Information Technology Navigator


Storage Implications of SIEM

Posted by Sean Gilbride

Thu, Mar 19, 2020


Every IT professional already knows that the proliferation of log data collected and generated by Security Information and Event Management (SIEM) solutions can be overwhelming to manage. Multiple SIEM tools analyze and automate this tremendous amount of data to provide alerts that help troubleshoot network issues, quickly remediate threats, and identify potential compliance gaps.

It’s a big market that shows no signs of slowing down. The SIEM market is forecast to grow to $6.24 billion by 2027. The 2020 SIEM Gartner Magic Quadrant highlights threat management and compliance as the major drivers for SIEM deployments among large enterprises. Gartner also predicts a rise in managed services in this area as organizations look outside for expertise in analyzing security event data in real time.

Storage Implications

Today’s SIEM solutions leverage AI and Machine Learning to aggregate and analyze the mountains of SIEM data and make them more actionable. But what about the storage implications? Where and how should you store the vast amounts of data generated by SIEM solutions?

Performance and scalability are both critical when evaluating data storage needs to keep pace with your SIEM data. To get an idea of the scale of the data involved, Gartner considers a small SIEM deployment to be one with up to 300 event sources, while very large deployments have thousands of event sources and may generate more than 25,000 events per second. In either case, once organizations realize the value a properly designed SIEM solution delivers, these environments tend to grow rapidly from tens of TBs to multiple PBs in scale.

Scale, Scale, Scale

Being able to leverage this data requires exceptional performance at scale. Many enterprises need sub-millisecond access to their SIEM data across multi-terabyte (potentially multi-petabyte) data sets. Organizations also require a fast and easy way to add storage capacity as their SIEM environments grow. Few storage solutions are ideally equipped to provide the flexibility, efficiency, performance and massive scalability required for SIEM-generated data without extensive management and tuning to keep them running. For example, one of our customers has grown from an initial requirement of ~300 TB with at least 55K IOPS to greater than 2 PB and 400K IOPS over a 3-year period. Fortunately for our customer, this was accomplished without ever requiring expansion or tuning of the underlying storage.
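The two passages above quote event rates (25,000 events per second) and capacity growth (tens of TB to multiple PB over a few years) but stop short of showing how to turn one into the other. The following capacity model is an added example written for this article; it is not Daymark's or Gartner's sizing method. It assumes a constructed profile (average event size, index overhead, per-tier retention, compression ratios, replica count and an annual growth rate), all labelled in the code, and uses decimal terabytes (10^12 bytes) as storage vendors typically quote them. The `years_until_full` function answers the question the post closes with: how long an existing capacity will hold up at a given growth rate.

```python
"""SIEM storage sizing model (added example; all input values are assumptions)."""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
BYTES_PER_TB = 10 ** 12          # decimal TB, as storage vendors quote capacity


@dataclass(frozen=True)
class SiemProfile:
    """Assumed ingest and retention characteristics of one SIEM deployment."""
    events_per_second: float
    avg_event_bytes: int         # assumed raw size of one normalized event
    index_overhead: float        # fraction added by indexes/metadata (0.5 = +50%)
    hot_days: int                # fast tier, searched constantly
    warm_days: int               # slower tier, searched occasionally
    cold_days: int               # archive tier, kept for compliance
    hot_compression: float       # raw-to-stored ratio per tier; 1.0 = none
    warm_compression: float
    cold_compression: float
    replicas: int                # copies kept for availability


def daily_ingest_bytes(p: SiemProfile) -> float:
    """Raw bytes written per day, including index overhead."""
    return p.events_per_second * SECONDS_PER_DAY * p.avg_event_bytes * (1 + p.index_overhead)


def tier_capacity_tb(p: SiemProfile) -> dict:
    """Stored capacity per tier: daily ingest x retention / compression x replicas."""
    daily = daily_ingest_bytes(p)
    tiers = {
        "hot": (p.hot_days, p.hot_compression),
        "warm": (p.warm_days, p.warm_compression),
        "cold": (p.cold_days, p.cold_compression),
    }
    return {
        name: daily * days / ratio * p.replicas / BYTES_PER_TB
        for name, (days, ratio) in tiers.items()
    }


def total_capacity_tb(p: SiemProfile) -> float:
    return sum(tier_capacity_tb(p).values())


def project_growth(p: SiemProfile, years: int, annual_growth: float) -> list:
    """Steady-state capacity at the end of each year if EPS compounds at annual_growth.

    With fixed retention, stored capacity scales linearly with event rate, so the
    projection is the current total scaled by (1 + growth) ** year.
    """
    base = total_capacity_tb(p)
    return [base * (1 + annual_growth) ** year for year in range(years + 1)]


def years_until_full(p: SiemProfile, capacity_tb: float, annual_growth: float, horizon: int = 20) -> int:
    """First year in which projected capacity exceeds what is installed; -1 if never within horizon."""
    for year, needed in enumerate(project_growth(p, horizon, annual_growth)):
        if needed > capacity_tb:
            return year
    return -1


# Constructed profile: the 25,000 EPS figure from the post with assumed sizes and retention.
EXAMPLE = SiemProfile(
    events_per_second=25_000,
    avg_event_bytes=500,
    index_overhead=0.5,
    hot_days=30, warm_days=90, cold_days=365,
    hot_compression=1.0, warm_compression=2.0, cold_compression=5.0,
    replicas=2,
)

if __name__ == "__main__":
    print(f"daily ingest: {daily_ingest_bytes(EXAMPLE) / BYTES_PER_TB:.2f} TB/day")
    for tier, tb in tier_capacity_tb(EXAMPLE).items():
        print(f"{tier:>5}: {tb:8.1f} TB")
    print(f"total: {total_capacity_tb(EXAMPLE):.1f} TB")
    print("3-year projection at 50% growth:",
          [round(tb) for tb in project_growth(EXAMPLE, 3, 0.5)])
    print("years until 2,000 TB is exceeded:", years_until_full(EXAMPLE, 2_000, 0.5))
```

Two design points worth noting. Index overhead is modelled as a fraction of raw event size rather than a fixed number, because it differs sharply between SIEM back ends and is the value most often left out of first-pass estimates. Retention and compression are per tier so the hot tier, which drives the IOPS requirement the post mentions, can be sized separately from the archive that dominates raw capacity.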

SIEM-generated data is a fact of life, helping organizations monitor and simplify the task of security management. Need help determining the appropriate storage for your SIEM solution? Daymark consultants have architected hundreds of storage infrastructures, ensuring our customers' data is consistently available at high performance without compromising on security, reliability or cost.

Contact us if you’re unsure you can support the volume of data your SIEM solution is generating.