Though the frequency and impact of incidents continue to rise, and most organisations have experienced some type of cyber incident, justifying cybersecurity spend continues to be a challenge. In this article, we are going to help you navigate the TCO puzzle.
What is TCO?
One reason cybersecurity TCO is notoriously difficult to calculate is that leaders and organisations tend to be very focused on acquisition costs. Often, the first question raised is, “How much did this cost us to buy?” Yet acquisition cost, or TCT (Total Cost of Technology), is only one component of TCO. Sometimes the differences in TCO for competing products can range from 50 to 100 percent.
But is that the correct way?
TCO is not limited to the TCT cost; it also includes the TCR (Total Cost of Risk) and the TCM (Total Cost of Maintenance). TCR is the estimated cost of not deploying resources, processes, or technology in your enterprise: compliance risk, security risk, legal risk, and reputation risk. TCM is the cost of maintaining the information security program: people, skills, and the flexibility, scalability, and comprehensiveness of the systems deployed. So, the right way to look at TCO is to bring in the other two variables (TCR and TCM) and analyse the difference between the short term (purchase price) and the long term (organisational goals). This lets decision-makers evaluate an asset and obtain an accurate comparison in competitive bidding, and it supports an informed purchasing decision when selecting the right vendor from multiple alternatives.
Going down the rabbit hole
Some of the other questions that confound an organisation are: to build or to buy, on-prem or cloud, can I integrate multiple point solutions, can I use open-source tools… the list goes on! Before I go about answering the above questions, let me ask you this: “Do you want to be a secure company, or do you want to be a security company?” We are also seeing an interesting trend, where SMEs and enterprises are trying to build their own security analytics solutions, and one of the most cited reasons for this adventure is that they have had little or no success with products or solutions they have purchased. A year into this adventure, almost all realise that the annual cost and resources required to maintain DIY cybersecurity are almost always more than what companies expect, and because there is a scarcity of security professionals, there are not enough qualified people to operate it.
On-prem or cloud
With fully on-premises systems, there are typically two CapEx investment bumps: the initial investment, and the hardware refresh around the fourth year for hard drive replacement and processor and memory upgrades. The contrast in lifecycle cost between cloud and on-premises systems works out to a saving of 15 to 20 percent in favour of cloud. In the TCO comparisons we have seen, the cloud TCO savings can range between 10 and 40 percent.
Integrating multiple point solutions
It is not uncommon for today’s enterprises to use anywhere from 50 to 100 different cybersecurity tools and to manage multiple vendors at any one time. These tools are often put in place by leaders who believe that solving niche problems with point products will make them more secure. However, the resulting management and operational tasks present an enormous amount of complexity and a burden in time and cost. Not only that: it often means your security architecture has cracks and, as a result, carries higher risk. Reducing the number of tools and using a single-architecture, portfolio-based approach is far more beneficial. By consolidating and rationalising security infrastructure in this way, organisations can attain a proper security posture and become 30% faster compared to using point solutions, saving the business a significant amount of cost.
How about free open-source tools?
Free does not necessarily mean trouble-free. Keep in mind that these tools often require extensive adaptation at the outset and can be management-intensive throughout their life cycles. Some of the questions you should ask yourself are: Do these tools fit into your larger, strategic architecture? Do you understand what type of adaptation you will need in order to get up and running? Do you have the surrounding tooling to manage them effectively? When a security event occurs, the tools call for people to stitch together the plethora of information spread across them. As a result, many hours are spent evaluating the situation, correlating the information, and determining what is at risk. That same group then needs to take action across all these different systems and tools to become more secure. You can quickly see how that time- and talent-intensive approach is not ideal for optimising security or for the TCO of cybersecurity investments.
The options available in the market
Exabeam: Fusion SIEM from Exabeam is a cloud-only solution that combines SIEM analytics with XDR (extended detection and response), which attempts to streamline and unify a range of security capabilities. One key to the software is that it is as much about the processes involved in triaging, diagnosing, and remediating as it is about any of the technology tools. This focus on processes and the people managing your security posture makes the technology that much more valuable.
IBM: IBM offers its Security QRadar SIEM both on-prem and in the cloud under the banner of “intelligent security analytics.” The SIEM solution works alongside IBM’s Security QRadar Advisor with Watson to automate investigations of anomalies and other security tasks.
LogRhythm: LogRhythm comes with an expansive feature set that includes integration with hundreds of other IT systems, a library of modules to evaluate compliance with various industry standards, and an array of offerings that run the gamut from basic SIEM to advanced SOAR-based automation and response.
DNIF HyperScale SIEM: A new entrant in the segment is DNIF HyperScale SIEM. DNIF HyperScale SIEM is said to offer a composite solution that combines UEBA and SOAR into a single application. Its petabyte-scale data lake can ingest, enrich, store and correlate data in real time. We also noticed that they offer one of the industry’s best data compression ratios: a general mode for up to 95% compression and a Maximal mode for up to 98.4% compression. It also comes with a 50K EPS processing capability on a standard 8-CPU server. DNIF HyperScale capabilities include ML-powered behavioural analytics to identify anomalous behaviours, real-time correlation against threat intelligence, predictive analytics, historical correlation, and other intelligent analytics to address a wide range of business-critical security use cases. In addition, mapping signals onto the MITRE framework lets you visualise attack progression and gain a timeline view of the events. You can investigate signals, perform incident analysis, hunt for threats, and correlate signals across solutions. The pricing is per device rather than by data volume. DNIF recently released a community edition of their SIEM solution that organisations can use without limits or restrictions.
Azure Sentinel by Microsoft: Azure Sentinel is available only on Microsoft’s cloud, but it also offers visibility across on-prem systems. A key differentiator is its easy integration with Microsoft 365 and Windows Defender, but it can ingest logs from a variety of sources. Azure Sentinel bills itself as both a SIEM and a SOAR platform that adds AI, automation, and collaborative tools.
Splunk: Splunk was one of the first software vendors to discover gold in log file analysis. Splunk Enterprise Security draws on the company’s mature data analytics and visualisation capabilities to deliver a SIEM solution integrated with threat intelligence and available in the cloud or on-prem.
Securonix: Securonix enhances your log and event data with data enrichment. You can add relationships between different types of events in order to correlate and contextualise your alerting and analysis capabilities. As a bonus, Securonix runs on Hadoop with an open architecture, enabling you to use a wide variety of third-party analytics tools.
In conclusion
As choice abounds in SIEM platforms, there needs to be a blueprint for making an optimal selection. We believe that this blueprint should be based on Total Cost of Ownership (TCO) = TCR (Total Cost of Risk) + TCM (Total Cost of Maintenance), as this model takes a balanced approach to weighing objectives and costs. Furthermore, we argue that by following a holistic TCO perspective on SIEM selection, organisations position themselves to improve their risk management capability while ensuring cost certainty: a win-win outcome.