Estimating Total Cost of Ownership of Your SIEM
Gartner has stated the importance of a SIEM deployment concisely: “The need for early targeted attack detection and response is driving the expansion of new and existing SIEM deployments. Advanced users seek SIEM with advanced profiling, analytics and response features.” However, as you consider implementing a new SIEM solution or renewing the contract for your existing one, it’s worth exploring the total cost of ownership of a SIEM deployment and measuring whether you are getting your money’s worth.
ASSOCIATED COSTS CAN ADD UP
SIEMs are deployed across various industries: financial, insurance, healthcare, retail and manufacturing. Across all these industries, customers simply do not pay enough attention to all the associated costs that factor into SIEM pricing.
So, what are these associated costs? At the highest level, they are:

| Cost category | Description |
|---|---|
| Hardware | SIEM appliance costs or server costs for installation of SIEM software |
| Software | Costs of SIEM software or agents for data collection |
| Support | Annual costs of maintenance of software and appliance |
| Professional Services | Professional services for installation and ongoing tuning |
| Intelligence Feeds | Threat intelligence feeds that provide information on adversaries |
| Personnel | Cost of personnel to manage and monitor a SIEM implementation |
| Personnel Annual Training | Cost of training the personnel annually on security certifications or other security-related training courses |
The costs in each of the above categories will vary depending upon the technology you choose. For example, if you decide to purchase Splunk, you are likely to spend a lot more on the underlying software than if you decide to purchase LogRhythm. The purchase of a software solution such as Splunk will require you to invest in additional servers, storage, switches and other associated data center costs. Similarly, if you are investing in a hardware solution (for example, from IBM QRadar or from LogRhythm), you will have to invest heavily in vendor-provided SIEM hardware.
SIEM COST BREAKDOWN
While there aren’t many independent sources that compile the cost of a SIEM solution, years of industry experience (and data available via a quick Google search) lead us to believe that it’s fair to categorize SIEM deployments into small, medium, and large for businesses ranging from SMB to mid-market/enterprise. The following section estimates the cost of SIEM deployments of different sizes and the associated costs to operationalize the solution.
The table below outlines the estimated cost of Hardware (e.g. for solutions such as LogRhythm, IBM) and Software/Infrastructure (for technologies such as Splunk) solutions. Keep in mind that you need to include the approximate cost of servers, storage and switches when you consider a virtual or a software solution. Annual support costs are typically 20% of your initial spend.

| Item | Minimum Estimated Costs |
|---|---|
| SIEM Hardware Small | $25,000 |
| SIEM Hardware Medium | $60,000 |
| SIEM Hardware Large | $100,000 |
| Event volume – 5G | $8,000 |
| Event volume – 20G | $24,000 |
| Event Volume – 100G | $40,000 |
| Event Volume – Other | $100,000 |
| Annual Support | 20% of cost of software + hardware |
Your SIEM is only as good as its setup. To set up a SIEM correctly you are likely to require professional services from the vendor, and these startup services can run upwards of thousands of dollars. You’ll want to factor in additional budget for tuning the SIEM and setting up rules/filters for detecting the security events that may be unique to your environment. Because SIEMs take days if not weeks to deploy correctly, vendors will typically sell you days’ worth of startup services that average upwards of $8,000, especially if you’re a mid-market/enterprise company.
Threat Intelligence Feeds
The necessity of integrating threat intelligence feeds is well documented. If you are deploying a SIEM, make sure you are adding additional context for monitoring by using threat intelligence feeds early in your deployment phase. There are many intelligence feeds you can find (both open source and paid), and the quality of the feeds isn’t directly related to the price you pay! Vendors typically charge per number of users and you are likely to spend approximately $2,000 per month for a small SIEM deployment. Expect to pay between $5,000 – $10,000 per month if you are considering a medium or large scale SIEM implementation.
Having your own SOC is touted as the holy grail of security maturity by many IT security managers. Not only is this claim inaccurate, but what are you willing to spend to even try that? Let’s look at the numbers.
- 24×7 SOC
If you are considering implementing a 24×7 SOC, expect to hire a minimum of 5 security analysts to cover 3 shifts of 8 hours, each with 1 staff per shift. Even if you can manage to hire junior security analysts to monitor your SOC, be prepared to budget a minimum of $500,000 in salary for security analysts alone. This estimate excludes the additional costs associated with finding the right individuals and overall management expenses.
- 1 Senior FTE SOC
It’s unlikely you are going to get the maximum value from your SIEM solution if you don’t have a 24×7 SOC. However, some enterprises choose to do more with less personnel by hiring senior experienced engineers and building automated alerting tools. In that scenario, you are likely to spend around $150,000 per experienced security analyst.
Personnel Annual Training
Because the cybersecurity industry is constantly changing as new technology is developed, you need to make sure your security analysts’ skill sets are continuously updated with certifications such as GIAC Certified Intrusion Analyst (GCIA). These programs can be costly, so be prepared to spend upwards of $2,500 per employee per year to keep their skills current.
As is evident from the analysis above, purchasing and managing your own SIEM solution can be an expensive endeavor. Blumira was developed as an alternative to costly SIEM deployments and doesn’t require a SOC and all its associated costs to deliver high-quality threat detection and response. Blumira is backed by decades of expertise working with a variety of customers on SIEM implementations, and goes above and beyond SIEM capabilities while lowering the total cost of ownership and operation by up to 80%.
With Blumira you don’t need to sacrifice high-quality threat detection and disruption for affordability. Contact us today to learn more about our services and how we can help you.