Elastic (formerly ELK) Stack v. SIEM: Which is the Right Choice for Your MSSP

When you have to respond quickly to organizational or compliance directives from clients, on top of the cyber security threats and risks that your own organization faces every day, it can be difficult to gauge how effectively you are doing so.

When configured correctly, both security information and event management (SIEM) solutions and the open source Elastic stack can give you the information you need to assess the threats facing your organization and develop a strong response. But would one of the two solutions work better for your organization?

SIEM vs. Elastic in Time and Cost

The main advantage of Elastic is that it takes less time to deploy than a standard SIEM solution. In most cases, the deployment time for a SIEM is somewhere between 14 and 18 months.

Aside from time, cost is also worth considering: because Elastic is open source technology, it often requires a smaller up-front investment to set up. With a typical SIEM costing $1.2 million on average, many small and mid-size organizations are turning to the Elastic stack as the more cost-effective option.

The Advantages of SIEM

The great advantage of a SIEM solution is that it is purpose-built to look quickly across all your security data, detect incidents you would otherwise miss, and streamline incident response. Once you have completed the lengthy setup process, the technology can monitor the most important threats facing your organization and give you the data you need to track and respond to them.

However, there is a risk of overwhelming the technology with a large number of rules and oversight requirements, which can degrade the performance of the SIEM system. The time needed to manage these rules can also weigh heavily on a managed security team.

SIEM systems also come with a host of pre-built analytics intended to generate threat detections quickly. The danger here is that these generic correlations are prone to false positives until they are tuned properly.
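To make the tuning point concrete, the following is an added example (not code from the original article, and not any vendor's rule content) that runs a generic "repeated failed logins" correlation and a tuned version of it over a small set of constructed authentication events. The log format, account names, IP addresses, thresholds and the known-benign account list are all assumptions made for the illustration.

```python
"""Generic vs. tuned correlation rule over constructed login events.

Added example for illustration only; not the page's own or any SIEM
vendor's rule logic. All log lines, accounts and addresses are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "timestamp user src_ip outcome".
# svc-monitor: a misconfigured service account that fails constantly (known, ticketed)
# alice:       three typos followed by a successful login
# bob:         seven failures in one minute (the case worth an alert)
# carol:       three failures spread over an hour
SAMPLE_LOG = """\
2024-01-10T09:00:01 svc-monitor 10.0.0.5 FAIL
2024-01-10T09:00:31 svc-monitor 10.0.0.5 FAIL
2024-01-10T09:01:01 svc-monitor 10.0.0.5 FAIL
2024-01-10T09:01:31 svc-monitor 10.0.0.5 FAIL
2024-01-10T09:05:00 alice 10.0.1.20 FAIL
2024-01-10T09:05:20 alice 10.0.1.20 FAIL
2024-01-10T09:05:40 alice 10.0.1.20 FAIL
2024-01-10T09:06:00 alice 10.0.1.20 SUCCESS
2024-01-10T10:00:00 bob 10.0.1.30 FAIL
2024-01-10T10:00:10 bob 10.0.1.30 FAIL
2024-01-10T10:00:20 bob 10.0.1.30 FAIL
2024-01-10T10:00:30 bob 10.0.1.30 FAIL
2024-01-10T10:00:40 bob 10.0.1.30 FAIL
2024-01-10T10:00:50 bob 10.0.1.30 FAIL
2024-01-10T10:01:00 bob 10.0.1.30 FAIL
2024-01-10T11:00:00 carol 10.0.1.40 FAIL
2024-01-10T11:30:00 carol 10.0.1.40 FAIL
2024-01-10T11:59:00 carol 10.0.1.40 FAIL
"""


def parse_log(text):
    """Parse the constructed 'timestamp user src_ip outcome' lines into
    dicts, sorted by timestamp so windowed rules can stream through them."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src_ip": src_ip, "outcome": outcome})
    return sorted(events, key=lambda e: e["ts"])


def generic_rule(events, threshold=3):
    """Out-of-the-box style correlation: alert on any account with at least
    `threshold` failed logins, with no time window and no exclusions.
    Returns the set of accounts that would raise an alert."""
    failures = defaultdict(int)
    for e in events:
        if e["outcome"] == "FAIL":
            failures[e["user"]] += 1
    return {user for user, count in failures.items() if count >= threshold}


def tuned_rule(events, threshold=5, window=timedelta(minutes=5),
               known_benign=frozenset({"svc-monitor"})):
    """Tuned correlation: a sliding time window, a higher threshold, and an
    exclusion list for accounts whose noise has already been triaged.
    Returns the set of accounts that would raise an alert."""
    recent = defaultdict(deque)  # per-account failure timestamps inside the window
    alerted = set()
    for e in events:
        if e["outcome"] != "FAIL" or e["user"] in known_benign:
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            alerted.add(e["user"])
    return alerted


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("generic rule alerts:", sorted(generic_rule(evts)))  # four accounts
    print("tuned rule alerts:  ", sorted(tuned_rule(evts)))    # only bob
```

The generic rule fires on all four accounts, three of which an analyst would close as noise; the tuned rule fires only on the burst from bob. The trade-off is that the tighter window also silences carol's slow trickle of failures, so threshold and window choices should be revisited against what the team is actually willing to miss, not just against the false-positive count.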

The Advantages of Elastic

Knowing how your system works is just as important as having the right tools. The search capabilities of the Elastic stack offer great flexibility, allowing you to analyze data for your clients from a range of security tools in a central location. As you explore Elastic, you will need to spend time crafting a dashboard for your clients, establishing the metrics you want to use, and ensuring a smooth flow of data from your sensors through to your results dashboard.

This process should leave you with a good understanding of how your security system works to protect your clients' organizations against cyber security threats. The danger with Elastic is that it is mostly up to you to define the security model correctly and to understand your sensors. Getting started therefore requires a deeper understanding of security architecture.

More than Just a SIEM

More than just a SIEM, Elastic can be a valuable tool for your entire Security Operations, Analytics and Reporting workflow.

The challenges that MSSPs face can often be condensed into two critical questions: how can we grapple with the security data that we generate for our clients, and how can our tools rapidly adapt to changing business needs?

In search of answers to these questions, more and more MSSPs are turning to data intelligence solutions, which include tools for data analytics and visualization.

Final Thought

For most mid-size organizations, the significant setup, maintenance and licensing costs of commercial SIEM solutions are difficult to bear, leading them to seek the expertise of MSSPs. To avoid those same costs, MSSPs that have the resources available can often benefit from using the Elastic stack, while enjoying the significant benefits of flexibility and quick turnaround on results.

When you choose to use the Elastic stack, setting up and learning the technology is an initial investment that should swiftly pay dividends as you roll the solution out to multiple clients.