Small-and-medium-sized businesses (100 to 999 employees), or SMBs, can generate a lot of log data on a daily basis—and monitoring all that data for threats can feel like searching for a needle in a haystack.

Using a SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) can help businesses make sense of this noise and find threats, but there’s bad news for resource-constrained SMBs: These solutions are expensive and need dedicated staff to properly use and monitor.

Luckily, there are a few ways SMBs can reap the threat monitoring benefits of a SIEM and SOAR without paying an arm and a leg for them or having a full-on Security Operations Center (SOC). Managed Detection and Response (MDR) is one option, as are managed SIEM and SOARs, and we’ll cover both in this post.

First, let’s dive into why SOAR and SIEM are important, the differences between them, and how MDR and other services can help resource-constrained SMBs leverage SOAR and SIEM capabilities for their business.

What are SIEM and SOAR and why are they important for threat monitoring?

Both SIEM and SOAR platforms aggregate log data throughout your business’ infrastructure and monitor it for potential threats, but SOAR takes things a step further through its data enrichment and automated response capabilities.

SIEM and SOAR are both important for one big reason: logs. Many, many logs.

Logs are records of things that have happened on our systems and networks. By looking at the logs of security software such as firewalls, servers, and networking equipment, we can identify potential malicious activity. For example, if you’re looking at firewall logs and find traffic getting sent out that doesn’t look like the rest of your traffic, that could be a sign of an attacker exfiltrating data.

But firewalls alone can generate up to a terabyte of log data on a daily basis. Factor in all the disparate log data being generated by all of your operating systems, endpoints, applications, and so on, and it’s clear why doing manual log analysis isn’t an option.

In a nutshell, both SIEM and SOAR take the logs being generated by your business and present them to you in an easy-to-understand way. By filtering massive amounts of security data and prioritizing alerts, SIEM and SOAR streamline compliance reporting and improve the efficiency of handling incident activities.

SIEM vs SOAR: What’s the difference?

To better understand the differences between SIEM and SOAR, let’s take the analogy of driving a car. Let’s say you want to know the status of different parts of the vehicle—for example, tire pressure, brake fluid levels, air filter condition, and so on. 

You can think of a SIEM as being the software that takes all this data and presents it to you on your dashboard, notifying you of any potential issues. Just like how our car software can compile information about different parts of the vehicle, a SIEM can aggregate security data from across your business.

Now, let’s say our software also pulled in third-party data to get a better overall picture of our car's health. For example, what if our car referenced an updated database of common issues with our model to help troubleshoot problems?

At a high level, this is what a SOAR platform does for businesses: it enriches data with external sources, such as threat intelligence feeds and endpoint security software, in order to improve detection accuracy. Not only that, but SOAR can also immediately take action on alerts, which could include automatically isolating compromised endpoints before threats can proliferate.

SIEMs are not a replacement for SOARs, and SOARs are not a replacement for SIEMs: The two are actually great complements of one another. SIEM platforms identify potentially anomalous activity, and SOAR platforms contextualize those alerts and apply automated remediation measures as necessary.
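As an added illustration (not code from the original post), here is a miniature of the division of labour just described, run over constructed firewall egress log lines: the SIEM step aggregates bytes out per host and flags outliers against the peer median, and the SOAR step enriches each alert against a hypothetical threat-intel list and picks a playbook action. All hosts, destinations and the intel entry are constructed sample values.

```python
from collections import defaultdict
from statistics import median

# Constructed sample firewall egress logs, one "src_ip dst_ip bytes_out" per line.
SAMPLE_LOGS = """\
10.0.0.5 203.0.113.10 1200
10.0.0.6 203.0.113.10 1500
10.0.0.7 203.0.113.10 900
10.0.0.5 203.0.113.11 1100
10.0.0.8 198.51.100.9 85000000
10.0.0.6 203.0.113.11 1300
"""

# Hypothetical threat-intel feed: destinations with a known-bad reputation.
THREAT_INTEL = {"198.51.100.9": "known data-exfiltration infrastructure"}


def parse_logs(text):
    """Turn raw log lines into event dicts (the log collection a SIEM performs)."""
    events = []
    for line in text.splitlines():
        src, dst, nbytes = line.split()
        events.append({"src": src, "dst": dst, "bytes": int(nbytes)})
    return events


def siem_detect(events, factor=10):
    """SIEM step: total bytes out per host, then flag any host sending more than
    `factor` times the median of its peers (the 'traffic that doesn't look like
    the rest' signal described above). Returns {host: total_bytes}."""
    totals = defaultdict(int)
    for e in events:
        totals[e["src"]] += e["bytes"]
    baseline = median(totals.values())
    return {h: t for h, t in totals.items() if t > factor * baseline}


def soar_respond(alerts, events):
    """SOAR step: enrich each SIEM alert with intel on the destinations the host
    contacted, then choose a playbook action. Returns {host: {action, intel}}."""
    decisions = {}
    for host in alerts:
        dsts = {e["dst"] for e in events if e["src"] == host}
        intel = {d: THREAT_INTEL[d] for d in dsts if d in THREAT_INTEL}
        # Intel match: isolate the endpoint automatically; otherwise hand to a human.
        action = "isolate_endpoint" if intel else "open_ticket"
        decisions[host] = {"action": action, "intel": intel}
    return decisions
```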

MDR vs Managed SOAR/SIEM

Since both SIEM and SOAR offer broad security insights with options for automated remediation, it’s clear that most businesses can benefit from using them. The question is one of practicality: how can SMBs afford one or the other, let alone both? 

SIEMs and SOARs are anything but cheap or easy to use. SIEM solutions alone cost about $50,000 on average, ranging from a minimum of $20,000 to upwards of $1M. That’s before we even factor in the cost of monitoring them: A fully staffed, 24x7 team could easily cost more than $1 million.

Resource-constrained SMBs, then, will usually have to turn to a Managed SIEM/SOAR or an MDR provider. In a Managed SIEM/SOAR setup, the business contracts with a third-party service provider to host and monitor a SIEM/SOAR application on the provider’s servers.

The most basic managed SIEM providers host your SIEM/SOAR tools, manage the collection of security and event logs, and report on the results. Managed Service Providers (MSPs) are a little pricier, but offer a greater variety and level of service in addition to Managed SIEM/SOAR.

MDR is also an outsourced service, but is different from a Managed SIEM/SOAR in that MDR is not only focused on collecting and analyzing logs, but on proactive threat hunting, risk investigation, and remediation as well. Driven by a team of seasoned analysts (often also using tools such as SIEM and SOAR), MDR encompasses the advantages of both human expertise and endpoint detection and response (EDR) technology. 

In a nutshell, both MDR and Managed SIEM/SOAR solutions are simpler (and more cost-effective) than spinning up your own SIEM/SOAR solutions yourself, but MDR is arguably the better choice for SMB threat monitoring due to its ability to proactively find and respond to threats in a timely manner.

Streamlining threat monitoring and elimination for SMBs 

When it comes to threat monitoring, there's no doubt that SMBs could benefit from a SIEM/SOAR. Both of these solutions give businesses a wide look at potential threats across their infrastructure, and a SOAR even automates responses to detected malicious activity.

The unfortunate reality, however, is that the huge amount of cash needed to purchase and operate SIEM/SOAR platforms effectively prices out more resource-constrained businesses. 

Managed SIEM/SOAR services are one great option for SMBs lacking the budget and staff to operate a SOAR/SIEM round-the-clock, but these solutions take a more passive approach to threat monitoring since they only report on what has already happened on a network instead of actively searching for new threats or even remediating them as necessary.

In contrast, MDR services offer a team of professionals using an array of tools, including SIEM, SOAR, and EDR, to monitor your network 24x7 for threats. MDR takes a far more proactive approach to threat monitoring than Managed SIEM/SOAR by actively investigating risk and threats across the full spectrum of attacker activity, not just through looking at logs. By outsourcing your SOC to an MDR provider, you have access to a trained team of specialists that can triage events, remediate incidents, and perform active threat hunting, making it a much more holistic alternative for SMB security than Managed SIEM/SOAR. 
