May 29, 2009

Last Updated on January 19, 2024

I’m a big fan of all things SIEM – except the cost. The cost of a full-blown SIEM implementation in an F100 company with multiple compliance requirements can easily reach the mid six figures if you’re not careful. A lot of that cost relates to data storage and licensing – two cost centers that can potentially be reduced significantly without impacting functionality all that much.

  • STORAGE: SIEMs require a lot of storage once you are approaching 500,000,000 events/day. The raw data, the indexes that speed searching, the summary data that feeds reporting and the related metadata can easily drive a requirement for 50 terabytes of storage or more if you need to keep the data around for a year to meet compliance standards (e.g. the PCI Data Security Standard). You also need fast, easily manageable storage, which often means SAN – which definitely means expensive.
  • LICENSES: SIEMs also require a number of servers running potentially expensive OSes, databases, and BI/reporting tools.

During a recent engagement the cost to implement the SIEM per the original design got a bit too pricey, so we looked for ways to reduce it.

  1. We limited the online (SAN-based) storage from one year to 90 days. The other 275 days of data will sit on a highly compressed, text-indexed server that will give them the ability to run searches on older data the handful of times it may be necessary.
  2. We moved from Solaris to Linux (which also allowed us to move from Sun to x86 servers).
  3. We moved from Oracle to MySQL (with 4 CPUs the cost and maintenance savings were notable).
  4. We moved from Crystal Reports to JasperReports.

The net result was that the cost was reduced by several hundred thousand dollars with minimal impact to functionality. Not too bad for an afternoon’s work!
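To show where a figure like “50 TB for a year” comes from and how much SAN the 90-day/275-day split in item 1 actually saves, here is a small tiered-retention sizing model. It is an added example, not code from the original post; the 500M events/day comes from the post, while the per-event size, index/summary overheads and the archive compression ratio are assumptions picked to land near the post’s numbers.

```python
from dataclasses import dataclass

TB = 1e12  # decimal terabyte, the unit storage vendors quote


@dataclass(frozen=True)
class SiemSizing:
    """Capacity model for a two-tier SIEM event store: hot SAN + compressed archive."""
    events_per_day: int
    raw_bytes_per_event: float     # assumed average stored size of one event
    hot_index_overhead: float      # search indexes as a fraction of raw (assumed)
    summary_overhead: float        # reporting summaries as a fraction of raw (assumed)
    hot_days: int                  # retention on fast online (SAN) storage
    cold_days: int                 # retention on the compressed, text-indexed archive
    cold_compression_ratio: float  # archive holds raw / this ratio (assumed)
    cold_index_overhead: float     # lightweight text index on the archive (assumed)

    def raw_bytes_per_day(self) -> float:
        return self.events_per_day * self.raw_bytes_per_event

    def hot_bytes_per_day(self) -> float:
        # Raw events, search indexes and report summaries all live online.
        return self.raw_bytes_per_day() * (1 + self.hot_index_overhead + self.summary_overhead)

    def cold_bytes_per_day(self) -> float:
        # Archive keeps compressed raw text plus a much smaller index; no summaries.
        raw = self.raw_bytes_per_day()
        return raw / self.cold_compression_ratio + raw * self.cold_index_overhead

    def hot_tb(self) -> float:
        return self.hot_bytes_per_day() * self.hot_days / TB

    def cold_tb(self) -> float:
        return self.cold_bytes_per_day() * self.cold_days / TB

    def single_tier_tb(self) -> float:
        # SAN needed if every retained day stayed online (the original design).
        return self.hot_bytes_per_day() * (self.hot_days + self.cold_days) / TB

    def san_saving_tb(self) -> float:
        return self.single_tier_tb() - self.hot_tb()


# Constructed parameters: only events_per_day and the 90/275-day split are from the post.
EXAMPLE = SiemSizing(events_per_day=500_000_000, raw_bytes_per_event=150,
                     hot_index_overhead=0.6, summary_overhead=0.2,
                     hot_days=90, cold_days=275,
                     cold_compression_ratio=10.0, cold_index_overhead=0.1)

if __name__ == "__main__":
    print(f"one tier, 365 days online: {EXAMPLE.single_tier_tb():.1f} TB SAN")
    print(f"two tiers: {EXAMPLE.hot_tb():.1f} TB SAN + {EXAMPLE.cold_tb():.1f} TB archive")
    print(f"SAN saved by tiering: {EXAMPLE.san_saving_tb():.1f} TB")
```

With these assumptions the single-tier design needs about 49 TB of SAN, while the tiered design needs roughly 12 TB of SAN plus 4 TB of cheap archive; swap in your own measured bytes/event and compression ratio before quoting a budget.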