SIEM as a standalone service is not as good as a MDR with some form of data lake, where you can ship logs. It's essentially still a SIEM, but with the ability to take actions on the endpoint. A SIEM alone is only "detection" and useful in "response". But there's no "protection". MDR covers all 3. More on reddit.com

It's a great question as there is a fair bit of overlap in the segment at the moment. Depending on what MDR provider you talk to, their definition of MDR could be very different. A managed SIEM typically means you are ingesting log sources to a SIEM tool and then there are SOC analysts that are on the other end reviewing the logs and making alerts as per your requirements. An MDR typically takes it a step further and has an agent on the network or on the endpoint and can alert and proactively begin the response action. Depending on the company you go with it could have the EDR piece included (SentinelOne, CrowdStrike) or it could integrate with your existing AV / EDR tools (Arctic Wolf). Arctic Wolf also has small network monitoring appliances that they recommend installing at all locations with an outbound internet connection, and in the data center. Whereas CrowdStrike's basic service is just the software agent on the Endpoint, they do however have the ability to ingest that data. The part that starts to close the gap, is some MDR's include the ability to run searches inside the tool. CrowdStrike includes a Splunk-like search interface with a query language built-in if you want to continue having the ability to search, Arctic Wolf has similar but it's an added module. If you aren't interested in seeing the backend, reports and alerting that you would get from a SIEM, you can look into Blackpoint or Huntress, they will integrate with your existing tools and respond if they find something, but don't expect anything fancy if you security operations team begins to grow. I don't have experience with all of these products, I've just recently been doing similar research. (moving from Splunk cloud to an MDR for cost purposes) So take the above with a small grain of salt. More on reddit.com

What tools are you currently using? More on reddit.com

MDR- Managed Detection and Response. Typically involves a SOC + Endpoint protection. Great for companies with a lower budget, as the SOC piece provides security expertise and (usually) assistance during a security incident. Basically, you get a place to call if you have a cyber problem. Some companies will water down the definition so be sure to get that clear before signing up. There should be some form of human involvement and the level and skill of that involvement will dictate price. It is evolving to XDR, which is like MDR but can include other security protections outside of the endpoint, like email protection, SIEM, authentication, etc. The market is shifting to XDR because of this versatility. MSSP- Managed Security Service Provider. Historically this has meant managed SIEM + SOC. The identity of an MSSP has certainly changed over the years. The traditional SIEM + SOC MSSP model is typically out of price range for most SMBs. MSPs working in Banking and DoD Contracting have been using these services for years, although the market has changed and there are companies like us ( SKOUT ) and others built specifically for MSPs. There is a dramatic price reduction due to the channel benefits of co-management, co-delivery, etc. MSSP means so many different things right now, especially to the SMB and MSP market. MSPs could identify as an MSSP or see their security partnership as an MSSP partnership. Now the market has shifted and many SMBs are ready for MSSP typer services, although it is more likely they will get them through an MSP. One note here- sometimes MSSP will refer to a SOC + SIEM service. So an MSSP could offer two different services, MDR or "MSSP". In this case, MSSP refers to the product/service, not the business. I think that is how you were describing it above. SIEM- Security Incident and Event Management. This is a type of technology. It is great for companies that need to check a box for anything related to 24x7 monitoring, log correlation, log review, etc. MSPs can build this themselves, partner with an MSSP, or obtain it as part of an XDR package (you might even be able to get it through an XDR package from an MSSP :P). The technology will require some security expertise to configure and likely a team to monitoring and respond to alerts 24x7. In simplest terms, SIEM (or monitoring in general) watches over the data and systems you care about (through log collection and correlation) to let you know IF you have a problem. Hope this helps. I know it's super confusing and nuanced! Feel free to PM me if you have any questions. More on reddit.com