How are you currently managing SIEM costs? Have you found effective ways to actually reduce storage costs for your SIEM?

2.8k viewscircle icon1 Upvotecircle icon5 Comments
Sort by:
Chief Information Security Officera month ago

Make sure that Windows logging is configured in line with the threat landscape that your organization is likely to face and only include logs that relate to Windows functions that threat actors are known to actively exploit. There are a number of tools on the market that can help with this.

CIO in IT Servicesa month ago

We manage SIEM costs by filtering out unnecessary logs and only ingesting what’s really useful.
Hot data stays in the SIEM for quick investigations, while older logs are pushed to cheaper storage.
Retention is based strictly on compliance needs, not “keep everything forever.”
We also use a data lake for bulk logs and keep SIEM focused on security-critical data.
Finally, we review licensing models with vendors to avoid overpaying for daily volume.

Chief Information Officer2 months ago

We are mid-size and have found a solution that has unlimited upload storage. I'm told there is a limit theoretically, but I think you need to approach 100Tb/mo. in data storage before they start having conversations. 

Not sure your size/scale or requirements, but there are some solutions out there that don't charge based on capacity. For these reasons, we don't have to do the additional compressions or preprocessing of data. We are never on the upper end of the limit for our environment. 

Group Director of Information Security in Banking2 months ago

It would have been beneficial had you mentioned if your SIEM is located on premise or on the cloud and also if most of your applications are on premise or on the cloud. But assuming that your SIEM and workloads are on the cloud and bandwidth costs of transferring logs between workloads and SIEM are least of your concern, then you can try the following 5 step process:

1. Prioritize logs from critical systems and high-risk areas, as hoarding every log can bury valuable data and increase costs. 
2. Use tools to preprocess data, eliminate duplicate logs, and reduce redundancy before data enters your SIEM. 
3. Leverage different storage tiers, moving less critical or older logs to cheaper, "cold" storage options or external data lakes for compliance purposes.
4. Ensure that your data is compressed effectively before storing it in the cloud.
5. Set clear policies for how long different types of data should be retained and automatically delete old or unused data after their set period.

Let me know if you want to know beyond this give your specific environment or if my assumption of your environment is not correct.

CISO2 months ago

Using lower-cost disk alternatives generally has negative effects on SIEM searches and performance. Then, I believe, it is better to focus on the size of ingested traffic.
We have two initiatives to control the size of the ingested traffic into the SIEM environment:
- First of all, we reviewed all the log sources with the help of their admins/owners to understand whether they are meaningful and whether they are really essential for security processes. After this point, we also have a review process for all new log source integration requests. So, we are ingesting only needed amount of data.
- The second part is continuous monitoring of log sources and assuring unwanted fluctuation in log volumes. We created top-N log source reports/dashboards, continuously monitor log size trends and instantly take actions to abnormal fluctuations in log sizes.

Content you might like

Yes28%

Yes, for certain roles59%

No, but it helps11%

No1%

Unsure/something else

View Results

Yes70%

No26%

Other (comment below)3%

View Results