Short answer - 10x Cost Reduction and more effective Detection and Response

Why do you need to rethink how you collect, store and analyze your log data? It’s not because SIEM has stopped being valuable, or in the case of compliance, necessary. It’s because most of the traditional approaches to platform-based SIEM deployments are still running on 20-year-old technology at their core. Even most cloud-based solutions are already limited by outdated and inefficient architectures. And this means you end up paying a ridiculous premium for backend storage and the related required infrastructure that should cost a fraction of what a typical SIEM vendor charges.

The high cost of storage isn’t the only thing that drives SIEM overhead through the roof. While they may be a central and necessary tool for any security operations, SIEMs are notorious (like many other solutions) for generating massive volumes of false positives, leading to slow response times, missed threats, alert fatigue and analyst burnout.

Why we need a new SIEM architecture

While no two SIEMs are exactly the same, they do employ similar data architectures. The older, more common approach is to use a centralized data repository, while some of the newer solutions have adopted a federated approach that distributes data among multiple instances. Both methods have advantages but also have considerable disadvantages. The primary disadvantage to both is the false tradeoff between fast query performance, and cost effective data resiliency, as well as the fact that these approaches are still overly dependent on people performing the queries and analysis.

Centralized Data Repositories offer high-performance search capabilities, delivering fast data queries, and are the primary approach used by legacy SIEMs. The query speed is optimal, but it comes at a high cost. Although the scalability limitations of the past may have largely disappeared, centralized data repositories are the most expensive way to store your SIEM data, particularly when you account for the need for high availability. As your storage requirements grow, your licensing and infrastructure costs become prohibitively expensive, despite the fact that the majority of your data will rarely need to be accessed beyond compliance reporting. This puts traditional SIEMs out of reach for a significant percentage of the market.

Federated Data Repositories attempt to lower the cost of secure, reliable long term storage by distributing the data across multiple servers/containers. But the more distributed instances that are required, the greater the likelihood that one poorly performing server will result in slow or incomplete query results. And this still doesn’t differentiate between the different access requirements for near term and long term data, so your costs grow at a fairly linear rate for storing data that you rarely need to access immediately.

Traditional and cloud-based SIEMs are overly expensive due to these inefficient architectures. At LogicHub, we believe that increasing your storage capacity shouldn’t increase your costs by 5X. The difference between growing your capacity from 30 days to 1 year should be at most a 20% increase in storage costs, but in order to do that, you need to have a storage layer that is both cheap and accessible for analytics. That’s best accomplished by building a data lake that has been optimized for machine-based analysis.

How LogicHub does it differently

Let’s start with the storage side of things. LogicHub is able to deliver lower cost SIEM without sacrificing analytics, compliance or detection capabilities by embracing newer technologies like Spark and S3. By optimizing the long term data stores in our SIEM for machine-based analysis, we significantly reduce your long term storage costs, but retain the ability to perform high-speed deep threat analytics. And you still have access to rapid search capabilities for more immediate data, as well as the ability to easily pull any historical data forward when you do need to search it.

We’ve built our managed SIEM on a two tiered architecture that gives our customers the rapid search capabilities for near term data, while also providing long term storage that is both significantly cheaper and performance optimized for use by our automation-driven MDR service. The use of Spark+S3 for the data lake tier gives us the flexibility of a deployment that is super optimized for detection and response at ⅕ the price of a legacy SIEM architecture.

The costs associated with our managed SIEM, when compared with other similar solutions (as outlined below), are significantly lower, even for search-optimized storage.

[Chart: siem-pricing]

But lowering your operating costs without sacrificing quality is the real goal. A subpar SIEM solution may check a compliance box, but won’t deliver the security outcomes that you need. We not only save our customers a significant amount of money, we do it while making SIEM capabilities accessible to security teams that lack the time or resources to do it on their own.

Detection quality still matters

Saving money is great, but checking the compliance-related log management box stopped being adequate years ago. You still need to be able to analyze your log data to find advanced threats quickly. But that’s the other high-cost part of running on an older platform: tuning your SIEM so that your team is no longer buried in false positives, which result in slow detection and response times, or worse, threats missed altogether.

24x7 threat detection without the false positives
LogicHub’s SOC uses our SOAR+ platform to automatically triage SIEM alerts with >95% accuracy. That means our SOC analysts spend their time investigating real threats quickly, forwarding only confirmed threat cases to our Managed SIEM customers. And that means no more time wasted investigating false positives or threats being missed due to alert overload.

Fast, accurate, automated threat hunting
We’ve optimized our long-term storage for machine-based analysis. Rather than relying on human analysts to hunt through historical data, our SOC employs automated playbooks that analyze your historical log data on a continuous basis, identifying and alerting on threats with a speed and accuracy that can’t be matched by manual processes or human-centric analysis.

High performance search on relevant data
We haven’t gotten rid of your ability to query data quickly and easily, we’ve simply stopped charging you a premium for the data you don’t need to regularly access. You have full control over how much data is retained in a search optimized data store, and can pull any historical data back into it with minimal effort. And that means that no matter what you want to search for, you can do it with the performance you’ve come to expect, without the massive licensing fees or operating overhead.
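The two-tier design described in the sections above (a search-optimized hot tier for recent events, a cheap day-partitioned cold tier that is scanned by automated playbooks, and the ability to pull historical partitions back into the hot tier) can be illustrated with a small simulation. The following is an added example and is not LogicHub's code: the class and function names, the 30-day hot window, the pinning of rehydrated partitions so they survive the next age-out, the "failed logins from many distinct source IPs" hunt, and the sample events are all constructed assumptions. A real deployment would back the cold tier with object storage and a query engine such as Spark; here both tiers are in-memory Python structures so the routing logic is visible.

```python
"""Toy two-tier log store: hot tier (indexed, fast search) plus cold tier
(day partitions scanned sequentially), with age-out, rehydration and an
automated hunt over the cold tier. Constructed example, not vendor code."""
from collections import defaultdict
from datetime import date, datetime, timedelta

HOT_RETENTION_DAYS = 30  # assumed default; the post says this is customer-controlled


class TieredLogStore:
    def __init__(self, now: datetime, hot_days: int = HOT_RETENTION_DAYS):
        self.now = now
        self.hot_days = hot_days
        self.hot = []                   # full events kept for interactive search
        self.index = defaultdict(set)   # (field, value) -> positions in self.hot
        self.cold = defaultdict(list)   # day -> events, one partition per day
        self.pinned = set()             # days rehydrated into hot; age_out keeps them

    def _index(self, pos, event):
        for field in ("user", "src_ip"):
            self.index[(field, event[field])].add(pos)

    def ingest(self, event):
        """Route by age: recent events go hot, backfilled old events go straight to cold."""
        if self.now - event["ts"] < timedelta(days=self.hot_days):
            self.hot.append(event)
            self._index(len(self.hot) - 1, event)
        else:
            self.cold[event["ts"].date()].append(event)

    def age_out(self):
        """Move events older than the hot window into their day partition."""
        cutoff = self.now - timedelta(days=self.hot_days)
        keep = []
        for ev in self.hot:
            day = ev["ts"].date()
            if ev["ts"] >= cutoff or day in self.pinned:
                keep.append(ev)
            else:
                self.cold[day].append(ev)
        self.hot = keep
        self.index = defaultdict(set)   # rebuild the index over what remains hot
        for pos, ev in enumerate(self.hot):
            self._index(pos, ev)
        return len(self.hot)

    def search_hot(self, field, value):
        """Index lookup over the hot tier only: the fast, interactive query path."""
        return [self.hot[p] for p in sorted(self.index[(field, value)])]

    def rehydrate(self, start: date, end: date):
        """Pull cold partitions for the inclusive day range back into the hot tier."""
        pulled, day = 0, start
        while day <= end:
            for ev in self.cold.pop(day, []):
                self.hot.append(ev)
                self._index(len(self.hot) - 1, ev)
                pulled += 1
            self.pinned.add(day)
            day += timedelta(days=1)
        return pulled

    def hunt_cold(self, min_distinct_ips):
        """Automated playbook over the whole cold tier: users whose failed logins
        came from at least min_distinct_ips distinct source IPs. Sequential scan,
        no index needed, which is what makes the cold tier cheap."""
        seen = defaultdict(set)
        for day in sorted(self.cold):
            for ev in self.cold[day]:
                if ev["outcome"] == "fail":
                    seen[ev["user"]].add(ev["src_ip"])
        return {u: sorted(ips) for u, ips in seen.items() if len(ips) >= min_distinct_ips}


def build_demo():
    """Constructed sample data: (days_ago, user, src_ip, outcome)."""
    now = datetime(2022, 6, 1, 12, 0)
    store = TieredLogStore(now)
    for days_ago, user, ip, outcome in [
        (1, "alice", "10.0.0.5", "ok"),
        (2, "bob", "10.0.0.7", "fail"),
        (40, "bob", "198.51.100.9", "fail"),
        (75, "bob", "203.0.113.4", "fail"),
        (90, "carol", "10.0.0.8", "ok"),
    ]:
        store.ingest({"ts": now - timedelta(days=days_ago), "user": user,
                      "src_ip": ip, "outcome": outcome})
    store.age_out()
    return store


def run_demo():
    """Exercise search, hunt, rehydration and a second age-out; returns the observations."""
    store = build_demo()
    out = {"hot_before": len(store.hot),
           "bob_before": len(store.search_hot("user", "bob")),
           "hunt": store.hunt_cold(2)}
    out["pulled"] = store.rehydrate((store.now - timedelta(days=75)).date(),
                                    (store.now - timedelta(days=40)).date())
    out["bob_after"] = len(store.search_hot("user", "bob"))
    store.age_out()                       # pinned partitions must stay hot
    out["bob_after_age_out"] = len(store.search_hot("user", "bob"))
    out["cold_days"] = len(store.cold)
    return out


if __name__ == "__main__":
    print(run_demo())
```

Run it directly to see the routing: the two recent events land in the hot tier, the three older ones go straight to cold partitions, the cold-tier hunt flags `bob` from history alone, and after rehydrating the 75-to-40-day window all three of bob's events answer an indexed hot search even after the next age-out.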

Obviously there’s a lot more to SIEM, and security as a whole, than cost. But there’s a huge amount of value in finding a way to get what you need at a reasonable price, and whether it’s managed SIEM, MDR or SOAR, we’re committed to doing that for you. If you'd like to discuss how we can deliver the detection and response that you need while significantly lowering your costs, please let us know here.
