Log information and alert information management is a central part of any corporate cybersecurity program. Organizations rely on analyzing event data from various devices, applications, users, services, and security tools to identify anomalies and potential security threats.
Security information and event management (SIEM) solutions enable companies to centrally store, analyze, and query security data from across their digital infrastructures. SIEMs provide the context that enables organizations to identify threats that might otherwise be missed; threats that could lead to data breaches or ransomware incidents.
However, operating a SIEM in-house is challenging for many organizations, plus it can be equally challenging to build a compelling case for outsourcing SIEM. Today we present a detailed approach for building a cost/benefit analysis for SIEM – a set of seven key issues to consider when deciding whether to work with a partner, or attempt to implement a DIY SIEM.
1. Hard Dollar Costs
The most straightforward criterion to consider is the raw cost of deploying a SIEM solution. Implementing your own SIEM in-house will involve costs for hardware and associated infrastructure, software licenses and maintenance programs, and staffing (including training, administration, and 24/7 monitoring). For an outsourced solution, the model is different. Instead of a capital expenditure, your costs are operating expenses. This will cover initial set-up and integration costs, along with recurring monthly service charges, data transfer and storage fees, and (in some cases) additional charges for reporting.
To construct a simple head-to-head cost breakdown, estimate your in-house costs, then contrast them with quotes from managed security service providers (MSSPs). But remember that there are other less tangible comparisons to be made as well…
2. Deployment and Integration
A SIEM solution is only as good as the data that it has access to, and providing access to that data can be difficult and time-consuming. In some cases, an organization may be able to take advantage of functionalities like SYSLOG or REST APIs to enable data collection. In others, they may need to build their own collection software to accomplish data retrieval for the SIEM platform. Consider the number and complexity of systems and services that you will need to monitor when estimating your costs.
Managed SIEM providers have extensive experience in deploying their solutions and have processes and solutions in place to connect to any useful source of security data. Often, these processes will be automated, thereby offering a faster and more cost-effective path to a full SIEM-as-a-service solution – and a better ROI for the business. For smaller organizations, this may be less of a cost factor; for larger enterprises, the onboarding process will be much more complex, time-consuming, and costly without expert assistance.
3. Operational Efficiency
Deploying and configuring a SIEM solution is just the beginning. To get the most out of a SIEM, the alerts must be fine-tuned to reduce false positives, filter out “informational” alerts, and focus analyst attention on alerts that require response and remediation. It’s an essential, ongoing process that will consume a significant amount of time for any team. Without optimizing system alerts, your analysts will either burn out from an overwhelming number of tickets, or miss actionable alarms amidst a sea of noise. Or worse yet: both.
Outsourcing SIEM to a managed service provider gets you access to their extensive experience sorting through security alerts and separating true threats from false alarms. They also have access to more specialized tools and efficient processes for doing so. As a result, it is often more cost-effective to get the assistance of an expert to reduce “grey noise” than to do so in-house. Compare the costs of using internal resources vs. getting external assistance or input.
In particular, consider your reporting and storage needs. It is important to understand how long you need to retain your data for audit and reporting purposes, as outsourcing costs will increase if you need long-term storage or frequent or ad hoc database enquiries. Some outsourced services will may limitations on data access, whereas an in-house solution allows you to access your data however and whenever you please. The frequency and complexity of your operational requirements will dictate whether in-house or outsourced makes the most financial sense: price it out.
4. Improved Focus
Alert triage and management are essential tasks for threat detection. However, they are also very time-consuming and one duty among many for a security analyst.
Outsourcing alert management to a managed SIEM provider enables in-house security analysts to focus only on true threats and free up time to address their other responsibilities. This can provide significant benefits for the organization, especially if additional time spent on vulnerability management or improving defenses prevents future security incidents. Consider the balance between opportunity cost of using internal staff to handle tickets vs. having a partner handle “level one” tickets, only engaging your team in the event of an incident that requires escalation.
Outsourced SIEM management also allows the security team to reduce its headcount. Eliminating a time-consuming duty such as alert management removes the need to allocate headcount to that task. This is especially useful when organizations commonly struggle to find, afford, and retain the security expertise that they need. Reducing the headcount on the security team might simply mean reallocating personnel internally and decreasing the number of open positions that the company needs to fill. When comparing costs, consider staffing requirements for monitoring and responding to tickets 24×7.
5. Reduced Security Incidents
Ideally, an organization will be able to investigate and address every security alert that it receives. However, the reality is that most corporate SOCs simply do not have the capacity to look into every alarm.
The ignored alerts may contain information critical to identifying and addressing an emerging security incident. Delayed detection and response can increase the likelihood and impact of a security incident. For example, a data breach identified within 200 days costs $1 million less on average than one that took longer than 200 days to identify ($3.93M vs. $4.95M USD), according to a recent report.
With a managed SIEM service, an organization can ensure that all security alerts are inspected for signs of a potential incident. This not only reduces the risk of an overlooked incident but can also speed up remediation and reduce the overall costs and impact to the business in the event of an actual security breach.
6. Improved Security Analytics
Like any security tool, an out-of-the-box SIEM is a “one-size-fits-all” solution. Organizations that have the skills and resources to tune configuration settings and create their own custom analytics can better tailor the SIEM to their environment and threat profile. However, this requires time and deep security expertise.
Managed SIEM providers already have libraries of custom analytics, AI/ML solutions, and other tools to improve their threat detection capabilities. Additionally, they have access to a greater volume of threat intelligence than the average business, enabling them to identify potential threats more accurately. This combination means that they can often do a better job of detecting threats without the complexity of building custom analytics and processes for a particular customer. In comparing costs, consider whether you have the in-house expertise, the investment required to build and maintain that knowledge, vs. the costs of getting external expertise.
7. Compliance
Compliance requirements can be a forgotten aspect of choosing between an in-house vs. a managed SIEM solution. Building out a SIEM infrastructure internally may require network configuration changes to safeguard and isolate data and systems. Outsourcing the service will help contain these costs and complexity. However, if your compliance requirements insist on local data sovereignty, the picture may change. Explore whether additional outsourcing costs will apply for local data storage (if local facilities are available from your service provider at all), as this could be a significant factor in your cost structure – and decision-making process.
We Can Help You do the Math
A SIEM is a crucial component of an organization’s security architecture. It is essential to understand both the hard and soft costs involved in operating the technology in your environment. This thoughtful cost/benefit analysis will help you determine the lowest total cost of ownership (TCO) for your organization – whether you choose to build your own system or seek the experience of a trusted security partner. The security experts at ISA Cybersecurity can help you work through this analysis. Professional and vendor-agnostic, we can help you find the right solution to address your security needs. To learn more about in-house, hosted, and managed SIEM solutions, contact us today.