What Goes Into the Cost of a SIEM?

As we’ve covered before, SIEMs are an expensive tool. The average enterprise-level SIEM deployment costs over £15 million a year, and operating a small, 100 to 1000-seat SIEM will still run up bills of over £10k monthly. 

SIEMs create spiralling costs that eat security budgets. Without a skilled team operating them, they can also make organisations less secure despite receiving more information about their digital estates. 

But where do these SIEM costs come from? 

In summary, the cost of SIEM deployment and operation is a mixture of data processing and storage, licensing, hardware, and management. 

→ SIEM cost = Data + licensing + hardware + management.

In this blog, we break down these costs, explain what makes them higher than they should be and explore what you can do to bring your SIEM costs down.

The 4 (Core) SIEM Cost Centres

Depending on whether you are a 50-person law firm or a 10,000-employee global enterprise, your inputs into any of the costs below will be hugely different. Whoever you are, though, you will still have some variation of these four SIEM costs.

1. Data

We cannot say this enough – security has a data problem. As networks become more complex, more data must be stored, normalised and analysed. Not all of the data created within your estate will make you any safer, but when you run a SIEM, more of it than you think will end up being collected.

A 1000-person company might ingest around 155 GB/day into their SIEM, and as they turn this raw log data into event data, the volume of data will expand further. A company of this size might expect to spend around £10k/month processing this data through a cloud service like Azure. 

To reduce data costs, you need to manage log volume. 

The most manually intensive way to do this is to remove any unnecessary or duplicate log collections, i.e., only logging what you need for compliance. The danger here is logging too little and missing important information. 

You could also split your logging processes using a log management server for lower-value events like operation logs and only send audit logs to your SIEM. 

Alternatively, you could use a solution like SenseOn to reduce your intake of volumetric logs by 61% without compromising security. Read this blog to find out how

2. Licensing

SIEM solutions come with licensing plans that range from free to (much) more than £100k/year. Depending on the vendor and tier offered, this pricing may or may not include logging costs.

You can find SIEMs without a licensing fee. Typically, however, the less a licence costs, the more likely you are to incur more charges on the backend due to reduced usability and support. 

Read more about why low-cost SIEMs can end up being costly investments here.

A typical SIEM software-only package from a vendor like IBM or Microsoft might cost in the region of £1500/month for a 1000-user environment with pricing based on events per second. A SIEM also needs a threat intelligence feed, which can cost upwards of £10k per year if it is not included in the SIEM cost.

It’s not easy to bring these costs down unless you are in a position to negotiate with the vendor.

3. Hardware

SIEMs need computational resources for logging and data analysis, whether on-prem or in the cloud. 

Ideally, a SIEM should only consume 1% to 5% of the compute capacity on any device, but poorly configured SIEMs will consume more resources. 

Any SIEM application will be performance-heavy due to the real-time insertion rates and simultaneous analysis and retrieval of data that SIEMs do. The more users your SIEM serves, the more hardware you need. 

However, another factor influencing your SIEM’s hardware costs is how many features it uses.

To reduce your SIEM hardware costs, ensure your SIEM is not running non-essential features for your security use case. 

Again, this comes down to knowing what purpose a SIEM serves in your environment. For example, if compliance is your number one concern, you might not need advanced threat hunting features that take up compute. 

4. Management and configuration

A SIEM is not a set-and-forget solution. Even deploying a SIEM might require you to bring in external consultants.

To deliver value, you need someone to manage, configure and respond to the alerts a SIEM generates. 

It’s good practice to plan on hiring at least one full-time cybersecurity analyst to manage an in-house SIEM solution. The alternative is to use a managed SOC service that includes SIEM management. 

To bring down SIEM operational and deployment costs, you can use AI solutions like SenseOn that can automate threat investigation and response and be deployed a lot faster than a SIEM.

What’s a SIEM Worth?

A traditional SIEM may not be the best solution for threat detection and response within your organisation.

SenseOn is a powerful SIEM alternative for organisations that want a more focused solution for threat detection and response while they use their SIEM for logging purposes only.

Unlike a traditional SIEM, SenseOn natively links users, processes, and network activity at source through a software agent called a “Universal Sensor.” This means that SenseOn is able to unify network telemetry with endpoint data natively for faster and more accurate detection and response.

With endpoint and network data collected from a single software agent, alert information can be presented to analysts in context. Instead of having to piece together SIEM data with NDR or EDR information, the humans tasked with investigating threat alerts can see the complete attack chain for any event in context. 

Combined with UEBA-powered automation that filters our false positive alerts, the result is a mean time to response (MTTR) that can be as much as 10 times faster than a SIEM.

You can use SenseOn either as a standalone threat detection and response solution or to augment your existing SIEM solution with advanced UEBA and NDR capabilities. 

Try a demo to see how you can get a more cost-effective SIEM in your environment.