"The Ten Commandments"
Ten tips for buying managed SIEM-SOC solutionThe Ten Commandments"
Organizational need - check your needs. Do you need SIEM for regulatory compliance monitoring or for strengthening your network security posture and providing an additional, valuable layer of defense to the critical assets against attacks
SIEM Products - Most of the market-leading products are identical in sense of their capabilities. The difference is in the price range. Therefore, what is most important to check is the skilled Analyst in the SOC monitoring the events and deliverables you get from the MSP service
Reports & Dashboards - It is important to check whether the reports you receive are automated by the SIEM or custom-made by Analysts, especially for your requirements. In addition, check if you receive access to the SIEM and which Dashboards you can view? will the MSP create any Dashboard you desire?
Rules and Correlation - Every SIEM system comes with vendor "out of the box" rules. It is important to check if the MSP creates customized rules for your organization based on your corporate policy, traffic flow, architecture and etc.
SIEM Integration - Different products may not be compatible and be able to integrate easily with the SEIM. Does the MSP have the capabilities and knowledge to parse products in the SIEM? Also, can the SIEM integrate with your cloud services?
Weekly Updates\Reports - Does the reports include information about the posture of information security in the organization, or whether the MSP only updates when a high severity security- cyber event is identified
Alerts (false alerts) – Analysts are investigating the alerts and related events to check if the alert is false prior to the SOC contacting you or if the SOC\SIEM sends alerts automatically? in addition what kind of alerts do you want to receive? Do you receive separate alerts on network operations that change regulatory compliance guidelines? Or only high severity alerts?
SIEM environment- are you interested in a separate, private environment or a multi-tenancy environment (shared with additional consumers—on the same server). It is important since the price of the monthly SIEM service will be affected by the chosen environment.
SIEM Location- Is there an influence on the geographic location of the SIEM system? (collected logs database location)
Incident response- It is advisable to check if the MSP has an Incident Response team to provide support and immediate response to cyber security incidents as well as to check the SLA for the response time.