Security Information and Event Management, also known as SIEM technology, is a crucial part of any organization’s cybersecurity strategy. But should you install your SIEM tools on-prem? Or should you rely on a managed SIEM service?
While the answer largely depends on your organization, and on the SIEM-as-a-Service provider in question, each approach has its own pros and cons.
On-prem SIEM Installation: Pros
There are a few different reasons why your organization might consider installing a SIEM system on-premises.
Your data stays on-site
Here’s the thing about sensitive data: it’s risky to store and risky to move. While many ways to safely transmit data to a cloud-based SIEM do exist, some organizations feel safer by keeping the SIEM software on-prem.
You maintain control over the platform
Organizations that run their own SIEM have control over everything. In order to run a SIEM effectively though, the management team must understand the context of your business. Where do you do business? Who logs in to your system? How do customers, vendors, and internal employees interact with the elements of your system? Without these answers, the SIEM will never be fully effective.
Having full control over your SIEM means you can tailor it to the context of your business’ unique fingerprint, but only if you know how.
You maintain control over your team
This means that any team that runs your SIEM, whether internal or third-party, must have a close relationship with your organization.
If you are in charge of hiring and managing your own security team, you can train that security team to understand your business’ context.
Having control over your team means that you set the expectations and deliverables for your security team, and you always know where you stand.
On-prem SIEM Installation: Cons
With all that being said, installing your own SIEM on-prem does come with a serious set of drawbacks.
Running your own SIEM on-prem is expensive. Really expensive.
Not only do you have to buy the SIEM tools, but you also have to assemble and monitor logs from every single data collection point on your system. This requires storage, servers, and hardware.
And that’s not even the most expensive part. You still have to hire, train, and manage a cybersecurity team. This is not a small investment. Qualified people can come with a very high price tag.
If you want to run your SIEM on-prem, make sure you’ve got the budget for it.
Learning curve and delays
Learning how to manage a SIEM is a complex process. In general, it can take an entire security team up to 12 months to become proficient with the new tools. And learning the SIEM technology is the easy part.
As we mentioned before, effectively running a SIEM means tailoring it to the context of your business’ unique fingerprint. That requires understanding your business model and learning how to tweak the SIEM system to fit your system.
Taking time to become proficient with the platform translates to delays in actual threat detection. That means the $250k investment you just put into your security solution might not actually produce any results for the first year.
One element of an effective SIEM deployment is its ability to integrate with every part of your system. However, these integrations are complicated. Installing SIEM technology on-prem requires a working knowledge of the software and of how to keep integrations updated. When you don’t update your integrations, the connected systems become more exposed and the integrations less effective. If your team has to wait for your SIEM software provider to release integration updates, those connection updates are delayed. Integrations must be updated consistently and proactively, because delays can translate into data correlation errors and omissions.
Unless you spend the “big bucks” on a highly-trained internal team, you will likely experience delays in proper integration.
Managed SIEM: Pros
On-prem installs offer a high level of control, but they also cost a lot and take a long time to learn. Relying on a SIEM-as-a-Service provider has another set of benefits:
When you hire a managed SIEM provider, you gain a security team that is already proficient in the technology. The SIEM software comes pre-configured and the team comes pre-trained. A configuration and onboarding process that could take months with an internal team is reduced to days or weeks with a professional SIEMaaS provider.
Relying on a managed SIEM service also brings significant cost savings to the table. If your SIEMaaS provider is cloud-based, you don’t need to worry about investing in infrastructure. Your provider already owns the servers and storage to run the SIEM effectively without having to install any costly hardware on your system.
You also get a knowledgeable staff without the need to spend time and money in training.
Finally, you get maintenance, support, and updates all worked into your contract. This creates huge cost savings because you don’t have to add an entire cybersecurity team to your payroll.
When you run an on-prem SIEM you can customize every aspect of your system. However, your team will spend a lot of time and energy to implement these changes.
By contrast, a good SIEMaaS provider will work with your business to learn your fingerprint and provide tailored SIEM tools as a part of their solution. That means custom alarm building and reporting will be relevant to your business’ needs, and can be understood by all the stakeholders in your company. It also means the custom dashboards provided to you will provide metrics relevant to your business and give you access to your data when you need it.
Managed SIEM: Cons
There’s no such thing as a perfect SIEM solution. Managed SIEM services also come with their own set of possible limitations. Here are a few you should be aware of:
Data is moved off-site
As mentioned before, data management is always risky.
It’s risky to keep data at rest, but it’s also risky to move data off-site.
While the risk is small if managed correctly, “in flight” data can be vulnerable if the right precautions aren’t taken.
If you use a managed SIEM service, you should know how often the SIEMaaS provider updates their systems and integrations. You should also know what kind of encryption practices they use for your logs.
If your antivirus software sends you a notification every 5 minutes, you will eventually start to ignore those alerts if most of them aren’t credible.
This phenomenon is known as alarm fatigue, and it is one of the reasons for burnout among so many security teams. It also leads to missing the real threats that could actually damage your system.
If your SIEM provider focuses solely on monitoring and reporting threats, and does not manage them on your behalf, you may just end up paying for a sequence of notifications that you will eventually ignore.
In that case, why bother paying for security at all?
That’s why vetting your potential SIEM provider is so important. You need to make sure they are as dedicated to threat mitigation and threat remediation as you are.
Here’s a tip: If your SIEMaaS provider thinks the letter ‘M’ in SIEM stands for “Monitoring” and not “Management,” you may not be as protected as you think!
Limited data access
Not all managed SIEM services will give you access to your data.
They may just collect logs from your data collection points, compile them on their own servers, and send you a report or summary, while you have no access to the raw data itself, even though it is your data.
Your SIEMaaS provider should be reliable. And you should be able to access your data at any time, for any reason.
If your SIEMaaS provider does not give you access to your data, preferably through a customized dashboard, it’s probably time to reconsider your service.
On-prem or managed service: protect your system
Regardless of which solution you choose, a well-run SIEM can be the most effective way to keep your organization’s data safe and secure.
Ready to talk about your options for SIEM tools? We would love to hear from you.