As the saying goes, "there is no such thing as a free lunch." In life, including the technology sector, many things are more expensive than they appear. A free game app encourages in-app purchases to enhance the playing experience, while a new phone requires a monthly plan for data, calling, and texting. In the security industry, one technology that stands out for its hidden costs is the Security Information and Event Management (SIEM) tool. During initial deployment, use, and maintenance, SIEMs typically carry three costs that will surprise your organization's security team: growing hardware costs, unpredictable data costs, and data management expenses.
Nearly all SIEM deployments start with the purchase of hardware. It seems like a one-time purchase, but unfortunately it doesn't stop there. Your log data expands as new employees are hired and more systems are brought online, and so does the storage needed for those logs. While more users increase the need for hardware, additional SIEM features also significantly increase the hardware load, resulting in surprise cost increases. A "keeping the lights on" cost comes into play, as more budget is required to manage the growing hardware deployment. Ideally your company is growing and expanding, but with that growth comes an ever-increasing need for more hardware to hold your mountains of security data.
The second hidden cost is the expense of processing and indexing your data. As your machine data grows exponentially, so will your vendor bill. Most SIEM vendors charge by data volume (measured as events per second, data indexed, or average data volume processed), which Gartner estimates is doubling annually, resulting in expanding license costs. As mentioned previously, the goal of most organizations is growth and development; that expansion means more data, and more data means data costs that can become difficult to afford.
Finally, the most challenging cost comes when looking for the expertise required to get the most out of your SIEM deployment. SIEM products are difficult. Writing and tuning detection rules, performing incident investigations, and understanding proprietary search languages mean that operators need both security knowledge and specialized SIEM tool expertise. Simply adding "manage SIEM" to an existing employee's workload isn't a feasible option for a successful deployment. A survey from EiQ Networks reports that 52% of respondents require two or more full-time employees to manage their current SIEM deployment. This means that deploying a SIEM requires not just one person, but a dedicated team of people to set up and maintain it. Adding those team members can end up costing a company much more than it initially intended. Dr. Anton Chuvakin, Research Vice President at Gartner, mentions in his blog that this cost, along with other unexpected "hard" and "soft" costs, can make the total hidden costs of a SIEM project range anywhere from 10% of the SIEM license cost to as much as twenty times the license cost.
Knowing that SIEMs can come with a much larger price tag than they initially appear to might cause someone to ask if there are any alternatives - ones that won't break the bank. At Rapid7, we understand that security teams are strained, security data management is a pain, and you're already facing a mountain of stale, prioritized alerts. From working hand-in-hand with security teams and incident responders, we've built the SIEM you've always wanted - InsightIDR. It's your fully integrated detection and investigation solution that also tackles these hidden costs head-on. For the challenge of ever-expanding hardware, InsightIDR has been designed to run on our cloud-based Insight platform. You don't have to worry about growing and watering a hardware farm to make your logs fully searchable and safe from modification by attackers. In order to eliminate surprise data costs, our pricing is based on monitored assets, not data volume processed. Finally, to help solve the challenges of needing a wide range of talent for a successful deployment, InsightIDR comes with prebuilt detections from our penetration testing team, Rapid7 research, and customer collaborations. You can finally get visibility and detection throughout your organization without it becoming a second full-time job.
For more information about InsightIDR watch our 20-minute demo here.