (SIM) and Security Event Management (SEM)—functions which have existed in some form since the late 90s.

At inception, SIEM promised to aggregate security signals (primarily logs) and make them explorable via a single pane of glass. An admirable goal, but one that belies the complexity of the task and, rightly or wrongly, overlooks the key question of what one actually does with any insights that arise.

In pursuit of that "one pane to rule them all" goal, SIEM platforms bundle a collection of aggregation, correlation and alerting functions. For 15 long years the same pattern has repeated:

And all the while, digital transformation means that the threat surface expands and highly motivated threat actors relentlessly innovate.
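As an added illustration (not part of the original post, and not eSentire's own code), the following Python sketch shows the three SIEM functions named above, aggregation, correlation and alerting, running over a handful of constructed SSH log lines. A naive "N failures in W minutes" rule fires on a harmless scanning account as well as on the real brute force, while a rule that correlates failures with a subsequent success for the same user and source fires only on the latter; this is the "garbage in, garbage out" false-positive problem in miniature. The log format, hostnames, IP addresses and thresholds are assumptions for the example.

```python
"""Toy SIEM pipeline: aggregate raw lines, correlate events, raise alerts.

Added example only; the log format and rule thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). A scanning service account
# fails repeatedly from 198.51.100.9; an attacker at 203.0.113.5 brute-forces
# 'alice' and eventually succeeds; alice also logs in normally from 192.0.2.10.
SAMPLE_LOGS = """\
2020-09-29T10:00:01Z host1 sshd: Failed password for svc_scan from 198.51.100.9
2020-09-29T10:00:02Z host1 sshd: Failed password for svc_scan from 198.51.100.9
2020-09-29T10:00:03Z host1 sshd: Failed password for svc_scan from 198.51.100.9
2020-09-29T10:00:04Z host1 sshd: Failed password for svc_scan from 198.51.100.9
2020-09-29T10:00:05Z host1 sshd: Failed password for svc_scan from 198.51.100.9
2020-09-29T10:00:06Z host1 sshd: Failed password for svc_scan from 198.51.100.9
2020-09-29T10:01:00Z host1 cron: (root) CMD (run-parts /etc/cron.hourly)
2020-09-29T10:05:00Z host2 sshd: Failed password for alice from 203.0.113.5
2020-09-29T10:05:10Z host2 sshd: Failed password for alice from 203.0.113.5
2020-09-29T10:05:20Z host2 sshd: Failed password for alice from 203.0.113.5
2020-09-29T10:05:30Z host2 sshd: Failed password for alice from 203.0.113.5
2020-09-29T10:05:40Z host2 sshd: Failed password for alice from 203.0.113.5
2020-09-29T10:05:50Z host2 sshd: Accepted password for alice from 203.0.113.5
2020-09-29T10:07:00Z host2 sshd: Accepted password for alice from 192.0.2.10
"""

# Hypothetical line format for the constructed sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(lines):
    """Aggregation: normalise raw text into event dicts, dropping non-auth lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # cron and other noise never become events
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def naive_threshold_rule(events, threshold=5, window=timedelta(minutes=10)):
    """Classic 'threshold failures from one IP inside a sliding window' rule.

    Cheap to run but noisy: any chatty scanner or misconfigured service trips it.
    Returns the set of source IPs that raised an alert.
    """
    alerts = set()
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    for ev in events:
        if ev["outcome"] != "Failed":
            continue
        bucket = failures[ev["ip"]]
        bucket.append(ev["ts"])
        while bucket and ev["ts"] - bucket[0] > window:
            bucket.popleft()  # age out failures older than the window
        if len(bucket) >= threshold:
            alerts.add(ev["ip"])
    return alerts


def correlated_rule(events, threshold=5, window=timedelta(minutes=10)):
    """Correlate failures with a later success for the same (ip, user).

    Only a burst of failures that is *followed by* an accepted login from the
    same source for the same account is worth an analyst's time; the scanner
    never succeeds, so it never alerts. Returns the set of (ip, user) pairs.
    """
    alerts = set()
    failures = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    for ev in events:
        key = (ev["ip"], ev["user"])
        bucket = failures[key]
        while bucket and ev["ts"] - bucket[0] > window:
            bucket.popleft()
        if ev["outcome"] == "Failed":
            bucket.append(ev["ts"])
        elif len(bucket) >= threshold:
            alerts.add(key)  # success after a brute-force burst
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS.splitlines())
    print("naive rule      :", sorted(naive_threshold_rule(evs)))
    print("correlated rule :", sorted(correlated_rule(evs)))
```

The naive rule reports both 198.51.100.9 and 203.0.113.5; the correlated rule reports only the attacker's successful login against alice. Adding the second signal type is exactly the kind of correlation work a SIEM deployment demands, and it still says nothing about who isolates the host once the alert fires.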

The problems endemic to SIEM platforms are well-documented and include:

To try to overcome the last two of these issues, SIEM vendors around the globe have claimed to augment their platforms with, or are being integrated with, User and Entity Behavior Analytics (UEBA) and Security Orchestration, Automation and Response (SOAR) functionality. Like SIEM, each of these is simply another tool; moreover, bolting SIEM to UEBA and/or SOAR introduces still more complexity.

Despite these shortcomings, SIEM platforms often appear as a default entry on cybersecurity shopping lists—and in 2015, SIEM was the fastest-growing security market segment. In part, this earlier popularity can be attributed to a business need to answer compliance questions: practically every regulatory compliance body has some text about log collection and review capabilities. So, many organizations decided that even though a log manager would suffice, they would go full-SIEM and grow into it over time.

Time, however, has proven this approach to be hopeful at best and quixotic at worst: we find ourselves in the fourth and fifth generation of SIEM and are still waiting for these platforms to deliver what was promised. And remember, even at its best a SIEM platform is only one piece of the detection puzzle.

Achieving a top-level business outcome—preventing and rapidly containing threats—requires considerably more. Perhaps that’s why Managed Detection and Response services are experiencing explosive growth.

Achieving real business outcomes: why MDR provides the answer

In August 2020, Gartner released the fifth edition of its Market Guide for Managed Detection and Response Services.

According to the Guide, Gartner has observed “a 44 percent growth in end users’ inquiries into MDR services during the past 12 months,” and the firm anticipates that “by 2025, 50 percent of organizations will be using MDR services for threat monitoring, detection, and response functions that offer threat containment capabilities.”

The guide highlights that one driving factor behind the growth of MDR is that security leaders recognize that detecting a threat quickly is meaningless without the ability to quickly and effectively respond.

More generally, the wider IT community is accepting the painful reality that all organizations are under attack—whether opportunistic or targeted—and that the threat landscape is constantly changing.

There are a number of factors that continue to evolve that only serve to increase the burden for already overtaxed IT teams:

In the modern security environment, SIEM is but one tool of many that make up or enable a multi-layered approach. And beyond the technology toolset, organizations need to also invest in people and processes: it takes all three to build and maintain a strong security posture.

Today’s organizations, especially small and medium businesses and the channel partners who serve them, are turning to MDR because of its proven ability to deliver real business results. MDR is able to do so because it overcomes the problems outlined above:

And the proof is demonstrated in real-world experience. In eSentire’s case, the average is 35 seconds to initiate action (respond) and 20 minutes to isolate and contain a threat.

SIEM is a tool; MDR is a solution

The bottom line when it comes to SIEM is that a SIEM platform is just a technology tool (or toolkit). Some organizations will get use out of it eventually, provided they have the resources to install, build, maintain and extend the platform. But the last decade has shown quite clearly that most organizations, and especially small and medium businesses, are unable to attain the results for which they hoped.

While it’s true that the price tag for SIEM platforms has been trending downward, that really only applies to the upfront licence cost; the back-end complexity of building, tuning and staffing the platform remains.

At eSentire, we encourage companies to take a business outcome-oriented approach to their cybersecurity needs. If your desired business outcome is wholly addressed by aggregating security events and information, then a SIEM might well be the tool you need, but experience shows that this well-defined and limited need represents only the minority of cases (and if you’re looking for regulatory compliance, then a log manager might do the trick much more cost-effectively).

In fact, we use a commercial-grade SIEM as an element within our overall enabling architecture … alongside our Atlas platform, proprietary machine learning algorithms, copious automation technologies, massive investment in people and processes, wide array of sensors, embedded agents to enable rapid response and so on.

We needed a next-gen SIEM as a piece within a larger MDR service.

Your business, we can assure you, needs the full capabilities of adaptive Managed Detection and Response to be set for now and the future.

Mark Gillett, Director of Product Management
Simon Thomas, Director, EMEA Channels