After so many years working on SIEM projects, we at A3Sec have identified four key concerns that our clients often wish to resolve in order to make the best decision regarding the acquisition of a SIEM system for their organizations: problems, solution, project risks and costs.
Although the implementation risks of a project depend a lot on the organization's own characteristics, the costs can be relatively similar.
In order to have clarity and be able to compare different SIEM proposals, I will list a series of elements that must be taken into account to understand the total cost of this solution.
Architecture: this aspect must be sized along three key elements. The first is the licensing of the solution, which is expressed in events per second and in the number of users.
To define the events per second or amount of data processed or indexed, it is necessary to identify all the sources of information that will be integrated into the SIEM system. There are tools that help to define this depending on the type of source. By calculating average log sizes and other variables, it is possible to arrive at the exact amount.
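A sizing sketch for the estimate described above, added here as an example and not taken from A3Sec or any vendor tool: it turns a source inventory into average EPS, peak EPS and daily volume, and shows which sources drive each figure. The inventory values, peak factors and all names are constructed assumptions to be replaced with measured ones.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400

@dataclass(frozen=True)
class Source:
    name: str
    devices: int
    eps_per_device: float   # average events per second, per device
    avg_event_bytes: int    # average raw log line size
    peak_factor: float      # peak EPS / average EPS (assumed, measure it)

    @property
    def avg_eps(self) -> float:
        return self.devices * self.eps_per_device

    @property
    def bytes_per_day(self) -> float:
        return self.avg_eps * self.avg_event_bytes * SECONDS_PER_DAY

# Constructed sample inventory, not real measurements.
INVENTORY = [
    Source("firewall", 4, 250.0, 400, 3.0),
    Source("windows_server", 120, 5.0, 900, 2.0),
    Source("linux_server", 80, 2.0, 300, 2.0),
    Source("web_proxy", 2, 400.0, 600, 2.5),
]

def size_siem(inventory):
    """Return the figures an EPS-based or volume-based license is quoted on."""
    if not inventory:
        raise ValueError("inventory is empty")
    total_bytes = sum(s.bytes_per_day for s in inventory)
    by_volume = sorted(inventory, key=lambda s: s.bytes_per_day, reverse=True)
    return {
        "avg_eps": sum(s.avg_eps for s in inventory),
        # Worst case: assumes every source peaks at the same time.
        "peak_eps": sum(s.avg_eps * s.peak_factor for s in inventory),
        "gb_per_day": total_bytes / 1e9,
        # Share of daily volume per source, largest first.
        "volume_share": [(s.name, round(s.bytes_per_day / total_bytes, 3))
                         for s in by_volume],
        "top_eps_source": max(inventory, key=lambda s: s.avg_eps).name,
    }

if __name__ == "__main__":
    for key, value in size_siem(INVENTORY).items():
        print(f"{key}: {value}")
```

In this sample the firewalls produce the most events per second while the Windows servers produce the most bytes per day, so the same inventory ranks differently under an EPS license and a volume license.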
The second element depends on the data processing centers. It is important to be clear about how we collect information from the source, the geographic location of data centers, cloud infrastructure, external services and particular platforms (iSeries and Transactional Switch, among others).
And finally, the third key point refers to the fact that many manufacturers have a hardware-oriented value proposition, which is designed to be used at the customer's premises.
Some have a virtual image ready to be deployed, while other organizations start with a cloud-native solution that is easy to deploy and scalable for the company.
Software and Hardware Costs: once the architecture is clear, several elements go into establishing the cost, for example, the costs of licenses, hardware, maintenance and support.
Although SIEM licenses have been marketed as CapEx (perpetual license), most of them have migrated to an OpEx subscription model.
The licensing model is not simple with many vendors: it has a base service, and many functionalities are activated at an increased licensing cost.
Finally, additional elements that may require a piece of third-party software must be taken into account, for example, agents to extract information from systems such as iSeries and Transactional Switches, among others.
Regarding the hardware in the SIEM solution architecture, most manufacturers' proposals are supported by three components: Probe (Log Collector), Logger (Log Repository) and Intelligence (Log Exploitation).
Each of these components can be physical, virtual or cloud-native. When installed internally in the organization, this cost becomes CapEx, while the OpEx model is applied when we identify solutions that are provided as a service.
When purchasing the solution with the CapEx model, the costs of the space in the data center and the services to keep the infrastructure operating in our facilities must also be included.
Finally, professional services include installation and configuration, support and maintenance in case of possible failures, in-house development, configuration of new integrations or detection models, tool administration, monitoring, threat hunting and response.
Would you like to know the approximate cost of implementing a SIEM system, according to the company and its needs? Schedule a meeting with our experts.