SIEM 101

An Introduction

Organisations worldwide now recognise that perimeter-based defences on their own cannot adequately protect confidential data. Established controls such as firewalls, anti-virus and web filtering remain vital, yet even in combination they cannot fully safeguard a company's most sensitive assets and intellectual property.

Attacks are inevitable, so organisations need to detect indicators of attack or compromise as early as possible in order to limit damage and loss. Once alerted, they must quickly establish what the intruders have done, which systems they have compromised and what action will halt them before they inflict further damage.

That’s where security information and event management (SIEM) solutions come in.

A SIEM collects logs from systems across the organisation, normalises them into a common event format, correlates related events from different sources (for example, a run of failed logins against several servers from one address, followed by a success) and adds context such as the criticality of the affected asset. When a correlation rule matches, it raises an alert so that suspicious activity in your environment can be investigated.
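The following is an added example, not code from the original page or from any vendor's product. It runs a minimal SIEM-style correlation rule over constructed sshd log lines to show the three steps just described: normalising raw lines into events, correlating them across hosts by source address, and adding asset context before alerting. The log lines, hostnames, documentation-range IP addresses and the asset table are all constructed for illustration.

```python
"""Added example: a minimal SIEM-style correlation rule over constructed sshd log lines.

Shows collect/normalise (parse), correlate (a stateful rule across hosts) and
contextualise (asset criticality), then alert. Log lines, hostnames, IPs and the
asset table are constructed for illustration, not taken from a real environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in sshd syslog style (documentation-range IPs, not real data).
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z web01 sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2
2024-03-01T09:00:03Z web01 sshd[2201]: Failed password for root from 203.0.113.7 port 50123 ssh2
2024-03-01T09:00:04Z web01 CRON[2210]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-01T09:00:05Z web01 sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
2024-03-01T09:00:09Z db01 sshd[911]: Failed password for root from 203.0.113.7 port 50130 ssh2
2024-03-01T09:00:12Z db01 sshd[911]: Failed password for root from 203.0.113.7 port 50131 ssh2
2024-03-01T09:00:14Z db01 sshd[912]: Failed password for root from 203.0.113.7 port 50132 ssh2
2024-03-01T09:00:20Z db01 sshd[913]: Accepted password for root from 203.0.113.7 port 50133 ssh2
2024-03-01T09:05:00Z web01 sshd[2300]: Failed password for alice from 198.51.100.9 port 41000 ssh2
2024-03-01T09:05:04Z web01 sshd[2300]: Failed password for alice from 198.51.100.9 port 41000 ssh2
2024-03-01T09:05:10Z web01 sshd[2300]: Accepted password for alice from 198.51.100.9 port 41000 ssh2
"""

# Assumed asset inventory used for context; a real SIEM would pull this from a CMDB.
ASSET_CONTEXT = {"web01": "internet-facing", "db01": "crown-jewel"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse(raw):
    """Normalise raw lines into event dicts; lines the rule does not understand are skipped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the CRON line: no authentication outcome, nothing to correlate
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Rule: at least `threshold` failed logins from one source IP within `window`
    (against any host), followed by a successful login from that IP, raises one alert.

    Keying on source IP rather than per host is what catches an attacker who
    sprays a few guesses at each machine and stays under a per-host threshold.
    """
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # tolerate out-of-order arrival
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # drop failures that fell outside the sliding window
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            continue
        if len(recent) >= threshold:
            # Contextualise: the same pattern matters more on a crown-jewel asset.
            criticality = ASSET_CONTEXT.get(ev["host"], "unknown")
            alerts.append({
                "rule": "brute-force-then-success",
                "src": ev["src"],
                "host": ev["host"],
                "user": ev["user"],
                "failures": len(recent),
                "first_seen": recent[0],
                "last_seen": ev["ts"],
                "severity": "high" if criticality == "crown-jewel" else "medium",
            })
        recent.clear()  # a success, alerting or not, resets the sequence for this source
    return alerts


def run(threshold=5):
    """Parse the constructed logs and apply the rule; returns the list of alerts."""
    return correlate(parse(SAMPLE_LOGS), threshold=threshold)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the default threshold of five, the rule fires once: six failures from 203.0.113.7 spread across web01 and db01, then a successful root login on db01, rated high because db01 is tagged as a crown-jewel asset. Alice's two mistyped passwords produce no alert. Lowering the threshold to two makes the rule fire on Alice as well, which is the tuning trade-off the rest of this page keeps returning to: a rule that is too sensitive buries the real alert in noise, one that is too lax misses the attack.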

Sounds easy, right? Not quite.

The Challenges

SIEM systems have come a long way, but buying the technology does not by itself solve the business problem. SIEM systems are complex, and getting value from that sophistication brings a special requirement: dedicated, highly skilled people to run them.

To get the best out of a SIEM you must continuously tune it and interpret its output, so that the alerts, reports and dashboards it produces are actionable rather than noise. On top of regular system administration, this demands more specialised skills: working with very large volumes of event data, knowledge of systems across the entire IT estate, familiarity with most of the security point solutions feeding the SIEM, and the ability to identify, analyse and prioritise correlated threats. Most companies lack this talent, in both skills and headcount, and as a result many SIEM deployments fail to meet their goals.

The inefficiency of ownership

The traditional approach of purchasing a SIEM and running it in-house requires significant capital expenditure up front. Typically this means a three-year commitment, with annual maintenance in years two and three at around 20% of the purchase price.

Many SIEM solutions constrain how much you can process, whether through licensing limits (typically events per second or gigabytes ingested per day) or the capacity of the appliance. Exceed your purchased capacity and you face further significant capital expenditure on costly upgrades. To future-proof the investment you may be tempted to buy large blocks of capacity that will initially sit under-utilised, which is expensive, inefficient and wasteful.

Then factor in that SIEM systems are resource hungry: they need large amounts of compute, memory and storage to gather, analyse and retain logs and alerts. You therefore have to rack and stack, power, cool, secure, back up and patch yet another appliance, or dedicate significant resources on your existing virtualisation platform. Add to that the cost of designing and deploying the infrastructure in your test and production environments, and all the change management overhead that comes with it.

These costs are often overlooked in the business case, which can lead to a false understanding of the total cost of ownership (TCO) of running your own SIEM system.

And even after all this investment you still have not solved the business problem, because someone in your organisation needs the skills and time to deploy, configure, tune and continually monitor the output of the SIEM. That is where the value is actually extracted.

The Options

On top of the significant up-front capital expenditure of purchasing and deploying the platform, the in-house option requires you either to recruit additional specialised staff or to invest heavily in training existing staff to use the software and interpret its output, while finding a way to cover their existing duties. Both routes are time consuming and costly, and carry a significant opportunity cost: what other business problems could have been addressed with the time and money spent running the SIEM?

And remember, cyber threats don't take holidays. Attackers don't pause because your analyst is off sick, busy with other work or on a training course. Round-the-clock monitoring therefore needs several skilled staff, not one.

Even after all that investment you still have not begun to remediate the issues your SIEM has alerted you to. And if you cannot find the time to act on what it finds, why invest in a SIEM in the first place?

Hybrid model

The traditional alternative is the "hybrid model", in which you purchase a SIEM and engage a managed security services provider (MSSP) to run it on your behalf. This option has several drawbacks:

  • you still have the costs, risks and complexity of running the system in-house on your infrastructure (as outlined above);
  • you still have to purchase spare capacity on day 1;
  • you must find and evaluate MSSPs with the required product knowledge to get the best out of the system you select, which is time consuming and comes with more opportunity cost; and
  • you are likely to incur significant professional services fees to perform the initial setup with the MSSP.

The KZN Way: Insight

KZN build, host and manage Insight, a multi-tenanted SIEM platform tightly integrated with other off-the-shelf solutions to provide a holistic, flexible as-a-service offering. For a monthly subscription, KZN tune and manage the SIEM on your behalf, allowing you to focus on what matters most: acting on the information Insight provides.

Insight saves you the capital expenditure, time, recruitment, training and opportunity cost of implementing and managing a SIEM in-house, and removes the risk and complexity of owning the platform yourself. We guide you through deployment in your organisation and then provide the specialised skills needed to configure, continuously monitor and fine-tune the output, so that you receive actionable alerts and can take the appropriate steps to protect your information. We can also advise you on what those steps should be.

The Insight model works like a mobile phone contract. On our pay-as-you-go (PAYG) plan you pay a little more per device per month for the flexibility to walk away at short notice with no penalties. If you prefer the security and predictability of a contract, we offer significant discounts on two- and three-year terms. You pay for what you need, only when you need it, with no booking and paying for future capacity up front.

The process begins with a free trial, and you can be up and running in minutes rather than days or weeks. There are no up-front fees, no professional services costs for standard deployments and no long contract lock-ins. If you like what you see, your trial converts to a paid subscription at the flick of a switch.

Simple, flexible, frugal, efficient and great value. The KZN Way.