
How SIEM Creates a Bottleneck

In a world of rapidly evolving threats and sophisticated attacks, can cybersecurity teams afford to count on SIEM systems?
Published on September 8, 2025

There’s a question on everyone’s mind in cybersecurity — how can we keep up with the evolving AI threats and rates of attacks while managing cost?

George Moser, Chief Growth Officer and former CISO, sat down with Francis Odum, founder and security analyst at Software Analyst Cyber Research, for a recent webinar to unpack that question and discuss how practitioners can modernize their cybersecurity practices.

The financial strain and rates of attack can’t be changed, but teams can combat these disadvantages with the right systems and protocols in place.

What CISOs Are up Against

Modern cyber threats are growing increasingly sophisticated at a time when finance teams are tightening the purse strings. How can security teams keep up on a constrained budget?

“I’ve been in the CISO seat, so I know first-hand the pressures of balancing security needs with the realities of running a business,” says Moser.

He outlined the four key obstacles CISOs are up against across varying industries:

  • Increasing data volumes
  • Unpredictable licensing from SIEM vendors
  • Heightened scrutiny on budgets, particularly in security
  • More involvement from finance teams in day-to-day management of IT and security

These struggles aren’t temporary. They’re the new reality every cybersecurity team is facing across industries — from manufacturing, to finance, to transportation. Where can security leaders turn while being squeezed?

Unprecedented Data Volumes

AI attacks are on the rise. The increase in threat brings not only the advanced sophistication and attack methods that AI enables; it also pushes the rate of attacks beyond anything security teams have seen before.

With automated systems and targeting, AI attacks are flooding systems at rates unseen in the past. They have far outpaced what lone human attackers could produce, and are leaving systems overwhelmed with data and signals.

On top of this, the growing number of systems, internal data sources, products, platforms, and user logs is leading to an explosion in data volumes, all of which has to be protected and managed.

Navigating Unpredictable Licensing Costs

While data is increasing, SIEM vendors still employ dynamic pricing models, which are constantly in flux and may charge users by data volume. When data volumes are exponentially increasing, this creates an unpredictable and unsustainable cost to companies.

In a tumultuous economic ecosystem, companies need to know their operating costs. But vendor licensing models are rarely static. These growing costs are squeezing finance and security teams alike.

Combating Tightening Budgets and Heightened Scrutiny

Over the last five years, cybersecurity budgets were increased to meet the growing threats of the time. Leaders began to recognize and understand the need to shore up vulnerabilities, ward off threats, and protect sensitive data. Meeting regulatory needs and increasing defenses came with big budgets.  

But now that growth has stagnated.

Once-ballooning budgets are now under a microscope. Spending has to be justified, and its value maximized, for executives asking, “Are we getting the most value for dollar out of our cyber spend?”

Growing Involvement From Finance

Many cybersecurity leaders are finding the days of “take my word for it” to be over. Finance teams are taking a hard look at what’s going on under the hood.

The CFOs want to see value propositions, cost-benefit analysis, and usage summaries on major spends. CISOs are hearing that they need to be ready to “do more with less.”

And one system that is a high cost to any corporation is their SIEM.

The Pitfalls of SIEM

Budgets aren’t just constrained. They’re final. So how can CISOs have a system they don’t know the cost of?

SIEM vendor infrastructure is becoming too costly for modern datasets. With no predictability for pricing, security leaders can’t effectively manage their budget if they don’t know what it is.  

That unpredictability makes it harder for security teams to manage the rest of their products and vendors effectively.

But it’s not just the cost that’s growing. Those increased datasets are building pressure on old systems, and most SIEMs can’t manage all that data efficiently.

The Cost Hiding in Plain Sight

If vendors are charging by the gigabyte or terabyte, that creates an extra need for internal management.  

“If we aren’t effectively correlating or dehydrating the data that we put into the data lake and the data stores, and that is increasing the amount of data that has to be or is being retained,” says Moser.

That inefficient data storage can stem from a lack of tools or team maturity, but sometimes it’s a requirement teams can’t navigate around.

When you look granularly, Francis Odum adds, there may also be logs that teams are required to store, which add to data volume without being high-value. Those retention requirements, sometimes imposed by legal or regulatory obligations, mean companies are stuck holding data they weren’t planning for and aren’t using.
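The “dehydrating” Moser refers to can be as simple as collapsing repetitive, low-value events into per-window summary records before they reach the data lake, while high-value events pass through untouched. This is an added illustration, not code from the webinar or from any vendor; the event schema, field names and sample events are constructed for the example.

```python
"""Dehydrate repetitive log events before SIEM ingestion (added example)."""
import json

# Constructed sample events; the field names are an assumption for this example.
RAW_EVENTS = [
    {"ts": 1725782400, "type": "fw_deny", "src": "10.0.0.5", "dst_port": 445, "action": "deny"},
    {"ts": 1725782401, "type": "fw_deny", "src": "10.0.0.5", "dst_port": 445, "action": "deny"},
    {"ts": 1725782402, "type": "fw_deny", "src": "10.0.0.5", "dst_port": 445, "action": "deny"},
    {"ts": 1725782403, "type": "auth_fail", "user": "svc_backup", "src": "10.0.0.9"},
    {"ts": 1725782404, "type": "fw_deny", "src": "10.0.0.7", "dst_port": 3389, "action": "deny"},
    {"ts": 1725782405, "type": "fw_deny", "src": "10.0.0.5", "dst_port": 445, "action": "deny"},
    {"ts": 1725782470, "type": "fw_deny", "src": "10.0.0.5", "dst_port": 445, "action": "deny"},
]

# Event types that are high-volume but low-value individually, and the fields
# that make two of them "the same". Anything not listed is kept verbatim so
# investigations retain full fidelity.
SUMMARIZABLE = {"fw_deny": ("src", "dst_port", "action")}
WINDOW = 60  # seconds per aggregation bucket

def dehydrate(events, window=WINDOW):
    """Collapse repetitive low-value events into one summary per window/key."""
    buckets, out = {}, []
    for ev in events:
        keys = SUMMARIZABLE.get(ev["type"])
        if keys is None:                      # high-value event: pass through
            out.append(ev)
            continue
        bucket = (ev["type"], ev["ts"] // window) + tuple(ev[k] for k in keys)
        if bucket not in buckets:
            summary = {k: ev[k] for k in keys}
            summary.update(type=ev["type"] + "_summary", count=0,
                           first_seen=ev["ts"], last_seen=ev["ts"])
            buckets[bucket] = (summary, ev)   # keep the original for singletons
            out.append(summary)
        summary = buckets[bucket][0]
        summary["count"] += 1
        summary["last_seen"] = max(summary["last_seen"], ev["ts"])
    # Edge case: a summary of one event is longer than the event, so emit the original.
    singles = {id(s): orig for s, orig in buckets.values() if s["count"] == 1}
    return [singles.get(id(e), e) for e in out]

def ingest_bytes(events):
    """Approximate billable volume: one compact JSON line per event."""
    return sum(len(json.dumps(ev, separators=(",", ":"))) + 1 for ev in events)

def savings(events):
    """Return (bytes before, bytes after, fraction saved) for a batch."""
    before, after = ingest_bytes(events), ingest_bytes(dehydrate(events))
    return before, after, round(1 - after / before, 2)
```

The fraction saved grows with how repetitive the low-value stream is; on real firewall deny volumes the summaries are a small fraction of the raw lines, while the auth failure above is still delivered event by event.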

To Stay or Go? The Great SIEM Debate

The only thing more overwhelming than the growing cost of SIEM is the thought of migrating that data to a new system. When your SIEM is more of a bottleneck than an enabler, SOC performance may rely on forging a new path.

Managing a migration for a team already facing budget constraints and alert fatigue can seem impossible. But shedding the system slowing you down could be the spark the team needs.

An organization that has trouble meeting requirements and can’t keep pace with threats has to make a change. Running queries to find the first sign of an indicator of compromise (IoC) needs to happen quickly for effective risk management. But some teams find themselves beholden to the limitations of the SIEM technology they’re tied to.

Pausing a query to confirm that the license covers the cost of scanning the data, or paying a large sum out of pocket to restore the needed data from archive, holds up security teams that need rapid-fire reactions.

Improving Cyber Resilience Depends on Capabilities

A security leader's job is to improve the company’s cyber resilience. That resilience is directly tied to the capabilities of the systems on hand.

To improve security by predicting where attacks will come from and understanding what attempted attacks are targeting, security teams need modern technology.

When all the data is held in a single data lake, companies get comprehensive visibility. This allows them to see the whole environment and where vulnerabilities can sneak through.

For George Moser, when he was at S&P Global, it meant predicting and preventing rather than responding and reacting.

Moving to a forward-looking company can flip the script on incident response and risk management. Learn more about how to make an agile change today.

