"The Ten Commandments"
Ten tips for buying a managed SIEM/SOC solution
Organizational need - Check your needs first. Do you need a SIEM for regulatory compliance monitoring, or to strengthen your network security posture and add a valuable layer of defense for your critical assets against attacks? The answer determines which log sources, rules, retention period and reports you should ask for.
SIEM products - Most market-leading products are broadly comparable in their capabilities; the main difference is price. What matters most, therefore, is the skill of the analysts in the SOC who monitor the events, and the deliverables you actually receive from the MSP service.
Reports & dashboards - Check whether the reports you receive are generated automatically by the SIEM or built by analysts for your specific requirements. Also check whether you get access to the SIEM itself, which dashboards you can view, and whether the MSP will build any dashboard you ask for.
Rules and correlation - Every SIEM ships with vendor "out of the box" rules, which know nothing about what is normal in your environment. Check whether the MSP writes customized rules for your organization based on your corporate policy, traffic flows, architecture and so on.
SIEM integration - Not every product has a ready-made parser, and some will not integrate easily with the SIEM. Does the MSP have the capability and knowledge to build parsers for your products so that their logs are normalized in the SIEM? Also, can the SIEM ingest logs from your cloud services?
Weekly updates / reports - Do the reports describe the overall information security posture of the organization, or does the MSP only contact you when a high-severity security or cyber event is identified?
Alerts (false positives) - Do analysts investigate each alert and its underlying events to rule out false positives before the SOC contacts you, or does the SOC/SIEM forward alerts automatically? Also decide which alerts you want to receive: separate alerts on network changes that affect your regulatory compliance, or only high-severity alerts?
SIEM environment - Do you want a separate, private environment or a multi-tenant environment shared with other customers on the same server? This matters because the monthly price of the SIEM service depends on the chosen environment, as does the degree to which your logs are isolated from other tenants.
SIEM location - Does the geographic location of the SIEM system (where the collected-log database is stored) matter to you, for example because of data protection or data residency requirements?
Incident response - Check whether the MSP has an incident response team that provides support and immediate response to cyber security incidents, and check the SLA for the response time.
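As an added example (not part of the original page and not any vendor's code), the following Python shows concretely what the "parsing", "customized rules" and "false positives" tips above refer to. Two constructed log formats from hypothetical products (a key=value firewall line and a cloud audit JSON event) are normalized into one schema, a generic vendor-style rule is compared with one tuned to a hypothetical corporate policy (admin access only from the 10.0.9.0/24 jump-host subnet), and alerts from both sources are correlated by source IP. All hostnames, addresses, user names and log lines are assumptions.

```python
import json
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Constructed sample input (hypothetical products, not real logs): a firewall
# that emits key=value lines and a cloud service that emits JSON audit events.
FIREWALL_LOGS = [
    "2024-03-01T02:14:07Z fw01 action=allow src=203.0.113.10 dst=10.0.5.20 dport=22 user=-",
    "2024-03-01T02:14:09Z fw01 action=allow src=10.0.9.4 dst=10.0.5.20 dport=22 user=-",
    "2024-03-01T02:15:00Z fw01 action=deny src=198.51.100.7 dst=10.0.5.20 dport=3389 user=-",
]
CLOUD_EVENTS = [
    '{"eventTime":"2024-03-01T02:16:00Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.10",'
    '"userIdentity":{"userName":"admin"},"responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventTime":"2024-03-01T02:17:00Z","eventName":"ConsoleLogin","sourceIPAddress":"10.0.9.4",'
    '"userIdentity":{"userName":"admin"},"responseElements":{"ConsoleLogin":"Success"}}',
]


@dataclass
class Event:
    """Normalized schema: every product is parsed into these same fields."""
    ts: str
    source: str                 # which product produced the event
    action: str                 # allow / deny / login / login_failed
    src_ip: str
    dst_port: Optional[int] = None
    user: Optional[str] = None


KV = re.compile(r"(\w+)=(\S+)")


def parse_firewall(line: str) -> Event:
    """Parser for the key=value firewall format: timestamp, host, then fields."""
    ts, _host, rest = line.split(" ", 2)
    f = dict(KV.findall(rest))
    user = None if f.get("user") == "-" else f.get("user")
    return Event(ts, "firewall", f["action"], f["src"], int(f["dport"]), user)


def parse_cloud(line: str) -> Event:
    """Parser for the JSON cloud audit format."""
    e = json.loads(line)
    ok = e.get("responseElements", {}).get("ConsoleLogin") == "Success"
    return Event(e["eventTime"], "cloud", "login" if ok else "login_failed",
                 e["sourceIPAddress"], None, e["userIdentity"]["userName"])


def normalize() -> list[Event]:
    return [parse_firewall(l) for l in FIREWALL_LOGS] + [parse_cloud(l) for l in CLOUD_EVENTS]


ADMIN_PORTS = {22, 3389}
# Hypothetical corporate policy: administrative access only from the jump-host subnet.
ADMIN_SUBNET = ip_network("10.0.9.0/24")


def ootb_rule(ev: Event) -> Optional[str]:
    """Vendor-style generic rule: fires on every permitted admin connection and every console login."""
    if ev.source == "firewall" and ev.action == "allow" and ev.dst_port in ADMIN_PORTS:
        return "admin protocol allowed"
    if ev.source == "cloud" and ev.action == "login":
        return "console login"
    return None


def custom_rule(ev: Event) -> Optional[str]:
    """Same conditions, tuned to the policy: expected jump-host activity is not an alert."""
    reason = ootb_rule(ev)
    if reason and ip_address(ev.src_ip) not in ADMIN_SUBNET:
        return reason + " from outside admin subnet"
    return None


def run(rule: Callable[[Event], Optional[str]]) -> list[tuple[str, str, str]]:
    """Return (src_ip, source, reason) for every normalized event the rule fires on."""
    alerts = []
    for ev in normalize():
        reason = rule(ev)
        if reason:
            alerts.append((ev.src_ip, ev.source, reason))
    return alerts


def correlate(alerts: list[tuple[str, str, str]]) -> list[str]:
    """Correlation across products: a source IP alerted on by more than one source is escalated."""
    by_ip: dict[str, set[str]] = {}
    for ip, source, _ in alerts:
        by_ip.setdefault(ip, set()).add(source)
    return sorted(ip for ip, sources in by_ip.items() if len(sources) > 1)


if __name__ == "__main__":
    for name, rule in (("out of the box", ootb_rule), ("custom", custom_rule)):
        alerts = run(rule)
        print(f"{name}: {len(alerts)} alerts, escalated: {correlate(alerts)}")
```

On this sample the generic rule raises four alerts and escalates both the attacker and the organization's own jump host; the policy-aware rule raises two and escalates only the external address that was both permitted through the firewall and then logged into the cloud console. That gap is what the analysts' triage work is absorbing when an MSP runs out-of-the-box rules only, so ask a prospective MSP to show the equivalent parsers and tuned rules for your own log sources.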