MDR · 4 MIN READ · SCOUT SCHOLES · MAR 20, 2025 · TAGS: Partnership / Webinar
TL;DR
- Sarah Crone and Bret Steiman from Expel chatted with Sumo Logic CTO Seth Williams to discuss smarter solutions for storing security data
- They covered common data management pitfalls
- You can watch the full webinar here
When you think security data, logs are probably the first thing that comes to mind. They can quickly get out of control, because you can log almost anything. That problem gets worse when you realize you have to pay to store that ever-expanding data, too.
Recently, Expel Product Marketing Manager Sarah Crone sat down with Bret Steiman, Senior Enterprise Account Executive at Expel, and Seth Williams, Field CTO at Sumo Logic in our webinar, Security data done right: breaking free from bad storage habits. She led them through a candid discussion on security data changes, challenges, and strategies for addressing your specific needs.
Collecting, or rather hoarding, observability data
Across the industry, we’ve accepted that collecting everything is the best way to maintain compliance and find the answers we need. The mindset was more data equals more context, but the reality is more data is just more money unless you have the time and resources to parse through it and find what matters.
And on top of that, it’s not just a financial problem—information overload can burn out your analysts, too, which is just as big of a concern for security leaders. When asked about the implications of these pains on analysts, Bret said:
“Candidly, storage costs can bleed some security teams dry if they’re not being managed correctly. I’ve seen a lot of customers with bloated budgets, or teams spending more time than they’re interested in on low-value alerts. And then you consider the volume of logs in petabytes of on-prem data on top of that. You have to determine if you’re paying to store data for a reason, or if you’re just paying to store data for the luxury of having it.”
Seth chimed in, “So it’s more like drowning in data for data’s sake, right? We bring everything downstream, and if it’s bad coming in, it’s bad going downstream, too. What you’re ending up with is analysts who must sift through tremendous amounts of data. Alert fatigue is a big issue for analysts gathering insights from these large volumes of data.”
And they both agreed that the way out is data prioritization. Whether you do it yourself or find a partner who can help, you have to decide what matters and focus on the data that actually drives impact up and cost down.
The impact of constant market changes on your data storage strategy
After some back-and-forth, our experts agreed that there are three key considerations when you’re looking for a partner in a field rife with mergers and acquisitions:
- Analyze alternatives. This applies to alternative technologies, but also to alternative routes this partner might take in the future. Is this a piece of technology that’s going to be around and evolve with us? What’s its longevity? Seth summed it up nicely: “Keep providing features and functionality that are going to continue to help us be more efficient. But also, what are you doing as an organization?”
- Assess the company, not just the product. Mergers and acquisitions happen all the time, sometimes for good, and sometimes not so good. It’s a fact of the industry, so it’s critical you find a partner, not just another vendor.
- Look for flexibility in data democratization. Budgets aren’t limitless, and you can’t just “buy more shelves” to store more data. Not only should your partner help you prioritize data, but they should also be willing to include you in making your own decisions. While that sounds silly, it’s not always a reality. Some data collection methods are proprietary, or limit access, so be aware and choose your partner wisely.
Compliance ≠ high-fidelity security data
In the past, SIEMs were often treated as a catch-all for storing any data, whether it was for security or compliance purposes. Some industries do require you to store certain types of data for a certain amount of time. But that doesn’t mean it’s all relevant data. Seth clarified that relevant and security-relevant data are two different things, and that distinguishing between the two can save you SIEM storage costs.
He said, “Relevance to me is an attributable log file we can analyze for malicious activity. Sometimes we have to store other data that isn’t necessarily attributable because it’s in scope for a compliance framework, and in the yesteryears, the SIEM was the place you stored it. Nowadays, we have tools that give you the flexibility to choose what data is collected for compliance and if it goes to a low-cost storage option [like a data lake]. And if it’s security relevant, it goes to the SIEM.”
In doing this, you create an immutable source of truth within your SIEM that can be automated and alerted against for security needs, reducing your low-fidelity alerts and storage costs with one change.
Those lower-cost options like data lakes have gone from a cheaper way to store data and satisfy auditors to a Swiss Army knife of storage. The challenge is that the data isn’t filtered, but with the right tool you can still get value out of it when you need it: a data lake is a scalable store that is ready to deliver value if and when you need it. And if not? At a minimum, it’s reducing your data storage bill.
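To make the tiering Seth describes concrete, here is an added example (not from the webinar or from either vendor’s product) of a routing policy: attributable log sources go to the SIEM, compliance-only sources go to a data lake with longer retention, and a per-tier volume summary shows where the storage bill actually lands. The source names, retention periods and byte counts are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Tier(str, Enum):
    SIEM = "siem"       # hot, indexed, alertable: the source of truth for detection
    LAKE = "data_lake"  # low-cost storage for data kept only to satisfy compliance

@dataclass(frozen=True)
class Rule:
    tier: Tier
    retention_days: int
    attributable: bool  # can the record be tied to an actor or asset for analysis?

# Constructed policy keyed by log source (illustrative, not a vendor schema):
# attributable sources go to the SIEM, everything else to the lake.
POLICY = {
    "auth":       Rule(Tier.SIEM, 90, True),
    "edr":        Rule(Tier.SIEM, 90, True),
    "cloudtrail": Rule(Tier.SIEM, 90, True),
    "netflow":    Rule(Tier.LAKE, 365, False),
    "app_debug":  Rule(Tier.LAKE, 365, False),
}

def route(event: dict) -> Tier:
    """Decide where a single event is stored."""
    rule = POLICY.get(event.get("source"))
    if rule is None:
        return Tier.LAKE  # unknown source: retain cheaply, review before indexing
    # A lake-tier record flagged by an upstream detector is attributable after all.
    if event.get("security_relevant"):
        return Tier.SIEM
    return rule.tier

def tier_volumes(events) -> dict:
    """Aggregate count and bytes per tier to show where storage spend lands."""
    out = {t: {"count": 0, "bytes": 0} for t in Tier}
    for ev in events:
        t = route(ev)
        out[t]["count"] += 1
        out[t]["bytes"] += ev["bytes"]
    return out

# Constructed sample: sizes are made up; netflow dominates volume, not relevance.
SAMPLE_EVENTS = [
    {"source": "auth", "bytes": 400},
    {"source": "netflow", "bytes": 150_000},
    {"source": "netflow", "bytes": 150_000, "security_relevant": True},
    {"source": "app_debug", "bytes": 90_000},
    {"source": "printer", "bytes": 300},  # not in policy: lands in the lake
]
```

Running `tier_volumes(SAMPLE_EVENTS)` shows the lake absorbing most of the bytes while the SIEM keeps only the small, attributable slice that detections run against.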
How to avoid bad data management habits
Seth and Bret also shared some great tips for evaluating your current data storage state and remediating bad habits, including:
- Understand your foundation before building on it. Seth said, “Investing the time in understanding what’s in your environment is extremely important to be successful when you change your storage habits. You’ll learn a lot about the many stakeholders within your organization and what’s important to the business, and it’ll also tell you what’s most vulnerable.”
- Have a trusted, experienced advisor to walk through the journey with you. Whether it’s just a friend in the industry or a hired person, having someone (or several people) you can ask questions or trust with their knowledge is a great tool.
- Focus on your priorities and security goals to help determine spending. What your org needs for storage might be different from what another customer needs, so find a flexible partner and be clear on your priorities so you know where to cut and where to increase spend for the biggest impact on budget.
- Lean on your MDR. “Ultimately it comes down to making sure you’re storing data that you aren’t using regularly in a place where it doesn’t need to be accessed regularly, and you’re storing actionable data in your SIEM. Be meaningful with it, and providers can often give you perspective on that business risk and objectives,” Bret said.
And the TL;DR? Be intentional, and start with a good foundation.
Want more? You can find the full conversation here.