The idea of collecting data from logs and using this data for analyzing the behavior of software applications, endpoints and servers dates back to the 80s. It took over a decade for the first Security Information and Event Management (SIEM) systems to appear as an on-premise security tool that collects logs from multiple collection points to detect abnormal activity.

Two Gartner experts coined the term Security Information and Event Management in 2005 when most SIEM solutions were still operating on-premise. The rapid expansion of cloud-based platforms extended to SIEM systems quickly as a method for reducing implementation and maintenance costs and taking advantage of a pay-for-what-you-use model that characterizes Software-as-a-Service (SaaS) corporate solutions.

Gartner Magic Quadrant of Leading SIEM Vendors
(February 2020)

Source: Gartner

The increased demand for threat intelligence services transformed modern SIEM systems from collectors of logs and detectors of malware footprints into complex threat-detection platforms. The latest generation of SIEM platforms takes advantage of cloud-based databases for collecting information about unknown threats and prevents a variety of cyber threats from entering and proliferating through organizations’ networks.

Both on-prem and cloud SIEMs offer specific benefits and drawbacks to an organization. They should carefully consider each before selecting one solution over another. The trend toward moving various activities to the cloud should not overshadow specific advantages of on-premise solutions while some downsides of cloud-based solutions should not prevent you from moving to the cloud if the benefits outweigh the disadvantages.

On-Premise and Cloud SIEM: Advantages and Downsides

An organization needs to evaluate several factors before it decides on the feasibility of adopting an on-premise SIEM solution or opting for a cloud SIEM. In this section, we evaluate the major pros and cons for both options.

Advantages of On-Premise SIEM

• It may seem obvious, but your organization keeps sensitive data on-site with an on-premise SIEM. It might be due to regulatory requirements or your organization may want to avoid transferring sensitive data to a cloud-based SIEM.
• Your organization keeps complete control over the SIEM platform. By keeping your SIEM on-premise, you can customize how the platform runs and set up to produce best results in the context of your specific business operations. These customizations can more accurately reflect the ways stakeholders connect to and interact with your systems, which improves the overall security and efficiency.
• Your organization keeps control over the whole cyber-security team. By keeping the team running the SIEM platform in-house, you are also keeping control over training the team members to the specific needs of your business. This approach enables organizations to have custom SIEM service deliverables and more seamlessly adopt policies tailored to the organization’s business context.

Downsides of On-Premise SIEM

• Adopting and running a SIEM platform on-premise requires financial efforts that are prohibitive for many businesses, with the exception of large and multinational corporations. The overall cost is not limited to the expenditures for purchasing, installing and maintaining the software but includes costs for collecting, storing and analyzing vast amounts of data from each collection point. Hiring, training and managing knowledgeable cyber-security specialists in-house is expensive while IT security talent is in high demand and require lucrative compensation to keep these employees on payroll.
• Training costs are another barrier before the adoption of on-premise SIEMs. An organization needs to both find and hire high-paid experts in the field of cyber-security but it also needs to train them to manage a complex SIEM system in accordance with the specific requirements each particular organization has in place. The team that runs the SIEM should fully understand an organization’s business model and business context for the SIEM to produce viable results, which means that the process of implementing an operational SIEM platform can take a year or even more, depending on the size of the organization.
• Fully integrating a SIEM system within a complex business ecosystem is time-consuming, requires specific expertise and the associated costs are high. A complex business IT infrastructure involves dozens of business applications as well as hardware and software modules that should be integrated to work in concert and mitigate security risks. An organization needs to have a very knowledgeable team to keep all integrations up to date and running while in the same time customize the SIEM platform to meet the requirements originating from a specific business context.

Unless your organization has decided on adopting a SIEM platform on-premise, you also need to evaluate the advantages and disadvantages a cloud SIEM system offers.

Advantages of Cloud-Based SIEM

While virtually all leading SIEM systems started as on-premise solutions, most vendors now support cloud-based or SaaS versions of their respective SIEM platform. There are also hybrid SIEM solutions while several cyber-security software makers offer their products only in the cloud.

• A major advantage of a cloud-based i.e. a managed SIEM, is that your organization immediately gains access to expert knowledge and there is no need to train your employees how to make the most out of the selected SIEM platform. You get a pre-configured SIEM system operated by a team that knows the ins and outs of managing the platform. You reduce the time for deployment, as there is no need to train an internal team to manage the platform.
• Selecting a cloud-based SIEM results in cost savings due to the SIEM vendors taking care for investing in infrastructure. In a SIEM-as-a-Service scenario, your organization does not purchase expensive hardware to run the SIEM platform. A managed-service provider can also take care of the software maintenance, support and updates, which eliminates your costs associated with having an internal IT support team to deal with the SIEM’s maintenance.
• With cloud-based SIEMs, you can have faster custom implementations as the software comes with a team of experts that can configure it to your needs without any IT training required.

Downsides of Cloud-Based SIEM

• An organization is always facing risks when moving sensitive data off-site. The risks associated with data in transit are always greater as compared to data in rest, although there are methods to mitigate the risks arising from transferring and storing data with a third party.
• Some cloud SIEM vendors focus on the monitoring and reporting features of their systems, which in turn exposes you to risks associated with the lack of proper threat management and threat remediation. It is better to have false positives and respond to them properly rather than to have a system that always generates genuine alarms, but no one to address them.
• When selecting a cloud-based SIEM solution, you may face an issue with vendors limiting your access to raw log data even though this is your data that comes from your endpoints and systems. Such a cloud SIEM vendor will still send you reports based on the data collected from your endpoints, but it is crucial to have unlimited access to raw log data for making your own analyses and estimates.

Conclusion

Many large enterprises prefer a SIEM platform installed on-premise while SIEM-as-a-Service is gaining popularity among small and medium-sized organizations that cannot afford to invest in the installation and maintenance of on-premise SIEM solutions.

The main advantage of a cloud-based SIEM lies with the shorter implementation times and the relative ease of scaling up and down to include or exclude collection points as business activities expand or decrease.

The on-premises SIEM model keeps organization’s sensitive data in-house and, in theory, allows for greater customization as compared to managed SIEM services.

The final decision whether the on-premise or the cloud-based model for SIEM adoption is more advantageous for your organization does not depend on a single factor such as implementation or maintenance costs since every SIEM adoption should also take into account an organization’s specific business context.

Datashield is intimately aware of the advantages of on-premise SIEM and cloud-based SIEM solutions. We work with companies of all sizes to help implement, tune, maintain, and scale their security suite. If you are looking to implement a SIEM tool within your organization, contact us today for a no-cost consultation to see if Datashield can assist in upgrading your cybersecurity.