Security information and event management, or SIEM, has become part of the vocabulary of every organization. SIEM solutions gather events from multiple systems and analyze them—both in real time and through historical data. SIEM costs—as cyber security costs in general—can be high, but there is a tradeoff if you opt for the FOSS route (free and open source solutions).
This blog post will provide you with an understanding of the tradeoffs between building your own SIEM from open source tools on the one hand, and on the other adopting a commercial solution. As always, we will start by describing the key characteristics that can be expected from a modern SIEM.
By correlating information from multiple data sources, a SIEM solution enables threat detection, security incident management, and visibility across multiple systems. The term SIEM is not new, and these security solutions have existed since the early 2000’s. However, cloud technologies and the SaaS business model have forced SIEMs to change. Today’s SIEMs must cope with vast amounts of data, take advantage of cloud elasticity, and expand security intelligence capabilities using AI and machine learning.
Building Your Own SIEM
Building your own SIEM solution has always been a popular option. Commercial SIEM solutions were originally incredibly expensive and designed to serve big enterprise organizations. In contrast, there were some open source projects that, when combined, let engineers assemble their own DIY SIEM solutions to perform security analytics. While these solutions were not as high quality as the commercial ones, they were economical and mostly effective ways to get the job done.
Things are different today. Commercial SIEM solutions are much more affordable and often follow a pay-as-you-go model—or, better yet, a pay-as-you-grow model—with prices varying based on the amount of data ingested and stored. At the same time, there has been significant progress with open source tools for SIEM and security analysis. This can contribute mightily to your cost efficiency. Their maturity, combined with a growing Open Source Social Network Intelligence (OSSINT) community and the frequent sharing of security information among organizations, makes using open source tools a viable alternative.
A popular choice for organizations taking their first steps towards SIEM solutions is adopting the ELK stack (Elasticsearch, Logstash and Kibana) as a baseline for building their own solutions. This is an interesting and valid approach, since the ELK stack is designed to ingest a large volume of event data and offers a great way to visualize and explore that data.
Unfortunately, however, operating your own ELK stack doesn’t provide you with much-needed security intelligence. Despite being an open source technology, this option also comes with a cost—the maintenance efforts required to operate such a cluster. In fact, adoption of any of the available open-source SIEM solutions comes with inherent operational costs, both from human resources and infrastructural standpoints, since you obviously won’t have the option of a pay-as-you-go or subscription model.
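The "security intelligence" that a raw log store does not give you is, at its simplest, correlation logic: a rule that joins events from several sources into one finding. The following Python example, added here and not part of the original post or of any ELK component, shows what such a layer has to do on top of ingestion. It normalizes two constructed log fragments (a hypothetical VPN gateway and a Linux sshd log, with an assumed year for the year-less syslog lines) into one schema, then applies a single rule: a burst of authentication failures for a user from one address, seen on any source, followed by a success. Source names, addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample events for the example (not real logs). Each source has
# its own format, which is exactly why a SIEM normalizes before correlating.
VPN_LOG = """\
2024-03-01T09:00:01Z vpn-gw auth=fail user=alice src=203.0.113.7
2024-03-01T09:00:04Z vpn-gw auth=fail user=alice src=203.0.113.7
2024-03-01T09:00:09Z vpn-gw auth=fail user=alice src=203.0.113.7
2024-03-01T09:30:00Z vpn-gw auth=ok user=bob src=198.51.100.2
"""

HOST_AUTH_LOG = """\
Mar  1 09:00:20 web01 sshd[1201]: Failed password for alice from 203.0.113.7 port 50122 ssh2
Mar  1 09:00:23 web01 sshd[1201]: Accepted password for alice from 203.0.113.7 port 50122 ssh2
Mar  1 09:31:00 web01 sshd[1302]: Accepted publickey for bob from 198.51.100.2 port 40011 ssh2
"""

# Classic syslog lines carry no year; the example assumes one for parsing.
ASSUMED_SYSLOG_YEAR = 2024


@dataclass(frozen=True)
class Event:
    """Common schema every source is mapped into before correlation."""
    ts: datetime
    source: str
    user: str
    src_ip: str
    success: bool


VPN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)
SSH_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_vpn(text):
    """Map the hypothetical VPN gateway format into Event records."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not silently mis-tagged
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["host"], m["user"], m["ip"], m["result"] == "ok"))
    return events


def parse_ssh(text, year=ASSUMED_SYSLOG_YEAR):
    """Map sshd syslog lines into Event records (year supplied by the caller)."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["host"], m["user"], m["ip"], m["result"] == "Accepted"))
    return events


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Flag (user, src_ip) pairs with >= threshold failures inside `window`
    followed by a success, no matter which source recorded each event."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.user, e.src_ip)].append(e)

    alerts = []
    for (user, ip), evs in by_key.items():
        recent = deque()  # failures still inside the window, oldest first
        for e in sorted(evs, key=lambda x: x.ts):
            while recent and e.ts - recent[0].ts > window:
                recent.popleft()  # expire failures that fell out of the window
            if not e.success:
                recent.append(e)
                continue
            if len(recent) >= threshold:
                alerts.append({
                    "user": user,
                    "src_ip": ip,
                    "failures": len(recent),
                    "sources": sorted({f.source for f in recent} | {e.source}),
                    "succeeded_at": e.ts.isoformat(),
                })
                recent.clear()  # one alert per burst, not one per later success
    return alerts


def run_demo():
    """Normalize both constructed sources and run the correlation rule."""
    return correlate(parse_vpn(VPN_LOG) + parse_ssh(HOST_AUTH_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Neither source on its own crosses the threshold (three failures on the VPN gateway, one on the host), and the eventual success is recorded only by the host; the finding exists only because both feeds were normalized into one schema and evaluated together. Keying on user and address, expiring failures by time, and clearing the window after an alert are the details that keep a rule like this from drowning an analyst in duplicates, which is the "recommendations that don't get lost in false positives" point that a raw log cluster leaves entirely to you.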
Understanding a SIEM’s Total Cost Of Ownership
It’s critical to understand the costs involved in adopting and operating a SIEM solution before making a decision about whether or not to implement one. The following two questions will help you assess your potential expenditures.
CAPEX or OPEX?
CAPEX, or capital expenditure, is an up-front investment made by an organization. This includes things like purchasing hardware servers to run a SIEM solution and paying for storage of the company data. This often-large investment depreciates over time and needs to be taken into consideration when doing annual accounting.
In contrast, OPEX, or operational expenditure, is an ongoing cost that a company incurs: personnel, software licenses, monthly cloud bills, etc. These do not create the accounting complexity associated with capital expenditures.
FOSS/DIY or Managed SIEM Solutions?
When weighing different commercial managed SIEM solutions against FOSS options, it is important to assess the real costs associated with each.
If you go the do-it-yourself route, you need to take into account the time required to 1) install, 2) integrate, and 3) continuously operate the required underlying infrastructure. If you do this in your own data center, you will also need to include the necessary hardware investment (i.e., the CAPEX). Purchasing an on-premises commercial product and having that in your data center will have the same up-front investment requirement. As a result, you'll want to select a good SIEM solution that can work in the cloud and reap its benefits.
Using a cloud provider for the infrastructure is a great way to keep your cost structure lean and to deploy a SIEM solution without making an infrastructure investment. This cost can be treated as a regular operational expenditure (OPEX).
Both scenarios require you to operate the infrastructure on a daily basis, which can become challenging as your data size grows and the amount of data you process increases. Fully managed SaaS solutions run infrastructure operations for you with flexible pay-as-you-go models that are often priced based on 1) the amount of data stored, 2) the amount of data ingested, and/or 3) the number of devices connected. In a corporation where a lot of systems are connected to the SIEM solution and a huge volume of data is processed, removing infrastructure maintenance from your plate is both an enormous relief and a cost-saving strategy.
Additionally, the personnel that use the SIEM solution, that monitor events, and that react to alerts create another expense that needs to be accounted for. These processes are often handled by a security team in a security operations center (SOC). This is something that you may either establish yourself in your own organization or purchase as a service from some commercial SIEM solution provider.
There is no one-size-fits-all SIEM solution, making it vital to know the benefits and tradeoffs of the available options, then decide which is the right fit for your organization.
What Can You Expect from a Modern SIEM Solution?
While the costs of a SIEM solution and the nature of its operational model are key elements in your decision, the technical capabilities of the solution you choose are just as important. At a bare minimum, your modern SIEM solution should meet the security and compliance requirements your organization works with, and it should have the capacity to handle your potential data growth over time. A cloud-based solution is ideal because it is capable of offering the necessary elasticity and availability out of the box.
Having great security capabilities can really set a solution apart from the competition. The next generation of SIEM solutions will embrace concepts such as User and Entity Behaviour Analytics (UEBA) and integrate third-party cyber security event feeds. This combination can provide threat analysts and other security personnel with key advantages in both threat hunting and incident response by allowing them to correlate their organization’s data with real-world security intelligence.
With the number of systems and devices in an organization constantly increasing, an effective SIEM solution must offer good visibility into current operations and make recommendations that don’t get lost in false positive notifications. Similarly, the vast amount of data being collected in the SIEM makes it necessary to have a solution that includes good data exploration and analysis tooling that leverages the potential of your existing available data.
There are many factors that should be considered when deciding which SIEM solution your organization should adopt. While modern technical functionalities can typically be found in both commercial products and open-source projects, there are multiple costs—some of them hidden—involved in doing SIEM and security analytics on your own. Building your own solution often involves combining one or more open source projects and deploying an entirely separate infrastructure to support current and future growth. At the end of the day, you need to ask yourself if “free and open source” is really all that “free.” If not, a cloud-based SIEM solution can quickly add value and save you a lot of time.