Are you in the market exploring options for security log monitoring and management? If so, I’m sure you are inundated with requests for a meeting from various SIEM (Security Information and Event Management) vendors.
Gartner has stated the importance of a SIEM deployment concisely: “The need for early targeted attack detection and response is driving the expansion of new and existing SIEM deployments. Advanced users seek SIEM with advanced profiling, analytics and response features.” However, whether you are considering a new SIEM deployment or renewing the contract on your existing one, it is worth exploring the total cost of ownership of the deployment and measuring whether you are getting your money’s worth.
In my 12+ years of working on SIEM implementations with customers in industries ranging from financial services and insurance to healthcare, retail and manufacturing, I’ve seen customers fail to pay enough attention to all the associated costs they need to factor into a purchasing decision.
So, what are these associated costs? At the highest level, they are:

| Category | What it covers |
|---|---|
| Hardware | SIEM appliance costs, or server costs for installing SIEM software |
| Software | Cost of SIEM software or agents for data collection |
| Support | Annual maintenance costs for software and appliances |
| Professional Services | Professional services for installation and ongoing tuning |
| Intelligence Feeds | Threat intelligence feeds that provide information on adversaries |
| Personnel | Cost of personnel to manage and monitor a SIEM implementation |
| Personnel Annual Training | Cost of annually training personnel on security certifications or other security-related courses |
The cost of each category will vary with the technology you choose. For example, if you purchase Splunk, you are likely to spend considerably more on the underlying software than if you purchase LogRhythm. A software solution such as Splunk will also require you to invest in servers, storage, switches and other associated data center costs. Conversely, if you invest in a hardware solution (for example, IBM QRadar or LogRhythm appliances), you will have to invest heavily in vendor-provided SIEM hardware.
There aren’t many independent sources that compile the cost of a SIEM solution. However, from my experience and from the generally available data a quick Google search turns up, I believe it is fair to categorize SIEM deployments as small, medium and large, for businesses ranging from SMB to mid-market and enterprise. The following sections estimate the cost of SIEM deployments of each size and the associated cost of operationalizing the solution.
Hardware/Software/Support
The table below outlines the estimated cost of hardware (for appliance solutions such as LogRhythm and IBM QRadar) and of software plus infrastructure (for technologies such as Splunk). Keep in mind that you need to include the approximate cost of servers, storage and switches when you consider a virtual or software solution. Annual support costs are typically 20% of your initial spend.

| Category | Item | Minimum Estimated Cost |
|---|---|---|
| Hardware | SIEM Hardware, Small | $25,000 |
| Hardware | SIEM Hardware, Medium | $60,000 |
| Hardware | SIEM Hardware, Large | $100,000 |
| Infrastructure | Servers | $8,000 |
| Infrastructure | Storage | $1,500 |
| Infrastructure | Switches | $3,000 |
| Software | Event volume 5G | $8,000 |
| Software | Event volume 20G | $24,000 |
| Software | Event volume 100G | $40,000 |
| Software | Event volume, other | $100,000 |
| Support | Annual Support | 20% of cost of software + hardware |
Professional Services
Your SIEM is only as good as its setup. To set up a SIEM correctly from scratch, you will likely engage professional services from the vendor, and these startup services can run into thousands of dollars. Factor in additional money for tuning the SIEM and setting up the rules and filters for detecting security events that are unique to your environment. Vendors typically sell startup services by the day; expect to spend north of $8,000 irrespective of the vendor you are considering, especially if you are a mid-market or enterprise company.
Threat Intelligence Feeds
The necessity of integrating threat intelligence feeds is well documented. If you are deploying a SIEM, add this context to your monitoring by bringing in threat intelligence feeds early in the deployment phase. There are many feeds to choose from, both open source and paid, and the quality of a feed is not directly related to its price. Vendors typically charge by number of users, and you are likely to spend approximately $2,000 per month for a small SIEM deployment. Expect to pay between $5,000 and $10,000 per month for a medium or large SIEM implementation.
Personnel
Having your own SOC is touted as the holy grail of security maturity by many IT security managers. Not only do I disagree with that claim, but what are you willing to spend to even try it? Let us run the numbers.
If you are considering a 24x7 SOC, expect to hire a minimum of 5 security analysts to cover 3 shifts of 8 hours each with 1 analyst per shift: three people cover the weekday shifts, and weekends, holidays and leave push the headcount to five. Even if you manage to staff your SOC with junior security analysts, be ready to budget a minimum of $500,000 in salary for analysts alone. I am not even venturing into the cost of finding the right individuals or the associated management expense.
You are unlikely to get the maximum value from your SIEM without a 24x7 SOC. However, some enterprises choose to do more with fewer people by hiring senior, experienced engineers and building automated alerting tooling. In that scenario, expect to spend around $150,000 per experienced security analyst.
Personnel Annual Training
Because cyber security is a fast-moving industry, you need to keep your analysts’ skills current with certifications such as GIAC Certified Intrusion Analyst (GCIA). These programs are not inexpensive; expect to spend north of $2,500 per employee per year.
As is evident from the analysis above, purchasing and managing your own SIEM solution is costly.
As an exercise, click this link to compare the total cost of ownership of Splunk vs. NetWorks Group. The comparison lets you estimate the cost savings when using NetWorks Group services.
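To make the arithmetic in the sections above concrete, here is a small total-cost-of-ownership model that I have added to this page; it is example code, not the article’s or NetWorks Group’s calculator. It combines the cost categories listed above over a multi-year horizon and also derives the 24x7 headcount from hours rather than asserting it. The dollar figures are the article’s minimum estimates for a medium, software-based deployment (the $100,000 salary is the article’s $500,000 spread over 5 analysts); the 1,880 productive hours per analyst, the three-year horizon and charging support from year one are my assumptions.

```python
"""Added example, not from the original article: a SIEM total-cost-of-ownership
model for the categories the article lists (hardware/infrastructure, software,
support, professional services, threat intelligence, personnel, training).

Sample figures are the article's minimum estimates for a medium, software-based
deployment. The 1,880 productive hours per analyst and the three-year horizon
are assumptions of this example, not the article's."""
from dataclasses import dataclass
import math

HOURS_PER_YEAR = 24 * 365  # one seat staffed around the clock: 8,760 hours


def soc_headcount(seats: int, hours_per_fte: float = 1880.0) -> int:
    """Analysts needed to keep `seats` chairs filled 24x7.

    Three 8-hour shifts cover one day with three people, but each analyst only
    delivers `hours_per_fte` hours a year once weekends, holidays, leave and
    training are removed (1,880 is an assumption: 2,080 minus roughly 200).
    Round up, because you cannot hire a fraction of a person; the article's
    minimum of five analysts for one seat falls out of this.
    """
    return math.ceil(seats * HOURS_PER_YEAR / hours_per_fte)


@dataclass(frozen=True)
class SiemCosts:
    hardware: float               # one-time: appliance, or servers + storage + switches
    software: float               # one-time license, priced by event volume
    professional_services: float  # one-time setup and initial tuning
    support_pct: int              # annual support as a % of hardware + software
    threat_intel_monthly: float   # threat intelligence subscription per month
    analysts: int
    analyst_salary: float         # annual, per analyst
    training_per_analyst: float   # annual, per analyst

    def one_time(self) -> float:
        return self.hardware + self.software + self.professional_services

    def annual(self) -> dict:
        """Recurring cost per year by category. Support is charged every year,
        including the first (an assumption; some vendors bundle year one)."""
        return {
            "support": (self.hardware + self.software) * self.support_pct / 100,
            "threat_intel": 12 * self.threat_intel_monthly,
            "personnel": self.analysts * self.analyst_salary,
            "training": self.analysts * self.training_per_analyst,
        }

    def tco(self, years: int) -> float:
        """One-time spend plus `years` of recurring spend."""
        return self.one_time() + years * sum(self.annual().values())

    def share(self, years: int) -> dict:
        """Each category's percentage of the multi-year TCO, rounded to 0.1%."""
        total = self.tco(years)
        spend = {"one_time": self.one_time()}
        spend.update({k: years * v for k, v in self.annual().items()})
        return {k: round(100 * v / total, 1) for k, v in spend.items()}


# Constructed sample: the article's medium estimates on the software path
# (Splunk-style, where you buy the servers, storage and switches yourself).
MEDIUM = SiemCosts(
    hardware=8_000 + 1_500 + 3_000,   # servers + storage + switches
    software=24_000,                  # 20G event-volume tier
    professional_services=8_000,      # "north of $8,000"
    support_pct=20,
    threat_intel_monthly=5_000,       # low end of the medium/large range
    analysts=soc_headcount(seats=1),  # one chair, 24x7
    analyst_salary=100_000,           # $500,000 / 5 junior analysts
    training_per_analyst=2_500,
)

if __name__ == "__main__":
    print(f"analysts for one 24x7 seat: {MEDIUM.analysts}")
    print(f"year-1 cost: ${MEDIUM.tco(1):,.0f}")
    print(f"3-year TCO:  ${MEDIUM.tco(3):,.0f}")
    for category, pct in MEDIUM.share(3).items():
        print(f"  {category:<13}{pct:>6.1f}%")
```

Run as a script, the model shows where the money actually goes: the hardware, software and setup that vendors compete on are a few percent of a three-year TCO, while personnel is well over three quarters of it. Changing `hours_per_fte` or the number of seats in `soc_headcount` is a quick way to sanity-check a staffing plan before the salary line is committed.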
Contact us today to learn more about our services and how we can help you.