IT and cybersecurity budgets are not growing. With economic turmoil on the horizon, enterprise IT and security teams are striving to squeeze efficiency out of security operations. This blog highlights areas to gain greater efficiency in your cloud security operations.

Building an Efficient Foundation

Cloud infrastructure service costs are a rapidly growing part of the budget (see the chart below). In the same way that a solid house needs to be constructed on a strong foundation, efficient cloud security operations need to be built on a solid strategy. Building things right optimizes security operations while avoiding inadvertently draining your budget. Establishing the right strategy can control costs while also providing flexibility to adapt as your business changes. You don’t want a rigid architecture that cannot adapt as the business evolves.


Cloud security costs are complex. Simple answers are hard to come by, but our internal SOC experts have pointed out some key areas you can scrutinize to control costs while maintaining an efficient security posture.

Ways to Save on Cloud Costs

Practically every enterprise operates in one or more infrastructure-as-a-service (IaaS) clouds. The major cloud service providers like AWS, Microsoft Azure, and Google Cloud Platform have huge portfolios of services and a variety of ways of charging for them. Navigating that complexity to arrive at the most efficient approach takes effort, and there is no one-size-fits-all. Below are some of the key focus areas to scrutinize when trying to optimize your cloud security operations costs:

Data Ingress and Egress Charges

Cloud providers charge for data going into (ingress) and leaving (egress) their cloud environments, much to the chagrin of many cloud users. Enterprises with centralized SIEMs may frequently pipe log telemetry from one cloud provider to another or from one cloud provider to an on-premises SIEM. This runs up a bill given the volumes of raw log data being shipped. You can never eliminate these charges, but you can look for ways to reduce them. Here are a few scenarios common among ReliaQuest customers:

  • Using the data where it naturally resides, rather than shipping it to a centralized SIEM. Investigations in GreyMatter can gather just what you need from where it naturally lives. This data stitching approach avoids the ingress/egress costs of transporting all of your security telemetry to a second location.
  • Maintaining an existing SIEM technology while using Microsoft Sentinel for the Microsoft telemetry coming from Defender for Endpoint or Defender for Identity.
  • Utilizing AWS GuardDuty instead of shipping CloudTrail logs to a SIEM for threat detection. A downside of this approach lies in the limited signature set in GuardDuty and the inability to create custom signatures/rules.

Cloud Log Storage

Cloud log storage is frequently an overlooked area for optimization. Logs are often generated in a native cloud service and then sent to the SIEM. For example, AWS CloudTrail logs are often sent to an S3 bucket and then sent onward to a SIEM, effectively incurring double the storage costs. One way to reduce costs is to enable a lifecycle policy on the S3 bucket that deletes the logs or moves them to a lower-cost storage class.
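As an added illustration (not ReliaQuest code), the sketch below builds such a lifecycle configuration for a CloudTrail bucket and refuses any schedule that would delete logs inside the retention window. The 365-day retention floor, the rule ID, and the day counts are assumptions; set them from your own policy.

```python
import json

MIN_RETENTION_DAYS = 365  # assumed retention requirement, set from your own policy


def cloudtrail_lifecycle(prefix, ia_days, glacier_days, expire_days,
                         min_retention_days=MIN_RETENTION_DAYS):
    """Build a lifecycle configuration for the CloudTrail prefix of a bucket.

    The returned dict has the shape S3 accepts for a bucket lifecycle
    configuration (Rules / Filter / Transitions / Expiration).
    """
    if ia_days < 30:
        raise ValueError("objects must spend 30 days in Standard before STANDARD_IA")
    if glacier_days < ia_days + 30:
        raise ValueError("GLACIER transition must follow STANDARD_IA by 30+ days")
    if expire_days <= glacier_days:
        raise ValueError("expiration must come after the last transition")
    if expire_days < min_retention_days:
        raise ValueError("expiration would delete logs inside the retention window")
    return {"Rules": [{
        "ID": "cloudtrail-log-tiering",  # hypothetical rule name
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [
            {"Days": ia_days, "StorageClass": "STANDARD_IA"},
            {"Days": glacier_days, "StorageClass": "GLACIER"},
        ],
        "Expiration": {"Days": expire_days},
    }]}


def storage_class_on_day(config, age_days):
    """Storage class of a log object of the given age, or 'EXPIRED' once deleted."""
    rule = config["Rules"][0]
    if age_days >= rule["Expiration"]["Days"]:
        return "EXPIRED"
    current = "STANDARD"
    for step in sorted(rule["Transitions"], key=lambda s: s["Days"]):
        if age_days >= step["Days"]:
            current = step["StorageClass"]
    return current


if __name__ == "__main__":
    # "AWSLogs/" is the prefix CloudTrail writes under; the day counts are examples.
    config = cloudtrail_lifecycle("AWSLogs/", 30, 90, 400)
    print(json.dumps(config, indent=2))  # save and apply to the bucket
    for age in (7, 45, 120, 400):
        print(age, storage_class_on_day(config, age))
```

Logs that have moved to GLACIER must be restored before they can be read, so keep that transition beyond the lookback period your investigations normally need.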

SIEM Licensing Optimization

SIEMs are beautiful technology for correlating security events, but you can run up a bill if you don’t configure things properly. There is a wealth of log data that you could potentially ingest into your SIEM, but figuring out what is important and what is irrelevant is an important problem to solve.

Data filtering is one area where customers find cost savings. If you filter out irrelevant data, you can ensure you are ingesting the right telemetry into your SIEM. Another way we see customers optimizing their SIEM licensing costs is by taking advantage of opportunities like Microsoft E5 licensing. Enterprises frequently maintain their existing SIEM infrastructure but use the Microsoft Sentinel SIEM provided as part of an E5 license for their Microsoft telemetry. To no one’s surprise, the Microsoft SIEM plays particularly well with other Microsoft products. While you need to be careful to make the right log filtering and ingestion decisions, this “multi-SIEM” approach with Microsoft Sentinel for Microsoft telemetry can frequently provide the desired visibility and risk management at an optimal cost.

It is worth noting that this sort of multi-SIEM approach is not something that every security operations or MDR provider can accommodate. If you have a provider that requires centralized log collection, you may not have much flexibility in controlling SIEM costs with a multi-SIEM approach. In contrast, ReliaQuest GreyMatter is designed to integrate with multiple SIEMs and clouds to facilitate a multi-SIEM approach.
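To make the data filtering point above concrete, here is an added example (not ReliaQuest or GreyMatter code) that applies a drop rule to CloudTrail records before they are forwarded and reports, per event source, how many bytes are kept and dropped. The drop policy and the sample records are constructed for illustration; failed calls, root activity, and all change events are always forwarded.

```python
import json
from collections import defaultdict

# Hypothetical drop policy: sources whose successful read-only calls are not forwarded.
DROP_READONLY_SOURCES = {"s3.amazonaws.com", "kms.amazonaws.com"}

# Constructed sample records (field names follow the CloudTrail record format).
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "readOnly": True,
     "userIdentity": {"type": "AssumedRole"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "readOnly": True,
     "userIdentity": {"type": "AssumedRole"}, "errorCode": "AccessDenied"},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "readOnly": True,
     "userIdentity": {"type": "AssumedRole"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "readOnly": False,
     "userIdentity": {"type": "IAMUser"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"type": "AssumedRole"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "readOnly": True,
     "userIdentity": {"type": "Root"}},
]


def keep_event(event):
    """True if the record is still forwarded to the SIEM under the drop policy."""
    if event.get("errorCode"):                               # failed calls always kept
        return True
    if event.get("userIdentity", {}).get("type") == "Root":  # root activity always kept
        return True
    if not event.get("readOnly", False):                     # every change is kept
        return True
    return event.get("eventSource") not in DROP_READONLY_SOURCES


def filter_report(events):
    """Return (kept_events, {source: {"kept": bytes, "dropped": bytes}})."""
    report = defaultdict(lambda: {"kept": 0, "dropped": 0})
    kept = []
    for event in events:
        size = len(json.dumps(event, separators=(",", ":")))
        forward = keep_event(event)
        report[event["eventSource"]]["kept" if forward else "dropped"] += size
        if forward:
            kept.append(event)
    return kept, dict(report)


if __name__ == "__main__":
    kept, report = filter_report(SAMPLE_EVENTS)
    print(f"forwarded {len(kept)} of {len(SAMPLE_EVENTS)} records")
    for source, sizes in sorted(report.items()):
        print(source, sizes)
```

The dropped bytes per source are the visibility being traded for cost: any detection that depends on those read-only calls will no longer see them in the SIEM, so review the report with the detection owners before enabling a rule.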

Data Transformation

Transporting log telemetry across cloud platforms typically incurs data ingress/egress charges (see above), and it also may require data transformation. That transformation ensures that the data is usable inside the SIEM, but it comes with a cost. That cost can be direct (software licensing) or indirect (the time and effort of your team to construct the solution). If you can architect your solution to avoid having to move data, you can frequently avoid data transformation and the cost associated with it. Microsoft environments are a prime example of this; Microsoft Sentinel, the Microsoft SIEM, is designed to easily ingest data from other Microsoft tools. It is “point and click,” saving your team from spending significant resources constructing a data pipeline.

Cloud Security Telemetry and Visibility-Cost Tradeoffs

Moving infrastructure to the cloud generates a larger volume of security telemetry, and data in the cloud costs money. This dynamic results in a tension between visibility and cost. While you can build efficiency into your cloud infrastructure to handle the increased telemetry volume, you may uncover gaps in visibility along the way. IT teams may not communicate actively with the security team, and the security team may discover unmonitored applications or infrastructure. Security leaders want the maximum possible visibility to potential threats, but visibility can have a cost when it comes to ingesting log telemetry. You may discover as you evaluate your environment that you have blind spots and need more log collection to gain visibility and manage your risk. At ReliaQuest, our SOC regularly locates gaps in cloud infrastructure visibility and works with customers to fill those gaps. That can require ingesting more log data, and that comes at a cost that needs to be weighed.

Tuning, Tuning, Tuning

Choosing the right cloud infrastructure and tuning that infrastructure ensures that you are using your budget wisely. It’s important that you make the right design choices and then continuously tune the environment.

For example, if you are deploying a SIEM in an infrastructure-as-a-service (IaaS) provider, you want to choose the right instance type to deliver performance while conserving IaaS costs. This is the sort of decision that the ReliaQuest SOC helps customers make, and the ReliaQuest team can then tune the environment to optimize log ingestion to control SIEM costs.

Taking Your Security Operations to the Next Level

This blog highlights some areas where you can improve your cloud security operations efficiency. As you look for ways to gain greater efficiency from your security operations program, give us a shout. We know a few things about cloud security and efficiency because we’ve seen a few things. ReliaQuest helps make security possible by enabling security operations across clouds, endpoints, and on-premises assets. Through our GreyMatter security operations platform, we help customers detect, investigate, and respond to threats in the cloud and improve their security operations programs. Our security operations experts can help you to extract the maximum value from your existing security investments and provide the flexibility to make certain you effectively manage risk with maximum efficiency.