With IT budgets declining for the first time in many years as a result of the pandemic, business leaders and IT decision-makers alike may be looking for places to consolidate, trim fat and even cut corners.
And, while security is the last place we would recommend cutting budget, if you are looking for efficiencies, you may have the opportunity to sunset certain technologies or consolidate several detection technologies into one, especially if you consider those solutions that managed detection and response (MDR) effectively replaces.
1. Vulnerability Scanner
Vulnerability scanning tools detect weaknesses across networks, assess threats, and manage security on managed apps and devices. They help you understand and evaluate your tolerance for vulnerabilities. Knowing which vulnerabilities and how many are in your environment remains a pivotal part of your security strategy. Think about the hasty rollout of technology in work-from-home setups during the pandemic. Are you sure everyone is patching and updating properly? Don’t you want to know? How would you even know?
So why are we suggesting that you can sunset your vulnerability scanner? Because vulnerability scanners are largely commoditized and bundled in with a number of services, including ActZero’s MDR. So while vulnerability scanning remains hugely important (most breaches exploit vulnerabilities within your environment), you can replace the scanner by rolling it into an existing service, or by taking advantage of a vulnerability scanner you already have access to via another service. Our MDR service is one of few where vulnerability scanning is included with the service.
The important thing is that you won’t have to (and don’t want to!) give up the outcome it yields. And with the average cost of vulnerability scanners standing at about $6k (with some around $2,500 and others around $10,000), that can mean real savings for your IT budget.
2. IPS/IDS/nIPS
Intrusion prevention systems (IPS) are so often coupled with intrusion detection systems (IDS) and network-based intrusion prevention systems (nIPS) that you’ll usually see their titles run together, as we’ve done above.
In essence, you can’t have an IPS without an IDS, since an IDS monitors networks for active or imminent security threats, while an IPS aims to stop such violations from happening altogether.
You may notice some overlap between an IPS and MDR services, and you’d be right. Both aim to identify threats and block them.
However, IPS/IDS/nIPS services all share common drawbacks (and share them with SIEM solutions, which we’ll talk about in a minute), including alert fatigue, configurations leading to false positives, and generalized systems interruptions.
On the other hand, MDR, as a managed solution, leaves it in the hands of our threat hunters to determine whether something is worth their investigation (with their assessments augmented by AI to do so at machine speed).
Again, rolling IPS/IDS/nIPS-type services into a comprehensive MDR solution could be a big assist to your budget. The average IPS/IDS/nIPS service will run you anywhere from $10k to $25k depending on the provider. When we start talking about total cost of ownership (TCO), it can be considerably higher. Implementation and configuration can run another $5k. Ongoing management of a tool like this, including reviewing logs and creating rules, adds further to your costs.
3. SIEM
Okay, just so we’re clear: some businesses will need SIEM for compliance and reporting reasons. If you’re one of them, sunsetting your SIEM won’t be an option. For the rest of you, read on.
Security Information and Event Management (SIEM) software aggregates log data from across an organization’s IT infrastructure. It identifies, categorizes, and analyzes security incidents and events to report on possible malicious activities, sending alerts if predetermined rules indicate a potential security issue. SIEMs are inherently reactive, an ‘after the fact’ type of monitoring, because they require the data to be analyzed and correlated to outcomes. MDR, on the other hand, is proactive and can contain and disrupt threats in real time.
But with a SIEM, the big question is whether this solution justifies its cost. You have to factor in both analyst hours (alert fatigue) and what is usually a pay-by-the-data-submitted cost structure. Costs can rack up quickly. This is especially the case if you have a managed SIEM via an MSSP, which casts a wide net (and thus lots of data) trawling for threats that analysts then have to investigate. Typical packages start at $3k per month for SMBs.
4. Log Management Solution
This is the solution that SIEM grew out of, so it has some similar functionality.
The challenge here is who is reviewing these logs? What’s their purpose within your organization? Are you only storing them for compliance purposes? If these logs trigger an alert (or thousands of them per day), is your team ready and able to react and address issues? Is having these logs worth the cost? Log management tends to cost about the same as a SIEM, typically starting at $3k per month.
ActZero MDR leverages logs for our investigations, correlating them with security indicators of compromise. With our service, you get to specify, on your own virtual machine (VM), how much storage is allocated and how long logs are stored. If having the logs is important to your business, you can retain/retrieve copies from your VM.
5. EDR
Endpoint detection and response (EDR) solutions monitor end-user hardware devices for suspicious activities and behavior, automatically blocking potential threats (when tuned correctly, and depending on the ‘freedom’ you impart them with) and logging data for further investigation. Even well-defended networks are only as secure as their weakest point—often an end-user—and are just ‘one stolen credential away’ from a breach.
Even if you have EDR, you may find that your IT team has difficulty leveraging its full potential (especially if you haven’t invested in a 24/7 squad/coverage model to make it genuinely effective). Is that worth the cost, which averages $4 per endpoint, per month?
While not all MDR services include EDR, ours does. So ActZero MDR is a good all-in-one solution, for one low monthly price.
When you’re considering sunsetting a piece of technology, remember that while you often want the results it provides, you likely can’t afford the cost of all of them. You also have to ask whether you’re maximizing the service and getting the most value from it. And keep in mind that these technologies have other problems and costs to factor in beyond just their TCO.
ActZero MDR allows you to consolidate most of these security functions under a single service, for a single low monthly fee. Beyond the outcome of consolidated technology and tools, which reduce clutter, cut costs, and integrate elegantly, ActZero also manages and operates the technology platform, removing the need for you to invest in people and processes to operate it. Unlike an MSSP, we don’t have you buy expensive technology and amortize it over time; our SOC comes included.
Of course (because money is no object, right?) you could always bring everything in-house and build your own SOC. Check out our examination of the business case for MDR vs. building your own SOC here. Go ahead—we’ll wait. Still considering it? Have a look at what makes building a SOC a lengthy, complex, and expensive path.
But if your budget is finite and you still need comprehensive security at an IT budget-friendly price, ActZero can help. Get in touch today to discuss options, or schedule a demo.