Some enterprises may view a SIEM as a straightforward software solution: aggregate data from different sources, store and analyze that data, and determine whether a particular sequence of activities represents a threat. Others eye commercial SIEM solutions. Which is the better approach? While the answer is always “it depends,” it is clear that, despite unique requirements, the vast majority of organizations are better off with a commercial SIEM.
We hear from some enterprise customers that they believe they have the resources and talent to build their own SIEM to be able to get exactly what they want and need. So the question becomes, what do you need? What are your goals and what is the gap analysis between what existing SIEMs can offer vs. what you can build yourself?
First, What Are Your Goals for a SIEM?
While every organization’s requirements are unique, there are some fundamental features that anyone in the market for a SIEM should consider.
- Log management. Collecting and aggregating data from a number of different sources is an important function of a SIEM, and enables enterprises to obtain a single view of risk.
- Threat detection. You want to be able to identify the risk of potential threats, and to act based upon those risks.
- Automated threat response. Can we respond in real time without human intervention, with directed responses following?
Each of these goals represents a challenge to building your own SIEM. Let’s look at some of the details of that challenge.
An Analysis of the Positives and Negatives of Build vs. Buy
Let’s take a look at the advantages and disadvantages of each approach. Building your own custom SIEM may be enticing for some organizations who have strong expertise in cybersecurity and data analysis, as well as strong software development teams.
But what seems to be technically simple may be anything other than that. First, while you may have a budget for software development, test, and deployment, that doesn’t mean that it costs less than buying a solution. The combination of staff salaries, opportunity cost, and lifecycle costs could well overwhelm that budget.
Everyone wants to use the most cost-effective solution, and often it seems that building your own can be cost-effective. But it doesn’t take into account costs related to upgrading and supporting software, which can be far more than the initial cost to build. And the budgeted cost of a project may not reflect its actual cost.
Building your own seemingly gives you more control over the outcome, in terms of features and how they work. It’s a one-off, customized for how your organization works. However, while commercial software can have a high upfront cost or a substantial subscription fee, it’s a known expense over time. Custom software projects can define exactly what the organization needs, but often software projects aren’t able to deliver on those features.
Many organizations already have at least several point tools for logging data and assessing cybersecurity. They are looking for ways to integrate this data into a big picture for analyzing their cybersecurity position. Many feel that they are in the best position to develop data connectors, although commercial products such as Gurucul Analytics-Driven SIEM have out-of-the-box connectors for dozens of individual security products.
Few organizations accurately estimate their maintenance needs and costs over the life cycle of an application. Doing this work for a custom application can result in significant long-term costs and effort, making it likely that these enterprises will at some point abandon their custom solution for one that is more manageable over time. A commercial SIEM is maintained by the vendor.
You need skilled software engineers, database architects, and data scientists to build your own SIEM. Few organizations have this skill mix, so it’s likely they would have to hire these skills, which will extend the development time and increase costs of personnel. And if those skills aren’t strategic to the enterprise, they may lose that talent at the time they most need it for upgrades and enhancements.
Both opportunity cost and time to value refer to the ability to deploy a solution and have it provide valuable information as fast as possible. A custom-built solution can take months or even years to do so, which an organization has to take into account when it looks at its ability to deliver value at a reasonable cost. In many cases, it will likely be possible to deploy essential features faster with a commercial solution than with a custom one.
Time to Value
Cloud-native SaaS deployments change everything. Unlike a solution that is installed on-prem, a cloud-native solution brings an almost immediate value to the table, whereas an on-prem solution could take months to deliver useful information.
Custom SIEM Case Study: Two Sigma Investments
Are enterprises actually building their own SIEMs? Evidence says yes, although the results of these efforts are mixed.
For example, at Black Hat USA 2021, financial company Two Sigma Investments described the process of building its own SIEM. While the description and result are generally positive for their purposes, the company’s custom implementation doesn’t necessarily cover everything an enterprise needs in a SIEM.
In evaluating a commercial solution, Two Sigma found deficiencies in several areas, including performance and data security, and decided it was better served by building its own. While it did so successfully, it likely represents an outlier in terms of an organization’s ability to do so.
Two Sigma’s Custom SIEM
Starting with data, Two Sigma’s new SIEM is more agile than its predecessor, with a greater capacity for ingestion and data feeds. By adding external threat intelligence feeds, internal security appliance logs, and specific network telemetry, administrators further improve their ability to analyze and remediate anomalies and threats.
Telemetry is a key differentiator for a commercial solution. If you are using a number of point tools for collecting data, you have to build and maintain a large number of data connectors. If you limit the telemetry, you can make a custom solution more feasible, at the expense of not using some of your data.
Among the benefits Two Sigma Investments cited for its effort:
- Ingestion Capacity: an increase from 1TB to 5TB with no slowdown
- Cost Savings: $3.5 million in upfront licensing, and $600k in annual maintenance
- Query Speed: pertinent alerts in seconds versus minutes
- Ingestion Overhead: offloaded data pipeline management to reduce security overhead
If you truly have unique requirements, it may make sense to build your own. However, it’s a high-risk endeavor that is likely to cost more than you get in benefits. It can be difficult to build your own unless you are motivated and staffed to do so. And many enterprises, even technology enterprises, are not well equipped in this regard. It requires dedicated skills, commitment to a long-term project, and the ability to sustain an active maintenance program.
Commercial SIEM Case Study
Alternatively, we can postulate what a commercial solution might do in a similar environment. A commercial solution may have a slight mismatch between features and requirements, but there should be a comprehensive review of the tradeoff between going without some unique features and the convenience of immediately having a full feature set.
For example, some of the customer SOC challenges a SIEM can address include:
- Too many alerts, no prioritization. How can the team identify the highest risks?
- SaaS/Cloud Transformation. How does the team manage risks from the cloud?
- No unified view of enterprise and poly-cloud activity. Can the team view a complete picture from one screen?
- Need for faster detection & response. Can the team aggregate data in real time to determine threats as quickly as possible?
- Missing identity as a threat vector. How can the team tell whether identity is being treated as a threat vector in detection?
Specifically, SOC teams face too many alerts, which are very hard to prioritize. They end up spending too much time chasing false positives when they really need to prioritize real risks.
There is no single unified view for SOC teams, which is compounded by more complex deployments consisting of hybrid and multi-cloud environments. It can be difficult to correlate data across several different clouds and on-prem.
Threat hunting and investigations are still manually intensive activities due to decentralized data and multiple consoles. Automation can make it far easier to seek out real threats. That said, one of the most significant challenges is missing the identity component as a key threat vector during detection and investigation of a break-in.
Commercial SIEM Value Proposition
Here’s what a commercial SIEM can do for your enterprise.
- It delivers a robust and scalable architecture to seamlessly handle massive data and changing demands within the organization.
- It supports real-time threat detection & response automation, giving you a leg up on remediating an attack.
- It generates high-efficacy, risk-prioritized alerts that give your SOC team the ability to respond quickly and accurately.
- It is simple and affordable, with an all-inclusive licensing structure that meets your needs without breaking the bank.
So why do we need analytics? What are the differences between analytics and basic rule-based alerts? In short, analytics can provide insight about what may happen in the future. Basic rule-based alerts simply report on known threats or what has happened in the past.
Additionally, as we talk with our customers, most are reporting that writing SIEM rules is getting more difficult each day. They are either running out of qualified people to write those rules, or the rule writers cannot keep up with today’s rapidly changing threat landscape.
Last, as your organization becomes more mature and starts to want to automate security operations, rules alone will not work any longer. Rules cannot be used to predict what may happen and they cannot be used to recommend what action might need to be taken.
What happens when a company changes from historical reporting on malware infections to new reports that integrate predictive analytics? It means that you can identify a threat and respond in real time, rather than simply review what has happened in the past.
So, what is the best approach? In a lot of cases, it may be best to fuse the two approaches together using a scoring engine. Look at threats in real time, and also review historical data. Then, based on a single risk score, a decision is made to block an activity (possibly in real time), investigate, or continue monitoring.
This allows both approaches to work together, which may be better than using one or the other alone.
Applying rules and analytics together will help ensure that false-positives will be much lower. Perhaps even more importantly, security analytics can eliminate false negatives. Enterprises will be able to focus on high-risk activities that can pay off almost immediately.
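The scoring engine described above, as an added illustration that is not Gurucul's code or any product's implementation: a rule layer contributes fixed weights for known patterns, an analytics layer contributes a score from how far an event deviates from the user's historical baseline, and the fused score is mapped to block, investigate, or monitor. The rule weights, thresholds, the 4-sigma saturation, the allow-listed countries and the sample events are all constructed for the example.

```python
"""Added example: fuse rule-based alerts with behavioral analytics into one
risk score, then decide block / investigate / monitor. Not vendor code; all
weights, thresholds and sample data are constructed for illustration."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Event:
    user: str
    src_country: str
    bytes_out: int       # bytes sent outbound during the session
    hour: int            # hour of day, 0-23
    failed_logins: int   # failed attempts immediately preceding this event


# --- Rule layer: (name, predicate, weight). Weights are constructed. ---
KNOWN_COUNTRIES = {"US", "DE"}  # constructed allow-list for the example
RULES = [
    ("brute_force_pattern", lambda e: e.failed_logins >= 5, 40),
    ("offhours_access", lambda e: e.hour < 6 or e.hour > 22, 15),
    ("unusual_geo", lambda e: e.src_country not in KNOWN_COUNTRIES, 25),
]


def rule_score(event):
    """Sum the weights of every matching rule; also return the rule names."""
    hits = [(name, w) for name, pred, w in RULES if pred(event)]
    return sum(w for _, w in hits), [name for name, _ in hits]


# --- Analytics layer: z-score of bytes_out against the user's own history ---
def anomaly_score(event, history):
    """Return 0..40 based on how many standard deviations bytes_out sits
    above the user's baseline. With fewer than 3 samples the analytics
    layer abstains (returns 0) rather than guessing."""
    samples = [h.bytes_out for h in history if h.user == event.user]
    if len(samples) < 3:
        return 0.0
    mu, sigma = mean(samples), pstdev(samples)
    if sigma == 0:
        return 40.0 if event.bytes_out > mu else 0.0
    z = (event.bytes_out - mu) / sigma
    return max(0.0, min(40.0, z * 10))  # 4 sigma saturates the contribution


def risk_score(event, history):
    """Fuse both layers into a single 0..100 score."""
    rules, matched = rule_score(event)
    anomaly = anomaly_score(event, history)
    return min(100.0, rules + anomaly), matched, anomaly


def decide(score):
    """Map the fused score to the three outcomes named in the text."""
    if score >= 70:
        return "block"
    if score >= 40:
        return "investigate"
    return "monitor"


def triage(events, history):
    """Score every event and return (user, score, decision, matched_rules)."""
    out = []
    for e in events:
        score, matched, _ = risk_score(e, history)
        out.append((e.user, round(score, 1), decide(score), matched))
    return out


# Constructed baseline: alice normally sends about 1 KB per session.
HISTORY = [
    Event("alice", "US", 1000, 10, 0),
    Event("alice", "US", 1200, 11, 0),
    Event("alice", "US", 900, 9, 0),
    Event("alice", "US", 1100, 14, 0),
]

# Constructed events under evaluation.
EVENTS = [
    Event("alice", "US", 6000, 14, 0),   # no rule fires; analytics alone flags it
    Event("bob", "XX", 500, 3, 6),       # three rules fire; no history needed
    Event("carol", "DE", 800, 23, 0),    # one weak rule; stays at monitor
]

if __name__ == "__main__":
    for row in triage(EVENTS, HISTORY):
        print(row)
```

The alice event shows the false-negative case the text raises: no rule matches, yet the outbound volume is far outside her baseline, so analytics alone lifts the event to "investigate". The carol event shows the opposite: a single off-hours hit is not enough on its own to open an investigation, which is how fusion keeps rule-only false positives down.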
This is borne out by real customer experience. By implementing advanced security analytics in their SOC, one customer was able to expand anomaly detection by 33 percent right out of the box. They also reduced open investigations by 56 percent. This result was attributed to a combination of radically reduced false positive rates and automation of repeated manual tasks. The SOC team had increased visibility into threats, identifying 31 true positive cases in the first month that a traditional SIEM did not detect.
The Bottom Line: Buying a SIEM Delivers Continuous Time to Value
While there may be circumstances when building, deploying, and maintaining a custom SIEM solution may seem to make sense, the risk involved is high. Many internal software projects don’t achieve their objectives, and can take significantly more time than choosing a vendor and deploying a commercial alternative. In some cases, it may be impossible to replicate the features of a commercial solution.
Every enterprise makes its own choice; however, for a specialized software solution, the choice should rarely be to build. If you do your research and choose your solution wisely, you will likely find that a commercial solution can offer cost, flexibility, time to value, and other advantages.
Most of the time, you’re going to find that buying a commercial SIEM wins over building your own. Even if the up-front cost may seem more expensive, subscription services can spread out costs, and enterprises can deploy a commercial solution more quickly, with more features.
As threats are identified, commercial SIEM solutions will be updated and made available to enterprises on a real-time basis, especially with a cloud-native solution.
A custom-built SIEM solution cannot keep up to date with the current environment. Do you know when there is a zero-day threat, and what are you prepared to do about it? Most development teams can’t drop existing projects in order to address zero-day threats without a significant lag time, making it almost impossible to keep a custom SIEM up to date.
Custom software maintenance, upgrades, and bug fixes are a challenge for even the largest organizations. It also requires close coordination between the SOC and the development team in order to get features right. This is a high-risk endeavor that has the potential to expose holes in a custom SIEM.
The Gurucul Analytics-Driven SIEM Value Proposition
Gurucul Analytics-Driven SIEM delivers a single unified interface for end-to-end security operations. No more swivel chair analytics! And Gurucul’s cloud-native deployments make it possible to upgrade features and fix bugs in real time, rather than when a development team is able to schedule it. And our out-of-the-box security content (over 2,500 machine learning models) for the most common use cases makes it much easier to deal with new and existing security scenarios.
Gurucul’s SIEM integrates into existing data collection tools and delivers a single unified view of risk. It ties together disparate information into a readily understandable and actionable platform for assessing cybersecurity risk, incorporating:
- MITRE ATT&CK Mapping
- Open analytics – you can customize machine learning models to tailor the solution to specific use cases
- AI-based threat hunting
- SOAR (security orchestration, automation, and response) – enabling an organization to have automated and orchestrated response to threats right out-of-the-box
The value of commercial SIEMs varies with your unique situation. However, looking at commercial SIEM solutions can give enterprises an appreciation of the flexibility that they offer. While there may be a cultural belief that a custom solution provides the most flexibility, enterprises will almost always be working with a subset of the features available commercially.
Opportunity cost and time to value are critical factors to consider in this choice. In all likelihood, a commercial solution can be deployed and successfully operating before a custom solution is even defined. And in the case of a SIEM, most enterprises want value as quickly as possible.
Commercial SIEMs can more readily keep up with changes in the cybersecurity landscape. Out-of-the-box security content such as MITRE ATT&CK mapping is something that many custom solutions don’t have the time, resources, or experience to implement and maintain on a continuous basis. The best option is to purchase a SIEM that addresses your needs – now and into the future. Consider Gurucul. We are extremely proud of our platform capabilities.