Editor’s Note: The article below is an excerpt from Choosing the Right SIEM for Managed Detection & Response Service – a White Paper recently released by information security experts at Deepwatch and Splunk. Click here to learn more and download the full white paper.
A security program in 2021 comes with a set of table stake technologies that are foundational to the functionality of the program. Investing in those security technologies comes with some due diligence and research to ensure you are selecting the right technology for your unique security needs and that compliance and technical requirements are met prior to making a decision.
The most critical cornerstone to a successful security program is the Security Information and Event Management system – also known as the SIEM. The SIEM often acts as a focal point for many security analysts and, when tuned correctly, can even act as the brain of the security operations program. But the SIEM doesn’t run itself. And while most know this, the day-to-day rigor of managing a SIEM is challenging for an emerging security program for any number of reasons.
What Is the Total Cost of Ownership of a SIEM
Ultimately, many “less expensive” SIEM implementations end up costing businesses more in the long term, because initial costs do not reflect the addition of critical features and do not account for updates, management, and maintenance.
When comparing SIEM solutions and reviewing the total cost of ownership (TCO), consider these six attributes to evaluate:
- Existing Products and Platforms
- SIEM Solution/Provider Skill sets and Experience
- Data Insight
- SIEM Staffing & Training Costs
- SIEM Fine Tuning
An initial lower price can make some SIEM solutions more attractive to businesses. However, there are critical differences between initial acquisition costs and the total cost of ownership. Often SIEM deployment costs seem low because they only reflect the actual initial implementation. Unfortunately, once deployment is complete, the SIEM may only offer the most basic features and will not include critical components, like DevOps support. SIEM solutions also require ongoing maintenance and updates, which increase the TCO.
The following questions should be asked while evaluating your existing or future Managed Security Services Providers and SIEM solutions.
1. Does the SIEM solution support the products and platforms you already have in place?
If not, you may find yourself paying more for customization, as well as covering high software development costs for custom technology integrations.
2. Can the SIEM scale as your organization—and your data—grows?
Very few organizations anticipate zero or negative growth in the future. More employees, devices, and customers, new software or infrastructure, and changing risk models can all impact your SIEM solution and its ability to integrate and analyze data. Therefore, it is critical that a SIEM solution be scalable. A company that opts for a basic SIEM in year one often finds itself spending significant amounts of money to upgrade or customize the solution just a few years later to support growth.
3. Does the MSSP or MDR service provider require your security team to involve themselves with the minutiae of maintaining a complex SIEM platform? Or, do they have deep SIEM expertise?
If you’re working with a managed security service provider (MSSP) to outsource SIEM management and monitoring, make sure you understand roles, expectations, and the value you are getting from your investment. Ideally, you will have a strong partner that will let your in-house security team focus on their job.
4. Do you know how to prioritize the data sources to integrate into the SIEM?
Not all data is equal and if you don’t prioritize which data sources should get ingested, you’ll waste time and money using your SIEM to evaluate and analyze data that isn’t telling you the right story. A good example of data prioritization is logs. Many companies do not need to bring in Dynamic Host Configuration Protocol (DHCP) logs on day one. Instead, the focus should be on authentication logs, domain name system (DNS) logs, and firewall logs. Logs that are “chattier” or more complex can be stored in the syslog server for later forensics and analysis. An analytics-driven, managed SIEM solution/provider will have best practices and proven methodologies to help you prioritize data sources so you can get the most value out of your SIEM.
5. Do you have staff who can manage the SIEM? And have you factored in the cost to manage it?
While many open-source SIEM solutions are considerably less expensive, you’re still going to pay for the DIY costs associated with adding the needed capabilities—and herein lies the rub. The cybersecurity skills gap is very real and presents a tremendous challenge to many organizations trying to hire talented professionals with the necessary skills and experience. Often, when companies do find the right person, salary and training costs may be considerable. And, unfortunately, even then there are still going to be costs associated with training on processes, networks, operations, and risks. Partnering with an MSSP or MDR provider can help with this problem and provide dedicated resources to extend a security team at a fraction of the cost of hiring additional in-house staff.
6. Do you have in-house security analysts who can tune and maintain the SIEM?
Another component of SIEM costs that are often overlooked are the costs associated with ongoing management and maintenance. Excessive and inappropriate data sources can lead to alert overload and alert fatigue. But it takes time and staff power to constantly monitor SIEM inputs and evaluate and fine-tune alerts to the point that your SOC is getting what it needs to ensure the right level of protection and security.
A SIEM is a critical component that can elevate visibility for a security leader immediately. As a leader in the Managed Security Services space with dedicated expertise and integrated technology, Deepwatch empowers your in-house security team to oversee and respond to threats without having to constantly manage and monitor the SIEM. This allows more time for your staff to concentrate on other facets of the organization’s security and risk program. Contact Deepwatch today to learn how you can mature your security operations and realize a more efficient and effective level of security.