Choosing a SIEM model for your Organization (SIEMs-as-a-Service or Self-Managed SIEMs)

Modern SIEMs
Oct 26, 2020

Collecting data from logs and using this data to analyze events and incidents within an IT environment has been common since the 1980s. However, the term Security Information and Event Management (SIEM) was coined only about 15 years ago by two Gartner experts.

SIEM structures come in three distinct models, each offering its own advantages depending on the operational capabilities and requirements of your organization. The first model is an on-premise SIEM: self-hosted and self-managed. The second is SIEM-as-a-service (SaaS), or outsourced SIEM (both hosting and management). The third is some variation between the two, known as the hybrid model.

On-premise SIEMs have evolved continually in order to better protect an organization's systems. They have transformed from collectors of logs and data into complex threat-detection services. Just as many companies take advantage of cloud platforms to expand, SIEMs also use the cloud to collect cloud-based data and make better decisions about the alerts raised across different IT environments. However, an organization's choice between an on-premise SIEM and SIEM-as-a-service often comes down to the type of information it handles, because of regulatory and compliance requirements, and to the budget available to accommodate the service.

Before going into the cost of SIEMs, there are a few questions to consider about what your solution would need to do. First, an organization needs to determine how much security data it collects regularly and how long that data must be retained. Next, consider the complexity of the organization's environment, which can range from data centers that are completely on-premise to operations hosted by a cloud provider such as AWS or GCP. Lastly, consider the size of the organization and whether any employees would need to use the SIEM platform directly, which determines what extra features are needed from a SIEM provider.

With the rapid move of servers and data centers to the cloud, SIEM solutions that started on-premise have added SIEM-as-a-service and hybrid models, and new startups sell their product strictly as SIEM-as-a-Service. Asking why a company needs a SIEM at all can also help determine which model it needs. If the organization constantly communicates outside its own environments, the amount of information gathered can be overwhelming; a SIEM strategy provides better visibility into what is happening in the IT environment and lets the organization react quickly and efficiently to cyber security attacks as they appear. Many organizations also need better security expertise to separate false positives from true positives. On-premise SIEMs and SIEMs-as-a-Service both provide these services, but with some key differences.

Key Differences and Similarities

With on-premise SIEMs, organizations need to develop a plan to obtain, configure, and maintain the hardware and servers. In addition to the hardware costs, if the organization doesn't already have an IT security team in place, it would need to contract highly skilled individuals to analyze the aggregated data that the SIEM produces in-house.

Estimates of the log volumes companies of different sizes can produce (EPS = events per second):

  • small company, ~500 employees: ~500–1.5k EPS
  • medium company, ~5,000 employees: 5k–10k EPS
  • large company, ~30,000 employees: 35k–100k EPS

Parsing all this data requires a high skill set to determine which threats are actually actionable and which are plainly noise. The salaries of these individuals can be costly. However, organizations can also adopt a SIEM model in which the SIEM platform jointly reviews alerts and sends reports to in-house security analysts, who can then mitigate or remediate any potential risk quickly.

With SIEMs-as-a-Service, organizations can contract SIEM platforms to completely monitor, detect, investigate and respond to cyber attacks. Vendors that offer SaaS host the SIEM in the cloud, eliminating the need for expensive hardware and resulting in much shorter implementation times.

With the SIEM in the cloud, organizations can choose to keep an in-house team to identify, investigate, and respond to cyber attacks, and deploying the SIEM is much quicker than it would be with hardware. Otherwise, a company may choose to completely outsource SIEM operations, where the vendor uses its own security team to provide insight into potential threats, instead of the customer spending time maintaining hardware. This lets the customer organization focus on its business, and as the company grows, scaling the cloud SIEM's features is not an issue.

A change common to both on-premise SIEMs and SIEMs-as-a-Service is the shift in pricing model, from charging the customer per byte of data toward machine learning powered by user and entity behavior analytics (UEBA). This provides the SIEMs with valuable insights to better spot anomalies and convey actionable results to a security team, said Darien Kindlund, VP of technology at Insight Engines. It assists traditional cybersecurity analysts by dramatically decreasing the amount of data they need to sift through.

Some ballpark ranges for the cost of SIEM solutions:

  • ~100k for small companies (~100–250 employees)
  • 250k–500k, which is the average for ~5,000-employee companies
  • 1–10 million for Fortune 500 companies

Moreover, no matter which SIEM solution an organization chooses, every SIEM adoption should take into account the organization's particular business context.

Type of SIEM Model for organizations

Comparing their Pros and Cons

Advantages of On-premise

  • Organizations keep sensitive data on-site, which suits regulatory requirements and avoids transferring sensitive data to a cloud-based SIEM. Complete control over the SIEM platform.
  • Customize platform rules for the specific context of business operations.
  • Control of overall training for the specific needs of the organization. Have custom deliverables and easily adopt the policies the organization adheres to.

Disadvantages of On-premise

  • Costly: on top of purchasing the SIEM, there are costs to collect, maintain, and analyze data.
  • Hiring and training cyber-security specialists in-house is expensive.
  • These teams need to fully understand the organization's business model and context to produce actionable results. This could take a year or more depending on the size of the organization.
  • Integrating a SIEM system within a complex business ecosystem is time consuming. Complex business IT infrastructure = dozens of business applications.

Advantages of Cloud-based SIEM (aka: a managed SIEM, SIEM-as-a-Service)

  • Your organization immediately has access to experts that know the ins and outs of managing the platform.
  • No need to train employees: SIEM as a service (cloud) doesn't require you to have your own expertise.
  • Cost savings: in a SIEM-as-a-service scenario there's no need to purchase expensive hardware to run the SIEM platform.
  • A managed service provider can take care of software maintenance, support, and updates, which eliminates costs associated with having an internal IT support team.
  • Faster deployment, and if changes are needed, quick custom implementations from a team of experts.

Disadvantages of Cloud-based SIEM (aka: a managed SIEM, SIEM-as-a-Service)

  • Moving sensitive data off-site to the cloud. Data in transit always carries greater risk than data at rest.
  • Some SIEM vendors focus on the monitoring and reporting features of their system, which leaves threat response lacking.
  • When selecting a cloud-based SIEM, one issue encountered is that the vendor could limit access to raw log data.
  • Need to properly vet the SIEM provider. Make sure they are as dedicated to mitigating and remediating threats as you are.
  • If a SIEM-as-a-Service thinks the ‘M’ stands for “Monitoring” and not “Management” this is an issue.

SIEM Architecture

To better understand the SIEM workflow, the figure shows the start of data collection from many log data sources and how users would use that data to take action.

All applications, endpoints, network and security devices within the network collect data and store it to be analyzed. Organizations may need retention policies in place for certain regulatory requirements, so they need to be aware of which requirements apply to them under regulations and compliance rules.

After this data management layer, the data and logs are aggregated from all the different devices, and using a SIEM platform, organizations can apply any prebuilt threat intelligence tools or rules to dictate which logs deserve more attention.

Once the data has been run through the threat intelligence analytics, much of the noise in the logs is narrowed down to potential or actual cyber threats. In the workflow/automation layer, cyber security analysts analyze these threats and determine whether they are actionable.

Lastly, depending on your SIEM strategy, cyber security analysts can view real-time dashboards, charts, and reports to better protect the organization's information and IT environment.

Considerations for choosing a SIEM (cloud or on-premise)

SIEMs For On-premise environments

  • Operational Requirements: how the SIEM platform would fit within the management process, and ease of implementation. Prioritize and evaluate security policies and compliance regulations.
  • Technical Requirements: document the technical infrastructure with enough depth for the SIEM vendor to understand the environment. This can range from security controls in the network topology to all the physical servers and the data sources that produce logs.
  • Business Requirements: a physical server from a vendor can cost anywhere between 25k and 100k, possibly more for high-powered machines. A local SIEM requires upfront investment for licenses and for training specialists, plus a high price tag for qualified people.
  • Hardware cost: a local SIEM requires upfront investment, training specialists, and a high price tag for qualified people.

Hardware

  • SIEM hardware, small: $25,000
  • SIEM hardware, medium: $60,000
  • SIEM hardware, large: $100,000

Infrastructure

  • Servers: $8,000
  • Storage: $1,500
  • Switches: $3,000

Software

  • Event volume, 5G: $8,000
  • Event volume, 20G: $24,000
  • Event volume, 100G: $40,000
  • Event volume, other: $100,000

Support

  • Annual support: 20% of the cost of software + hardware
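As an added example (not from the article), the following Python script turns the EPS estimates and the on-premise price list above into a sizing and multi-year cost estimate. The EPS bands, prices and 20% support rate are the article's figures; the 300-byte average event size, the 90-day retention default and reading the 5G/20G/100G software tiers as GB of ingest per day are assumptions.

```python
"""SIEM sizing and on-premise cost estimate (added example, not the article's code).
Article figures: EPS bands, hardware/infrastructure/software prices, 20% support.
Assumptions: software tiers (5G/20G/100G) are GB of ingest per day, an average
raw event is 300 bytes, and retention defaults to 90 days.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
BYTES_PER_EVENT = 300                   # assumption: average raw event size
SUPPORT_RATE = 0.20                     # annual support as a share of software + hardware
INFRASTRUCTURE = 8_000 + 1_500 + 3_000  # servers + storage + switches

# (headcount ceiling, (low EPS, high EPS), hardware tier price) from the article
SIZE_BANDS = [(500, (500, 1_500), 25_000),
              (5_000, (5_000, 10_000), 60_000),
              (30_000, (35_000, 100_000), 100_000)]
# (GB/day ceiling, software licence); the article's "Other" tier is open-ended
SOFTWARE_TIERS = [(5, 8_000), (20, 24_000), (100, 40_000), (float("inf"), 100_000)]

@dataclass
class Estimate:
    eps: int
    gb_per_day: float
    retention_gb: float
    capex: int            # hardware + infrastructure + software licence
    annual_support: int

def size_band(employees: int):
    """Article band for this headcount; anything above 30k falls in the large band."""
    return next((rng, hw) for cap, rng, hw in SIZE_BANDS
                if employees <= cap or cap == SIZE_BANDS[-1][0])

def software_price(gb_per_day: float) -> int:
    return next(price for cap, price in SOFTWARE_TIERS if gb_per_day <= cap)

def estimate(employees: int, retention_days: int = 90, worst_case: bool = True) -> Estimate:
    """Derive daily ingest and retained storage from EPS, then price the stack."""
    (low, high), hardware = size_band(employees)
    eps = high if worst_case else low
    gb_per_day = eps * SECONDS_PER_DAY * BYTES_PER_EVENT / 1e9
    software = software_price(gb_per_day)
    support = round(SUPPORT_RATE * (hardware + software))
    return Estimate(eps, gb_per_day, gb_per_day * retention_days,
                    hardware + INFRASTRUCTURE + software, support)

def total_cost(employees: int, years: int = 3, **kw) -> int:
    """Multi-year on-premise cost: one-off capex plus annual support every year."""
    e = estimate(employees, **kw)
    return e.capex + e.annual_support * years
```

Even the small-company band spans two licence tiers (about 13 GB/day at 500 EPS versus 39 GB/day at 1.5k EPS under the assumed event size), so measure your real EPS and event size before budgeting rather than taking the band midpoint.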

SIEMs For Cloud/Hybrid Environments

  • Operational Requirements: determine how workflows would change with a SIEM platform involved. Prioritize and evaluate security policies and compliance regulations.
  • Technical Requirements: take into consideration which parts of the environment are in the cloud and which are on-premise. Is there any automated cloud monitoring to consolidate into a SIEM platform?
  • Business Requirements: the cost of training and hiring employees if choosing to have an in-house team, jointly monitoring the SIEM platform, or completely outsourcing security management.

Overview of a SIEM Platform Architecture in the Cloud/self-managed (Securonix Example)

To summarize

There are several SIEM model strategies to weigh when choosing a SIEM vendor, and knowing your organization's limits will help in choosing which SIEM model works best. Currently, the trend in the IT community is to stop dealing with physical servers and adopt new cloud strategies. This leads to more companies spending additional money to have vendors host the solution rather than hiring an army of IT professionals to manage it. However, moving servers into the cloud can give users pause, especially if companies deal with regulations and compliance laws that require data to stay on premise. The pricing model is also changing from usage per byte to UEBA (user / entity behavior analytics), which tracks what is normal for users, puts that activity on a timeline, and flags anomalies (you've never touched this PC before, you've never VPN'd in from this IP address). This allows collecting as much data as possible, making it easier to correlate what is going on in an environment, without charging per byte. Considering some of these suggestions will hopefully help in deciding which SIEM model strategy to approach, making it cost efficient while also keeping the organization secure from potential cyber attacks.
