As MSPs look to strengthen their security and compliance offerings, many EDR and MDR vendors are jumping on the SIEM bandwagon–launching products that claim to be SIEMs and promise comprehensive protection–while quietly limiting what data they collect and store.
These SIEM-ish solutions often tout simplified security logging but quietly drop up to 80% of your log data after 30 days, making their own, often uninformed decisions about what is necessary to keep. This approach might seem efficient at first glance, but it creates dangerous blind spots that can leave you and your clients exposed when you need that data most.
Perhaps worst of all, such a product falls short of true SIEM functionality yet is still labeled a SIEM. These vendors are selling SIEM solutions that aren't really SIEMs at all–they're more like selective logging tools with an identity crisis. When your clients need historical data for an investigation or audit, 'we only kept 20% of the logs' isn't an explanation anyone wants to give.
A vendor making assumptions about your needs can severely impact your ability to conduct security investigations, meet compliance requirements, process insurance claims, or perform thorough forensic analysis. This of course could impact not only your own security posture, but your clients' environments as well.
Before trusting a security solution with your clients' data, consider the following scenarios.
What happens when:
The answers to these questions reveal whether your security solution is truly a SIEM or just a selective logging tool. Make sure you understand any limitations on data collection, retention periods, and access before it's too late.
A true SIEM solution provides benefits that SIEM-like products can't match.
Total system visibility and retention gives you:
1. Better Incident Investigation
Connect Cause, an MSP serving non-profit organizations, experienced these limitations firsthand.
"Blackpoint Cyber had no SIEM or aggregation of log data that was immutable that I could go and see what had happened over the last year. It's an MDR product, but it's not collecting log data and keeping it," explains Aaron Cervasio, CISO at Connect Cause.
After switching to Blumira’s SIEM solution, the difference was immediate.
"We got alerts on a customer with plaintext password documents in their environment that [our previous solution] never alerted us to. This led to us upselling a customer on a password management service," Cervasio notes.
Capturing all logs not only improved security but also created new business opportunities.
What's more, Connect Cause found that having access to all system logs helped them prove their cybersecurity expertise.
"Since I can integrate directly with firewalls, I was getting alerted to a hacker from Moldova who was conducting password-spraying attacks on a customer's firewall. I was able to find the IP address and block the attacks completely."
This level of visibility and response simply wasn't possible with their previous limited-logging solution.
A true comprehensive security platform should provide:
Leading cyber insurance providers are now adjusting their premiums based on an organization's logging and retention capabilities. Why? Because they know that comprehensive data collection and retention significantly reduces risk. Complete logging capabilities and longer retention periods often qualify both you and your clients for better rates and coverage.
Don't let vendors decide what data is worth keeping–it's your MSP's reputation and your clients' security on the line. While solutions that limit log retention might seem cost-effective initially, they can prove extremely expensive when you need historical data that wasn't collected or was already deleted. As one MSP discovered during a security investigation, "You can't analyze what you don't have."
Ready to experience true SIEM capabilities? Sign up for Not-For-Resale (NFR) licensing and see firsthand how complete visibility can transform your managed security operations: https://info.blumira.com/nfr