Security information and event management, or SIEM, has become part of the vocabulary of every organization. SIEM solutions gather events from multiple systems and analyze them—both in real time and through historical data. SIEM cost management—given high cyber security costs in general—can be difficult. But there is a tradeoff if you opt for the FOSS route (free and open source solutions).
This blog post will give you an understanding of the tradeoffs between building your own SIEM from open source tools on the one hand and adopting a commercial solution on the other. As always, we will start by describing the key characteristics to expect from a modern SIEM.
By correlating information from multiple sources, SIEMs detect threats, manage security incidents, and provide cross-platform visibility. The term SIEM isn’t new, and these security solutions have existed since the early 2000s. However, cloud technologies and the SaaS business model have forced SIEMs to change. Today’s SIEMs must cope with vast amounts of data, take advantage of cloud elasticity, and expand their security intelligence capabilities using AI and machine learning.
Building Your Own SIEM
Building your own SIEM solution has always been a popular option. In the past, commercial SIEM solutions were incredibly expensive and designed to serve big enterprise organizations. In contrast, there were some open source projects that, when combined, let engineers assemble their own DIY SIEM solutions to perform security analytics. While these solutions weren’t of the same quality as commercial ones, they were economical and, in practice, effective.
Things are different today. Commercial SIEM solutions are much more affordable and often follow a pay-as-you-go model—or, better yet, a pay-as-you-grow model—with prices varying according to the amount of data they ingest or store. At the same time, there has been significant progress with open source tools for SIEM and security analysis, which can contribute greatly to your cost efficiency. Their maturity, together with a growing Open Source Social Network Intelligence (OSSINT) community and the frequent sharing of security information among organizations, makes using open-source tools a viable alternative.
A popular choice for organizations taking their first steps towards SIEM solutions is adopting the ELK stack (Elastic, Logstash and Kibana) as a baseline for building their own solutions. This is an interesting and valid approach, since the ELK stack includes the ability to ingest a large volume of event data and offers a great way to visualize and explore that data.
Unfortunately, however, operating your own ELK stack doesn’t provide you with much-needed security intelligence. Despite being an open source technology, this option also comes with a cost—the maintenance effort required to operate such a cluster. In fact, adopting any of the available open-source SIEM solutions comes with inherent operational costs, in both human and infrastructure resources.
Understanding SIEM Cost Management
It’s critical to understand the costs in adopting and operating a SIEM solution before making a decision about whether or not to implement one. The following two questions will help you assess your potential expenditures.
CAPEX or OPEX?
CAPEX, or capital expenditure, is an up-front investment made by an organization. This includes things like purchasing hardware servers to run a SIEM solution and paying for storage of the company data. This often large investment depreciates over time and needs to be taken into consideration when doing annual accounting.
In contrast, OPEX (operational expenditure) is an ongoing cost that a company incurs: personnel, software licenses, monthly cloud bills, etc. These don’t create the accounting complexity often associated with capital expenditures.
FOSS/DIY or Managed SIEM Solutions?
When weighing different commercial managed SIEM solutions against FOSS options, it is important to assess each option’s real costs.
If you go the do-it-yourself route, you need to take into account the time required to 1) install, 2) integrate, and 3) continuously operate the underlying infrastructure. If you do this in your own data center, you will also need to include the necessary hardware investment (i.e., the CAPEX). Purchasing an on-premises commercial product and running it in your data center will have the same up-front investment requirement. As a result, you’ll want to select a good SIEM solution that can work in the cloud and reap its benefits.
Managed Cloud SIEM?
Using a cloud provider for the infrastructure is a great way to keep your SIEM cost management and cost structure lean and to deploy a SIEM solution without making an infrastructure investment. You can treat this cost as a regular operational expenditure (OPEX).
Both scenarios require you to operate the infrastructure on a daily basis, which can become challenging as your data size grows and the amount of data you process increases. Fully managed SaaS solutions run infrastructure operations for you with flexible pay-as-you-go models. Their prices are often based on the amount of data they store or ingest and the number of connected devices. Where many systems feed the company’s SIEM and it processes a huge volume of data, removing infrastructure maintenance is both a relief for the team and a cost-saving measure.
Additionally, the personnel that use the SIEM solution, that monitor events, and that react to alerts create another expense you need to account for. Security teams often handle these processes in a security operations center (SOC). This is something that you may either establish yourself in your own organization or purchase as a service from some commercial SIEM solution provider.
There is no one-size-fits-all SIEM solution, making it vital to know the benefits and tradeoffs of the available options, then decide which is the right fit for your organization.
What Can You Expect from a Modern SIEM Solution?
While the costs of a SIEM solution and the nature of its operational model are key elements in your decision, the technical capabilities of the solution you choose are just as important. At a bare minimum, your modern SIEM solution should meet the security and compliance requirements your organization works with, and it should have the capacity to handle your potential data growth over time. A cloud-based solution is ideal because it is capable of offering the necessary elasticity and availability out of the box.
Having great security capabilities can really set a solution apart from the competition. The next generation of SIEM solutions will embrace concepts such as User and Entity Behaviour Analytics (UEBA) and integrate third-party cyber security event feeds. This combination can provide threat analysts and other security personnel with key advantages in both threat hunting and incident response by allowing them to correlate their organization’s data with real-world security intelligence.
With the number of systems and devices in an organization constantly increasing, an effective SIEM solution must offer good visibility into current operations and make recommendations that don’t get lost in false positive notifications. Similarly, the vast amount of data the SIEM collects makes it necessary to have good data exploration and analysis tooling.
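To make the capabilities discussed above concrete (cross-source correlation, a third-party threat feed, and a UEBA-style behavioural baseline), here is a small worked example in Python. It is an added illustration, not code from the original post or from any SIEM product: the firewall and authentication events, the threat feed, and the per-user baselines are all constructed, and the IP addresses come from the RFC 5737 documentation ranges so they never refer to a real host. The `correlate` function and its severity rules are hypothetical, chosen to show how joining several weak signals yields one prioritized alert rather than a flood of per-event notifications.

```python
from collections import Counter
from dataclasses import dataclass

# --- Constructed sample inputs (not real data). IPs are from RFC 5737
# documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24). ---
FIREWALL_EVENTS = [
    {"src_ip": "203.0.113.7",   "dst_port": 22,  "action": "allow"},
    {"src_ip": "198.51.100.23", "dst_port": 443, "action": "allow"},
    {"src_ip": "198.51.100.99", "dst_port": 443, "action": "allow"},
    {"src_ip": "192.0.2.10",    "dst_port": 22,  "action": "allow"},
]
AUTH_EVENTS = (
    [{"user": "alice", "src_ip": "203.0.113.7", "result": "fail"}] * 5
    + [
        {"user": "alice", "src_ip": "203.0.113.7",   "result": "success"},
        {"user": "bob",   "src_ip": "192.0.2.10",    "result": "success"},
        {"user": "carol", "src_ip": "198.51.100.23", "result": "fail"},
    ]
)
# Hypothetical third-party intelligence feed: indicator -> category.
THREAT_FEED = {
    "203.0.113.7": "scanner",
    "198.51.100.23": "c2",
    "198.51.100.99": "c2",
}
# UEBA-style baseline: typical failed logins per user in the window (constructed).
USER_BASELINE = {"alice": 1.0, "bob": 0.5, "carol": 1.0}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Alert:
    severity: str
    subject: str   # the user or IP the alert is about
    src_ip: str
    reason: str


def correlate(firewall, auth, feed, baseline, deviation=3.0):
    """Join auth events, firewall events and the intel feed into ranked alerts.

    Rules (hypothetical, for illustration):
    - UEBA: failed logins for a (user, ip) pair above `deviation` x the
      user's baseline count as anomalous.
    - anomalous AND source IP in feed AND a later success   -> high
    - anomalous alone                                       -> medium
    - feed hit with some auth activity but not anomalous    -> low
    - firewall 'allow' from a feed IP with no auth activity -> low
    """
    fails = Counter()
    successes = set()
    ips_with_auth = set()
    for e in auth:
        key = (e["user"], e["src_ip"])
        ips_with_auth.add(e["src_ip"])
        if e["result"] == "fail":
            fails[key] += 1
        else:
            successes.add(key)

    alerts = []
    for (user, ip), n in fails.items():
        anomalous = n > deviation * baseline.get(user, 0.0)
        in_feed = ip in feed
        if anomalous and in_feed and (user, ip) in successes:
            alerts.append(Alert("high", user, ip,
                                f"{n} failed logins then success from {feed[ip]} IP"))
        elif anomalous:
            alerts.append(Alert("medium", user, ip,
                                f"{n} failed logins exceeds baseline"))
        elif in_feed:
            alerts.append(Alert("low", user, ip,
                                f"auth activity from {feed[ip]} IP"))

    # Network-only signal: traffic admitted from a known-bad IP that never
    # reached the auth logs still deserves a (low) note for the analyst.
    for e in firewall:
        ip = e["src_ip"]
        if e["action"] == "allow" and ip in feed and ip not in ips_with_auth:
            alerts.append(Alert("low", ip, ip,
                                f"allowed traffic from {feed[ip]} IP on port {e['dst_port']}"))

    return sorted(alerts, key=lambda a: SEVERITY_RANK[a.severity])


if __name__ == "__main__":
    for a in correlate(FIREWALL_EVENTS, AUTH_EVENTS, THREAT_FEED, USER_BASELINE):
        print(f"[{a.severity.upper()}] {a.subject} ({a.src_ip}): {a.reason}")
```

Run on the constructed input, this yields one high-severity alert for alice (a burst of failures from a feed-listed IP followed by a success), and two low-severity notes for the other feed hits; bob's ordinary login from an unlisted address raises nothing. That is the behaviour the post asks of a modern SIEM: recommendations that surface the one event worth an analyst's time instead of burying it under per-event notifications.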
There are many factors that you should consider when deciding which SIEM solution your organization should adopt. While modern technical functionalities can typically be found in both commercial products and open-source projects, there are multiple costs—some of them hidden—in doing SIEM and security analytics on your own. Building your own solution often involves combining one or more open source projects and deploying an entirely separate infrastructure to support current and future growth. At the end of the day, you need to ask yourself if “free and open source” is really all that “free.” If not, a cloud-based SIEM solution can quickly add value and save you a lot of time.