    July 14, 2020

    Is Your SIEM Deployment Failing? The Hidden Costs of SIEMs

    We’ve heard it again and again from many organizations that struggle to set up good defensive security tools:

    • They’ve failed or stalled complex and time-consuming SIEM (security information and event management) deployments
    • They don’t get any meaningful or actionable security insights
    • They find it challenging to deal with the amount of alerts or prioritize real threats

    Many organizations that have managed to stand up a SIEM still get little value from it and little visibility into potential security incidents across their environment. A large part of that is due to the complexity of the SIEM itself, and to the additional effort the organization must put in to make up for the SIEM's limited out-of-the-box ability to detect and respond to common attacks.

    Splunk SIEM vs. Blumira Cloud SIEM

    As an example, here’s a comparison of a typical Splunk on-premises SIEM deployment vs. Blumira’s cloud SIEM, based on our team’s past experiences and a recently-onboarded customer:

                           Splunk*                                                  Blumira**
    Overall time           3-6 months with in-house security expertise, up to       Under 5 hours
                           1.5 years for larger companies
    Current team           Varying amounts of time for project management, user     1-2 IT/security resources with
                           feedback, custom playbooks, security architecture and    access to configure existing
                           SOC team training (15+ people)                           systems with Blumira
    Additional             14+ weeks for setup, pen testing support,                None
    consultants            architectural planning and continuous tuning
    Additional costs       $100k+ for virtual compute and flash storage;            None
                           additional licensing for an alerting module
    Pricing model          Difficult to predict; priced by volume of log data       Priced per user, starting at
                           ingested; $100-300k/year                                 $14,400/year for up to 100 users

    * Based on an account of an enterprise-level deployment of their on-premises SIEM offering.
    ** Based on a recent customer’s mid-sized deployment of Blumira’s cloud SIEM platform.

    Ultimately, Blumira’s customer (like many others) was looking for value in a few areas: consolidated security reporting, with all reports accessible in one place to detect and block potential security issues, and access to security expertise to understand what their alerts mean and how to respond to them.

    Unfortunately, not every SIEM vendor actually delivers much value in these areas. The time, resources and teams of people it takes to implement, configure and maintain a typical SIEM before it yields any security insight add up to many hidden costs, explained in more detail below:

    Time

    Overall, the on-premises Splunk deployment for a large enterprise took a year and a half. With a good managed security services provider (MSSP) and in-house security expertise, a deployment can range anywhere from three to six months.

    For a typical mid-sized Blumira customer, it can take under five hours. That includes creating and setting up a sensor and integrating the platform with:

    Learn more about Blumira’s integrations >

    Team

    For the Splunk deployment, the organization required a fair number of resources from their current internal team, including:

    • An in-house project manager
    • User feedback and SOC requirement sessions (all hands)
    • Creating a custom SOC playbook with a consultant
    • Creating threat content with a security architect
    • Training on how to use Splunk with a team of 15 SOC members
    • In-house SOC training for the midnight shift, with a consultant
    • Ongoing weekly meetings with Splunk representatives with the CISO, a product manager, and a security architect

    It also required two in-house Splunk architects for ongoing maintenance.

    The recent Blumira deployment was managed by a single network services manager, which is typical of the small teams that are often tasked with running both IT and security at mid-sized organizations.

    Learn more about configuring Blumira >

    Additional Consultants

    In addition to the current team, the Splunk deployment required 3.5 months of consultants to set up and deploy hardware, normalize and parse logs, customize dashboards, and carry out architectural planning. They also had an on-site Splunk consultant to support their security operations center (SOC) during penetration tests.

    They also hired consultants to install and configure the SIEM and to configure the ES (Enterprise Security) module, which sets up and enables security alerts (ES includes around 40 pre-built alerts). An additional three months of consultancy was required for the continuous tuning and creation of rules: a cycle of rolling out rules, reviewing the results, then further allowlisting and configuration.

    Blumira did not require additional consultants for deployment.

    Additional Costs

    Aside from the time of internal and external teams spent on deployment and security configuration, the Splunk SIEM required additional spending for the on-premises setup: around $100,000 in virtual compute and flash storage for the clusters and fleets that host it.

    Blumira did not require any additional costs for deployment.

    Pricing Model

    Splunk’s pricing model is based on the volume of log data sent to the platform; the annual data ingestion license ran around $100,000-300,000. That means the more systems send logs to the SIEM, and the more logs they send, the more the customer is charged, which also creates an incentive to leave useful log sources out.

    Blumira’s customers are charged by number of users, similar to other software-as-a-service (SaaS) pricing models, which gives transparent, fixed costs sized to your organization’s needs rather than to its log volume.


    Switching to Blumira’s Cloud SIEM Platform

    “Blumira takes the frustration out of SIEM and SOC – with simple deployment, relevant and accurate detections, and extremely responsive and knowledgeable support.” – Kevin Hayes, CISO, Merit Network

    Built for Small Teams to Do More With Less – With daily alert volumes that can reach tens of thousands, it is difficult for a team of one or two people to investigate, prioritize and respond to each one. Blumira’s cloud SIEM uses pre-built detection rules to surface only the most important alerts, then ranks them for your responders by criticality. We then provide playbooks that walk through threat response and next steps in terms that non-security staff can follow.

    Learn more about automated threat detection >

    Easy Deployment in Hours, Not Months (or Years) – Large SIEM deployments often fail because of the complexity of setup, configuration, hardware and infrastructure support, and the internal resources and outside consultants they require. Blumira’s cloud SIEM can be deployed by the smallest, non-security IT teams, and lets them start detecting meaningful security events within hours.

    Learn more about cloud SIEMs >

    SaaS Model for SIEM: No More Hidden Costs – Priced predictably and transparently, Blumira’s software-as-a-service model lets your organization plan ahead, budget costs, and avoid the additional, unforeseen spending that other SIEMs often require before they deliver security value.

    Learn more about Blumira’s pricing >

    Additional Resources

    Replace Your SIEM: Traditional vs. Modern SIEM – Legacy SIEMs can be complex, noisy and lack remediation. Replace your SIEM with a modern platform for automated threat detection and response, with lower overhead.

    How Much is Your SIEM Solution Costing You? – Legacy SIEM costs can add up. See how Blumira automates threat detection & response for better security value at a reduced total cost of ownership.

    How to Replace Your SIEM: Free Guide – Our guide gives you a criterion checklist to help you select a modern security platform that can meet your organization’s needs, without significant overhead.

    Thu Pham

    Thu has over 15 years of experience in the information security and technology industries. Prior to joining Blumira, she held both content and product marketing roles at Duo Security, leading go-to-market (GTM) and messaging for the portfolio solution Cisco Zero Trust. She holds a bachelor of science degree in...
