It's no secret that implementing, operating and deriving business value from a SIEM is difficult. Service providers love to promote FUD (fear, uncertainty and doubt), making baseless claims that failure is inevitable in order to sign a prospect to a service contract that may not be necessary. Like many things in life, it's not always black or white; there are many shades of grey in between.
During the research phase for our recent esLOG service launch, I sorted through a mountain of statistics on the successes and shortcomings of SIEM adopters. One thing became clear: certain factors lead to varying levels of success or failure from a security point of view. Let's start with the lay of the land to better understand these factors. According to Ponemon's SIEM challenges report:
What does this mean? A SIEM is important, but fewer than half of adopters are actually deriving value from it. What's causing the disparity? Further research painted a clear picture of the risk factors that correlate most strongly with success:
Let's look at each of these at a high level to understand how it fits into the bigger picture.
Digital transformation is pushing visibility requirements well beyond the traditional perimeter. On-premises, cloud, or somewhere in between, most organizations sit somewhere on the spectrum of hybrid IT transformation. In a recent study[2], SIEM users ranked greater visibility of network traffic as the second greatest challenge. While the discussion of visibility could continue for pages, two points emerge that organizations must take into consideration:
When it comes to dedicated personnel for SIEM administration and maintenance, Ponemon's study found that 43 percent of organizations have less than one person, 36 percent have one person and only 22 percent have more than one. Interestingly, the third- and fourth-ranked responses in the same study said more staff were needed to optimize the SIEM, to understand the data and to remove complexity. Organizations on average report they need 40 percent more security personnel; yet when it comes to the allocation of SIEM investments, only 33 percent of costs are attributed to human capital. For most organizations, understaffing is a contributing factor to the delta in satisfaction. If you are limited by headcount restrictions, do not assume existing personnel can absorb a challenge of this magnitude: many enterprise-sized organizations dedicate five or more people to continuous SIEM maintenance. If you are worried, look to augment until you have the capability in-house.
According to Ponemon, the feature SIEM users rank as most important today is detection of threats through advanced analytics, and the third most important is correlation of events into single incidents. While many SIEMs come pre-built with big data analytics, machine learning, UBA and the like, the challenge of parsing data and configuring rules and alerts remains. Modern SIEM solutions were designed to look for known actions that are indicators of compromise, but they are not effective at detecting the unknown. This is partly because SIEM solutions are adept at handling traditional log data but not other data types, such as network packet data, threat intelligence, asset context and endpoint data, which often provide greater detective visibility when correlated with the data already in the SIEM. If your organization lacks these capabilities, this is a candidate area for augmentation.
In another Ponemon study, enterprise organizations reported that their SIEMs produced on average 17,000 alerts per day, while their IR teams could investigate only four percent of them. That leaves 16,320 alerts per day that were marked as potentially malicious or in violation of policy and were ignored. SOC and IR teams are usually understaffed and overwhelmed, and chasing false positives consumes precious time while trying to find the needle in the haystack. For SIEM users this problem has emerged as the second and third priorities to remedy in the next 12 months, as organizations seek to automate the manual tasks that consume SOC and IR teams and to increase the accuracy of security events. This factor can become the biggest contributor to the delta in SIEM satisfaction: detecting and alerting on events is one thing, but the ability to quickly investigate and remediate is ultimately the difference between a blip on the radar and a business-disrupting event.
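As an added illustration of the two points above (it is not code from the article or from eSentire), the following Python sketch correlates alerts on one host into incidents, boosts each incident's score with the asset context, threat intelligence and endpoint data the article says a SIEM alone lacks, and then keeps only the share of incidents an IR team can actually investigate. All alerts, asset records, indicator values and EDR detections are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the article): four SIEM alerts plus the
# asset context, threat intelligence and endpoint (EDR) signals a SIEM usually lacks.
ALERTS = [
    {"ts": "2017-03-01T09:00:00", "host": "fileserver01", "src_ip": "203.0.113.9", "rule": "ssh_bruteforce", "sev": 3},
    {"ts": "2017-03-01T09:04:00", "host": "fileserver01", "src_ip": "203.0.113.9", "rule": "new_admin_user", "sev": 4},
    {"ts": "2017-03-01T09:30:00", "host": "kiosk07", "src_ip": "192.0.2.44", "rule": "port_scan", "sev": 2},
    {"ts": "2017-03-01T11:00:00", "host": "fileserver01", "src_ip": "198.51.100.5", "rule": "failed_login", "sev": 1},
]
ASSETS = {"fileserver01": {"criticality": "high"}, "kiosk07": {"criticality": "low"}}
THREAT_INTEL = {"203.0.113.9"}                                # constructed known-bad IP
EDR_DETECTIONS = {"fileserver01": ["suspicious_powershell"]}  # constructed endpoint corroboration

def correlate(alerts, window_minutes=15):
    """Group alerts on the same host that fall within a rolling time window into
    one incident (the 'correlation of events into single incidents' feature)."""
    incidents, by_host = [], defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):   # ISO timestamps sort as text
        by_host[a["host"]].append(a)
    for host, host_alerts in by_host.items():
        current = [host_alerts[0]]
        for a in host_alerts[1:]:
            gap = datetime.fromisoformat(a["ts"]) - datetime.fromisoformat(current[-1]["ts"])
            if gap <= timedelta(minutes=window_minutes):
                current.append(a)
            else:                                      # window expired: close the incident
                incidents.append({"host": host, "alerts": current})
                current = [a]
        incidents.append({"host": host, "alerts": current})
    return incidents

def score(incident):
    """Base score from the highest SIEM severity, boosted by non-log context."""
    s = max(a["sev"] for a in incident["alerts"])
    if ASSETS.get(incident["host"], {}).get("criticality") == "high":
        s += 2                                          # asset context
    if any(a["src_ip"] in THREAT_INTEL for a in incident["alerts"]):
        s += 3                                          # threat intelligence match
    if EDR_DETECTIONS.get(incident["host"]):
        s += 2                                          # endpoint corroboration
    return s

def triage(alerts, investigate_fraction=0.04):
    """Rank incidents and return only as many as the IR team can investigate
    (the article's four percent of alert volume), but never fewer than one."""
    ranked = sorted(correlate(alerts), key=score, reverse=True)
    capacity = max(1, int(len(alerts) * investigate_fraction))
    return ranked[:capacity]
```

With the sample data, the brute-force and new-admin-user alerts on the high-criticality server collapse into one incident that outranks the isolated port scan on a low-value kiosk.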
While these four factors are not the only influences on success, each has major implications for the decisions of current and potential SIEM adopters. Many organizations have the resources and capabilities to meet these challenges, as evidenced by the 48 percent of respondents in the Ponemon SIEM optimization study who said they are satisfied; for the other 52 percent, there remains a delta that must be addressed. Otherwise, organizations put themselves at additional risk.
For some, this means using managed SIEM providers to augment staffing. For others, it could mean outsourcing to an MSSP for staffing, management and alerting, or to an MDR provider for additional visibility, staffing, management and advanced detection and response. Wherever you are in your journey, assess your capabilities honestly: where do you sit against these factors, and which capabilities would you need to augment to derive the most value if you adopted a SIEM today? Measuring yourself against these factors will help set your expectations and a roadmap for future success.
[1] Ponemon: Challenges to Achieving SIEM Optimization, March 2017.
[2] Ponemon: Challenges to Achieving SIEM Optimization, March 2017.
[3] Ponemon: Challenges to Achieving SIEM Optimization, March 2017.
[4] Ponemon: Cost of Malware Containment Study.