Staff time, log processing, and legacy issues can turn free, open-source or low-cost SIEMs into one of your organisation’s most expensive investments.
You’re not alone if you’re baulking at the idea of paying upwards of tens of thousands of pounds for a new or renewed SIEM licence. Many security decision-makers feel the same way.
One survey showed that almost half (40%) of existing SIEM users feel like they are overpaying for their SIEM. The cost per seat for a paid or managed SIEM solution is significant, especially for security teams in smaller organisations or anyone in a sector like education, where security budgets tend to be smaller.
Yet even for less complex IT environments, having a centralised system for logging and producing event-driven alerts is essential for threat response. Depending on your industry, it can also be mandated for compliance.
Watch out, though. Any solution that positions itself as a free or low-cost method of achieving these goals is just changing where you feel the costs. Here’s why.
A SIEM’s licence might be free, but your time isn’t.
Any SIEM is only as good as the team operating it, and no SIEM will provide you with value simply because it’s “installed” in your environment.
If you use a SIEM solution to collect logs and send you alerts, you need a security analyst to monitor it and continually configure and maintain it.
Depending on the complexity of your environment, this task can easily be someone’s full-time job (you will need at least one FTE for a SIEM solution in a medium-sized company) if it’s not outsourced to a managed SOC service.
As Brad Freeman, SenseOn’s Director of Technology, covered in a previous blog about why he stopped using a SIEM, gaining actionable insight from the data collected by a SIEM can turn into a circular problem of tuning rules only to have to retune again when they break.
A poorly configured SIEM can send thousands of alerts daily for innocuous behaviour.
While this problem is shared among all SIEMs, it can be more pronounced with free or open-source SIEMs, which tend to be less user-friendly and ship with fewer out-of-the-box (OTB) configurations.
Free SIEM solutions will not come with use cases and detection rules matched to your environment, and they will not triage any of the alerts they generate either.
If you reduce your spending on licensing and management, you will likely need to allow for more extensive configuration and staff training to make it work in your environment. If you deploy a SIEM, you also need to have the capacity for incident response (IR), typically on a 24/7 basis.
SIEM augmentation tools like SOAR (security orchestration, automation and response) and UEBA (user and entity behaviour analytics) can reduce this workload, but they are unlikely to be integrated into a low-cost SIEM.
The financial cost of a SIEM is not limited to a licence but also the cost of storing and normalising logs into events.
Most of the low-cost and free SIEM solutions on the market are only low-cost or free up to a modest volume of data ingestion, if they are free at all. This can be fine for a limited, simple IT environment, but once you go above a few dozen users and endpoints, you will need to start paying for data processing.
Of course, this is the same with paid SIEMs, but depending on how they store logs, some free SIEMs can exacerbate this cost. For example, due to their software architecture, certain open-source SIEMs can require more storage space and compute for the same security logs than alternatives.
It’s critical to ask yourself what exactly you are looking to do with a SIEM.
Do you need to store event logs for compliance purposes for long periods? If so, it might be more cost-effective to use a solution like Azure Data Explorer (ADX) to store archive logs long-term.
If your goal is to alert on and investigate suspicious activity across your on-prem and cloud environments, you are likely better off using a comprehensive security platform like SenseOn.
SenseOn can be a great low-cost SIEM alternative for organisations that want to collect native endpoint and network telemetry from physical, virtual, and cloud-hosted assets while also automating alerting and event triage.
Unlike a SIEM solution, SenseOn can actually reduce your security workload while collecting extremely rich data on events within your environment.
Contact us to learn more.