The right SIEM solution varies based on your goals, use cases, budget, compliance requirements, and available staff. SIEM solutions are optimized for different use cases, and one size never fits all. The wrong selection can have a long-lasting impact, be costly to maintain and support, and time-consuming to tune, which is why many SIEM deployments end up abandoned.

Understanding the Terminology and Solution Differences

Now that you have some insight into the foundational use cases for SIEM, it’s helpful to have a common understanding of the terminology and unique differences between the approaches to security information and event management. Distill down the solutions and tradeoffs as you evaluate the optimal architecture and options for you, as well as your entire team. Advanced threats require more advanced people resources, technology, and incident management than in years past. While definitions vary, and there are always hybrid scenarios, there are four primary options for a managed SIEM solution:

DIY SIEM Software: This do-it-yourself option involves organizations implementing the SIEM technology themselves, or combining open-source tools to add analytics, compliance reporting, and log storage, for example. Do-it-yourself options typically require a larger team and a higher level of expertise, not only to implement the platform but also to manage, maintain, and tune it over time. SIEM is not a “set it and forget it” technology.

SIEM-as-a-Service (SIEMaaS): Also called “cloud SIEM,” this is essentially Software-as-a-Service licensed on a monthly basis and hosted, maintained, tuned, and patched to work optimally, so that you don’t have to worry about the infrastructure, log storage, or system administration. You still have the responsibility to drive it in order to get value out of SIEM-as-a-Service.

SOC-as-a-Service (SOCaaS): In this case, you receive the SOC “function” as a service. Not just the software, but also the people, the processes, and the SIEM platform/tool necessary to perform the network and endpoint threat monitoring, detection, and response for your organization.

Co-Managed SIEM: This is a version of SOC-as-a-Service in which you play a more active role in the shared responsibility of determining and carrying out the security operations strategy. A runbook with incident response (IR) procedures and an operating playbook typically outline the shared responsibility tailored to your organization.

Separate your “must-have” criteria from “nice-to-have” considerations so that you don’t solve for corner cases that add complexity and cost. Congratulations if you determine that a DIY approach is optimal for you and your organization. If you quickly realize that you need to augment your skills and staff with a managed SIEM, this guide can help you make sense of the alternatives.