Is SIEM Punishing You for Your Security Best Practices?
By: Justin Davis, Senior Systems Engineer
If you’re using SIEM, you may see it as a necessary component of your overall security strategy. If you’re not, you may be considering it.
But given how important it is that you get maximum value out of your limited budget for software and staff, you may want to opt out of the SIEM money-drain—because SIEM may actually punish you financially for embracing best practices in cybersecurity.
High, Unpredictable Costs
Let’s be clear about one thing first. When SIEM solutions first came onto the market, they served an important purpose. Security teams needed a single, aggregated repository for their security-related event data. That repository provided everyone with a single version of the truth — and was invaluable for threat investigations, as well as compliance reporting.
The primary problem with SIEM, however, is its licensing structure. Because SIEMs are primarily data repositories, their licensing costs are based on how much data you store — which, in turn, is a function of how much data you collect and how long you retain it.
The problem is that it’s good to collect more data. Effective threat detection depends on it. So SIEM punishes you for doing exactly what you’re supposed to do.
It’s also good to retain your data for at least several months. After all, it’s a proven fact that stealthy threat actors can dwell in large, complex environments for quite a long time. So if you start dumping data prematurely to save money, you could be missing out on some very important forensic “breadcrumbs” that will help you root out a dangerous APT.
Plus, as your environment grows, so does the amount of security-related data you need to capture and retain. SIEMs essentially levy a sort of “tax” on your organization’s growth.
Just as problematically, increases in your SIEM licensing costs are virtually impossible to predict. That unpredictability can wreak havoc with your budget allocation over the course of the coming quarters.
And those are just licensing costs. SIEMs also cost you a lot of person-hours. They are not a low-TCO technology — especially if you host them on premises. You have to troubleshoot uptime and performance issues, execute periodic software upgrades, continually integrate new data sources, and write new detection and reporting rules.
So you have to ask yourself: Is SIEM really where I want to allocate my limited budget? Is that high, unpredictable expenditure actually going to help me keep my organization as safe as some of the other investments available to me?
The MDR alternative
A smarter decision in terms of both finances and security effectiveness may be to retire your SIEM — or avoid a SIEM acquisition altogether — in favor of managed detection and response (MDR).
- Better value. MDR provides data aggregation capabilities on top of and bundled with the functionality you need most to keep your organization safe: endpoint detection, network and cloud detection, alerting and escalation, response automation, etc. It’s much more useful in resisting and repelling threat actors.
- Lower TCO. MDR is much easier to implement and requires far less ongoing labor than SIEM. In fact, as a managed service, MDR enables you to reduce or reallocate your budget for both technology and staff.
- Greater predictability. Because MDR is typically priced on a per-device basis, its costs are far more predictable than SIEM’s. Plus, you can have a fixed period of data retention written right into your MDR contract.
- Bundled access to expertise. Unlike SIEM, MDR (or, perhaps more accurately, MDR from the right MDR partner) gives you on-demand access to security expertise. That expertise can be absolutely critical when dealing with an active, sophisticated attack.
- Continuous improvement. Built into your engagement with an MDR partner (again, assuming it’s the right one) is ongoing delivery of new detectors and fine-tuning of alert thresholds based on the latest threat data. Over time, what that means for you is increasingly more reliable detection, fewer false positives, and the ability to stay current with evolving threat actor TTPs.
You can, of course, also opt for XDR (extended detection and response that you deploy and manage yourself) if you so choose. But given the current combination of intensifying threat activity, expanding threat surfaces, and cybersecurity budgets that are not growing in proportion to either, we strongly recommend going the MDR route. You’ll get better value, a more predictable cost structure, and faster access to the expertise you need, when you need it.
Most important of all, you won’t get financially penalized for doing your job correctly!