PacketViper's approach to reducing SIEM (Security Information and Event Management) logging and the associated costs combines sophisticated traffic filtering with the capability to identify and mitigate unnecessary or malicious network traffic. This document outlines the efficiencies and savings that can be achieved through the strategic deployment of PacketViper solutions, emphasizing the reduction of traffic that would otherwise be logged and analyzed by a SIEM system.
In the complex and dynamic landscape of network security, managing the volume of data logged by Security Information and Event Management (SIEM) systems presents a significant challenge. PacketViper addresses this challenge head-on, offering a sophisticated solution that not only reduces the unnecessary logging of network traffic but also enhances the overall cybersecurity posture of an organization.
A typical network environment encompasses numerous boundaries, both external and internal. Each boundary acts as a critical point for protection, inspection, and filtering of network traffic. However, this intricate setup is prone to generating vast amounts of unnecessary log data, particularly when devices within the network make superfluous connections.
Consider the scenario where an internal device, due to misconfiguration, attempts to synchronize time (NTP sync) with an external network. This activity, though seemingly benign, triggers a series of log events across transporting devices like routers, switches, and firewalls. Such incidents, albeit simple in isolation, can exponentially increase the volume of logs collected by SIEM systems when multiplied across thousands of systems, devices, applications, and plugins. The result is a deluge of data that contributes to network blindness, false alerts, and operational fatigue, complicating the task of threat detection and response.
PacketViper stands out as a proactive measure to this pervasive issue. By strategically positioning PacketViper within the network and configuring it to accurately identify and filter out unnecessary internal requests, organizations can significantly curtail the volume of logged traffic. A prime example of PacketViper’s efficacy is evident when it intercepts and drops misdirected NTP sync requests from internal devices. Such interventions ensure that only relevant data is logged, dramatically reducing the clutter within SIEM systems and enhancing the focus on genuine security threats.
The initial logging of an unwanted request serves as a vital cue for network administrators to rectify source misconfigurations. Once addressed, PacketViper ensures that similar future attempts are seamlessly filtered out, preventing redundant logging. This targeted approach to managing network traffic stands in stark contrast to the capabilities of traditional SIEM or Syslog systems, which often struggle to sift through the overwhelming volume of information to pinpoint and track minor yet critical misconfigurations or security concerns.
Key Highlights:
Traffic Reduction: PacketViper is renowned for its ability to eliminate a significant volume of unnecessary network traffic. On external network boundaries, it can reduce traffic volume by up to 70%, while internal deployments can reduce up to 30% of unnecessary traffic. This filtering directly translates into fewer events logged by SIEM systems, addressing the overload of data these systems often face.
Operational Efficiencies: The reduction in traffic volume not only decreases the storage and processing demands on SIEM systems but also enhances operational efficiencies. By filtering out irrelevant or harmful traffic, PacketViper allows security teams to focus on analyzing genuine threats, reducing the time and resources spent on investigating false positives.
Financial Implications: The deluge of false positive alerts generated by SIEM systems can lead to significant operational costs. Given the labor-intensive nature of responding to SIEM alerts, the financial implications of managing these systems are considerable. PacketViper's ability to reduce unnecessary logging directly impacts these costs, offering potential savings by minimizing the need for extensive analysis and manual intervention.
Strategic SIEM Deployment: The document discusses the costs associated with deploying SIEM solutions, emphasizing the high expenses related to software, implementation, and staffing. By reducing the volume of traffic and, consequently, the number of events that need to be logged and analyzed, PacketViper can significantly impact the overall cost of SIEM deployment and operation.
Enhanced Security Posture: Beyond financial savings, the strategic deployment of PacketViper enhances an organization's security posture. By proactively filtering unnecessary or malicious traffic, PacketViper helps maintain a cleaner, more manageable SIEM environment. This proactive approach enables more effective threat detection and response, bolstering overall cybersecurity defenses.
Calculating Savings
The savings depend on where PacketViper is located. For instance, on external network boundaries (between the internet and the customer firewall/router) PacketViper is known to eliminate a combined 70% of the traffic volume. Internal PacketVipers are also known to eliminate up to 30%. These savings are realized only on the boundaries PacketViper is protecting.
Understanding Percentages: Savings: Basic Example
There are also other knock-on benefits, realized after log and alert reductions:
• Reduction in MTTD (mean time to detect, in days)
• Reduction in MTTR (mean time to recover, in days)
• Improved days to detect and respond
• Average daily breach costs
• Reduction in total annualized losses expected from breaches
• Reduction in monthly alerts
• Reduction in false positives
• Reduction in time spent on each alert, in minutes
Analyst Efficiency
A recent study showed that every hour, 15 minutes are wasted on false positives, and that false positives are one of the top five issues that make threat hunting and the SOC ineffective; some 49% of organizations report it as a top challenge. Approximately 67% of CISOs, CIOs, and CTOs told Fidelis Cybersecurity that alert overload is one of the main issues their teams face. These pain points are interrelated: the Fidelis study, for example, reported that the two biggest barriers to threat hunting are a lack of time (49%) and a lack of skills (41%).
Every time a security analyst receives an alert, the analyst is supposed to:
• Triage that alert along with other alerts to determine priority;
• Gather additional context related to the alert;
• Conduct an investigation;
• Determine if the alert is legitimate and not just a false positive; and
• If it is legitimate, perform incident response.
The deluge of false positive alerts can lead to increased costs. As mentioned earlier, the activities related to alert processing are quite labor-intensive. According to the US Bureau of Labor Statistics, the latest national estimates for information security analysts’ mean hourly wage is $57.63. Depending on the industry and state, that number could go up to almost $80 per hour.
Spending approximately $60/hr to $80/hr per information security staff member who then goes on a wild goose chase every day is very expensive. And to cope with the mounting deluge of alerts, you may be forced to hire additional security staff.
What is alert fatigue in cybersecurity?
Cybersecurity alert fatigue occurs when infosec staff are constantly exposed to alerts and alarms from the tools and technologies organizations use to defend their data and IT assets, and over time become desensitized to them.
Security alerts often take the form of individual emails sent to a user’s inbox or push notifications on a software dashboard. On average, each alert takes at least ten minutes to investigate—and large companies typically deal with at least 1,000 cybersecurity alerts a day.
All that time adds up. Unfortunately, 75% of businesses report spending just as much time investigating false positives as they do genuine security incidents.
What is a false positive?
According to the National Institute of Standards and Technology (NIST), false positives are alerts that incorrectly indicate a vulnerability is present, that malicious activity is occurring, or that classify benign activity as suspicious. Put simply, a false positive is like a house alarm going off and telling you that someone’s trying to break in, but your doors are still locked and there’s no sign a burglar tried to steal from you. On the flip side, a false negative is like your house alarm not going off when it should be. This happens too as the cybercriminals behind these attacks constantly find new ways to slip past defenses.
It's like a game of cat and mouse, with the attackers always trying to stay one step ahead. False negatives cause their own set of headaches, but that’s a topic for another day.
The risks of alert fatigue
If left unaddressed, alert fatigue can develop into full-blown burnout, impacting an organization’s ability to deal with true cybersecurity incidents. Critical alerts may easily slip through the cracks.
Cyber alert fatigue was discussed as a potential cause of the 2013 Target security breach that resulted in the theft of credit card credentials and private data for an estimated 70 million customers.
Speculation focused on two issues, including the fact that no initial response was taken by Target IT—most likely because the alerts were included with other ‘false’ alerts—as well as the possibility that alerting systems may have been off to reduce false positives.
Security Information and Event Management (SIEM) solutions have been around for more than a decade. Yet, the industry is far from seeing the level of satisfaction and broad commitment to SIEM as in other security technologies at the same stage. However, SIEM must be a critical part of an organization’s security strategy and toolset. Why? The driving problems still exist and are growing – how does one detect, analyze and remediate a breach to IT infrastructure? SIEM still addresses these problems better than other solutions. The frustration frequently comes from underestimating the costs and complexity of deployment and operation of a SIEM. To overcome these challenges, managed SIEM services have been introduced to address the unique needs and strategies for organizations of all sizes. But, how should an organization choose between self-managed and managed SIEM?
Understand the Calculations
Ultimately, the goal of this paper is to provide an insightful understanding of the benefits when a tool like PacketViper is inserted into the stack.
There are two primary SIEM deployment models, self-managed (Do-It-Yourself) and managed security services. This paper compares the costs of SIEM under two delivery models, self-managed and managed SIEM for three different customer scenarios based on organizational size. The cost comparisons capture both capital expenses (upfront costs) and operating expenses (ongoing usage costs).
The three customer scenarios presented are:
• Large Enterprise
• Medium Enterprise
• Small Enterprise
The value of these scenarios comes from applying and adjusting the appropriate scenario to an organization based on the descriptions and profiles provided within this analysis.
We understand that there are strategic considerations in addition to the financial ones. This paper briefly discusses three strategic issues because of how frequently they arise in these discussions and their direct influence on costs.
Cost Methodology
The cost models presented apply a total cost methodology by incorporating most indirect costs of buying a SIEM across a typical service time period of three years. For example, we include labor costs associated with operating the SIEM including:
• Training
• Deployment and implementation support
• Turnover and recruiting
• Fully-loaded labor rates (i.e., salary + overhead expense).
We intentionally exclude certain indirect costs, such as data center space, power and cooling that are included in many service provider total cost of ownership (TCO) models. The Trustwave Managed SIEM architecture requires a SIEM device on the customer’s premises. Therefore, these indirect costs are the same for both delivery methods.
One indirect expense most companies do not capture when budgeting for their SIEM is staffing costs associated with recruiting, turnover and ongoing staff training and certification. These costs can be significant. This paper uses widely-published standards to capture these costs.
Capital Costs (CapEx) and Operating Costs (OpEx)
Many equipment purchases (e.g., servers, software, etc.) involve a CapEx and an OpEx component. Allocation of these expenditures into the “right” CapEx and OpEx buckets can quickly devolve into a technical accounting discussion based on individual accounting practices. This paper keeps the allocation simple and intuitive. Capital expenses are the upfront costs paid for the products (hardware and software) that the customer purchases. Ongoing costs associated with certain use of products (e.g., support and maintenance) are considered operating expenses. These expenditures are considered OpEx even if the customer pays in full at the beginning of the use period.
Common Strategic Trade-offs
There are several strategic considerations when comparing self-managed and managed security services delivery models. Addressing all of them is beyond the scope of this paper, but the strategic trade-offs we most commonly hear about are:
• Cost allocation
• Strategic and tactical control
• Retention of in-house skills and expertise
• Risk management.
Large Enterprise
The large enterprise scenario is representative of a large organization with at least 10,000 employees. The key characteristics for this analysis are the number of IT devices which are used for system sizing and service pricing. Workstation count is related to employee size but is not meant to equal it. Some organizations have more employees than workstations due to the industry and type of work.
Platform sizing – number and type of devices
• 10,000 workstations
• 30 policy devices (IDS, Firewall, etc.)
• 60 network devices
• 125 servers
• 15,000 events per second (~1 billion events per day)
Medium Enterprise
The medium enterprise scenario is representative of a typical medium-sized enterprise with 1,000 or more employees. The key characteristics used for this analysis are the number of IT devices which are used for system sizing and service pricing. Workstation count is related to employee size but is not meant to equal it. Some organizations have more employees than workstations due to the industry and type of work.
Platform sizing – number and type of devices
• 1,000 workstations
• 18 policy devices (IDS, Firewall, etc.)
• 25 servers
• 1,500 – 3,000 events per second (130 – 260 million events per day)
Small Enterprise
The small enterprise scenario is representative of a typical small business with 250 to 500 employees. The key characteristics are the number of IT devices which are used for services pricing. Workstation count is related to employee size but is not meant to equal it. Some organizations have more employees than workstations due to the industry and type of work.
Platform sizing – number and types of devices
• 250 workstations
• 6 policy devices (IDS, Firewall, etc.)
• 8 servers
• 1,000 events per second (~86 million events per day)
Estimate Costs By Item
• Fully-loaded salary of $115,764 for an Information Security Analyst
• Fully-loaded salary of $130,340 for a Security Threat Correlation Specialist
• Recruiting costs, conservatively calculated at 20% of the first year’s salary
• Fully-loaded salary of $99,136 for standard system administration
• SIEM hardware, ranging from $25,000 to $100,000 depending on size
• Software costs, ranging from $20,000 to $1 million
Event Logging Formula
You can estimate your SIEM data volume, and therefore its cost, from events per second (EPS). The rule of thumb used here is:
1 GB = 40 EPS
Event Logging by Device (Estimated EPS)
1 User Authentication / SSO / PAM / IAM system = 10 EPS
1 Active Directory / Domain Controller = 10 EPS
1 Switch (syslog enabled) = 2 EPS
1 Router = 1 EPS
1 Wireless Access Point = 5 EPS
1 Firewall = 200 EPS
1 DDoS Protection system = 5 EPS
1 VPN = 5 EPS
1 Proxy System = 20 EPS
1 Vulnerability Scanner = 5 EPS
1 IDS / IPS = 15 EPS
1 Threat Intelligence Feed = 5 EPS
1 Data Loss/Leakage Prevention (DLP) system = 5 EPS
1 EDR (Endpoint Detection & Response) system = 5 EPS
1 WAF (Web Application Firewall) = 30 EPS
1 Network Load Balancer = 5 EPS
1 Windows workstation = 0.0005 EPS
1 Surveillance system = 0.0005 EPS
Event Logging by Application (Estimated EPS)
1 Windows Server (physical or virtual) = 10 EPS
1 Unix Server (physical or virtual) = 10 EPS
1 Virtual Infrastructure Server (Hypervisor) = 15 EPS
1 Web Server = 10 EPS
1 Application Server = 5 EPS
1 Database Instance = 1 EPS
1 Storage Array = 5 EPS
Event Logging by Cloud Environment (Estimated EPS)
1 Cloud Services - Azure = 25 EPS
1 Cloud Services - AWS = 25 EPS
1 Cloud Services - Google = 25 EPS
1 SaaS = 25 EPS
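The per-source EPS tables above, together with the 70% (external) and 30% (internal) reduction figures from the "Calculating Savings" section, are enough to build a small sizing calculator. The Python below is an added worked example, not a PacketViper tool: it turns a device inventory into a baseline EPS figure, converts that to events per day and gigabytes per day, and then applies the page's reduction percentages only to sources on a boundary PacketViper protects. Two assumptions are labelled in the code: the page's "1GB = 40 EPS" rule is read as 40 EPS sustained for a day producing about 1 GB of log data per day, and the sample inventory (modelled loosely on the small-enterprise profile, with its six policy devices split into firewalls and IDS/IPS and placed on assumed boundaries) is constructed for illustration.

```python
# Added example: SIEM sizing and savings estimator built from the per-source
# EPS figures and the reduction percentages stated on the page. Not a
# PacketViper product; the inventory and boundary placement are assumptions.
from dataclasses import dataclass
from typing import Optional

# Estimated EPS per log source, copied from the page's "Event Logging" tables.
EPS_PER_SOURCE = {
    "sso_iam": 10, "domain_controller": 10, "switch": 2, "router": 1,
    "wireless_ap": 5, "firewall": 200, "ddos_protection": 5, "vpn": 5,
    "proxy": 20, "vuln_scanner": 5, "ids_ips": 15, "threat_intel_feed": 5,
    "dlp": 5, "edr": 5, "waf": 30, "load_balancer": 5,
    "windows_workstation": 0.0005, "surveillance": 0.0005,
    "windows_server": 10, "unix_server": 10, "hypervisor": 15,
    "web_server": 10, "app_server": 5, "database": 1, "storage_array": 5,
    "cloud_azure": 25, "cloud_aws": 25, "cloud_google": 25, "saas": 25,
}

# The page's rule of thumb "1GB = 40 EPS". ASSUMPTION: it is read here as
# "40 EPS sustained over a day produces about 1 GB of log data per day".
EPS_PER_GB_PER_DAY = 40
SECONDS_PER_DAY = 86_400

# Traffic reduction on boundaries PacketViper protects, as stated on the page:
# 70% on external boundaries, 30% on internal ones. A source whose boundary is
# None is not behind PacketViper and keeps its full event rate.
REDUCTION_BY_BOUNDARY = {"external": 0.70, "internal": 0.30}


@dataclass(frozen=True)
class LogSource:
    kind: str                       # key into EPS_PER_SOURCE
    count: int                      # how many of this source exist
    boundary: Optional[str] = None  # "external", "internal" or None


def source_eps(src: LogSource) -> float:
    """Baseline EPS from one inventory line, before any filtering."""
    if src.kind not in EPS_PER_SOURCE:
        raise KeyError(f"no EPS estimate for source kind {src.kind!r}")
    if src.boundary not in (None, *REDUCTION_BY_BOUNDARY):
        raise ValueError(f"unknown boundary {src.boundary!r}")
    return EPS_PER_SOURCE[src.kind] * src.count


def estimate_eps(sources) -> float:
    """Total EPS the SIEM would ingest with no traffic filtering."""
    return sum(source_eps(s) for s in sources)


def estimate_eps_after_filtering(sources) -> float:
    """EPS still reaching the SIEM once PacketViper drops traffic on the
    boundaries it protects; unprotected sources are reduced by 0%."""
    return sum(source_eps(s) * (1.0 - REDUCTION_BY_BOUNDARY.get(s.boundary, 0.0))
               for s in sources)


def events_per_day(eps: float) -> float:
    return eps * SECONDS_PER_DAY


def gb_per_day(eps: float) -> float:
    return eps / EPS_PER_GB_PER_DAY


def summarize(sources) -> dict:
    """Before/after figures for an inventory, plus the overall reduction."""
    before = estimate_eps(sources)
    after = estimate_eps_after_filtering(sources)
    return {
        "eps_before": before,
        "eps_after": after,
        "events_per_day_before": events_per_day(before),
        "gb_per_day_before": gb_per_day(before),
        "gb_per_day_after": gb_per_day(after),
        "reduction_pct": 100.0 * (1.0 - after / before) if before else 0.0,
    }


# Constructed inventory modelled on the page's small-enterprise profile
# (250 workstations, 6 policy devices, 8 servers). The split of the six policy
# devices into 3 firewalls + 3 IDS/IPS and the boundary placement are assumed.
SMALL_ENTERPRISE = [
    LogSource("firewall", 3, boundary="external"),
    LogSource("ids_ips", 3, boundary="internal"),
    LogSource("windows_server", 8, boundary="internal"),
    LogSource("windows_workstation", 250),  # not behind a PacketViper boundary
]

if __name__ == "__main__":
    for key, value in summarize(SMALL_ENTERPRISE).items():
        print(f"{key:>24}: {value:,.3f}")
```

Running it on the constructed inventory gives about 725 EPS before filtering and about 268 EPS after, a reduction of roughly 63% rather than a flat 70%, because the workstations sit on no protected boundary and the internal sources are only reduced by 30%. That is the practical point of the "only those boundaries PacketViper is protecting" caveat: the headline percentages apply per boundary, so the blended saving depends on how much of the event volume originates behind a protected one. Note also that the firewall row dominates the baseline (200 EPS each), so where the firewalls are placed relative to PacketViper matters more to the estimate than any other line.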