
The SOC missed attacks.
The bill kept climbing.

Detection that sees more, for less money

A global industrial multinational, around 27,000 workplaces. The SOC missed attacks, ransomware landed, and the SIEM bill kept climbing. In 12 weeks we built a cost-efficient multi-SIEM architecture that sees more, carried by the same team.

[Chart: detection coverage by technique after the engagement. Categories: broadly covered, covered techniques, and remaining gaps, known and owned. Source: multi-SIEM; diagnosis, architecture, operations.]
  • Sector: global industrial multinational
  • Scale: ± 27,000 workplaces
  • Lead time: 12 weeks to production
  • Frameworks: NIST CSF, CRA

  • Lead time: 12 weeks from diagnosis to a working multi-SIEM in production.
  • Coverage: broader on the attack techniques that matter, demonstrably.
  • Data cost: down, without sacrificing coverage. No premium for storage that adds nothing.

The challenge

The SOC was meant to stop attacks. It did not even see them.

The security team ran a SOC that was supposed to catch attacks. In practice they slipped through, with a consequence: ransomware landed. Not as a near miss, but as fact. Meanwhile the SIEM bill kept climbing, and the team was too small to keep up with the alerts.

[Chart: what the team saw. Alerts: noise, alerts without substance, day after day. Signal: the signal that matters.]

  • 01 Attacks went unseen, with successful ransomware attacks as the result.
  • 02 Coverage was insufficient. No one could prove what the SOC did and did not see.
  • 03 It was too slow. Detection and investigation ran behind the facts.
  • 04 And it only got more expensive. The data bill climbed, the team was too small, and there was no budget for new staff.

The problem was never too little data. It was too little visibility, too late, for too much money.

The approach

Diagnosis first. Then the choice.

No picking a tool and then looking for problems to fit it. We started from the facts, built an architecture, and only then chose.

Facts: diagnosis first · Vision: architecture before selection · Operations: automate, more with the same people

01 Diagnosis

Analysis of the current problems, the underlying security stack and the technology roadmap. What was going wrong, what was already there, and where the organisation wanted to go.

02 Architecture vision

A target architecture that dissolved the false trade-off: coverage up and data cost down, instead of trading one for the other.

03 Selection, diagnosis-led

Solutions and vendor chosen on the basis of that vision, not the other way around. A multi-SIEM setup that fit what the organisation actually needed.

04 Implementation and optimisation

Go-live, and then keep steering, operationally and from the architecture, so it kept getting better instead of standing still.

The solution

Lower cost and more visibility. At the same time.

The assumption was that coverage and cost worked against each other: seeing more means more data, and more data means a higher bill. That trade-off proved false. With the right architecture the data bill went down while coverage went up.

Cost and coverage

No more paying a premium for storage that adds nothing to detection, while coverage actually grew broader.

Response playbooks (alert → triage → response)

Investigation and remediation partly automated, so the same team handles more and acts faster.

Multi-SIEM architecture

One cost-efficient setup that processes the right data in the right place, without sacrificing coverage.

Operating model

After go-live, steered continuously, operationally and from the architecture, instead of standing still.

“More visibility, faster action, lower cost. That is what we steered on, and that is what stands now.”

Security architect · global industrial multinational

The result

From firefighting to grip. With the same team.

Before
  • Attacks were missed, with ransomware landing
  • Insufficient coverage; no one could prove what the SOC saw
  • Too slow, always behind the facts
  • Data bill climbing, team too small, no budget
Now
  • Broader, demonstrable coverage on the techniques that matter.
  • Data cost down, without sacrificing coverage.
  • The same team acts faster and does more, because playbooks take over the work.
  • Continuously optimised, from firefighting to grip.

A similar challenge?

No pitch. One conversation.

One conversation in which we determine whether, and how, this works for your organisation too.

Schedule a conversation

30 minutes with a senior, no pitch.

Speak with an architect. Call directly: 088 - 163 23 25