39.1 Understanding MSSP Models

Tenants host the Sentinel infrastructure in their own datacenter, but the MSSP monitors that implementation from their own SOC. This model provides greater flexibility for tenants by letting them control their own Sentinel instance, but get the benefit of expert monitoring from the MSSP.

Figure 39-1 SOC Outsourcing Model

Tenants host data collection nodes (typically Collector Managers) in their environment, but all the data is forwarded to the MSSP's SOC. The MSSP SOC hosts the Sentinel implementation. The benefit in this model is that tenants can collect data more thoughtfully and securely while leveraging compression and encryption facilities offered by Sentinel while transmitting events over the network to the MSSP SOC.

Figure 39-2 Hybrid Model

In the Sentinel as a Service (SaaS) or Cloud model, tenants forward the event data to the MSSP. The MSSP hosts all Sentinel components, including the Collector Managers. The key benefit is that there is less impact on the tenant environment and the tenant does not need to host any hardware or software. However, tenants should take special measures to ensure that events are transmitted securely to the MSSP.

In an MSSP environment, multiple tenants can deliver data to a single Sentinel instance. Alternatively, the MSSP can also dedicate a Sentinel instance to each tenant.

Figure 39-3 Full SaaS or Cloud Model