Göteborg, 22 Mar, 2012
SIEMaaS - The Secode way
So after my last blog post I had quite a few replies, mostly asking about how it works, technical stuff, service level agreements, and if we had given any thought to other types of services that could be tied into what we have. I was glad it sparked some creative juices and got people thinking, and to be honest some of the ideas were pretty good. It’s one of those things where if I had all the resources in the world, I’d put 500 developers on implementing some of those ideas straight away. Unfortunately I don’t think that’s the case anywhere today. Everyone has to do things smarter – and money still isn’t growing on trees. At least here in Sweden it’s not; anyone want to chime in from my home back in San Francisco?
Anyhow, back to SIEMaaS. To get right to the core of it, and it may sound backwards, we offer a SIEM platform “as a service” and then we offer a “managed service” on top of that, being that we are an MSSP after all. So you get the managed data collection portion of the SIEM on your network, and then our SOC delivers services built upon the data. From a technical side, yes, it’s a bit more complex than that, but from a high level that’s the basics of how it works.
The “as a Service” SIEM Architecture
Something I try to push as much as possible when discussing what we’re doing is that what we’re trying to offer is a “solution to a problem”. We’re not selling a standalone application, a device, an appliance or some specific vendor’s platform. Those are the issues you shouldn’t have to worry about. And if you think about it, people acquire a SIEM system to solve a problem, right? Often it’s for a single issue, or maybe a couple of issues, in which case getting an entire SIEM deployment can often prove to be massive overkill. Ever been in a situation where the solution ends up being a bigger problem than the one you were trying to solve? That’s what SIEM can easily turn into, and I’ve seen it happen year after year, client after client.
The actual “managed” services
When we started to move from simple log management to this new offering, one of the things I wanted to do was help solve this issue. I was simply tired of designing, selling, and implementing SIEMs that after 6-12 months were left for dead. The majority of the clients we worked with simply weren’t IT companies, and IT Security and Infosec just weren’t part of their core business. They weren’t ready, or willing, to dedicate the time and resources to make their costly SIEM project work. What they really wanted was the end result, and not the headaches involved with getting there.
Our customer portal gives you easy access to your data
We have designed our service offerings here to attempt to solve these specific issues so the customer can get what they really want, without having to worry about how they got it. No log parsers to worry about, no reports to write, and no system to learn. You have a 24/7 SOC watching your data, and only get contacted when something happens. Any time you want to see what’s going on or to manage your issues, simply log into your customer web portal and take charge. Simple.
24/7 coverage from our experienced SOC Alert Operators
To do a quick recap: first you get a managed data collection infrastructure, like any other SIEM would have. We then connect your data to our SOC, who monitor and act on alerts. You only get the end result: that phone call at 1am is an actual confirmed incident; the tickets we open have been verified as exceptions, with the false positives filtered out; and if something severe did happen, you get real actionable intelligence and our experienced SOC to help you manage it.
If your only problem is PCI compliance, or you just want 24/7 log monitoring, or some other defined problem, how much sense does it make to acquire an entire SIEM? So what's the problem you're facing? Does it make sense for you to buy a SIEM, or would it make more sense to simply outsource the problem?
Think about it.