How to Avoid Runaway SIEM Data Storage Costs

Brian Stoner,
Author: Brian Stoner, VP of service providers, Stellar Cyber

Security problems are essentially data problems. For threat detection, investigation and forensic analysis, one would ideally like to collect as much data as possible and store it as long as needed.

But having a SIEM or XDR system that sucks up every packet or every log entry creates an ongoing demand for more storage, which can be expensive over the long term whether you’re using on-site resources or the cloud. Another issue is that searches or queries on huge volume of data can take a long time when a quick response may be critical for stopping an attack.

MSSPs with dozens or hundreds of customers have these problems in spades, and they face a conundrum: With unpredictable storage costs, MSSPs have trouble accurately pricing their security services to avoid losing margin -- but storing data is a requirement for providing those services in the first place. What’s an MSSP to do?

SIEM and XDR Solutions: Key Questions MSSPs Should Ask

The first thing is to realize that different security solutions have different storage mechanisms and options. With that knowledge, MSSPs can ask some probing questions of their SIEM or XDR solutions vendor:

  • Does the solution store all data, or does it filter out extraneous data and focus on collecting only security-relevant data?
  • Does the solution have flexibility to store data in a data lake with on-premises storage (NAS for example), the cloud, or a combination of these?
  • Can you choose hot or cold storage for the collected data, and can you move data seamlessly from cold to hot storage for on-demand forensics analysis?
  • Can you customize the data retention time by data type and/or by tenants?

Some legacy SIEM or XDR vendors start to sweat when you ask questions like these, but they’re all questions your chosen solution provider should be able to answer with a resounding “Yes.” If not, you should look at Stellar Cyber’s Open XDR security operations platform.

Brian Stoner is VP of service providers at Stellar Cyber, which develops a next-gen security operations platform that provides high-speed, high-fidelity threat detection and response across the entire attack surface. Read more Stellar Cyber guest blogs here.