In this article, we will examine six questions that can help security teams make an informed decision about whether to buy or build the capabilities they need to ingest, retain, monitor, and alert on the various sources of security data they need to detect and respond to cyber-attacks.
The cloud is fundamentally changing the way organizations do business. Some companies are fully cloud-native, and others are just starting their digital transformation journey and find themselves with a hybrid solution. In either case, companies today often have dozens, or even hundreds, of SaaS services, multi-cloud infrastructures, and multiple cloud accounts – all of which generate logs and other types of security data.
Many workforces are now remote, at least some of the time. How security teams think about their infrastructure perimeter has changed dramatically. Innovative tools and applications are transforming how people access information and systems. As companies move to the cloud, adopt more SaaS services, and depend on new tools and applications, it’s become painfully clear that legacy SIEM solutions are woefully inadequate.
The amount of data that security teams need to monitor and analyze has exploded over the last decade, and every indication is that this trend will continue. This dramatic increase in the amount of security data that teams are responsible for, combined with the inability of their current tools to handle that much data at a reasonable cost, has caused some companies to consider building the capabilities they need in-house.
The adoption of cloud infrastructure and SaaS is streamlining business operations but making security more complex at the same time. Gaining visibility across your environment requires data from many different sources. Proper alert investigations require that you don’t skimp on data retention either.
To name a few, security teams should ingest, monitor, store, and create alerts around data from:
Because of the business model used by traditional SIEM providers, many companies attempt to keep costs down by playing a kind of security data monitoring wack-a-mole. To provide adequate security at a reasonable cost, they try to predict what data sources are less likely to produce relevant alerts and can be assigned a reduced retention plan or neglected altogether.
When considering whether to buy vs build a better SIEM solution, be sure to include all the data sources you can and should be working with. Even with better tools for writing detections and reducing alerts, if you don’t have visibility across all the relevant data, your home-grown solution will likely disappoint in the end.
When it comes to assessing the cost aspects of the buy vs. build question, the engineering can-do attitude of some security teams bends toward an “I can build this thing for less than buying it.” And, that may very well be true.
Even though a security team has the internal expertise to build a home-grown solution to augment or replace their legacy SIEM, four additional considerations must be factored into the equation.
Time to build: Depending on their needs, it will likely take six months to a year for a team to build a solution to the point that it will produce their desired outcomes.
Ongoing maintenance: Invariably, there will be ongoing maintenance issues to be dealt with. Patching, improving, and maintaining a library of valuable detections will take time and resources, which, of course, add to the project’s overall cost.
Scaling it: Your business is not static, and so your security data needs are not fixed either. As your business grows, more and more data sources and larger volumes of data will be added to your solution. You must ask yourself if you can dedicate the resources necessary to scale your solution continually.
Internal customer needs: If you build an effective solution to ingest, monitor, and store data, you may find yourself the proud owner of a business-critical application that the entire enterprise depends on as a resource. You become the internal “vendor.” This means you need to provide the same service to your stakeholders that an external vendor would offer.
Getting information into a single location solves one problem. However, the diverse formats often make correlating and analyzing the data challenging.
For speed of detection, you want to monitor data from all sources on the fly. Creating real-time normalization as you ingest the data enables real-time alerts. When you choose to build your tool, you’re responsible for normalizing the data. Be sure to assess your team’s ability to create real-time normalization to avoid being left with a solution that does not meet your need for real-time alerts.
Remember that as your company grows, more data sources must be normalized and monitored as you ingest them.
After aggregating and normalizing everything, you need the ability to create alerts. Understanding security analytics in complex systems may be more than your developer team can manage.
If your team has the appropriate skill sets, that’s great. Be prepared to retain those individuals, or hire others will the same skills in a competitive market. It’s certainly doable, but add this to the cost column of your decision tree.
Obviously, the amount and type of resources needed to build a home-grown SIEM will vary for each company. How your company manages CAPEX and OPEX expenses will be a critical factor in determining if you have the necessary resources. For cash-rich companies with a liberal attitude toward CAPEX purchases, purchasing the servers and infrastructure needed to build a SIEM may be more feasible than for growth companies.
As the home-grown solution scales, the resources needed to ensure availability also increase. For example, as you’re building out your solution, you need to consider the following resource costs:
If you’re trying to create everything on your own, you need a large team of people. Your team needs to be able to manage the time and costs of the continued development. If they can’t, then your build doesn’t give you the security visibility you need.
Other companies that have gone the “build” rather than “buy” route report that it will take at least two engineers assigned to the security data project full time to keep up with maintenance and growth issues.
Security investigation must be done quickly, accurately, and over the largest possible data set. If you want to do an accurate assessment of the buy vs. build question, be sure to compare your ability to build against the capabilities of solutions that you may opt to buy.
Your home-grown solution should be able to quickly create customized queries that can be applied to current and historical data to identify indicators of compromise. Reducing attacker dwell time is essential and should be a top priority as you contemplate building your solution.
Building your tool seems like a cost-saving at the outset. However, the time and resources required make the project cost-prohibitive or leave you struggling to manage security activities.
With Panther’s platform, you can find the partner you need to give you the security analytics you want. By decoupling storage and compute, Panther provides security teams the agile, flexible, scalable security data lake they need while still providing the cost savings that come with cloud storage.
As Panther ingests logs, the platform parses and normalizes the data in real-time to provide security teams rapid visibility into potential threats. Meanwhile, leveraging the power of Python, you can build detection-as-code to customize alerts. Panther detects anomalies in real-time, giving you enhanced security along with visibility.
