
Maximising security spend and value; how SMEs can optimise costs in Microsoft Sentinel

Posted : 28 May 2025

Posted In : Blogs


Written by:

Matt Smith, Chief Technical Officer

IT leaders are looking for ways to rationalise costs, taking control of IT spend and establishing a structured approach to cost optimisation. In the UK, SMEs are forecast to spend approximately £29.8 billion on cybersecurity in 2025, so balancing effective security management with budgetary considerations is more important than ever. Organisations need to be smart with their spending. This can be particularly challenging for small and medium enterprises (SMEs) with tighter budgets and fewer resources, which is why we work to support our clients in optimising spend and value across their security environments.

An encyclopaedic knowledge of Microsoft Security products means that we are perfectly positioned to help our customers harness some of the cost optimisation techniques available in Microsoft Sentinel and in this blog, we’ll be exploring some of the steps that businesses can take to maximise their security investment through Sentinel. We’ll also be discussing this topic on our stand at InfoSecurity Europe in June, so be sure to join us there for a deeper dive into the subject.

Data storage and retention; how long is too long?

The amount of data you store, and how long you keep it for, can be split into two requirement-driven categories. Firstly, there’s the data you need to retain to enable robust security operations, and secondly, there’s the data you are required to keep by law for compliance purposes.

When it comes to security operations, businesses will generally be comparing and analysing very recent datasets: for example, what happened yesterday vs what happened last week, or what happened last week vs what happened last month. It’s rare that you would need to analyse any event logs older than three months for threat analysis. However, retaining only three months’ data overlooks a critical factor: compliance, which often demands longer retention to meet regulatory requirements. Retaining data for longer than three months in Microsoft Sentinel equates to higher costs. The longer you keep the data, the bigger the bill, and costs can easily spiral if businesses aren’t maintaining comprehensive data audits in line with compliance requirements.

Depending on your industry, you might need to retain data for five years, seven years or longer. Many SMEs don’t understand what is expected of them here and it’s crucial that you find out what the timeframe remit is for data retention for your specific industry and regulatory bodies and ensure that these requirements are met.

Making smart use of data ingestion

One of the most obvious ways to reduce your Sentinel fees is to ingest less data. But we advise our customers that this is one to approach with caution. Determining which data logs to bring in is actually a really difficult decision. As we’ve mentioned above, an SME will typically need to have access to about 90 days’ worth of data for security operations. But should an attack be successful, then it’s going to be useful to look back and understand where the threat actor started their journey. At which points did they fail and where did they become successful? This will help to build a picture of what happened and when, to help you to mitigate a similar attack in the future. But ingesting data costs money, so do you really want to keep huge amounts of data indefinitely, just in case?

We always advise our clients that the best course of action here is to ingest as much data as you can afford to. We want our customers to have robust security processes to protect their business-critical assets, but we don’t want to see them pouring money down the drain. It’s a case of cost vs benefit vs risk. It certainly isn’t an easy choice to make. What’s most important here is that if you are going to ingest and retain data, then make sure you make use of it. If the compliance department dictates a long retention period for a large amount of data and you must pay for that data, then do something useful with it. If the data is there, you should be analysing it. Find a use case for it. For example, if you’re retaining data for three years, can any of your recent security alerts be traced further back in time? How long have threat actors been knocking at your door for? If you can maximise the retained data by using it to build a bigger picture of the threat landscape, then it was money well spent. If there is no use case and the compliance department didn’t ask you to retain the data, then why are you keeping it?
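One way to put long-retention data to work in the way described above, as an added KQL example (not code from the original post): take the accounts named in this week’s alerts and search a full year of retained sign-in logs for earlier failed attempts against them. It assumes the standard Sentinel SecurityAlert and SigninLogs tables are populated and that sign-in data is kept well beyond the 90-day operational window.

```kql
// Added example: how far back does a recent alert's story actually start?
let lookback = 365d;   // compliance-driven retention being put to analytical use
let recent   = 7d;     // the window the SOC normally works in
// 1. Accounts flagged as the compromised entity in alerts raised this week
let hitAccounts =
    SecurityAlert
    | where TimeGenerated > ago(recent)
    | where isnotempty(CompromisedEntity)
    | extend Account = tolower(CompromisedEntity)
    | summarize FirstAlert = min(TimeGenerated), AlertNames = make_set(AlertName) by Account;
// 2. Failed sign-ins against those accounts across the whole retention period,
//    keeping only activity that pre-dates the alert itself
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"                 // non-zero ResultType = sign-in failure
| extend Account = tolower(UserPrincipalName)
| join kind=inner hitAccounts on Account
| where TimeGenerated < FirstAlert
| summarize
    EarliestAttempt = min(TimeGenerated),
    FailedAttempts  = count(),
    SourceIPs       = dcount(IPAddress)
    by Account, FirstAlert, AlertNames = tostring(AlertNames)
| extend DaysOfPriorActivity = datetime_diff('day', FirstAlert, EarliestAttempt)
| order by DaysOfPriorActivity desc
```

A large DaysOfPriorActivity value is the evidence that the longer retention is paying for itself; if the query returns nothing across a year, that is a data point for the retention discussion too.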

Short-term retention savings with Unified Sentinel

We’ve been talking to our clients in depth about this relatively new Microsoft feature recently. Microsoft Unified Sentinel has been with us for some time and integrates the capabilities of Microsoft Sentinel and Microsoft Defender XDR to enable streamlining of security operations through a comprehensive set of tools. What this has now brought to the table is the ability to cross-query data between Defender and Sentinel without paying the ingestion fees. The data that exists in Defender, which is included in your subscription, can be used in the same query as data ingested into Sentinel at no additional charge. There’s a caveat to this though: how long do you need to retain your data for? This cost saving only really works in the immediate here and now, because if you need to retain the Defender data for any longer than a month, then you’ll need to pay Sentinel ingestion and retention fees. We’ve found this is a great way to help our customers to save money. If they have data that needs to be analysed but they only need to retain it for a month, then harnessing Unified Sentinel can amount to quite big cost savings. It’s a benefit that is often overlooked, so keep this in mind before duplicating data from Defender into Sentinel.

Events vs metrics: know the difference to save money

Be aware and be wary of the costs associated with storing metrics. This is something we come across quite frequently within our customers’ Sentinel storage, and our advice to them is always the same – Sentinel should be used for security events. Firewall logs, application and system logs – anything that produces a security event. Not metrics. Security teams are often asked to help monitor and compile metrics due to their analytical skills, but it’s important to avoid storing data in security log systems that doesn’t belong there. Metrics bring little to no benefit to security analysis, and the costs can quickly start to run away with themselves. When monitors are being set up across the wider Azure environment, it’s important to only capture the logs that contribute to security events. Get this right and it can result in a huge Sentinel cost saving. In fact, according to a study carried out by Forrester, organisations found that Microsoft Sentinel decreased their total cost of ownership, providing a return on investment (ROI) of 234%.

Saving money within Sentinel comes from knowing what you need to ingest and retain from a compliance perspective and then maximising that data from an analytics perspective. This is what we help our clients to achieve. It’s crucial that you know and understand your specific regulatory requirements, working costs down to that level and making the most of all the data that you are required to keep hold of. This way not only are you optimising cost, but you are also optimising the use of that data, making the most of what you’re paying for.

Across our customer base, we work to maximise the tools and features of Microsoft technologies so that security processes are streamlined, technology is maximised and costs are optimised. This helps to deliver a robust, resilient business environment that promotes sustainable growth.
