Guest Column | June 6, 2022

How Next-Gen SIEM Technology Can Increase Operational Efficiency For MSP Customers

By Sanjay Raja, Gurucul

Over the past few years, more and more Managed (Security) Service Providers (MSPs or MSSPs) have begun offering threat detection and response services to their customers. In fact, according to recent research, the managed security services provider market grew between 12 percent and 15 percent annually in 2020 and 2021 (nearly twice the CAGR of the overall managed IT services market), due in large part to more service providers offering managed detection and response or extended detection and response services. But not all Security Information and Event Management (SIEM), Extended Detection and Response (XDR), and Managed Detection and Response (MDR) solutions are created equal, and not all are a good fit for the MSP use case. MSPs looking to offer these types of services will need to be strategic about which vendors they choose to work with and how they roll out these new offerings.

Because of the nature of their business, MSPs are laser-focused on three primary areas: time to value, rapid monetization, and improving operational efficiency. Security vendors often focus on how their products improve security for users and struggle to clearly articulate how they perform in those areas. For example, one key distinction MSPs should be aware of is the difference between SIEM and next-generation SIEM products. Next-gen SIEM solutions tend to have more advanced automation and threat detection capabilities that make them a better fit for the MSP use case.

In this article, I’d like to explain some of the key features of threat detection products and how they align with the three primary areas of concern for MSPs. This in turn should help them make more informed decisions when selecting a vendor.

The first area is time to value. The faster a SIEM or threat detection solution can be deployed, the sooner it becomes useful to an MSP. Cloud/SaaS offerings typically deploy faster than their physical hardware counterparts and tend to be a better fit for the MSP use case. And the more out-of-the-box integrations a SIEM product has, the sooner it can automate threat detection, prioritize and gather the necessary context for investigations, and support risk-driven response automation, regardless of the skill level of the security analysts on the team. Another important consideration is a product's ability to ingest any form of asset and application data (known, unknown, proprietary, structured, and unstructured) out of the box, without customization. When selecting SIEM products, MSPs should weigh all of these factors.

The next area of importance is rapid monetization. This breaks down into two questions. First, how quickly can new users be provisioned and brought online? And second, how well does the product's pricing structure match the MSP's own pricing structure? Products with strong pre-built libraries of threat detection and machine learning models can immediately begin scanning traffic, detecting threats, and providing value. The smaller the library, and the more customization required, the longer it will take to get a user up and running and monetized. Assessing how well a threat detection product will perform in this regard often requires digging into its threat detection capabilities (opening that black box) and seeing how robust its library of models is. Consider asking the vendor whether their analytics are open, transparent, and customizable. If the analytical models are open, MSPs may be able to offer additional services built on custom models for specific customers.

There is no doubt MSPs prefer solutions and licensing models that match their billing and recurring revenue goals and measurements. A mismatch in pricing structure creates a lot of unnecessary headaches for the MSP when pricing out solutions and when forecasting future scalability and growth. For example, many MSPs charge based on assets under management. If their SIEM provider also charges based on "managed" assets or assets/applications ingested, then quotes and billing are easy and predictable. If the SIEM charges based on assets and users, then the MSP can choose which way to bill (some might appreciate the extra flexibility). On the other hand, if the SIEM charges based on data use, the costs can fluctuate widely and escalate rather quickly, even if the number of users and assets stays constant. The MSP would then be forced either to pass those costs along to the customer, who probably won't appreciate the sudden increase in charges, or to absorb them and further squeeze its own margins. For this reason, SIEMs that charge based on data use are often not a good fit for MSPs.

Finally, the last key area is improving operational efficiency. Anything a threat detection solution can do to make management more efficient will be attractive not only to the MSP but also to their end customer. For example, high-quality alerting is key because it reduces the number of false positives that the MSP or customer needs to investigate manually. Automating deployment tasks or responses to threats is also beneficial (which requires that the threat detection solution have a very low rate of false positives, since an automated response to a false alarm does real harm). Furthermore, having a consolidated view of multiple clouds and data from security sources on a single screen, or as few screens as possible, can also be ideal for MSP and customer management. The more the user needs to switch screens or products during investigations and when setting up response workflows, the less efficient they'll be. When asking about operational efficiency, MSPs should focus their questions on automation capabilities, consolidation, and how the product drives down false-positive rates.

Because MSPs can have hundreds of subscribers (and they service them with a team no larger than that of a standard enterprise), the ability to scale and maximize margins per customer to fuel growth is crucial. Any efficiency gain per customer that a product can offer, no matter how small, will help. That's why the improved threat detection and lower rates of false positives in next-gen SIEM products can be such a good fit for MSPs looking to drive more revenue.

The final tip I'll leave you with is around security features and why they matter. First, improved security (i.e., the addition of new services or capabilities) can help improve "stickiness" within an MSP's customer base. If a customer likes the better protection or better customized reporting around risk, compliance, remediation guidance, etc. that a certain piece of tech provides, they're more likely to stay with that MSP. Since there are few other barriers to prevent a customer from switching to another MSP, every little bit of stickiness helps. Second, unique features that allow MSPs to create a new revenue opportunity (like log monitoring or vulnerability scanning) are attractive if they're already packaged and MSP/customer ready. If the vendor needs to work with the MSP to create this offering from scratch, it's been my experience that neither party has the resources to accomplish this quickly (or at all).

As threat detection solutions like SIEM continue to get more advanced, MSPs have an opportunity to fill the skills and resource gap and be a trusted advisor to customers. When done correctly, MSPs can increase revenue for themselves, while driving down the cost for customers. This creates a win-win for the entire security ecosystem as we work together to protect against attackers.

About The Author

Sanjay Raja, VP of Product Marketing at Gurucul, brings over 20 years of experience in building, marketing, and selling cyber security and networking solutions to enterprises, small-to-medium businesses, and managed service providers. Previously, Sanjay was VP of Marketing at Prevailion, a cyber intelligence startup. Sanjay has also held several leadership roles in Marketing, Product Strategy, Alliances, and Engineering at Digital Defense (acquired by Help Systems), Lumeta (acquired by Firemon), RSA (Netwitness), Cisco Systems, HP Enterprise Security, Crossbeam Systems, Arbor Networks, Top Layer Networks, Caw Networks (acquired by Spirent Communications), Nexsi Systems, 3Com, and Cabletron Systems. Sanjay holds a B.S.EE and an MBA from Worcester Polytechnic Institute. Sanjay is a CISSP and is Pragmatic Marketing certified.