Build or Buy Modern SIEM: Top Three Considerations

Every security team eventually faces the question of whether to buy or build the security solution (SIEM) it needs to ingest terabytes of security log data, monitor it, and alert on it in order to detect and respond to attacks. Companies today rely heavily on SaaS applications and multi-cloud infrastructure, all of which generate massive amounts of logs.

Detection at scale is hard

The truth is that the majority of legacy SIEM platforms weren’t designed for detection at scale, and their architectures probably weren’t designed for the cloud. These platforms were built as general logging solutions that are now being asked to solve modern security analytics problems, but they often aren’t purpose-built to work with terabyte- or exabyte-scale security data.

In this article, I’ll examine three key considerations that can help security teams make an informed decision about whether to buy or build their security stack, especially when operationalizing massive volumes of security data with cloud-first architectures and developer-driven workflows.

1- Are you centralizing or collecting data from the right log sources?

The key question here is how much native support your security solution or SIEM provides for your log sources. Some of the primary log sources you’d be inspecting could be:

  • Cloud logs (from providers like AWS or GCP)
  • SaaS application logs
  • Network logs
  • Host logs
  • Application logs

Many times, companies guess at which data sources they need instead of making an informed assessment, simply to keep costs low. This is a trap. Instead, teams should aim for more than adequate coverage, even at the expense of extra cost, because data breaches can prove costly both in terms of money and loss of reputation. Be sure to include all the data sources you could and should be working with.

2- Are you factoring in the scale and resources?

Another point to consider, whether you’re buying a SIEM or building a home-grown solution, is that as your organization grows you will have even more data sources that need to be centralized and normalized. It’s worth weighing the time it will take (several months or a year) to build your home-grown solution, and then factoring in the long-term maintenance it requires, such as patching or adding more detections and logic.

If you’re going for a home-grown security solution, it’s best to account for the resources beforehand. The quality of engineering talent is key, and you might require a large team for continuous development and maintenance of your build. The team must also keep your security solution future-proof by adding new features, so that you maintain the expected security posture and visibility into your environment and infrastructure.

3- Speed of forensics and having an “analyst-friendly” solution

A truly modern security solution should help security analysts quickly correlate IOCs (Indicators of Compromise) across data sources to detect and investigate malicious activity early in the attack sequence. Speedy and accurate investigations and forensics across a large data set are an important consideration whether you are building or buying.

Read more:

  1. ThreatStack: To build or buy your own security platform
  2. Panther: Buy or Build Your Security Solution
  3. Sentinelone: Why XDR vendors must build, buy, and partner
