

What to know about SIEM as a service before deployment

There's been increased interest in SIEM as a service and enterprises need to get to know the model before using it. Expert Frank Siemons explains what's different about it.

Traditionally, an organization that needs a SIEM deployment has two options: either build, maintain and use the SIEM on premises, or pay an external service provider for a managed security services model, where that service provider takes on most of the SIEM responsibilities.

A few more options have opened up recently. Now, there are security information and event management (SIEM) products that reside either partially or fully in some type of cloud environment. Some vendors were quick to label them as SIEM as a service products -- likely because anything new and linked to the cloud increases interest in a product.

Although SIEM as a service could be a valid term for some products, most of them are simply traditional, cloud-based, customer-owned or managed security service SIEM products. However, there are some unique characteristics that would justify a product carrying the SIEM as a service label and that have contributed to the rising interest in these products over the last few years.

What's different about SIEM as a service?

When an organization decides to put SIEM inside an infrastructure or platform as a service, the same installation, configuration and maintenance efforts still apply as if it were in an on-premises, owned data center. The only exception to this is the underlying platform and infrastructure.

For an actual SIEM as a service model, the platform and the infrastructure are entirely outsourced to the service provider. The customer is only responsible for the content development within the SIEM application and the actual use of the security data. This is a huge shift of responsibilities towards the service provider, which might be beneficial to the customer.


In a SIEM as a service setup, the responsibilities are not the only things moved from the customer to the service provider. Many of the initial costs of a SIEM setup -- such as licensing, installation and, usually, professional services consultancy -- are also moved to the service provider. This is beneficial for an organization that wants predictable expenses at regular intervals, or where there is not yet enough capital to justify the significant up-front costs of setting up a SIEM environment. Although this is mostly an accounting issue, it is easy to see that small and relatively new or fast-growing companies would prefer this option.

Another point to consider when looking at a SIEM as a service product is the required expertise and time commitment for an organization building its own SIEM platform. The development and installation of a large SIEM platform from vendors such as Splunk, Hewlett Packard Enterprise or McAfee requires a totally different skill set than what is required to operate it.


During the development stage, there might be a need for a SIEM architect for 12 months, but once the SIEM has been taken into production, there will be a need for multiple security analysts instead. This can be costly and hard to manage for any organization. With SIEM as a service, this is not an issue. The customer can focus solely on the skill sets needed for content development and security analysis within the SIEM. It is then up to the service provider to maintain a team of developers, architects and systems administrators to keep the platform operational and to make the required changes.


Any organization considering using SIEM as a service or deploying their own SIEM within a cloud platform should consider the bandwidth and storage requirements. A SIEM is only as powerful as the information that is fed into it. That information can easily contain billions of events per week. That is a huge amount of traffic uploaded from the organization to the cloud service provider, which can be costly.

The other important requirement is to actually store all of that data within the cloud. Depending on local compliance regulations, that data might need to be stored for years to come. This brings both technical and financial challenges that should not be underestimated.
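As an added worked example (not part of the original article), a back-of-envelope sizing calculation for the upload bandwidth and multi-year retention storage a cloud-hosted SIEM would need; the event volume, event size, burst factor, compression and retention figures are constructed assumptions, not vendor or customer data.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

SECONDS_PER_WEEK = 7 * 24 * 3600


@dataclass
class IngestProfile:
    events_per_week: float        # constructed figure, e.g. 2e9 (two billion)
    avg_event_bytes: float        # average raw event size on the wire
    peak_factor: float = 3.0      # burst ratio: peak rate / average rate
    wire_compression: float = 1.0 # forwarder compression (1.0 = none, 5.0 = 5:1)


@dataclass
class RetentionPolicy:
    hot_days: int                 # searchable online tier kept by the provider
    archive_years: float          # total retention mandated by compliance
    index_overhead: float = 1.5   # indexed size / raw size in the hot tier
    archive_ratio: float = 8.0    # raw size / compressed archive size


def upload_bandwidth_mbps(p: IngestProfile) -> Tuple[float, float]:
    """Return (average, peak) sustained upload rate in Mbit/s needed to ship
    the event stream from the organization to the service provider."""
    bytes_per_sec = p.events_per_week * p.avg_event_bytes / SECONDS_PER_WEEK
    bytes_per_sec /= p.wire_compression
    avg_mbps = bytes_per_sec * 8 / 1e6
    return avg_mbps, avg_mbps * p.peak_factor


def storage_tb(p: IngestProfile, r: RetentionPolicy) -> Dict[str, float]:
    """Estimate provider-side storage in TB: an indexed hot tier plus a
    compressed archive covering the full compliance retention period."""
    raw_per_day_tb = p.events_per_week * p.avg_event_bytes / 7 / 1e12
    hot_tb = raw_per_day_tb * r.hot_days * r.index_overhead
    archive_tb = raw_per_day_tb * r.archive_years * 365 / r.archive_ratio
    return {
        "raw_per_day_tb": raw_per_day_tb,
        "hot_tb": hot_tb,
        "archive_tb": archive_tb,
        "total_tb": hot_tb + archive_tb,
    }


if __name__ == "__main__":
    # Constructed mid-size estate: 2 billion events/week, 500 bytes each,
    # 90 days searchable, 7 years of archive for compliance.
    profile = IngestProfile(events_per_week=2e9, avg_event_bytes=500)
    policy = RetentionPolicy(hot_days=90, archive_years=7)
    avg, peak = upload_bandwidth_mbps(profile)
    print(f"upload: {avg:.1f} Mbit/s average, {peak:.1f} Mbit/s peak")
    for k, v in storage_tb(profile, policy).items():
        print(f"{k}: {v:.2f}")
```

Uplink cost is driven by the peak figure, not the average; the archive tier usually dominates storage once retention runs into years, so the compliance period is the first number to pin down before pricing an offering.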


The SIEM as a service product is still developing, even though some early, sometimes very interesting and comprehensive offerings have become available. If the cost model matches an organization's requirements and the required skill set is not readily available to develop a SIEM platform internally, it can be a good option. The SIEM as a service product can be seen as the step between a fully outsourced security operations center and a completely managed internal security architecture. Of course, when it comes to making a decision, subjects such as compliance requirements need to be taken into account, as well. When all of the options are weighed against each other, SIEM as a service might come out on top.
