Can I replace my SIEM with MDR?

There is a lot of confusion between MDR (Managed Detection and Response) and SIEM (Security Information and Event Management). You may be wondering about the difference and whether you can replace your SIEM with an MDR. It becomes even more confusing when a vendor throws in the term MSS (Managed Security Service), and rightly so, as technically a managed SIEM and an MDR are both Managed Security Services.

So let’s start with a basic understanding of each. A SIEM collects logs from all sorts of devices on your network and uses a computer program to correlate these logs and attempt to identify attacks. A SIEM has the added benefit of detecting misconfigurations and operational deficiencies because it casts a wide net: if the human monitoring the SIEM spots anomalies (assuming they are trained to do so), they can discover issues such as routing loops or sinkholes, etc. A managed SIEM is a SIEM that is monitored for you by a third party, often referred to as an MSSP (Managed Security Service Provider).


MDR is a threat detection tool that utilizes an array of other tools (sometimes even a SIEM). The MDR will attempt to find the needle in the haystack, typically using machine learning and behavioral analytics as well as a human, with the goal of proactively disrupting an attack.

Both MSSP and MDR are Managed Security Services and have some crossover, especially where an MSSP utilizes machine learning and incorporates behavioral analytics to attempt to filter out false positives.

You can think of it this way: a SIEM is spraying a wide area for mosquitoes and hoping to get everything, whereas an MDR is swatting them individually after isolating which ones are the most likely to bite. An advanced, modern MSSP is trying to know about all of the mosquitoes, report on them all, and swat the ones most likely to bite.

If you are an organization that is subject to regulatory compliance requirements, it’s likely that MDRs may not measure up to them. This would have to be evaluated individually to be sure, but most compliance frameworks have not caught up with MDR as a service. Another area in compliance that can be an issue for MDR is log availability and retention. Most SIEMs will be able to collect and retain all logs, whereas MDR is trying to pinpoint meaningful logs.

So “Can I replace my SIEM with MDR?” is still a difficult question to answer, but the answer is probably not, and you probably shouldn’t. Ideally, you would use both, but if it comes down to one or the other, the managed SIEM will likely give you more bang for your buck. As time goes on, it’s highly likely that MSSPs and SIEM tools will incorporate MDR, and MDR will start to evolve to include SIEM elements.

