Is It Time to Put Your SIEM on a Diet?

Our SIEMs have developed quite the appetite over the years.

What were formerly lean, mean systems consuming all logs and metrics in their path have, in numerous instances, become bloated, sluggish behemoths. Like a once-svelte cat gradually climbing the “chonk chart,” SIEMs nowadays are gorging themselves at an all-you-can-eat buffet of observability, telemetry, and security data, whether they actually require it all or not.

The result? Bloated budgets, lagging performance, and lower ROI.

Perhaps it’s time to rethink what we’re feeding our SIEMs and how much. That doesn’t mean starving your tools of the information they need. It means taking a smarter, tiered approach to data management that balances real-time needs with the cost considerations of longer-term storage.

Data Gluttony Isn’t Sustainable

The contemporary approach to SIEM data ingestion often boils down to this: shove it all in and sort it out later. It sounds great, until you receive the bill. In reality, not all data is created equal. Some of it is protein-rich: high-value, time-sensitive logs that are critical for real-time detection and response. Much of it is digital filler, low-calorie content that is rarely, if ever, needed in a hurry.

Despite that, most organizations forward all their “just-in-case” data to the SIEM so it can be searched there. That works, but it is terribly inefficient for the SIEM’s primary job, which is security detection. The inefficiency shows up in all the usual complaints: high costs, slow searches, poor scalability, and agonizing ingest bottlenecks. The problem may not be the SIEM itself. It may simply be overfed and under-optimized.

Enter: Data Tiering

If your storage approach remains “keep everything, just in case,” it’s time to upgrade. Data tiering is the process of matching where and how data is stored to its value, relevance, and frequency of use.

Let’s take it apart:

Top Tier: This is the high-value, high-access information your SIEM really lives for—security event logs, IAM activity, endpoint information, and other telemetry that requires real-time visibility. It should reside in fast, searchable storage to facilitate quick detection and investigation. If it’s normalized for your SIEM and you’ve got a detection rule for it, then that data fits here.

Middle Tier: This is where you put the data you still need available, such as historical logs for trend reporting or incident post-mortems, but that doesn’t require split-second access. Consider it the leftovers that you want to refrigerate, not freeze. Put it in inexpensive formats with enough performance to allow delayed but eventual access.

Bottom Tier: This tier is for the compliance crowd. Seldom used but frequently kept, it consists of things like old audit logs or system configurations. Storage in this tier prioritizes retention and cost over performance.

Knowing What Goes Where

So how do you decide what information belongs in each tier? It all comes down to some simple but powerful factors:

Age: Newer data is usually the most valuable for detection. Older data is less so, but it may still be needed for compliance or for investigations that reach back in time.

Criticality: Production system logs usually matter more than those from a test environment.

Accessibility: How quickly do you need it? Who needs access?

Volume: More logs doesn’t always mean more value. In fact, the highest-volume sources are often the ones with the least value per event.

Environment State: During an active incident, everything might be relevant. Outside of one, maybe not.

The key is realizing that data value isn’t fixed. It changes based on context, and your architecture should be flexible enough to reflect that.
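To make that concrete, here is a small tier-routing policy written as an added example; it is not code from this article or from Cribl, and the source names, age windows, volume threshold and sample records are all assumptions made up for illustration. It applies the five factors above (age, criticality, accessibility, volume, environment state) to individual log records and returns a hot, warm or cold tier, with an incident-mode override that keeps everything hot while a breach is being worked.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Tier(str, Enum):
    HOT = "hot"    # top tier: fast, indexed, searched by detection rules in real time
    WARM = "warm"  # middle tier: cheaper storage, delayed but eventual access
    COLD = "cold"  # bottom tier: retention-first archive for compliance


@dataclass(frozen=True)
class LogRecord:
    source: str                     # hypothetical source names, e.g. "okta", "crowdstrike"
    environment: str                # "prod", "staging", "test"
    timestamp: datetime             # when the event occurred (timezone-aware)
    normalized: bool                # already mapped to the SIEM's event schema
    volume_gb_per_day: float = 1.0  # how noisy the source is (assumed figure)
    compliance_only: bool = False   # kept for audit/retention, never for detection


@dataclass(frozen=True)
class Policy:
    # Sources that have at least one live detection rule in the SIEM (assumed set).
    detection_sources: frozenset
    hot_max_age: timedelta = timedelta(days=30)
    noisy_hot_max_age: timedelta = timedelta(days=7)  # noisy sources age out of hot faster
    noisy_volume_gb: float = 50.0                     # threshold for "noisy" (assumed)
    warm_max_age: timedelta = timedelta(days=365)
    incident_mode: bool = False                       # environment state


def assign_tier(rec: LogRecord, policy: Policy, now: datetime) -> Tier:
    """Route one record to a storage tier using the age / criticality /
    accessibility / volume / environment-state factors."""
    # Environment state: during an active incident everything may be relevant,
    # so suspend demotion and keep all data hot and searchable.
    if policy.incident_mode:
        return Tier.HOT
    # Compliance-only data is retained, not detected on: straight to cold.
    if rec.compliance_only:
        return Tier.COLD
    age = now - rec.timestamp
    # Age: past the warm window the data is retention-only, whatever the source.
    if age > policy.warm_max_age:
        return Tier.COLD
    # Volume: noisy sources get a shorter hot window so they do not crowd out
    # the small, high-value streams.
    hot_window = policy.hot_max_age
    if rec.volume_gb_per_day >= policy.noisy_volume_gb:
        hot_window = policy.noisy_hot_max_age
    # Criticality + accessibility: recent, normalized, production telemetry that a
    # detection rule actually consumes is what the top tier is for.
    detectable = rec.normalized and rec.source in policy.detection_sources
    if age <= hot_window and detectable and rec.environment == "prod":
        return Tier.HOT
    # Everything else is still wanted for post-mortems and trend reporting.
    return Tier.WARM


def route_batch(records, policy: Policy, now: datetime) -> dict:
    """Group records by tier; returns {Tier: [LogRecord, ...]}."""
    routed = {tier: [] for tier in Tier}
    for rec in records:
        routed[assign_tier(rec, policy, now)].append(rec)
    return routed


def tier_counts(records, policy: Policy, now: datetime) -> dict:
    """Per-tier record counts keyed by tier name, e.g. {"hot": 3, ...}."""
    return {tier.value: len(recs) for tier, recs in route_batch(records, policy, now).items()}


# Constructed sample data (not from the article): a fixed "now" and a handful of
# records that exercise each factor.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
POLICY = Policy(detection_sources=frozenset({"okta", "crowdstrike"}))
SAMPLE_RECORDS = [
    LogRecord("okta", "prod", NOW - timedelta(hours=1), True),                # hot
    LogRecord("okta", "prod", NOW - timedelta(days=10), True),                # hot
    LogRecord("crowdstrike", "prod", NOW - timedelta(days=2), True, 120.0),   # hot (noisy but recent)
    LogRecord("crowdstrike", "prod", NOW - timedelta(days=20), True, 120.0),  # warm (noisy, past 7-day window)
    LogRecord("crowdstrike", "test", NOW - timedelta(days=1), True),          # warm (non-prod)
    LogRecord("nginx-access", "prod", NOW - timedelta(days=5), False, 30.0),  # warm (no rule, not normalized)
    LogRecord("pci-audit", "prod", NOW - timedelta(days=1), True, compliance_only=True),  # cold
    LogRecord("okta", "prod", NOW - timedelta(days=400), True),               # cold (past warm window)
]

if __name__ == "__main__":
    for tier, recs in route_batch(SAMPLE_RECORDS, POLICY, NOW).items():
        print(tier.value, [r.source for r in recs])
    print(tier_counts(SAMPLE_RECORDS, POLICY, NOW))
```

The one design choice worth calling out is that the incident-mode check runs before everything else: flipping that flag is the “in a breach, everything might be relevant” case, and it should promote data without anyone having to edit the age or volume rules under pressure. The noisy-source window is the volume factor in practice: a chatty source with a detection rule still lands in the hot tier, but it leaves sooner than a low-volume identity log does.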

Building a Leaner, Smarter SIEM Strategy

Modern environments demand agility. Compute and storage should scale independently. Analysts need to search across tiers without barriers. And the systems handling telemetry data, whether SIEMs, APMs, or observability tools, must function as part of a connected ecosystem, not isolated silos.

A tiered data strategy doesn’t just reduce costs. It improves performance where it matters, streamlines compliance, and helps your teams move faster with the right data at the right time.

So, is it time to put your SIEM on a diet? Not necessarily. But it might be time to stop letting it consume everything in sight.

Jack Coates, Senior Director of Product Management at Cribl.