{"id":683,"date":"2020-02-17T10:50:45","date_gmt":"2020-02-17T10:50:45","guid":{"rendered":"https:\/\/partnernews.sophos.com\/en-us\/?p=683"},"modified":"2021-03-11T15:15:49","modified_gmt":"2021-03-11T15:15:49","slug":"mtr-or-siem","status":"publish","type":"post","link":"https:\/\/partnernews.sophos.com\/en-us\/2020\/02\/products\/mtr-or-siem\/","title":{"rendered":"MTR or SIEM \u2013 Tell me what you want, what you really, really, want\u2026"},"content":{"rendered":"

Most of the time when a customer is asking for a SIEM, really they just want a way to detect threats across their environment, and they think SIEM is the only way to achieve this. It\u2019s not, and for many customers, Sophos MTR makes much more sense.<\/p>\n

A few customers I\u2019ve spoken with recently are considering buying a SIEM or an SIEM service. With a bit of probing about what they\u2019re trying to achieve, we\u2019ve got them interested in Sophos MTR as an alternative.<\/p>\n

Security Incident and Event Management systems, or SIEM, have been around for a long time. Many IT managers are under the misconception that SIEM is the only way to get a complete view of what\u2019s happening on their network.<\/p>\n

An SIEM takes alert data from firewalls, endpoints, switches and other sources and tries to make sense of these alerts to detect attacks. However, this alerts-based approach is slow, unreliable, and prone to \u201calert fatigue.\u201d A lot of time and effort is required to manage, configure, and tune an SIEM. Even if the SIEM detects an attack, someone still needs to respond to the threat. And don\u2019t forget, an SIEM doesn\u2019t replace endpoint protection. Our customers will still need Intercept X on their servers and PCs.<\/p>\n

Sophos Managed Threat Response (MTR) offers a better option for your customer to respond to threats across their network. If your customer is already using Sophos Intercept X and Endpoint Detection and Response (EDR) there\u2019s no additional software to install, configure, or tune. MTR augments Sophos\u2019 Intercept X and EDR with osquery to build a searchable SQL database of every computer OS in your environment.<\/p>\n

The Sophos MTR team regularly executes scheduled queries on every endpoint to capture useful data to detect and investigate threats. Live queries can also be executed to return information immediately from the endpoint for threat hunting, incident response, and investigations.<\/p>\n

The MTR team reviews details on detections, endpoint-related information, and checks to see if the detection was seen on other endpoints. They can see detailed information about what was executed, allowing for further investigation into the pid, parent process, and relevant hashes.<\/p>\n

\"\"
Above \u2013 a sample Sophos Managed Threat Response Report<\/figcaption><\/figure>\n

 <\/p>\n

Furthermore, unlike with SIEM, the MTR team will respond, 24 hours a day, 7 days a week. They can:<\/p>\n