
Why it’s time for a new approach to SIEM

Short answer – 10x Cost Reduction and more effective Detection and Response

Why do you need to rethink how you collect, store and analyze your log data? It’s not because SIEM has stopped being valuable, or in the case of compliance, necessary. It’s because most of the traditional approaches to platform-based SIEM deployments are still running on 20-year-old technology at their core. Even most cloud-based solutions are already limited by outdated and inefficient architectures. And this means you end up paying a ridiculous premium for backend storage and the related required infrastructure, which should cost a fraction of what a typical SIEM vendor charges.

The high cost of storage isn’t the only thing that drives SIEM overhead through the roof. While they may be a central and necessary tool for any security operations, SIEMs are notorious (like many other solutions) for generating massive volumes of false positives, leading to slow response times, missed threats, alert fatigue and analyst burnout.

Why we need a new SIEM architecture

While no two SIEMs are exactly the same, they do employ similar data architectures. The older, more common approach is to use a centralized data repository, while some of the newer solutions have adopted a federated approach that distributes data among multiple instances. Both methods have advantages but also have considerable disadvantages. The primary disadvantage of both is the false tradeoff between fast query performance and cost-effective data resiliency, as well as the fact that these approaches are still overly dependent on people performing the queries and analysis.

Centralized Data Repositories offer high performance search capabilities, delivering fast data queries, and are the primary approach used by legacy SIEMs. The query speed is optimal, but it comes at a high cost. Although the scalability limitations of the past may have largely disappeared, centralized data repositories are the most expensive way to store your SIEM data, particularly when you account for the need for high availability. As your storage requirements grow, your licensing and infrastructure costs become prohibitively expensive, despite the fact that the majority of your data will rarely need to be accessed beyond compliance reporting. This puts traditional SIEMs out of reach for a significant percentage of the market.

Federated Data Repositories attempt to lower the cost of secure, reliable long term storage by distributing the data across multiple servers/containers. But the more distributed instances that are required, the greater the likelihood that one poorly performing server will result in slow or incomplete query results. And this still doesn’t differentiate between the different access requirements for near term and long term data, so your costs grow at a fairly linear rate for storing data that you rarely need to access immediately.

Traditional and cloud-based SIEMs are overly expensive due to these inefficient architectures. At LogicHub, we believe that increasing your storage capacity shouldn’t increase your costs by 5X. The difference between growing your capacity from 30 days to 1 year should be at most a 20% increase in storage costs, but in order to do that, you need to have a storage layer that is both cheap and accessible for analytics. That’s best accomplished by building a data lake that has been optimized for machine-based analysis.

How LogicHub does it differently

Let’s start with the storage side of things. LogicHub is able to deliver lower cost SIEM without sacrificing analytics, compliance or detection capabilities by embracing newer technologies like Spark and S3. By optimizing the long term data stores in our SIEM for machine-based analysis, we significantly reduce your long term storage costs, but retain the ability to perform high-speed deep threat analytics. And you still have access to rapid search capabilities for more immediate data, as well as the ability to easily pull any historical data forward when you do need to search it.

We’ve built our managed SIEM on a two tiered architecture that gives our customers the rapid search capabilities for near term data, while also providing long term storage that is both significantly cheaper and performance optimized for use by our automation-driven MDR service. The use of Spark+S3 for the data lake tier gives us the flexibility of a deployment that is super optimized for detection and response at ⅕ the price of a legacy SIEM architecture.

The costs associated with our managed SIEM when compared with other similar solutions (as outlined below) are significantly less, even for search optimized storage.

But lowering your operating costs without sacrificing quality is the real goal. A subpar SIEM solution may check a compliance box, but won’t deliver the security outcomes that you need. We not only save our customers a significant amount of money, we do it while making SIEM capabilities accessible to security teams that lack the time or resources to do it on their own.

Detection quality still matters

Saving money is great, but checking the compliance-related log management box stopped being adequate years ago. You still need to be able to analyze your log data to find advanced threats quickly. But that’s the other high cost part of running on an older platform: tuning your SIEM so that your team is no longer buried in false positives, which result in slow detection and response times, or worse, missed threats altogether.

24×7 threat detection without the false positives
LogicHub’s SOC uses our SOAR+ platform to automatically triage SIEM alerts with >95% accuracy. That means our SOC analysts are spending their time investigating real threats quickly, forwarding only confirmed threat cases to our Managed SIEM customers. And that means no more time wasted investigating false positives or threats being missed due to alert overload.

Fast, accurate, automated threat hunting
We’ve optimized our long term storage for machine-based analysis. Rather than relying on human analysts to hunt through historical data, our SOC employs automated playbooks that can analyze your historical log data on a continuous basis, identifying and alerting on threats with a speed and accuracy that can’t be matched by manual processes or human-centric analysis.

High performance search on relevant data
We haven’t gotten rid of your ability to query data quickly and easily, we’ve simply stopped charging you a premium for the data you don’t need to regularly access. You have full control over how much data is retained in a search optimized data store, and can pull any historical data back into it with minimal effort. And that means that no matter what you want to search for, you can do it with the performance you’ve come to expect, without the massive licensing fees or operating overhead.
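To make the two-tier design described above concrete (a hot tier for recent data, a cheaper date-partitioned cold tier that is scanned in batch, and the ability to pull a historical range forward into the hot tier), here is an added illustration in Python. It is not LogicHub's code and does not use Spark or S3: a local directory with `dt=YYYY-MM-DD/` prefixes stands in for the S3 layout, gzip-compressed JSON lines stand in for the data lake files, and a sequential partition scan stands in for the Spark job. The sample events, the 30-day hot window, the `hunt_repeated_auth_failures` playbook and all class and function names are constructed for this example.

```python
# Added illustration (not LogicHub's code): a two-tier log store. Recent events
# live in a hot in-memory tier that is searched directly; older events are
# written to date-partitioned, gzip-compressed JSON-lines files under a local
# directory that stands in for an S3 prefix layout (dt=YYYY-MM-DD/...). A
# batch scan over the cold partitions plays the role the page assigns to Spark.
import gzip
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

HOT_RETENTION_DAYS = 30  # assumed hot-tier window; the page contrasts 30 days with 1 year


def _ts(event):
    return datetime.fromisoformat(event["ts"])


class TieredLogStore:
    def __init__(self, cold_root, now, hot_days=HOT_RETENTION_DAYS):
        self.cold_root = cold_root
        self.now = now
        self.hot_boundary = now - timedelta(days=hot_days)
        self.hot = []              # recent events, searched in memory
        self.rehydrated = set()    # cold partition dates already pulled into hot

    def ago(self, days):
        return self.now - timedelta(days=days)

    def _partition(self, day):
        return os.path.join(self.cold_root, f"dt={day.isoformat()}", "events.jsonl.gz")

    def ingest(self, event):
        ts = _ts(event)
        if ts >= self.hot_boundary:
            self.hot.append(event)
            return
        path = self._partition(ts.date())
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with gzip.open(path, "at") as f:   # appended gzip members read back as one stream
            f.write(json.dumps(event) + "\n")

    def scan_cold(self, start, end, pred):
        """Batch scan of the cold partitions for the days in [start, end]."""
        hits, day = [], start.date()
        while day <= end.date():
            path = self._partition(day)
            if day not in self.rehydrated and os.path.exists(path):
                with gzip.open(path, "rt") as f:
                    hits += [e for e in map(json.loads, f) if pred(e)]
            day += timedelta(days=1)
        return hits

    def query(self, start, end, pred):
        """Serve the recent part of the window from hot storage, the rest from cold."""
        hits = [e for e in self.hot if start <= _ts(e) <= end and pred(e)]
        if start < self.hot_boundary:
            hits += self.scan_cold(start, min(end, self.hot_boundary), pred)
        return hits

    def rehydrate(self, start, end):
        """Pull a historical date range forward into the hot tier; returns events moved."""
        pulled = self.scan_cold(start, end, lambda e: True)
        self.hot.extend(pulled)
        day = start.date()
        while day <= end.date():
            self.rehydrated.add(day)   # later queries serve these days from hot
            day += timedelta(days=1)
        return len(pulled)


def hunt_repeated_auth_failures(store, days_back, threshold):
    """Playbook-style hunt over the last days_back days: sources with at least
    threshold authentication failures, regardless of which tier holds the events."""
    counts = {}
    for ev in store.query(store.ago(days_back), store.now, lambda e: e["type"] == "auth_failure"):
        counts[ev["src_ip"]] = counts.get(ev["src_ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def build_demo_store():
    """Constructed sample data: one source failing every third day for 90 days,
    interleaved with benign successful logins from another address."""
    now = datetime(2024, 3, 31, tzinfo=timezone.utc)
    store = TieredLogStore(tempfile.mkdtemp(prefix="cold-tier-"), now)
    for days_ago in range(0, 90, 3):
        ts = store.ago(days_ago).isoformat()
        store.ingest({"ts": ts, "type": "auth_failure", "src_ip": "203.0.113.7", "user": "svc-backup"})
        store.ingest({"ts": ts, "type": "auth_success", "src_ip": "198.51.100.2", "user": "alice"})
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(len(s.hot), "hot events;", hunt_repeated_auth_failures(s, 90, threshold=20))
```

The point of the example is the query path: a 90-day hunt touches only the 30-day hot tier plus a sequential scan of the relevant cold partitions, so the slow-to-access data never has to be kept in the expensive search tier, and a range that an analyst does want to search interactively can be rehydrated without being double counted afterwards.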

Obviously there’s a lot more to SIEM, and security as a whole, than cost. But there’s a huge amount of value in finding a way to get what you need at a reasonable price, and whether it’s managed SIEM, MDR or SOAR, we’re committed to doing that for you. If you’d like to discuss how we can deliver the detection and response that you need while significantly lowering your costs, please let us know here.

*** This is a Security Bloggers Network syndicated blog from Blog | LogicHub® authored by Kevin Broughton. Read the original post at: https://www.logichub.com/blog/why-its-time-to-for-a-new-approach-to-siem