
To SIEM or Not to SIEM?

Security Information and Event Management (SIEM) is a common component of an information security program: it collects events and logs from IT and network systems and correlates them for contextual analysis. A SIEM gives security analysts a single pane of glass across your IT or Critical National Infrastructure (CNI) estate in which to hunt for malicious activity and to detect unusual or suspicious behavior.



Image: a security analyst reviewing data

So, the questions most people might be asking are:

  1. Do I need a SIEM?

  2. Is a SIEM expensive?

  3. What value of return do I get if I have a SIEM in my organization?

  4. Does it cost much to run?

The above are four good questions to ask yourself when choosing a SIEM and sizing the investment and resources needed to support it. Whether you should invest in a SIEM is a double-edged question, because it depends on many factors, including:

  1. How large is my organization (1-5 employees, 10-20 employees, etc.)?

  2. How many assets do I own?

  3. Do I have the resource capability to provide full-time security analysis?

These questions matter as much as the first set, since the maturity of your security program largely determines whether you need to ask them at all. If you are a small company or organization, a SIEM will probably be an overburden if you don't have the capital to invest in the platform, since there are additional operational and licensing costs whether you use a third-party or an open-source product.


An alternative is to ensure that you have sufficient hardening practices within your organization, such as a method to identify and track vulnerabilities using a vulnerability scanner or vulnerability manager. Other recommendations are to keep a risk register and to run desktop (tabletop) scenarios to evaluate your assets and determine where your risks lie.


The above works for small to medium-sized businesses whose assets can be counted and are deemed manageable. However, even for a medium-sized business this can become unmanageable if the number of IT, network and CNI assets is not known, or the numbers start to tally in the tens to a hundred or more. This is where it becomes crucial to understand the impact of the risk and whether basic measures are sufficient to protect your IT or CNI infrastructure. The best approach is to estimate, from the factors mentioned above, the cost of an incident: a business case that puts a figure on what a cyber incident such as a data breach or ransomware attack would cost. Knowing the degradation in operational delivery of services is the starting point for a SIEM business case.

To illustrate how to perform a business case for security investment, the following is an example that can be followed:


Company XYZ is an e-commerce platform. It hosts its website on a public cloud provider and has an internal development and engineering team to design, code and deploy updates to the website. Company XYZ manages the website and part of the infrastructure, and has a turnover of approx. £950,000 per month.


Company XYZ has outgoings of circa £500,000 in staff resources and a combined £250,000 in shipping costs. Infrastructure running costs for the website and third-party payment systems exceed £20,000.


Based on the above, the forecast graph is shown below ("a tasty revenue growth for Company XYZ as they grow their online presence and online sales"):


Figure: Company XYZ financial forecast (a made-up company)

Now let's simulate a cyberattack by assuming Company XYZ has not invested in cybersecurity: no security-focused software development lifecycle, and no investment in software and host-based protection. Company XYZ therefore has known vulnerabilities and hundreds of exposed endpoints for its e-commerce platform hosted on the cloud provider. A malicious adversary identifies a weakness in the web platform, gains local access (e.g. compromises the web application and the host behind it) and deploys host-based ransomware, which spreads across the cloud estate and renders all systems unusable. The attack lands early in the January-to-March period.


Customers can no longer access the website and orders can no longer be processed. Furthermore, ongoing resource costs are needed to remediate the ransomware across the cloud estate, and the ransomware itself increases infrastructure costs through additional compute activity. Let's examine the hypothetical costs of such an incident, with the chart below showing the potential financial impact to Company XYZ:


Figure: Company XYZ financial forecast after being hit by a cyber attack

Based on the above scenario, we can examine what the costs involved and the losses may be. Typically, a company with little security protection and management in place can expect an incident to take 1-3 months before it resumes some normal production activity, e.g. reaches the order and profit targets it had before the attack. However, with systems still offline and a backlog of orders from before the attack, production will not reach the capacity you had before the incident. Likewise, your customers will have had a bad experience in not being able to access your e-commerce platform and may be concerned about whether their data was released. Company XYZ has therefore suffered not only financially but also in brand terms, an increasingly important factor for digital-based companies.


The above example outlines a simple but effective way to determine the potential financial implications of a cyberattack, and it can be made more detailed for different use cases, e.g. standard web-application attacks, ransomware or supply-chain compromise. Whilst implementing a SIEM is not a gold stamp of approval that every security event will be prevented or identified, in this case it would certainly have provided visibility of the attack as it unfolded (the initial web compromise, the ransomware deployment and its spread across the estate), and that visibility is the justification for allocating a budget to a SIEM.


So, Tell Me! How Much Do I Need To Spend?


When working out your business case for investing in a SIEM, or in a SIEM run by a Managed Service Provider (MSP), review the impact on your organization's finances, look at the scenario-based impact of a cyber incident, and take your worst-case evaluation. Working back from that figure gives you an idea of how much you are willing to allocate to a cybersecurity budget; from there, you can break it down further to evaluate different protection and detection methods, such as investing in a SIEM.
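As an added worked example (not part of the original post, and not a Complete Cyber tool), the following Python script puts numbers to the Company XYZ scenario above and to the "work back from the worst case" advice. It takes the page's figures (turnover £950,000, staff £500,000, shipping £250,000, infrastructure £20,000, all treated here as monthly, which the page states only for turnover), applies an assumed incident shape (one month fully down, a three-month linear recovery, 10% of demand lost to the bad customer experience, £50,000 a month of remediation effort, doubled compute while the ransomware and rebuilds run), compares it against an assumed "detected and contained within the month" shape, and reports the annual likelihood at which an assumed £150,000-a-year SIEM breaks even. Every incident parameter and the SIEM cost are illustrative assumptions to be replaced with your own estimates.

```python
"""Business-case model for the Company XYZ ransomware scenario.

Added worked example, not the page's own spreadsheet. The monthly figures
(turnover GBP 950k, staff 500k, shipping 250k, infrastructure 20k) come from
the page; the incident parameters (outage length, recovery ramp, retained
demand, remediation spend, compute-cost multiplier, SIEM cost) are assumed
illustrative values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Monthly:
    """Baseline monthly figures in GBP (from the page; outgoings assumed monthly)."""
    turnover: float = 950_000.0
    staff: float = 500_000.0
    shipping: float = 250_000.0
    infrastructure: float = 20_000.0

    def profit(self) -> float:
        return self.turnover - self.staff - self.shipping - self.infrastructure


@dataclass(frozen=True)
class Incident:
    """Assumed incident shape; every field here is an illustrative assumption."""
    outage_months: int = 1                    # no orders processed at all
    recovery_months: int = 3                  # turnover ramps back linearly
    retained_demand: float = 0.9              # share of customers who come back
    remediation_per_month: float = 50_000.0   # IR / rebuild effort while disrupted
    infra_multiplier: float = 2.0             # extra compute while down


def monthly_profit_under_incident(base: Monthly, inc: Incident, horizon: int = 12) -> list[float]:
    """Profit per month for `horizon` months, starting the month the attack lands."""
    profits = []
    for m in range(horizon):
        if m < inc.outage_months:
            # Site is down: no turnover, nothing to ship, staff still paid,
            # compute bill inflated, remediation spend on top.
            demand = 0.0
            infra = base.infrastructure * inc.infra_multiplier
            remediation = inc.remediation_per_month
        elif m < inc.outage_months + inc.recovery_months:
            # Linear ramp towards the post-incident demand level.
            step = m - inc.outage_months + 1
            demand = inc.retained_demand * step / (inc.recovery_months + 1)
            infra = base.infrastructure
            remediation = inc.remediation_per_month
        else:
            # Back to steady state, minus the customers who did not return.
            demand = inc.retained_demand
            infra = base.infrastructure
            remediation = 0.0
        turnover = base.turnover * demand
        shipping = base.shipping * demand      # shipping scales with orders
        profits.append(turnover - base.staff - shipping - infra - remediation)
    return profits


def incident_loss(base: Monthly, inc: Incident, horizon: int = 12) -> float:
    """Profit forgone over the horizon relative to the no-incident forecast."""
    baseline_total = base.profit() * horizon
    return baseline_total - sum(monthly_profit_under_incident(base, inc, horizon))


def breakeven_likelihood(loss_avoided: float, annual_control_cost: float) -> float:
    """Annual probability of the scenario at which a control costing
    `annual_control_cost` pays for itself (expected-loss reasoning)."""
    return annual_control_cost / loss_avoided


if __name__ == "__main__":
    base = Monthly()
    undetected = Incident()
    # Assumed "SIEM caught it early" shape: contained within the month,
    # one month of ramp-up, no customers lost.
    contained = Incident(outage_months=0, recovery_months=1, retained_demand=1.0)

    loss_undetected = incident_loss(base, undetected)
    loss_contained = incident_loss(base, contained)
    avoided = loss_undetected - loss_contained
    siem_annual_cost = 150_000.0  # assumed licence plus analyst time
    print(f"Baseline annual profit          : {base.profit() * 12:,.0f}")
    print(f"Loss, undetected                : {loss_undetected:,.0f}")
    print(f"Loss, contained early           : {loss_contained:,.0f}")
    print(f"Loss avoided by early detection : {avoided:,.0f}")
    print(f"SIEM pays for itself if the scenario's annual likelihood exceeds "
          f"{breakeven_likelihood(avoided, siem_annual_cost):.1%}")
```

Run it as a script to print the figures. With these assumptions the undetected scenario costs about £2.6m of the year's £2.16m baseline profit, the contained scenario about £0.4m, and the break-even point for the assumed SIEM cost is roughly a 7% annual likelihood; that number, not the raw loss, is what the budget discussion turns on. The model deliberately ignores ransom payments, regulatory fines and legal costs, all of which only increase the loss side.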


Whilst investing in a SIEM is a long-term commitment, the benefits of having visibility and being able to detect when an attack is potentially happening, combined with having remediation processes in place, will ensure you not only remain resilient but also improve your organization's cybersecurity maturity.


Finally, a SIEM alone will not resolve your cybersecurity issues. It addresses large areas that might be missing from your cyber strategy, but it should be complemented with other security practices such as risk management, security compliance and ensuring that the design of cloud systems and applications is reviewed by a Security Architect.


At Complete Cyber, we work with Clients to support them in both their journey for implementing a Cybersecurity strategic plan and support them from a technical perspective in driving Clients to "shifting to the left", ensuring security is embedded top-down. Why not check out our Security Architecture Services that support activities associated with protecting your Cloud Infrastructure and your Organization?