SIEM Cost Breakdown and Tips


A Security Information and Event Management (SIEM) solution typically represents a significant investment, even for a large enterprise. With an average price of $50,000 and a range from a minimum of $20,000 to upwards of $1M, SIEM solutions carry a hefty price tag. The value of the top SIEM tools for general security health and compliance probably makes the technology worth the cost, but it’s a big check to write.

The benefits of SIEM are obvious, and it is a crucial part of a security strategy, helping SOCs organize and respond to security threats. Mitigating threats, staying in line with compliance and audit standards, and avoiding costly data loss and business delays can easily outweigh SIEM total cost of ownership (TCO).

Additionally, you could add a Security Orchestration, Automation, and Response (SOAR) tool to accompany your SIEM solution, an additional cost that enables you to handle security issues more efficiently. Although the two are commonly confused, there are differences between SOAR and SIEM.

SIEM cost summary

| Item | Cost Range | Explanation |
|---|---|---|
| SIEM software cost | $20,000 - $1M | Average cost is $50,000 |
| Deployment consulting support | $50,000 | One-time fee. Varies based on complexity of implementation, but can easily reach six figures for large enterprises or highly integrated, customized solutions. |
| Training | $0 - $10,000 | Some training can be included with the product. Cost of additional training not included varies by requirements and number of people to be trained. |
| Database administrator (DBA) | $74,000 | DBA average US salary |
| Admin personnel | $74,000 to $500,000 | Varies by staffing needs. Three admins can cover a full 24-hour shift. Includes additional product tuning that will be necessary. |
| Hardware | $25,000 - $75,000 | Varies by size of configuration, but will generally cost more than plain off-the-shelf hardware due to performance requirements. |
| Intelligence Feeds | $1,500 to $10,000 | Some feeds are free, but others need to be purchased and vary by quantity and level of feeds. |
| Infrastructure | $10,000 | Includes servers, storage, and switches. |



SIEM Cost Breakdown

One helpful way to think about SIEM costs is to take a basic enterprise technology project and add on a couple of extras. In particular:

  • Consulting support for the deployment process. SIEM implementation has traditionally not been as simple as standing up a typical enterprise solution. It has to connect with a wide variety of other systems and must be configured to handle a high volume of data. This tends to mean hiring external consultants, because not all departments have the skills in-house to do the work. Consultants can provide customizations, which include threat identification, alerting, and remediation rules, to fine-tune your SIEM product to handle the threats you’re facing. With advancements, SIEM can now be set up without much, if any, consultation.
  • Hiring a database administrator (DBA). This may not be a full-time hire, but setting up a SIEM involves some pretty complicated data architecture and integration processes. In addition, most SIEMs lack self-managing databases. Someone has to take care of all this. A DBA gets paid $74,000 per year on average.
  • Hardware that can handle the load. SIEMs ingest and process enormous amounts of data, with huge real-time insertion and retrieval rates. As a result, the SIEM cannot run on any old piece of hardware. Someone, usually an external consultant, needs to spec out the hardware based on the SIEM’s connectivity and expected data loads.
  • Personnel. SIEMs need to be staffed, often around the clock. Labor costs vary, of course, but in North America and Europe, hiring experienced SIEM admins for three shifts will cost something in the neighborhood of $500,000 a year.
  • Intelligence feeds. The threat intel feeds going into the SIEM can come with their own price tags. Some are free, but many cost between $1,500 and $10,000 per year.
  • Training. SIEMs are a distinct technology that almost always requires specialized training for the people who operate them. Initial training, along with recurring annual retraining, should be part of the SIEM budget.
  • Ongoing tuning. SIEMs tend to be a bit fussy, creating a lot of distracting “noise” that can defeat their entire purpose if not corrected. As a result, SIEMs usually need ongoing tuning, which may require external consultants.

Considering these cost elements, it’s easy to see how a SIEM can cost a million dollars to acquire and launch in its first year. It could then require a budget of half a million dollars to keep it up and running. Plus, some SIEMs price on a per-second or per-event basis. It’s essential to understand exactly what the costs will be based on expected usage patterns.


Tips For Keeping SIEM Costs Low

It’s possible to keep SIEM costs relatively low.

  • Buy a solution that fits your needs today. One approach is to limit the scope of the solution at launch. This keeps hardware and DBA costs down and speeds the deployment process, which in turn cuts down on consultant costs. The trick here is to design for scaling up later on, if that’s required.
  • Outsource SIEM monitoring. Another option is to outsource SIEM monitoring and event management. This may not work for everyone, but a Managed Security Service Provider (MSSP) can take over some of the more difficult SIEM operations. This will likely cost less than staffing people around the clock.
  • Use a log collection strategy. Use your SIEM software to log only critical items while leaving non-critical events to be handled by a log management server. You can then more easily discard lower-value events after shorter retention periods to reduce storage and maintenance costs.
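
One way to express such a log collection strategy, as an added example that is not from the article: a router that sends security-relevant syslog events to the SIEM and everything else to a log management tier with shorter retention, then reports the volume each tier has to ingest and store. The severity threshold, facility list, retention periods and sample lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Assumed routing policy (illustrative, not from the article): the SIEM gets
# severity "err" or worse, plus every auth, authpriv and audit facility event.
SIEM_MAX_SEVERITY = 3            # RFC 5424 severity: 0=emerg ... 3=err ... 7=debug
SIEM_FACILITIES = {4, 10, 13}    # RFC 5424 facility: auth, authpriv, log audit
RETENTION_DAYS = {"siem": 365, "log_mgmt": 30}   # assumed retention per tier

PRI_RE = re.compile(r"^<(\d{1,3})>")

def route(line):
    """Return 'siem' or 'log_mgmt' for one syslog line with an RFC 5424 PRI."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return "siem"            # unparseable: keep it visible rather than drop it
    facility, severity = divmod(int(m.group(1)), 8)
    if severity <= SIEM_MAX_SEVERITY or facility in SIEM_FACILITIES:
        return "siem"
    return "log_mgmt"

def plan(lines):
    """Split lines by tier; report events, bytes ingested and byte-days stored."""
    stats = defaultdict(lambda: {"events": 0, "bytes": 0, "byte_days": 0})
    for line in lines:
        tier = route(line)
        size = len(line.encode("utf-8"))
        s = stats[tier]
        s["events"] += 1
        s["bytes"] += size
        s["byte_days"] += size * RETENTION_DAYS[tier]
    return dict(stats)

# Constructed sample lines (hostnames and messages are made up).
SAMPLE = [
    "<86>1 2024-01-01T00:00:01Z web01 sshd 812 - - Accepted publickey for deploy",
    "<38>1 2024-01-01T00:00:02Z web01 sshd 813 - - Failed password for root",
    "<30>1 2024-01-01T00:00:03Z web01 cron 901 - - job logrotate finished",
    "<191>1 2024-01-01T00:00:04Z app02 api 77 - - debug: cache hit ratio 0.93",
    "<11>1 2024-01-01T00:00:05Z app02 api 77 - - upstream connection refused",
    "malformed line without a priority header",
]

if __name__ == "__main__":
    for tier, s in plan(SAMPLE).items():
        print(tier, s)
```

Run against a day of real logs, the per-tier `bytes` figure is the number to compare with a volume-based SIEM quote, and `byte_days` shows what the shorter retention saves in storage.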

SIEMs tend to be expensive and time-consuming solutions to run, even as they deliver much-needed security incident and event detection and response capabilities. The investment is probably worth it, but it’s a pretty big investment, especially for a smaller company or government agency.
