ALCiT

Are you paying too much for your SIEM?

Written by Loïc Calvez | Jan 10, 2023 11:00:00 AM

A SIEM can make the difference between stopping an attacker while they are still getting started and stopping them only after they have set up their entire plan. But how much should it cost?


First, let's establish the full cost of ownership for SIEM (if you need a refresher on what SIEM is, look here).

  • Cost 1: The tool/product/service required to ingest and analyze ALL your security-related logs. If you are not ingesting all your logs because your current tool charges too much per EPS (events per second) or per GB ingested, skip straight to the conclusion: you are paying too much for not enough protection.
  • Cost 2: The effort to review ALL the alerts raised by the SIEM. If you are not reviewing all the alerts because there is too much noise with your current SIEM, skip straight to the conclusion: you are not getting the protection you should have.
  • Cost 3: The effort to take action on every alert that requires you to do something. This is not a direct cost of the SIEM, but what is the point of getting alerts if you ignore them?
  • Cost 4: The cost of at least one senior cybersecurity person to prioritize efforts and make decisions.
  • Cost 5: The effort of doing all of this 24/7. Criminals know you like your weekends, and we see spikes in attacks on Friday nights, especially before long weekends.

So, if you add the cost of all the above, you now have a picture of your Total Cost of Ownership (TCO) for SIEM. Other assumptions:

  • Your current SIEM tool includes all the features you need (if not, add the cost of the missing tools/features).
  • You have a proper Endpoint Detection and Response (EDR) tool that can perform containment actions to stop the spread if needed (if not, add the cost of that tool; we like SentinelOne, but there are other good ones out there).
  • You have a Remote Monitoring and Management (RMM) tool you can leverage to rapidly push configs/fixes/patches in response to a cybersecurity incident (highly recommended, since speed of response is a big factor).
  • You have properly configured firewalls that block known attack patterns via Intrusion Detection/Prevention (IDS/IPS), including for encrypted traffic (deep packet inspection of SSL/TLS), and that upload all their logs into the SIEM for correlation (if not, you are partially blind).

If you are doing all of the above and have all the tools suggested, you can now calculate your TCO! (If you are not doing all of that, is it because you don't think you need it, or because you think you can't afford it?)

For a smaller organization (10-50 people), we can usually do all of the above (including the cost of the tools) for less than the cost of one senior cybersecurity person. For a medium-sized organization (50-300 people), usually for less than the cost of two senior IT resources.


Interested in learning how we can save you money while increasing your overall protection? Book a free 30-minute consultation with one of our cybersecurity experts.