SIEMingly ineffective?
As a follow-up to our eBook, ‘The Future of SIEMs: do they have one?’, in this blog we expand on some work that Senseon has been doing with customers around optimising their existing SIEM deployment.
In our recent eBook, we explored some of the core concepts around Security Information Event Management (SIEM) systems, specifically around the development and evolution of these technologies since the very conception of the term in 2005, the limitations of this approach to security event management and the place they will have in the SOCs of the future, if at all. SIEMs have been a core component of enterprise security stacks pretty much since their inception, but there appears to be considerable debate within the wider community as to exactly what the future could look like for SIEM tools.
One of the biggest resistors to change in this space will be the organisations themselves. For the vast majority of organisations who have already implemented a SIEM and/or SOAR capabilities, the idea of a complete rip and replace simply is not an option, irrespective of any concerns about the operational efficiency or cost-effectiveness of their chosen (and implemented) solution. Any technology that is as deeply embedded in an organisation as a SIEM will be hard to replace owing to the sheer number of systems it touches and the potential for major disruption.
Within this blog, I wanted to expand on some work we have done with organisations who have already implemented a SIEM solution and who found themselves exploring SOAR capabilities as the next layer to their information security strategy as a result of both the resource intensive nature of SIEM products and how difficult it becomes to connect the dots, both of which we explored in more detail in our eBook.
Traditional SIEM costs
As you might imagine, this analysis begins by exploring the costs associated with a traditional SIEM and SOAR implementation. In this example, the data provided is for a tech-heavy 500-person organisation, with on-premise security tooling.
Analysis of this organisation’s total events per second and total GB per day by log type provides us with the following:
Total events per second per day: 3081
(Peak) total GB/day: 117
Pricing modelled on a peak ingestion of 117GB per day for the organisation in question puts the annual cost of their SIEM platform at £70,332.
Over a three-year contract this amounts to £210,996.
Associated SOAR costs
Events per day | Annual $ | Annual £ | TCV over 3 years |
---|---|---|---|
25 events per day | 69,521 | 55,617 | £166,851 |
150 events per day | 139,043 | 111,234 | £333,703 |
1500 events per day | 556,171 | 444,937 | £1,334,811 |
Of course, you also need staff to run your Security Operations Centre, monitor logs, conduct regular reviews and pull out relevant reports. The average salary of a Security Engineer in the UK is £68,000. Allowing for additional overheads, it’s a realistic assumption that the annual fully loaded cost to the business of employing the three security engineers required to operate the tooling in this worked example will be £225,000. The cost to the business over three years (a fairly standard software contract length), therefore, is £675,000.
I’ve summarised the total costs of this ‘traditional’ operating model in the table below:
SIEM costs | £210,996 |
SOAR costs (150 events per day tier) | £333,703 |
Staffing costs | £675,000 |
Grand total | £1,219,699 |
An alternative approach?
It is almost a cliché to repeatedly press the point that a SIEM is only as good as the data you plug into it, but it remains entirely true. Whilst I said at the outset that the idea of a complete rip and replace is, for some, simply not viable, that doesn’t mean that the role and significance of SIEMs at the heart of traditional security architectures and as a single authoritative source of information is not being significantly re-evaluated.
A common interim and quickly implemented step that the industry is witnessing is the positioning of Senseon before the SIEM, driving an immediate increase in detection effectiveness and reducing the time to value of implementing a traditional security architecture from the expected 28-36 months to just the two weeks it takes our UEBA models to baseline.
This also presents significant opportunities for rationalisation of the data you process, and with it cost reduction, as Senseon is not priced on Events Per Second. As we did above, I have broken down the associated costs of deploying Senseon alongside your SIEM and in place of SOAR capabilities.
The nature of a Senseon deployment provides significant opportunities for rationalisation of the data you feed into your SIEM to avoid duplication.
In this instance, the security team were able to reduce the total events per second per day from 3081 to 1911, and peak ingestion from 117GB per day to 57GB per day.
This enabled them to reduce the annual cost of their SIEM from over £70,000 to £34,197, or £102,582 over three years.
A workload reduction of up to 99.4%
By fixing some of the most fundamental flaws in the design and implementation of traditional security architectures, Senseon’s customers can benefit from a workload reduction of up to 99.4%, thanks to our automated investigation engine, which we call AI Triangulation. Designed to emulate the way a human analyst thinks and acts, Senseon is able to conduct the same kind of thorough and nuanced analysis as a team of human analysts.
This provides significant cost saving opportunities: requiring only one Security Engineer instead of three, the fully loaded cost to the business over three years is reduced by nearly half a million pounds, to £225,000.
I’ve summarised the total costs of this alternative approach in the final table below:
SIEM costs | £102,582 |
Senseon platform | £150,000 |
Staffing costs | £225,000 |
Grand total | £477,582 |
The bottom line
As businesses and organisations continue to adapt to the ‘new-normal’ world, the way of working it brings with it and the challenges associated with it, one thing is becoming increasingly apparent: whilst cyber security budgets will likely remain resilient, consolidation and rationalisation of security stacks will be a core component of security strategies in 2021.
In this worked example, we were able to demonstrate that deploying Senseon alongside an existing SIEM capability can provide a cost saving of 61%, or nearly three-quarters of a million pounds.
If you would like to talk through your own use cases and strategy for 2021, and discuss how Senseon can help you to achieve these, you can book one of our free, no obligation Use Case Workshops.
The Future of SIEMs
Do they have one?
This must-have guide provides IT and security leaders with:
Insight into the history, evolution and shortcomings of SIEM tools.
A proposal for an alternative future that fixes fundamental problems of the past.
Practical considerations to bear in mind when considering your next SIEM project.
About the author
David Atkinson, Founder and CEO, Senseon
Before moving into the cyber security industry, David spent over 15 years working within the UK’s specialist military units, where he was the first cyber operative. The combined experience and technical abilities gained from his background in the military, government and the private sector have led him to challenge current approaches to cyber security and to create Senseon.