You’ve taken the steps to invest in a SIEM — now it’s time to make sure you’re reaping the rewards.
Many SIEMs are notoriously difficult to properly deploy and tune, requiring months of fine-tuning before the platform can generate alerts that are relevant and actionable. Vendors that charge based on log ingestion and tack on extra fees exacerbate the issue, making it difficult to discern the true ROI of your SIEM.
Even worse is a SIEM that sits in your environment collecting proverbial dust — that won’t generate the value that you need. Not only is it an annoyance to security and IT teams, but it’s a waste of valuable budget and resources for the organization.
With the average cost of a data breach reaching $4.24 million in 2021 (IBM), it’s clear that SIEMs can be an extremely worthwhile investment. Here are some best practices for getting the most out of your SIEM investment.
Why Your SIEM Isn’t Generating ROI
Getting the most ROI from your SIEM means taking a look at some potential roadblocks.
Your SIEM needs a team of experts to run it.
Depending on the size of the organization, a traditional SIEM can require anywhere from four to eight full-time security analysts to deploy and run it, according to RedLegg. These security analysts must be highly skilled in a variety of areas, including query languages, parsing and threat hunting.
Expect to pay at least $150,000 annually per experienced security analyst — and consider that the cybersecurity job market is competitive with high turnover rates. When a new security analyst takes over a SIEM project, it can take months for them to get back up to where your previous analyst left off — during which, your ROI takes a nosedive as the SIEM is underutilized and under optimized.
Deployment can take months or even years.
The average SIEM deployment time is 6 months, with 18% of deployments stretching over a year, according to a Panther report. Oftentimes organizations will need consultants to help set up and deploy hardware, normalize and parse logs, customize dashboards, and more. For many vendors, these consultants come at an additional cost.
Initial setup is just half the battle; configuration and fine-tuning is a long, tedious process. The same goes for triaging alerts, investigating alerts, creating workflows…the list goes on and on. Deploying and maintaining a SIEM can be a herculean task — especially for smaller teams — that won’t yield a high ROI simply because of the time required to get value from it.
Alert fatigue adds up.
Security teams receive an average of 174,000 alerts per week — a number that is rising year over year, according to a Demisto study. Triaging and investigating hundreds of alerts takes valuable resources away from high-value tasks. On average, analysts spend 24-30 minutes investigating each incident that comes through, according to an Enterprise Management Associates (EMA) study. Considering that the average salary of a SOC analyst is $109,156 per year (that’s roughly $1 per minute, and $30 per incident investigation), false positives and alert fatigue can result in a major cost to business.
Maximizing ROI From Your SIEM
Whether you purchased a SIEM to meet compliance requirements, detect ransomware, secure coverage for cyber insurance, or achieve another security goal, it’s important that you get the best bang for your buck. (Hint: You bought a SIEM for one of those reasons, but you should be using it for all of them.)
Here are some best practices to prevent common obstacles associated with a SIEM deployment and ensure your SIEM investment goes far.
Perform An Inventory
It’s difficult to get started with a SIEM when you don’t have a full understanding of your existing security posture. Taking stock of your current infrastructure before you purchase a SIEM will help align key stakeholders across the organization about the goals of a project, which will streamline and cut down on deployment time.
An asset inventory will help you identify any gaps in security that need to be addressed so you can determine the most important use cases of a SIEM. During the process, you may even identify underutilized software and hardware that you no longer need — saving you money even before you deploy your SIEM.
If you don’t know how to get started with an asset inventory, public cloud services offer a good starting point. Public cloud services are often higher risk, because you can’t just unplug them like a server. Gather every service that users need to log into, such as Windows accounts, Microsoft 365, Paypal, etc. Recording that information can be as simple as an Excel spreadsheet, but paid asset management platforms offer more robust features.
Tune For Usefulness, Not Noise
Fine-tuning and configuring rules on a SIEM is often one of the most time-consuming tasks involved in a SIEM deployment that can quickly drain internal resources and reduce ROI. A common mistake that IT teams make is to configure alerts for too many events — for example, port scanning. While the intention may be to cast a wide net so that threats don’t get through, this approach creates the opposite effect, instead resulting in noisy detections that inundate IT teams with alert fatigue. Ask yourself: “Which behaviors are noisy and not actionable?” Instead, focus on tuning for usefulness — alerts that you can take action on immediately, rather than noise.
To do this, you can look for easy security wins. Many popular attacks are fairly easy to catch; think about some of the most common security events that occur on high-value targets, such as password spraying, new account creation, and brute force attacks. High-value targets to prioritize as you tune your SIEM include DMZ, domain controllers and Sysmon.
Automate Whenever Possible
Most SIEM deployments involve a lot of repeatable tasks, such as ranking and responding to alerts and weeding out false positives. Automation can help reduce time spent on these tasks, giving time back to your IT team to focus on more high-value priorities.
One way to do this is through the use of dynamic blocklists, which automates threat response by blocking malicious source IPs and domains through a next-generation firewall. This reduces time spent on responding to threats, improving ROI for your SIEM.
Prioritize Fast Deployment, Ease of Use
A seemingly never-ending SIEM deployment can drain internal resources and expose your organization to security threats in the meantime. Even when you’ve finished setting up your SIEM, ongoing maintenance often continues to drain resources.
To maximize ROI, evaluate vendors based on their setup time and ease of use. G2, for example, publishes an Implementation Index each quarter that ranks SIEM vendors based on the time it took customers to deploy it.
Ease of use is equally important; more complex SIEM platforms require steep learning curves even with experienced analysts. A SIEM that’s easy to use is more likely to be embraced by your IT and security teams, which will maximize its overall value.
Good support is another crucial factor, especially for smaller teams. A responsive and helpful customer support team can help ease and shorten deployment and maintenance, as well as encourage internal teams to use the SIEM to its fullest.
How Blumira Maximizes ROI
On average, Blumira has a 25-40% lower cost of ownership than other SIEM providers, making it easy to justify budget and ROI (return on investment) to your executive board.
Blumira was also awarded G2’s Best Estimated ROI for the mid-market SIEM category, which ranks products based on factors such as customer satisfaction, likelihood to recommend, and reported ease of doing business. Out of 12 vendors in the category, Blumira received the highest estimated return on investment (ROI) score. Blumira was also ranked #1 for price in the SIEM category
- Deploy fast. Blumira’s deployment time is over 5x faster than the average SIEM provider — that’s the fastest in the industry. Customers can set up integrations with cloud services in minutes using Cloud Connectors, which ingests log data directly from third-party APIs.
- Offload security tasks. Blumira’s security team does the heavy lifting for you, saving you time on SIEM maintenance tasks such as parsing, configuration, rule creation and rule deployment.
- Prevent alert fatigue. Blumira’s findings are categorized by priority, enabling IT teams to know how and when to respond to alerts. Every finding is meaningful and high-value, since Blumira comes pre-tuned to reduce false positives.
Register for our on-demand webinar, “How To Maximize Your SIEM Investment” to learn more from our security experts, such as:
- Actually achieving the SIEM deployment dream — one that’s fast and easy
- Tuning your detections to be useful, not noisy
- Getting valuable data from your SIEM
Sign Up For Your Free Account Today
To see the value for yourself, sign up for a free account where you’ll quickly realize the security value of Blumira. No need for a credit card or a sales conversation — simply connect to your Microsoft 365 account and get security insights in minutes.