Many SOC-as-a-Service providers (and, for that matter, MSSPs) use a commercial SIEM as the foundation of their practice. While this is an expedient way to get into the business of operating 24/7 monitoring for multiple clients, it is fundamentally flawed.
Why, you may ask?
The vast majority of SIEMs were never designed to manage the needs of more than one company at a time. This means a service provider either has to co-mingle data from multiple clients in one SIEM, which is not ideal and makes it impossible to give each client direct access, or run one SIEM per client, which makes it hard to use analysts efficiently. The SOC-as-a-Service provider or MSSP is also beholden to the SIEM vendor’s feature roadmap, approach to data science, and gaps in tooling.
The reality is having a custom next-gen SIEM platform, like what we’ve built at Cysiv, provides a tremendous opportunity to delight customers and optimize a team’s ability to monitor, detect, analyze, and contain security threats.
Cysiv’s Core Tenets for a Next-Gen SIEM Platform
We started building our own unique approach to the security operations center (SOC) back in 2017. The core tenets we were looking for included:
- Simplicity – Building the platform cloud-native would allow us to deploy rapidly, free of installing software and the complexities of licensing and managing an on-prem SIEM.
- Transparency – We wanted to ensure the service provider experience wasn’t a “black box.” We wanted our clients to be able to log in and see the exact same data, and perform the exact same tasks, as our analysts. This isn’t just good for visibility and reporting; it delivers on the vision of being an extension of our clients’ security teams.
- Convergence – Let’s face it, first-gen SIEM failed. That’s why new product categories like User/Entity Behavioural Analytics (UEBA), Threat Intelligence Platforms (TIP), and Security Orchestration, Automation and Response (SOAR) were born. If done right, these are features of the SIEM, not separate tools analysts have to jump between.
- Getting data science correct (for a change) – False positives waste time, both for providers and for clients! Why settle for the old Logs/Alerts model when data science can be done correctly? We believe in full ETL (transform BEFORE you load), enriching everything at line rate, dropping logs of no value, and having an engine capable of applying many techniques and correlating patterns of activity.
Truth be told, there wasn’t a platform we could use that would provide these tenets.
But by building our own platform, we could achieve each of these and so much more.
Because we built the Cysiv platform cloud-native and multi-tenant from the get-go, we solved two major problems other providers experience when using off-the-shelf platforms:
- Feedback/Requests – If providers use off-the-shelf products, the innovation cycle is extremely slow. Requests that would improve the analyst experience take months or years, or are never delivered by the vendor. We own our own fate, so we can make improvements in real time.
- Multi-tenancy – Most SIEMs are single-organization. That means service providers need to provision one SIEM per client (and staff it) or risk rolling many organizations’ data into one SIEM. Since we designed our client-to-analyst relationship as a social graph, it offers extreme flexibility in design for ourselves and our partners and makes the best use of analyst time. This, in turn, allows us to pass on an optimized cost model to our clients. None of this would happen without a platform that lets analysts move seamlessly to the next most valuable activity.
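To make the "transform before you load" tenet and the multi-tenancy point concrete, here is an added, deliberately small ingest pipeline (example code, not Cysiv's platform or any part of it): each raw line is parsed and tagged with its tenant before anything is stored, noise is dropped, events are enriched at ingest, and a failed-then-successful-login pattern is correlated per tenant so two clients' data can share one pipeline without their counts bleeding together. The feed, tenant names, regexes and the threshold of three failures are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample feed of (tenant, raw line): two clients sharing one ingest pipeline.
RAW_FEED = [
    ("acme", "sshd[1] Failed password for root from 203.0.113.9"),
    ("acme", "sshd[1] Failed password for root from 203.0.113.9"),
    ("globex", "sshd[7] Failed password for root from 203.0.113.9"),
    ("acme", "cron[2] heartbeat ok"),
    ("acme", "sshd[1] Failed password for root from 203.0.113.9"),
    ("acme", "sshd[1] Accepted password for root from 203.0.113.9"),
    ("globex", "sshd[7] Accepted password for root from 203.0.113.9"),
]
LINE_RE = re.compile(r"^(?P<proc>\w+)\[\d+\] (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")
NOISE_TOKENS = ("heartbeat",)  # no detection value: dropped before anything is stored
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def transform(tenant, line):
    """Parse a raw line into a tenant-tagged event before it is loaded anywhere."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"tenant": tenant, **m.groupdict()}
    auth = AUTH_RE.match(ev["msg"])
    if auth:
        ev.update(auth.groupdict())
    return ev
def enrich(ev):
    """Attach context at ingest (here: whether the source is an RFC 1918 address)."""
    if "src" in ev:
        addr = ipaddress.ip_address(ev["src"])
        ev["src_internal"] = any(addr in net for net in RFC1918)
    return ev
def correlate(events, threshold=3):
    """Per (tenant, src, user): threshold failures then a success raises one alert."""
    failures, alerts = defaultdict(int), []
    for ev in (e for e in events if "result" in e):
        key = (ev["tenant"], ev["src"], ev["user"])  # tenant in the key keeps clients apart
        if ev["result"] == "Failed":
            failures[key] += 1
            continue
        if failures[key] >= threshold:
            alerts.append(dict(ev, failures=failures[key]))
        failures[key] = 0  # a success (alerted or not) closes the sequence
    return alerts
def run_pipeline(feed=RAW_FEED):
    parsed = (transform(t, line) for t, line in feed)
    kept = [enrich(ev) for ev in parsed if ev and not any(tok in ev["msg"] for tok in NOISE_TOKENS)]
    return kept, correlate(kept)
```

Because the tenant is part of the correlation key, the globex failure from the same address is not added to acme's count: acme alerts on exactly three failures, and globex, with a single failure, does not alert at all.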
Yes, going with a commercial SIEM would have allowed Cysiv to provide services to customers FASTER, but taking the time to develop our own platform allows us to do it BETTER.
If you want to learn more about the Cysiv platform and strategies for launching a modern managed detection and response (MDR) offering, this blog provides a closer look.