Beyond Default SIEM: Why Custom Data Ingestion Matters

Apr 9, 2025 6:00:00 AM | Digital Hands

Part 2 of our 3-part series on ensuring SIEM effectiveness

Your Security Information and Event Management (SIEM) system is only as effective as the data feeding into it. While many organizations invest heavily in SIEM technology, they often overlook a crucial element: creating a strategic approach to data ingestion.

At Digital Hands, our security experts consistently see organizations struggling with poorly implemented SIEMs that cost too much while delivering too little security value. As Jonathan Ferrigno, our Director of Cyber Response, explains in the following video, the quality of your SIEM implementation directly impacts the effectiveness of your entire security program.

Missed part 1 of our series? Check out The Hidden Costs of Poor SIEM Service: 3 Issues to Eliminate Now.

The garbage in, garbage out problem

When it comes to SIEM data, more isn't always better. In fact, ingesting too much of the wrong data creates a dangerous cascade of security failures.


"For lack of a better term, garbage in, garbage out," explains Ferrigno. "If you are solely reliant on the default configurations, default log source integrations, the default tuning of the default rules within a SIEM, your response cannot possibly be high quality and high fidelity."

This problem creates three critical issues that compromise security effectiveness:

#1: Indiscriminate data collection drives up costs without adding value

Many organizations take a "collect everything" approach to SIEM data, driven by fear of missing something important. This mindset results in:

  • Skyrocketing cloud SIEM costs, as providers charge based on ingested data volume
  • Processing speed issues as systems churn through irrelevant information
  • IT budgets dominated by storage rather than active security measures

The reality? Not all data belongs in your SIEM. Logs that provide little security value should be offloaded to more cost-effective storage solutions for compliance purposes, while your SIEM should focus on high-value security data.

#2: Alert fatigue from poorly tuned detections

When your SIEM processes everything without proper tuning and filtering, security analysts drown in alerts, most of which are false positives or low-priority events.

This problem stems from the common-denominator approach that most SIEM providers take with their default configurations.

As Ferrigno explains:

"All vendors have their own rule libraries. They are developed for the lowest common denominator in that every single customer that buys that SIEM is going to get the exact same value out of these rules. In a perfect world, that'd be great. But the truth of the matter is... customers vary wildly, even if they have the same log sources."

Without tuning these generic rules to your specific environment, your SIEM will generate excessive alerts that overwhelm your team. Security analysts waste precious time investigating meaningless alerts while potentially missing critical threats - creating the perfect environment for alert fatigue to take root.

#3: Inadequate context for effective response

The true goal of a SIEM isn't just detection. It's enabling swift, effective responses. Poor data ingestion strategies leave security teams with insufficient context to understand and respond to threats when they matter most.

When investigating a potential security incident, your team needs more than just an alert. They need enriched context from properly correlated log sources that tell the complete story of what's happening.

According to Ferrigno, many organizations discover this gap when it's too late:

"If you question the quality of your detection, say with a partner that you have today, absolutely question the response you're getting from your analysts. Absolutely question the automations that are being taken upon your behalf."

Building a smarter SIEM data strategy

A strategic approach to SIEM data ingestion balances security visibility with cost efficiency. Here's how to get started:

1. Prioritize high-value security logs

Focus your SIEM on data sources that directly contribute to threat detection and response:

  • Firewall logs that identify unauthorized access and exfiltration attempts
  • EDR logs essential for detecting lateral movement
  • Authentication logs from AD, SSO and MFA systems
  • DNS logs crucial for detecting command-and-control traffic
  • Cloud security logs to monitor your SaaS, IaaS, and PaaS environments

2. Offload low-value logs to alternative storage

Not everything needs real-time analysis. Consider this approach:

  • Reserve your SIEM for high-priority, real-time detections
  • Utilize cold storage solutions (S3, Azure Blob, etc.) for compliance logs
  • Implement log forwarding for operational data that doesn't require security analysis

3. Implement continuous review and tuning

As threats evolve, your SIEM ingestion strategy must adapt accordingly. Regularly ask yourself:

  • When was the last time your SIEM provider conducted a log source review?
  • Are you regularly tuning out logs that contribute to noise and alert fatigue?
  • Does your approach adjust based on emerging threats and changing business needs?
  • Do you have visibility into how ingestion affects your SIEM costs?
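The three steps above amount to a routing policy plus a feedback loop, and it helps to see them as code. The following Python example is added here and is not Digital Hands' or any vendor's code: it routes each event to the SIEM or to cold storage based on its source, tunes out one class of low-value firewall noise, reports volume per source (flagging sources the policy has never seen, so the review in step 3 has a concrete to-do list), and compares the cost of the tiered policy against sending everything to the SIEM. The source names, the noise rule, the sample events and the per-GB rates are all constructed assumptions, not figures from the article.

```python
"""Tiered SIEM ingestion routing.

Added example (not Digital Hands' code). High-value security sources go to
the SIEM, low-value and tuned-out events go to cold storage for compliance,
and a per-source volume and cost report keeps the effect of ingestion
visible for periodic review. Source names, the noise rule and the per-GB
rates are constructed assumptions, not figures from the article.
"""
import json
from collections import defaultdict

GB = 1024 ** 3

# High-value sources from the article's list (names are assumptions).
SIEM_SOURCES = {"firewall", "edr", "auth", "dns", "cloud_security"}
# Operational sources already known to belong in cold storage (assumed).
KNOWN_ARCHIVE_SOURCES = {"web_access", "perf_metrics"}

# Constructed per-GB ingestion rates used only for the what-if comparison.
SIEM_RATE_PER_GB = 2.50
ARCHIVE_RATE_PER_GB = 0.02


def is_tuned_out(event: dict) -> bool:
    """Noise rule (constructed): permitted internal-to-internal firewall
    traffic adds volume but rarely supports a detection, so it is archived
    instead of sent to the SIEM. Denies and perimeter-crossing flows still
    go to the SIEM."""
    return (
        event.get("source") == "firewall"
        and event.get("action") == "allow"
        and str(event.get("src_ip", "")).startswith("10.")
        and str(event.get("dst_ip", "")).startswith("10.")
    )


def route(event: dict) -> str:
    """Return the destination tier for one event: 'siem' or 'archive'.
    Nothing is dropped; low-value data is retained in cold storage."""
    if event.get("source") in SIEM_SOURCES and not is_tuned_out(event):
        return "siem"
    return "archive"


def summarize(events) -> dict:
    """Route every event and report counts and bytes per tier and per
    source, plus sources the policy has never classified (review items)."""
    tiers = {"siem": {"count": 0, "bytes": 0}, "archive": {"count": 0, "bytes": 0}}
    per_source = defaultdict(lambda: {"siem": 0, "archive": 0, "bytes": 0})
    unknown = set()
    for ev in events:
        tier = route(ev)
        size = len(json.dumps(ev, separators=(",", ":")).encode())
        src = ev.get("source", "<missing>")
        tiers[tier]["count"] += 1
        tiers[tier]["bytes"] += size
        per_source[src][tier] += 1
        per_source[src]["bytes"] += size
        if src not in SIEM_SOURCES and src not in KNOWN_ARCHIVE_SOURCES:
            unknown.add(src)
    return {"tiers": tiers, "per_source": dict(per_source),
            "unknown_sources": sorted(unknown)}


def estimate_cost(bytes_by_tier: dict) -> dict:
    """Cost of the tiered policy versus sending every byte to the SIEM,
    using the constructed rates above. Input is bytes per tier."""
    siem_gb = bytes_by_tier.get("siem", 0) / GB
    archive_gb = bytes_by_tier.get("archive", 0) / GB
    tiered = siem_gb * SIEM_RATE_PER_GB + archive_gb * ARCHIVE_RATE_PER_GB
    all_in_siem = (siem_gb + archive_gb) * SIEM_RATE_PER_GB
    return {"tiered": round(tiered, 2), "all_in_siem": round(all_in_siem, 2),
            "savings": round(all_in_siem - tiered, 2)}


# Constructed sample events standing in for one batch from a log forwarder.
SAMPLE_EVENTS = [
    {"source": "firewall", "action": "deny", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "dst_port": 22},
    {"source": "firewall", "action": "allow", "src_ip": "10.0.1.20", "dst_ip": "10.0.0.5", "dst_port": 443},
    {"source": "edr", "event": "process_create", "host": "ws-042", "image": "powershell.exe"},
    {"source": "auth", "system": "AD", "result": "failure", "user": "jdoe"},
    {"source": "dns", "query": "update.example.net", "qtype": "A"},
    {"source": "cloud_security", "provider": "aws", "event": "ConsoleLogin", "mfa": False},
    {"source": "web_access", "status": 200, "path": "/index.html"},
    {"source": "perf_metrics", "cpu": 0.42, "host": "web-01"},
    {"source": "printer", "status": "paper_low"},  # never classified: review item
]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EVENTS), indent=2))
    # Hypothetical monthly volume: 10 GB of high-value data, 100 GB of the rest.
    print(estimate_cost({"siem": 10 * GB, "archive": 100 * GB}))
```

Running it routes the firewall deny, EDR, authentication, DNS and cloud events to the SIEM, archives the permitted internal firewall flow and the operational sources, and lists `printer` as a source nobody has made a decision about yet. The cost view is the point of step 3's last question: with the constructed rates, 110 GB all in the SIEM costs 275.00 while the tiered split costs 27.00, and re-running the report after each tuning change shows whether the split is still right.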

Is your SIEM partner helping or hindering?

The quality of your SIEM implementation directly impacts your security posture. If your provider set up a generic solution without customization to your specific environment, you're likely paying too much for too little protection.

As Ferrigno emphasizes, "Look to the level of effort and thoughtfulness that your partner has approached your security program and your SIEM. If it's a generic approach and you go to them and they say, 'This isn't how it works,' you're going to get this and that's that. If they're not willing to adapt and come to you and meet you where you're at, then it's probably time to get a better partner."

The right SIEM partner will help you build a data ingestion strategy that:

  • Is tailored to your unique environment and security needs
  • Balances cost-efficiency with comprehensive threat detection
  • Evolves with your changing threat landscape
  • Provides the right context for swift, effective response

Bottom line: If your SIEM provider hasn't helped you refine ingestion based on security priorities and cost-efficiency, you're likely overpaying without getting real protection.

Ready to optimize your SIEM strategy?

Unsure if your current SIEM implementation is delivering the right balance of cost and protection? Our security experts can help.

Schedule a Free SIEM Consultation →

In just 15 minutes, one of our SIEM experts will discuss your current setup, identify potential optimization opportunities, and answer your questions about creating a more effective data ingestion strategy.

No obligation, no sales pitch. Just straightforward expert guidance to help you get the most from your security investments.
