A well implemented security information and event management system can offer a number of benefits, but also comes with some hidden risks.
There's nothing flashy about security information and event management (SIEM), so it can be a hard sell to get funding for it when you go up against revenue-generating or transformational IT projects.
Budgets "are allocated to visceral security issues people can see and feel, rather than being based on critical consideration of risks to the organization. In other words, it's much harder to get the CEO to sign off on a six-figure investment when you can't directly demonstrate a corresponding drop in profit or an asset loss," according to Mike Rothman, analyst and president of security advisory firm Securosis. "Complicating matters, in many cases, such as the theft of a credit card, it's someone else who suffers the loss."
Your SIEM system can only be green-lit if you demonstrate that a) it's cheap and b) it's worth it. Fortunately, that's a pretty easy lift.
Even so, isolating SIEM's costs can prove a little tricky because SIEM is a set of functions, not a product, and it can be delivered a number of ways: as software, an appliance or a cloud-based service. So the first step in determining the baseline costs is to figure out what capability the SIEM system gives you; then we can calculate how much you're paying now to do the same thing.
SIEM Decision Drivers
Essentially, SIEM monitors and manages user privileges by collecting data from network and security devices into log files (the information management part), then storing and interpreting the logs (event management). The reports generated aren't just useful in themselves, but also as regulatory compliance documents.
Here's what the current state of the relevant operating costs could look like:
Figure 1: Current costs to be impacted by SIEM system adoption
We're going on the assumptions that the following processes are currently manual and rather labor-intensive:
- Data aggregation and correlation: 8,000 hours/year at $60/hour for skilled internal labor;
- Alerts and dashboards: 10,000 hours/year at $50/hour for semi-skilled internal labor;
- Data retention: 6,000 hours/year at $60/hour;
- Compliance: 6,000 hours/year at $160/hour for professional staff preparing for and cooperating with audits.
Further, the company incurs $500,000 per year of fines and losses directly due to non-compliance with standards, which would be addressed by SIEM.
The automated target state would, over time, reduce aggregation and correlation costs by 50 percent, alerts and dashboards costs and data retention costs by 75 percent each, and compliance costs by 25 percent. Penalties would also decline by 75 percent.
The target state would require an initial $750 per month for SIEM as a service, uplifted 5 percent every year.
Figure 2: Target costs of SIEM system adoption
That suggests that no net-new appliances or software need to be acquired but, just to keep it real, let's assume that the project necessitates $100,000 in one-time hardware refreshes ahead of schedule and $300,000 in design, implementation and training services.
Figure 3: Transition costs for SIEM system readiness
So if we assume an 11 percent discount rate, the business case looks strongly positive, if a bit light in terms of payback period:
Figure 4: Investment analysis for SIEM system project
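The figures above are not reproduced on this page, so here is the same business case worked through in code. This is an added example, not the article's Excel calculator: it uses the article's own inputs (hours, rates, reduction percentages, the $500,000 in penalties, the $750/month service fee with a 5 percent annual uplift, the $400,000 of transition spend and the 11 percent discount rate) and adds two assumptions the article leaves open, a five-year horizon and a ramp in which only half of the target reductions are realised in year one. Both are marked as assumptions in the code and can be changed to match your own environment.

```python
from dataclasses import dataclass

# Inputs taken from the article.
DISCOUNT_RATE = 0.11
PENALTIES = 500_000          # annual fines and losses from non-compliance
PENALTY_REDUCTION = 0.75     # share of penalties removed at steady state
SIEM_MONTHLY = 750           # SIEM-as-a-service fee in year one
SIEM_UPLIFT = 0.05           # annual price increase on the service fee
TRANSITION = 100_000 + 300_000   # hardware refresh plus design/implementation/training

# Assumptions not stated in the article: planning horizon and how quickly the
# "over time" reductions are realised (share of the steady-state reduction per year).
HORIZON_YEARS = 5
RAMP = [0.5, 1.0, 1.0, 1.0, 1.0]


@dataclass(frozen=True)
class CostLine:
    name: str
    hours: float        # hours per year today
    rate: float         # fully loaded cost per hour
    reduction: float    # fraction of this line removed at steady state


# Current-state labor, as listed in the article.
CURRENT = [
    CostLine("data aggregation and correlation", 8_000, 60, 0.50),
    CostLine("alerts and dashboards", 10_000, 50, 0.75),
    CostLine("data retention", 6_000, 60, 0.75),
    CostLine("compliance", 6_000, 160, 0.25),
]


def current_annual_cost() -> float:
    """Total cost of doing the SIEM functions manually today."""
    return sum(c.hours * c.rate for c in CURRENT) + PENALTIES


def target_annual_cost(year: int, ramp: float = 1.0) -> float:
    """Cost in a given year of the target state, with `ramp` (0..1) giving
    how much of the steady-state reduction has been achieved so far."""
    labor = sum(c.hours * c.rate * (1 - c.reduction * ramp) for c in CURRENT)
    penalties = PENALTIES * (1 - PENALTY_REDUCTION * ramp)
    service = SIEM_MONTHLY * 12 * (1 + SIEM_UPLIFT) ** (year - 1)
    return labor + penalties + service


def cash_flows() -> list[float]:
    """Year 0 is the one-time transition spend; years 1..N are net savings."""
    flows = [-float(TRANSITION)]
    for year in range(1, HORIZON_YEARS + 1):
        saving = current_annual_cost() - target_annual_cost(year, RAMP[year - 1])
        flows.append(saving)
    return flows


def npv(flows: list[float], rate: float) -> float:
    """Net present value: discount each year's flow back to year 0."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(flows))


def payback_years(flows: list[float]):
    """Years until cumulative cash flow turns non-negative (linear within a year),
    or None if it never does within the horizon."""
    cumulative = 0.0
    for t, cf in enumerate(flows):
        previous = cumulative
        cumulative += cf
        if t > 0 and cumulative >= 0:
            return (t - 1) + (-previous / cf)
    return None


if __name__ == "__main__":
    flows = cash_flows()
    print(f"current annual cost: ${current_annual_cost():,.0f}")
    for year, cf in enumerate(flows):
        print(f"year {year}: ${cf:,.0f}")
    print(f"NPV at {DISCOUNT_RATE:.0%}: ${npv(flows, DISCOUNT_RATE):,.0f}")
    print(f"payback: {payback_years(flows):.2f} years")
```

With the article's numbers the manual current state costs $2.8 million a year and the steady-state target about $1.31 million, so even with half the reduction realised in year one the $400,000 transition spend is recovered in roughly seven months and the five-year NPV at 11 percent is well above $4 million. The result is dominated by labor and penalty savings, not by the service fee, which is why the uplift on the fee barely moves the answer; the assumptions worth challenging in a real business case are the hours, the reduction percentages and the ramp.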
Making The Case For SIEM
SIEM is one of those projects replete with soft benefits and hidden risks.
On the plus side, SIEM can prevent losses due to fraud and downtime due to malware attacks. These value propositions, as well as the improved reputation they reflect on your brand, might be difficult to quantify, but you can still address them in bullet points.
On the minus side, you'd be remiss not to mention that SIEM projects occasionally fail. According to a whitepaper by Daniel Frye of the SANS Institute, a major barrier to success boils down to paralysis by analysis; only actionable data should be sent onward, so any marketing hype about how many reports a SIEM system is capable of generating might be worse than fluff.
All a SIEM report has to do is answer five questions:
- When did the event take place?
- Who requested the report (username or IP address)?
- What is the description of the event?
- Where was it generated (system or app)?
- Why is the action being taken and the investigation being pursued?
Going much beyond that could soon become counterproductive as you become inundated with exactly the kind of data flood you bought SIEM to take care of in the first place.
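One way to keep the five questions from becoming marketing fluff is to make them the schema every forwarded event must satisfy. The following is an added example, not code from the article or from the SANS whitepaper it cites: it maps raw events from two constructed sources with different field names onto a when/who/what/where/why record and drops anything that cannot answer all five, which is a simple mechanical version of "only actionable data should be sent onward". The source names, field names and sample events are all constructed, and treating the "why" as the name of the detection rule or policy that fired is this example's interpretation of the fifth question.

```python
from datetime import datetime, timezone

# Per-source field maps: constructed for this example, not any product's schema.
# Each maps one of the five questions to the field name that source uses.
SOURCE_MAPS = {
    "auth-server": {"when": "ts", "who": "user", "what": "msg",
                    "where": "host", "why": "rule"},
    "web-proxy": {"when": "time", "who": "client_ip", "what": "action",
                  "where": "app", "why": "policy"},
}

QUESTIONS = ("when", "who", "what", "where", "why")


def normalize(source: str, raw: dict):
    """Map a raw event onto the five-question record.

    Returns None when the source is unknown or any answer is missing, so
    the caller does not forward events that an analyst could not act on.
    """
    field_map = SOURCE_MAPS.get(source)
    if field_map is None:
        return None
    record = {"source": source}
    for question in QUESTIONS:
        value = raw.get(field_map[question])
        if value in (None, ""):
            return None
        record[question] = value
    # Normalise the timestamp to an aware UTC datetime so events from
    # sources in different time zones sort and correlate correctly.
    record["when"] = datetime.fromisoformat(record["when"]).astimezone(timezone.utc)
    return record


def forward_actionable(events):
    """Return only the events that answer all five questions."""
    kept = []
    for source, raw in events:
        record = normalize(source, raw)
        if record is not None:
            kept.append(record)
    return kept


# Constructed sample events; hostnames, users and addresses are made up.
SAMPLE_EVENTS = [
    ("auth-server", {"ts": "2024-03-01T10:15:00+00:00", "user": "svc-backup",
                     "msg": "Interactive logon outside maintenance window",
                     "host": "db-01",
                     "rule": "AUTH-07 service account interactive logon"}),
    ("web-proxy", {"time": "2024-03-01T10:16:30-05:00", "client_ip": "10.0.4.23",
                   "action": "Blocked upload to unsanctioned storage",
                   "app": "proxy-edge", "policy": "DLP-03"}),
    # Routine logon with no rule attached: nothing to act on, so it is dropped.
    ("auth-server", {"ts": "2024-03-01T10:17:00+00:00", "user": "alice",
                     "msg": "Logon succeeded", "host": "ws-114"}),
    # Unknown source with no field map: dropped rather than guessed at.
    ("unknown-device", {"ts": "2024-03-01T10:18:00+00:00", "msg": "ping"}),
]


if __name__ == "__main__":
    for record in forward_actionable(SAMPLE_EVENTS):
        print(record)
```

Running it forwards the two events that carry a rule or policy and silently drops the routine logon and the unmapped source. In practice the "why" would come from the correlation rule that matched rather than from the raw log, and the dropped events would still be retained for compliance; the point is that only records answering all five questions reach the people who have to act on them.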
Another issue, according to Frye, is ensuring that you have a compelling use case for SIEM. "Table stakes" or "part of an overall transformation" doesn't cut it. Do you want to more closely monitor ATM transactions to hasten physical security response time? OK, that's a reason. Do you need to enhance confidentiality, integrity or availability of a given system or application? OK, just be specific about that.
A third issue is that SIEM isn't supposed to work perfectly out-of-the-box. It requires a great deal of customization to each environment, which means your enterprise needs the skills and process maturity to stand it up and run it.
Business Case Resources:
To help you get your business case for SIEM off the ground, download this Excel calculator and PowerPoint template, which you can customize to your needs.
The Excel calculator will help you determine your current state, project costs, and target state. It includes all of the inputs you'll need so you can present the final analysis. The PowerPoint template will walk you through adding the analysis from the Excel calculator so you can present the information to your stakeholders in a logical way.
To get a better understanding of the key metrics and math used in these resources, take a look at How to Build a Successful Business Case for an IT Project.
More Business Case Resources:
- Building a Network Virtualization
- Building a Business Case for Private Cloud
- Building a Business Case for the New 802.11ac Wi-Fi Standard