The True Cost of Running a SIEM
By Guest Blogger David Humphrey, Harvard Pilgrim HealthCare
In this day and age of “plug-and-play”, the need for instant online gratification, and appliances that encapsulate all of the functionality you need in one convenient shiny wrapper, the idea of installing a SIEM into the corporate environment is not met with that much trepidation. After all, how bad can it be? Everything is made to work with everything else out there, and implementing a SIEM should not be that much of a challenge.
The perception that much of our IT management has is that implementing new IT functionality will not impact the IT service management model significantly, and should always be easier than it once was in the recent past for other IT projects. Yet, while a SIEM installation is not rocket science, it is prudent to recognize just what the true cost of running and maintaining a SIEM will be. And the first step to take along this path is to set the correct level of expectations on just what the project is...
One should consider it to be on the level of replacing the piston rings in the engine of your car. Now, if you think that clearing the space in your garage for such a project, acquiring the tools to properly address this engineering feat, and mustering the patience to tackle a lot of unknown issues with your very familiar vehicle might be daunting - you’re on the right plane of where your level of expectations should be for putting a SIEM into the environment. Sure, there are plenty of guys out there that can replace a head gasket, but for most of us, that task is well over our heads.
Most of us are going to pay the dealership cost to have them do it. And that cost will be far more than we want to pay for maintaining our vehicle. But this is because we never put the maintenance cost into the evaluation matrix for when we originally purchased said transportation. When the time came to select that new VW Bug over the Honda Accord, well, the VW won out on all the cool features. Now comes the cost of maintenance…
I still remember the vendor meetings at my company when I brought the “technology” in to meet the IT staff. Oh, the questions they asked! Here is a wonderful example: since logs are, by default, available on the network, what needs to be done to this new SIEM to suck these down and begin reporting on the environment? What will it cost for the vendor to configure their new toy to work with application ‘X’? Does it work with application ‘Y’?
The answers were succinctly typical, in respective order: it comes with a lot of reporting functionality right out of the box; ‘yes’ and ‘yes’. It will work with all of your IT systems.
And that was true.
What no one realized needed to be asked was not how well the SIEM could be used in the environment, but what needed to be done in the environment to use a SIEM.
All of the Unix systems needed a centralized logging system to be developed for the SIEM – the logs were not magically available in the ether to be sucked off the network. The domain controllers needed a GPO update to determine what was going to be logged, and whether or not storage was going to be sufficient, locally, to wait for the SIEM to query them. The Oracle databases had to be configured to use audit logging, and 30 or more configuration statements would need to be tuned to create pertinent audit logs, including securing access to those logs, and an automatic purging stored procedure to dump logs older than several days so that the database did not wipe out all available disk space. All of those shiny appliances needed to be administered so that they too would log directly to the SIEM, and each web server would need a new process installed on the server to monitor the web logs so that those lines too could be sent to the SIEM. In short, the work necessary for the environment to log to the SIEM involved three separate management teams, hundreds of change management entries, and a bit of network/storage re-engineering to just begin the process of getting logs.
Don’t get me started on what it takes to log from AWS and O365.
So what is the first thing to note about the true cost of owning and operating a SIEM? It was this: when you determine a SIEM is necessary for your environment, your true cost of integration is directly proportionate to the ITSM management cost of your entire IT infrastructure. It will take a strong IT wizard, at the level of your BMW mechanic, to get to all of the silos in your organization and talk technical about the needs and methods to extract the logs that the system needs to work. It will take time and effort to get things set up to log to the SIEM, and this is going to be a manpower initiative proportional to the complexity of your organization.
For starters.
Now we need to fill in the rest of the story for your TCO on this functionality!
Why? Because you’re growing and changing. You cloned your production database to upgrade your back-end hardware and switched over the instance to a new TNS identifier for the database itself. It all went smoothly. But the SIEM didn’t know this. And now your Oracle logs are gone. When you upgraded the NAS mount for your logging host, and turned off the “rsyslogd” daemon to “rsync” the old filesystem to the new one, you forgot to restart the daemon. The SIEM didn’t know this, and now your UNIX logs are gone. You went with the newest cloud service provider to support your antivirus implementation, and realize that you don’t have logs from the cloud to the SIEM. You’ll need to provision a logging relay in the DMZ to get those logs into the SIEM, and… yes, now you no longer have endpoint logging.
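The three outages just described share one signature: a source the SIEM has stopped hearing from, and nobody noticing until the data is needed. What follows is an added example, not code from the original post, of the kind of daily data-source health check that catches that failure mode. It assumes a source inventory with a "longest normal gap" per source and the most recent event timestamp the SIEM has for each source; the source names, intervals and timestamps are constructed for the example.

```python
"""Daily log-source health check (added example, not from the original post).

Inputs are assumed: an inventory of expected sources with the longest gap
between events that is still normal, and the newest event timestamp per
source as reported by the SIEM. All names and times below are constructed.
"""
from datetime import datetime, timedelta

# Constructed inventory: source name -> longest event gap that is still normal.
EXPECTED_SOURCES = {
    "oracle-prod-audit": timedelta(hours=1),
    "unix-syslog-relay": timedelta(minutes=15),
    "dc01-security": timedelta(minutes=5),
    "cloud-av-relay": timedelta(hours=6),  # provisioned, but nothing has arrived yet
}

# Constructed "events seen" feed: (source, ISO-8601 timestamp of an event).
SAMPLE_EVENTS = [
    ("oracle-prod-audit", "2024-03-04T02:00:00"),  # quiet since the TNS change
    ("unix-syslog-relay", "2024-03-06T23:10:00"),  # daemon never restarted
    ("dc01-security", "2024-03-07T07:58:00"),
    ("dc01-security", "2024-03-07T07:59:30"),
    ("legacy-ftp-box", "2024-03-07T07:50:00"),     # sends logs, but is in no inventory
]
NOW = datetime.fromisoformat("2024-03-07T08:00:00")  # constructed "current time"


def last_seen_by_source(events):
    """Reduce the event feed to the newest timestamp per source."""
    seen = {}
    for name, ts in events:
        t = datetime.fromisoformat(ts)
        if name not in seen or t > seen[name]:
            seen[name] = t
    return seen


def check_sources(expected, events, now):
    """Classify every source as silent, never seen, or unregistered.

    silent:       in the inventory, last event older than its allowed gap
    never_seen:   in the inventory, no event at all (e.g. a relay never wired up)
    unregistered: sending events, but nobody owns it in the inventory
    """
    seen = last_seen_by_source(events)
    silent, never_seen, unregistered = [], [], []
    for name, max_gap in expected.items():
        if name not in seen:
            never_seen.append(name)
        elif now - seen[name] > max_gap:
            silent.append((name, now - seen[name]))
    for name in seen:
        if name not in expected:
            unregistered.append(name)
    return {"silent": silent, "never_seen": never_seen, "unregistered": unregistered}


def format_report(result):
    """Render the check as one line per finding for a daily ticket or e-mail."""
    lines = [f"SILENT      {name} (last event {gap} ago)" for name, gap in result["silent"]]
    lines += [f"NEVER SEEN  {name}" for name in result["never_seen"]]
    lines += [f"UNREGISTERED {name}" for name in result["unregistered"]]
    return lines or ["all sources healthy"]


if __name__ == "__main__":
    for line in format_report(check_sources(EXPECTED_SOURCES, SAMPLE_EVENTS, NOW)):
        print(line)
```

The per-source gap matters more than a single global threshold: a domain controller that is quiet for an hour is an incident, while an audit feed that batches hourly is not. The "never seen" and "unregistered" buckets cover the two directions the inventory can drift from reality, a source that was promised but never connected, and a source that appeared without an owner.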
And we haven’t even gotten to reporting and analysis yet.
There was a reason to put a SIEM into the environment, and whether it was for audit compliance, centralized logging, automatic report generation of events, incident alerting to your SOC monitor, or complex user analytics - once the data is in there, you have to be able to do something with it. And once you start doing things with the data, you will need personnel to act and respond to the heuristics coming out of that tool. Someone is going to review your “dial-in” VPN access logs to see if one UserID is used to get on the network from Bangalore, India at the same time that it was used to log in from Eastern Ukraine; someone is going to figure out if 10 or more password attempts on an account within 1 minute is normal or not. In short, the SIEM will deftly be able to produce this output for you, but someone has to know enough about your global IT footprint to act upon it. And they should also be able to act upon data anomalies in those reports – did the logging on the IPS get turned off for a reason, or did some hacker turn it off to cover his tracks? They need to be fairly IT knowledgeable.
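The two review tasks named above (one UserID logging in from two countries within a short window, and 10 or more password attempts on one account within a minute) are exactly the correlations a SIEM hands to the analyst. The block below is an added example, not the author's or any vendor's code, of that logic run over a constructed set of VPN authentication lines. The line format, user IDs, country codes and timestamps are assumptions made for the example; the findings it returns are the starting point for the human judgement the author describes, not a verdict.

```python
"""Detection logic for two of the SIEM review tasks described above, run over
constructed VPN authentication events (added example, not from the post).

Assumed event format, one per line (constructed for this example):
    <ISO-8601 timestamp> <LOGIN_OK|LOGIN_FAIL> user=<id> src_country=<ISO code>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: jdoe succeeds from two countries four minutes apart,
# svc_backup fails ten times in 45 seconds, the other accounts are benign.
SAMPLE_LOG = "\n".join(
    [
        "2024-03-01T08:00:00 LOGIN_OK user=jdoe src_country=IN",
        "2024-03-01T08:04:00 LOGIN_OK user=jdoe src_country=UA",
        "2024-03-01T08:10:00 LOGIN_OK user=asmith src_country=US",
        "2024-03-01T09:00:00 LOGIN_OK user=asmith src_country=US",
        "2024-03-01T12:00:00 LOGIN_FAIL user=bwong src_country=US",
        "2024-03-01T12:30:00 LOGIN_FAIL user=bwong src_country=US",
    ]
    + [f"2024-03-01T10:00:{5 * i:02d} LOGIN_FAIL user=svc_backup src_country=US" for i in range(10)]
)


def parse_events(text):
    """Parse the assumed line format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if "user" not in fields or "src_country" not in fields:
            continue
        events.append({
            "ts": datetime.fromisoformat(parts[0]),
            "event": parts[1],
            "user": fields["user"],
            "country": fields["src_country"],
        })
    return events


def concurrent_country_logins(events, window=timedelta(hours=1)):
    """One UserID with successful logins from two countries inside `window`.

    Returns (user, country_a, country_b, ts_a, ts_b) for an analyst to check
    against known travel, corporate VPN exit points and shared accounts.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_OK":
            by_user[e["user"]].append(e)
    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for i, a in enumerate(logins):
            for b in logins[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # logins are sorted, nothing later can be inside the window
                if b["country"] != a["country"]:
                    findings.append((user, a["country"], b["country"], a["ts"], b["ts"]))
    return findings


def failed_login_bursts(events, threshold=10, window=timedelta(minutes=1)):
    """Accounts with `threshold` or more failures inside any sliding `window`.

    Returns (user, first_failure, last_failure, count); one finding per account.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            by_user[e["user"]].append(e["ts"])
    findings = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward until it fits
            if end - start + 1 >= threshold:
                findings.append((user, times[start], times[end], end - start + 1))
                break
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in concurrent_country_logins(evs):
        print("multi-country login:", f)
    for f in failed_login_bursts(evs):
        print("failed-login burst:", f)
```

Both rules are deliberately simple; the work the author is pointing at is in the thresholds (is an hour the right window for your workforce, is ten failures a minute a service account with a stale password or something else) and in who owns the resulting queue.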
The true cost of owning a SIEM? Wisdom. Your management should recognize the high level of IT personnel resources needed to maintain this component, and invest in that personnel. The return is enormous, but directly proportional to this personnel investment. Your environment is dynamic with a lot of moving IT parts. The SIEM has to keep up; it also has to be maintained with patching and hardware refresh. You will need some part of personnel to maintain and expand the data flows as they change and grow. You will need some part of personnel to analyze the data, and update the reporting. And while this may no longer require your BMW mechanic, it is certainly going to require a good garage mechanic. In other words, you need to staff accordingly, provision the manpower, and pro-actively monitor your data sources daily. And of course, only you have the resources for that.
There are multiple ways to accomplish this. One option is to outsource your SIEM completely to the cloud. In this model you get what you pay for: a logging repository with a helpdesk to turn to when you figure out what changes you need to have made. Another option is to keep the SIEM on your premises but have high-value alerts monitored 7x24 by an MSSP; you are still responsible for making sure the event information makes it to the MSSP, and without business context and intelligence you will still end up with lots of false positives from your provider. The third option is to keep the SIEM on premise and have a trusted partner, like ThetaPoint, care for the SIEM at your location, allowing you to focus on the high-value requirements of the SIEM, be it use case/report creation/monitoring, or incident handling. In this scenario, you have complete control over the business context and intelligence, and eliminate the headaches and burden associated with care and feeding of your SIEM. Regardless of your path, the most important thing to remember as you look at the true cost of your SIEM is to make sure you have a desired state and that everything that you do supports that effort. If not, you will end up with a science project that will need to be continually justified and a cost model that can never be supported.
