Hi all,
We're a small company, one site, around 120 users.
We're looking at a managed SOC/SIEM. I'm just wondering about a managed MDR instead. Something like Crowdstrike Falcon Complete or similar?
I understand it's not a SOC/SIEM, but what are the main differences or downsides? Every vendor is promising the moon.
It's a bit of a vague question and I probably mean managed XDR service. But any comments would be useful.
We currently have Managed XDR in place but lacking a SIEM and Managed SOC. I'm evaluating the need for a managed SOC/SIEM in our environment. Given that we already have XDR and MDR, is adding a managed SOC/SIEM truly necessary?
Can anyone explain what a SIEM SOC analyst does that an MDR doesn't cover? What are the key differences between the two?
Additionally, I'm trying to gain a deeper understanding. Any insights or experiences you can share would be greatly appreciated!
Hey everyone, just trying to work out how to configure the next iteration/upper tier of my stack, thought I’d tap r/MSP.
Right now, we’re running Huntress on our Windows endpoints, but we’re looking at a client that might need a year’s worth of logs to meet compliance requirements. Naturally, I started considering a SIEM. I’ve already enrolled in Blumira’s NFR and am running it in the lab. Looks like a solid product. Then I wondered if Huntress was not the right tool, but more something like Blackpoint’s MDR would be a better fit. That said, it doesn’t seem like Blackpoint does AV, so I would either need to switch the AV on my endpoints, or run Blackpoint and Huntress in tandem.
I also understand that Huntress has an MDR for MS365. I haven’t tried it, but how does it compare to Blackpoint? Or does it compare?
This is what I’m wondering: are all of these solutions a little redundant? I’d like to find the right balance between log retention, labor-reducing AV/EDR/MDR, cost efficiency and this new potential client.
Any insight would be appreciated.
We are currently evaluating our security stack and exploring significant changes to products that haven’t met our expectations. Our goal is to enhance our capabilities while finding a cost-effective solution for 24/7 monitoring/management by the vendor. The two vendors we are focusing on are Huntress and Adlumin, specifically for their MDR (leveraging Defender) and SIEM/SOC offerings. Additionally, Huntress includes ITDR, which we believe Adlumin integrates into their SIEM/SOC functionality.
Thus far, we’ve completed demos of Huntress’s products and have been overall impressed. While their SIEM offering felt a bit underwhelming, we realize it’s a new release and expect ongoing improvements. On the plus side, Huntress includes security awareness training, which aligns with our plans to reevaluate that area of our stack. Consolidating vendors in this way could be a significant advantage. Overall, I'm a huge Huntress fan as I've followed them for years and love how they give back to the community.
Regarding Adlumin, we are scheduled to begin demos soon. As an N-Able partner, we are exploring the option of acquiring their solutions through that channel. Adlumin was recently acquired by N-Able and whether this is an advantage or drawback I'm not sure. Based on what I've seen others say Huntress has the superior MDR, while Adlumin's SIEM is more traditional and mature.
I'm hoping to get some people's thoughts on what they've experienced and which they prefer and why. We only want to ever do this switch once so we want to make sure we make the right choice.
One side note we noticed that raises a little concern for us is Huntress's use of LastPass. With their history and how they've handled things it doesn't give me a warm fuzzy feeling.
Hi Folks
Implementing a managed SOC / SIEM is a high priority for us this year.
End goal would be to send logs from all of our systems to the vendor's SIEM. They monitor, alert, and do response. We already have an EDR and MDR from Sophos.
My question is: do we still need to continue managed EDR, given that it will only cover the endpoints and won't include the other logs we want to import into the SIEM?
We know that it's best to have both XDR and SIEM simultaneously in an org. However, many of our customers find SIEM (Splunk/Sentinel) unaffordable, so we are thinking of offering them XDR (i.e. the Defender 365 stack) deployed first, then upselling to SIEM.
Traditionally, SIEM goes first, then XDR on top, but XDR is independent from SIEM, which means it doesn't really need SIEM to work. So, in your opinion, would it be OK to deploy XDR first, then SIEM?
I’m looking to upgrade our SIEM solution. We currently use Defender XDR and Sentinel. I’m looking into Huntress and NinjaOne. Anyone have other recs? Ideally it needs to be able to interface with Kaseya products.
First of all, sorry for the lack of a better title. What I want to discuss in this post is where the Threat Detection and Response (TDR) market is headed.
I use TDR to describe the ability to detect and respond to a breach, whether that's through the use of SIEM, EDR, NDR, XDR, SOAR, internal SOC, MDR service etc.
I am also aware that there is not a single right solution and it will depend on the environment.
Before the golden era of EDR began, Detection and Response capabilities were centralized on a traditional SIEM solution like Splunk, ingesting and normalizing system event logs like Windows event log, Sysmon, firewall logs etc. and then building detection rules on these.
With the evolution of EDR, it has become a central part of TDR for some organisations while for some, the SIEM is still the central part. Before you comment that it doesn't have to be one or the other, read the whole post.
You always have to consider what is enough and what is the ROI.
Using an EDR tool like Crowdstrike, Sentinelone or Defender for Endpoint is almost plug and play (compared to SIEM) and creates relatively few, high-value alerts to investigate. Using a SIEM requires a lot of work (to be done right) configuring and tuning detection rules. It is also very expensive, both in license cost and in time spent managing it. You will probably produce a lot more alerts than an EDR to investigate as well.
If you are an in-house SOC and you have very good control of what's going on in your network and spend a lot of time developing anomaly detections in the SIEM, you can get a lot of value there. What I'm interested in is an MSSP that creates "general" detections that are applicable to all your customers.
Based on incidents you've had and purple team exercises, do you have a rough idea of how much is detected by EDR vs by SIEM detection? Suppose you're running Crowdstrike+Splunk, Defender+Sentinel or similar. My experience is that the majority of attacks are detected by the EDR. Considering the investment in the SIEM platform is much bigger than the EDR, this makes it hard to justify the ROI on SIEM. Maybe we can say that EDR is "enough" for TDR and spend the SIEM budget on a different area of cybersecurity than TDR, getting a better ROI with the return being how secure we are in total.
What I haven't factored in here is investigation and threat hunting capabilities. Here we have lots of value in the SIEM, but still, with EDRs like CS, S1 and MDE (especially S1) you have a lot of endpoint activity logs to use for investigation at a substantially lower price than SIEM logs. And the amount of information and visualisation of alerts in the EDR platforms cannot be compared to the endpoint visibility you get with Windows event logs or even Sysmon in a SIEM. Despite that, if you still think the main value of a SIEM is the visibility for investigation and threat hunting since you can ingest all types of logs, EDR vendors are looking to solve this, with S1, CS and other vendors releasing "next-gen SIEM" solutions that have cheaper log storage, giving us a much simpler SIEM that is still fully capable of fast log search for investigation and threat hunting.
The evolution of these EDR vendors into XDR vendors, adding capabilities for a larger attack surface like email, identity and network, SOAR capability, third-party alert and response action integrations etc., is further taking away the selling points of traditional SIEMs like Splunk and Sentinel. These functionalities are developed by the vendors and are easy to set up compared to configuring them in SIEMs or developing them in SOARs like Swimlane or Google SecOps.
With that said, can you justify the spend on traditional SIEMs like Splunk and MS Sentinel compared to XDR solutions like Crowdstrike and Sentinelone?
Microsoft is a bit special since they are coming from both SIEM Sentinel and EDR->XDR with Defender.
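As an added illustration of the SIEM pipeline the post above describes (ingest logs from several sources, normalize them into one schema, build detection rules on top, then tune them), here is a small Python example. It is not from the thread or from any vendor; the log lines, field names, rule names and thresholds are all constructed for illustration. It also shows the one thing the EDR-only setup cannot do: enriching an endpoint logon alert with what the firewall saw from the same source address.

```python
"""Minimal SIEM-style pipeline: normalize three log formats, run two
detection rules, and show how a threshold changes the alert volume.
Added example; all log lines below are constructed, not real data."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Constructed sample input. Windows Security events 4625/4624 as JSON.
WINDOWS_SECURITY_JSON = [
    '{"TimeCreated":"2024-05-01T09:00:01Z","EventID":4625,"Computer":"WS01","TargetUserName":"jdoe","IpAddress":"203.0.113.7"}',
    '{"TimeCreated":"2024-05-01T09:00:05Z","EventID":4625,"Computer":"WS01","TargetUserName":"jdoe","IpAddress":"203.0.113.7"}',
    '{"TimeCreated":"2024-05-01T09:00:09Z","EventID":4625,"Computer":"WS01","TargetUserName":"jdoe","IpAddress":"203.0.113.7"}',
    '{"TimeCreated":"2024-05-01T09:00:14Z","EventID":4625,"Computer":"WS01","TargetUserName":"jdoe","IpAddress":"203.0.113.7"}',
    '{"TimeCreated":"2024-05-01T09:00:20Z","EventID":4624,"Computer":"WS01","TargetUserName":"jdoe","IpAddress":"203.0.113.7"}',
    '{"TimeCreated":"2024-05-01T09:30:00Z","EventID":4625,"Computer":"WS02","TargetUserName":"asmith","IpAddress":"10.0.0.15"}',
    '{"TimeCreated":"2024-05-01T09:31:00Z","EventID":4624,"Computer":"WS02","TargetUserName":"asmith","IpAddress":"10.0.0.15"}',
]
# Constructed Sysmon event ID 1 (process create) records as JSON.
SYSMON_JSON = [
    r'{"UtcTime":"2024-05-01 09:02:00.000","EventID":1,"Computer":"WS01","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","User":"CORP\\jdoe"}',
    r'{"UtcTime":"2024-05-01 09:05:00.000","EventID":1,"Computer":"WS02","Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","User":"CORP\\asmith"}',
]
# Constructed firewall lines in a simple key=value text format.
FIREWALL_LINES = [
    "2024-05-01T08:59:40Z fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp",
    "2024-05-01T08:59:50Z fw01 DENY src=203.0.113.7 dst=192.0.2.11 dport=3389 proto=tcp",
    "2024-05-01T08:59:55Z fw01 ALLOW src=203.0.113.7 dst=192.0.2.12 dport=3389 proto=tcp",
    "2024-05-01T09:10:00Z fw01 ALLOW src=198.51.100.9 dst=192.0.2.20 dport=443 proto=tcp",
]

# Common schema every parser fills in; missing fields stay None.
FIELDS = ("ts", "source", "host", "event", "user", "src_ip", "image", "parent", "dport")


def _norm(**fields):
    rec = dict.fromkeys(FIELDS)
    rec.update(fields)
    return rec


def _ts(value, fmt):
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_windows_security(line):
    rec = json.loads(line)
    event = {4625: "logon_failure", 4624: "logon_success"}.get(rec["EventID"], "other")
    return _norm(ts=_ts(rec["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ"), source="winsec",
                 host=rec["Computer"], event=event, user=rec.get("TargetUserName"),
                 src_ip=rec.get("IpAddress"))


def parse_sysmon(line):
    rec = json.loads(line)
    event = "process_create" if rec["EventID"] == 1 else "other"
    # Keep only the executable name, lower-cased, so rules can match on it.
    return _norm(ts=_ts(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"), source="sysmon",
                 host=rec["Computer"], event=event, user=rec.get("User"),
                 image=PureWindowsPath(rec["Image"]).name.lower(),
                 parent=PureWindowsPath(rec["ParentImage"]).name.lower())


FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                   r"dst=\S+ dport=(?P<dport>\d+) proto=\S+$")


def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        raise ValueError(f"unparsed firewall line: {line!r}")
    return _norm(ts=_ts(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), source="firewall", host=m["host"],
                 event="fw_" + m["action"].lower(), src_ip=m["src"], dport=int(m["dport"]))


def normalize(winsec=WINDOWS_SECURITY_JSON, sysmon=SYSMON_JSON, firewall=FIREWALL_LINES):
    """Parse all sources into the common schema and order them by time."""
    events = ([parse_windows_security(l) for l in winsec]
              + [parse_sysmon(l) for l in sysmon]
              + [parse_firewall(l) for l in firewall])
    return sorted(events, key=lambda e: e["ts"])


def rule_bruteforce_then_success(events, threshold=5, window_seconds=300):
    """Alert when one source IP has >= threshold failed logons inside the window
    and then a successful logon. `threshold` is the tuning knob the post talks
    about: too low and every mistyped password alerts, too high and a slow
    spray is missed. The alert is enriched with firewall denies for that IP."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        if e["event"] == "logon_failure" and e["src_ip"]:
            failures[e["src_ip"]].append(e["ts"])
        elif e["event"] == "logon_success" and e["src_ip"]:
            recent = [t for t in failures[e["src_ip"]]
                      if (e["ts"] - t).total_seconds() <= window_seconds]
            if len(recent) >= threshold:
                fw_denies = sum(1 for f in events
                                if f["event"] == "fw_deny" and f["src_ip"] == e["src_ip"])
                alerts.append({"rule": "bruteforce_then_success", "host": e["host"],
                               "user": e["user"], "src_ip": e["src_ip"],
                               "failures": len(recent), "fw_denies": fw_denies})
    return alerts


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def rule_office_spawns_shell(events):
    """Alert on an Office application starting a scripting host or shell."""
    return [{"rule": "office_spawns_shell", "host": e["host"], "user": e["user"],
             "parent": e["parent"], "image": e["image"]}
            for e in events if e["event"] == "process_create"
            and e["parent"] in OFFICE_APPS and e["image"] in SHELLS]


def run_detections(events, bruteforce_threshold=5):
    return (rule_bruteforce_then_success(events, threshold=bruteforce_threshold)
            + rule_office_spawns_shell(events))


if __name__ == "__main__":
    evts = normalize()
    for thr in (3, 5):  # same data, two tunings, different alert counts
        alerts = run_detections(evts, bruteforce_threshold=thr)
        print(f"threshold={thr}: {len(alerts)} alert(s)")
        for a in alerts:
            print("  ", a)
```

Running it with the constructed data yields two alerts at threshold 3 (the logon alert, carrying the two firewall denies seen from the same address, plus the Office-to-PowerShell process alert) but only the process alert at threshold 5, which is the tuning trade-off in miniature: the rule logic is the easy part, deciding what counts as an alert for a given environment is the ongoing work the post attributes to a SIEM.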
Looking for a clear cut comparison between three but google inundates me with unhelpful marketing nonsense.
Also what’s a practical reason a business would switch from one *DR to another *DR?
Hey everyone,
I work as a junior security engineer at a sports clinic with a headcount of about 1,600 people in the Midwest. Currently, I'm the only security person on the team along with our deputy CISO, and I’ve been tasked with bringing in a SIEM (as well as MDR) solution for our org. We do work with an MSP for SOC but we want to build out our own space as well.
We’ve been looking at the usual big names in the space like Crowdstrike, Rapid7, ArcticWolf, and Splunk. However, as someone with limited experience in rolling out security products for an organization, I'm not entirely sure what I should be focusing on or what questions I should be asking these vendors during scoping calls.
It’d be super helpful if anyone here can share what kind of questions you asked or what things I should absolutely be looking for in a SIEM and MDR solution.
Also, if any of you have worked with these vendors (or others), it’d be great to hear about your experiences and what you would recommend. If you’ve worked with a similar-sized company or had to wear multiple hats like I am, any advice would be much appreciated!
Thanks in advance, I’m excited to learn from all your experiences.
TLDR: Junior security engineer tasked with selecting a SIEM and MDR solution for a 1,600-person clinic. Looking for vendor recommendations (Crowdstrike, Rapid7, ArcticWolf, Splunk) and key questions to ask during scoping calls. Any advice or experience would be greatly appreciated!
Using Alert Logic right now, which alerts us 3 days after an incident has occurred. Can anyone recommend any alternatives? Our company is small and I’m the only sec engineer, so I don’t think a SIEM is feasible for us.
Should EDR/MDR/XDR solutions be a separate entity from a SIEM service? Are there solutions that integrate both?
We are also looking for an EDR. We were recently approached by Huntress, but it seems it can't monitor network devices for security events and doesn't capture and retain long-term log data to do analysis over the long run, which seems like a serious drawback.
In my experience all SIEM services, including EDR or MDR, should work together as one. Some services offer this approach, others don't. Datto Secure Edge is one of the few that we've seen and trialed that has this integration as its core mission.