Is Your SIEM Deployment Failing? The Hidden Costs of SIEMs

We’ve heard it again and again from many organizations that struggle to set up good defensive security tools:

• They’ve failed or stalled complex and time-consuming SIEM (security information and event management) deployments
• They don’t get any meaningful or actionable security insights
• They find it challenging to deal with the amount of alerts or prioritize real threats

Many organizations that have managed to set up a SIEM aren’t getting a lot of value or visibility into potential security incidents across their environment. A large part of that is due to overall SIEM complexity and the additional effort required on the part of the organization to make up for the lack of SIEM capabilities to detect and respond to common attacks.

Splunk SIEM vs. Blumira Cloud SIEM

As an example, here’s a comparison of a typical Splunk on-premises SIEM deployment vs. Blumira’s cloud SIEM, based on our team’s past experiences and a recently-onboarded customer:

* Based on an account of an enterprise-level deployment of their on-premises SIEM offering.
** Based on a recent customer’s mid-sized deployment of Blumira’s cloud SIEM platform.

Ultimately, Blumira’s customer (like many others) was seeking value in a few different areas – from the consolidation of security reporting and the ability to access all reports in one place to detect and block potential security issues, as well as having access to security expertise to understand what their alerts mean and how to respond.

Unfortunately, not every SIEM vendor actually provides much value in these areas. The time, resources and teams of people it takes to implement, configure, and maintain solutions in order to get any security insights out of a typical SIEM add up to many hidden costs explained in more detail below:

Time

Overall, an on-premises Splunk deployment for a large enterprise took one and a half years total. However, with a good managed security services provider (MSSP), it can range anywhere from three to six months.

For a typical mid-sized Blumira customer, it can take under five hours. That includes creating and setting up a sensor and integrating the platform with:

• Productivity applications (G Suite, Office 365)
• Endpoint security (Crowdstrike, Carbon Black)
• Firewalls (Cisco ASA, Palo Alto)
• Servers (Windows/Linux)
• Cloud Applications (Cisco Umbrella, Okta)

Learn more about Blumira’s integrations >

Team

For the Splunk deployment, the organization required a fair number of resources from their current internal team, including:

• An in-house project manager
• User feedback and SOC requirement sessions (all hands)
• Creating a custom SOC playbook with a consultant
• Creating threat content with a security architect
• Training on how to use Splunk with a team of 15 SOC members
• In-house SOC training for the midnight shift, with a consultant
• Ongoing weekly meetings with Splunk representatives with the CISO, a product manager, and a security architect

It also required two in-house Splunk architects for ongoing maintenance.

The recent Blumira deployment was managed by one network services manager; a common occurrence when it comes to the size of the teams that are often tasked with running both IT and security at mid-sized organizations.

Learn more about configuring Blumira >

Additional Consultants

In addition to the current team, the Splunk deployment required 3.5 months of consultants to help set up and deploy hardware; normalizing and parsing logs; customizing their dashboards; as well as architectural planning. They also had an on-site Splunk consultant to support their security operations center (SOC) during penetration tests.

They also hired consultants to help install and configure the SIEM, and configure the ES (Enterprise Security) module to set up and enable security alerts (around 40 pre-built alerts included in ES). An additional three months of consultancy support was required for the continuous tuning and creation of rules; a process of rolling out rules, reviewing them, then more allowlisting and configuring.

Blumira did not require additional consultants for deployment.

Additional Costs

Aside from the time of internal and external teams to assist with deployment and security configuration, the Splunk SIEM required additional costs for on-premises setup – around $100,000 in virtual compute and flash storage for clusters and fleets (hosting infrastructure).

Blumira did not require any additional costs for deployment.

Pricing Model

Splunk’s pricing model is based on the amount of log data sent to their service; around $100-300,000 for an annual data ingestion license. That means the more systems that are sending more logs to their SIEM, the more a customer is charged.

Blumira’s customers are charged by the amount of users, similar to other software-as-a-service (SaaS) pricing models that provide transparency and fixed costs, based on your organization’s specific needs.

Learn more about the cost of SIEM in our upcoming gameshow:

Switching to Blumira’s Cloud SIEM Platform

“Blumira takes the frustration out of SIEM and SOC – with simple deployment, relevant and accurate detections, and extremely responsive and knowledgeable support.” – Kevin Hayes, CISO, Merit Network

Built for Small Teams to Do More With Less – With daily alerts approaching tens of thousands on average, it can be difficult for teams of one or two people to investigate, prioritize and respond to each of them. Blumira’s cloud SIEM uses pre-built detection rules to inform only the most important alerts, then prioritizes them for your responders by criticality. Then, we provide playbooks to walk through threat response and next steps that are easy for non-security staff to understand.

Learn more about automated threat detection >

Easy Deployment in Hours, Not Months (or Years) – Large SIEM deployments often fail due to the complexity of setup, configuration, hardware and infrastructure support, etc., as well as the resources and outside consultants required. Blumira’s cloud SIEM is easy to deploy by the smallest, non-security IT teams and allows them to start detecting meaningful security events immediately, within hours.

Learn more about cloud SIEMs >

SaaS Model for SIEM: No More Hidden Costs – Priced predictably and transparently, Blumira’s software-as-a-service model allows your organization to plan ahead, budget costs, and limit additional, unforeseen costs that other SIEMs often require to get the most security value out of your tools.

Learn more about Blumira’s pricing >

Additional Resources

Replace Your SIEM: Traditional vs. Modern SIEM – Legacy SIEMs can be complex, noisy and lack remediation. Replace your SIEM with a modern platform for automated threat detection and response, with lower overhead.

How Much is Your SIEM Solution Costing You? – Legacy SIEM costs can add up. See how Blumira automates threat detection & response for better security value at a reduced total cost of ownership.

How to Replace Your SIEM: Free Guide – Our guide gives you a criterion checklist to help you select a modern security platform that can meet your organization’s needs, without significant overhead.