What a SIEM actually does
SIEM stands for security information and event management. Strip away the acronym and it's four jobs:
- Collect. Every system you run produces logs — sign-ins, file access, firewall connections, mailbox rules, admin changes. A SIEM pulls them into one place.
- Correlate. Individually, a failed login means nothing. A failed login in Kyiv, followed by a successful one in the same account five minutes later, followed by a new inbox forwarding rule — that's a story. Correlation rules connect events across systems into that story.
- Alert. When a pattern matches something bad, a human gets told.
- Retain. Logs are kept — commonly 90 days to a year or more — so that when something does happen, you can answer the only questions that matter afterward: how did they get in, when, and what did they touch.
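To make the "correlate" job concrete, here is a small correlation rule written as an added example (it is not code from any SIEM product or from this page's author). It parses a handful of constructed, simplified log lines, groups them by account, and only raises an alert when three separate events line up for one account: one or more failed sign-ins, a successful sign-in within ten minutes of them, and a new mailbox forwarding rule within thirty minutes of that success. Taken alone, each event stays silent, which is the whole point of the Kyiv story above. The log format, field names, window sizes and account names are all assumptions made for the illustration.

```python
"""Toy SIEM-style correlation rule (added example, not from any product).

Each constructed log line has the shape:
    <ISO-8601 UTC timestamp> <source> <event kind> <account> <detail>
and every field name and value below is invented for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice's story should alert, bob's and carol's should not.
SAMPLE_LOG = """\
2024-05-02T01:57:10Z idp  login_failed            alice@example.com city=Kyiv
2024-05-02T01:57:40Z idp  login_failed            alice@example.com city=Kyiv
2024-05-02T02:02:05Z idp  login_success           alice@example.com city=Kyiv
2024-05-02T02:06:30Z mail forwarding_rule_created alice@example.com target=ext@example.net
2024-05-02T08:15:00Z idp  login_failed            bob@example.com city=Denver
2024-05-02T08:15:30Z idp  login_success           bob@example.com city=Denver
2024-05-02T09:00:00Z mail forwarding_rule_created carol@example.com target=carol.home@example.net
"""


def parse_line(line):
    """Normalise one raw line into a dict the rule can reason about."""
    ts, source, kind, account, detail = line.split(maxsplit=4)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "source": source,
        "kind": kind,
        "account": account,
        "detail": detail,
    }


def parse_log(text):
    """Collect: turn the whole constructed log into a list of events."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def correlate(events, success_window=timedelta(minutes=10),
              rule_window=timedelta(minutes=30)):
    """Correlate: link failed sign-ins, a later success and a new
    forwarding rule on the same account into one alert.

    success_window: how long after the failures the success may occur.
    rule_window:    how long after the success the rule may be created.
    Returns a list of alert dicts; an empty list means nothing matched.
    """
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, ev in enumerate(evs):
            if ev["kind"] != "login_success":
                continue
            # Look back for failures shortly before this success...
            failures = [e for e in evs[:i]
                        if e["kind"] == "login_failed"
                        and ev["time"] - e["time"] <= success_window]
            # ...and forward for a forwarding rule shortly after it.
            rules = [e for e in evs[i + 1:]
                     if e["kind"] == "forwarding_rule_created"
                     and e["time"] - ev["time"] <= rule_window]
            if failures and rules:
                alerts.append({
                    "account": account,
                    "failed_logins": len(failures),
                    "first_failure": failures[0]["time"],
                    "success_time": ev["time"],
                    "rule_created": rules[0]["time"],
                    "rule_detail": rules[0]["detail"],
                    "story": (f"{account}: {len(failures)} failed sign-in(s) from "
                              f"{failures[0]['detail']}, then a successful sign-in at "
                              f"{ev['time']:%H:%M:%S}, then a forwarding rule "
                              f"({rules[0]['detail']}) at {rules[0]['time']:%H:%M:%S}"),
                })
    return alerts


def run_sample():
    """Alert: run the rule over the constructed log and return the alerts."""
    return correlate(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT:", alert["story"])
```

Bob's failed-then-successful sign-in and Carol's lone forwarding rule both stay quiet; only Alice's three-step sequence produces an alert. In a real deployment the windows and the set of event kinds are exactly the knobs that "tuning" adjusts, and the retained history is what lets an analyst rerun a rule like this over last month's logs after the fact.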
That last job is quietly the most valuable. After an incident, businesses without log retention are guessing about scope. Guessing is expensive — in downtime, in legal exposure, and in breach-notification decisions made blind.
Why "managed" is the operative word
Here's what the vendors selling SIEM software don't lead with: an unmanaged SIEM fails in a predictable way. It gets installed, it starts generating alerts, the alerts are 95% noise, the one person responsible stops reading them by week three, and from then on it's an expensive log archive.
Tuning a SIEM — teaching it what your normal looks like so it only escalates genuine anomalies — is skilled, ongoing work. So is investigating what it escalates, at 2 a.m., on a holiday. That's the case for managed SIEM: you're buying the platform plus the analysts who tune it and watch it. The team doing that watching is a security operations center — the SIEM is the instrument they play.
What managed SIEM costs
Pricing models vary, but they reduce to three shapes:
- Per device / per user per month. The most predictable for small businesses, and the easiest to audit — the same logic as per-unit managed IT pricing.
- By log volume. Priced per gigabyte of logs ingested daily. Fine at small scale, but costs climb as you add sources — and the wrong incentive quietly follows (sending fewer logs to save money defeats the purpose).
- Tiered bundles. A flat fee covering up to N sources with set retention. Read what's excluded.
For a typical small business feeding endpoints, firewall, and Microsoft 365 into a managed service, expect quotes from a few hundred to a couple thousand dollars a month. Two contract lines deserve more attention than the price: how long logs are retained (compliance frameworks set minimums — a year is a common requirement) and what the provider commits to do when an alert fires, in minutes, in writing.
When a small business actually needs one
The honest triggers, roughly in order of how often we see them:
- A compliance framework says so. HIPAA's Security Rule requires audit controls and log review; PCI DSS requires logging and daily log review (Requirement 10); CJIS requires audit logging for criminal-justice data; CMMC expects audit and accountability practices for defense contractors. If one of these applies to you, some form of log monitoring and retention isn't optional — the only question is whether you staff it or buy it.
- Your cyber insurer asks. Renewal questionnaires increasingly probe for log monitoring and 24/7 detection alongside MFA and EDR — the same trajectory we covered in the cyber insurance guide. "No" answers raise premiums; misrepresented answers void claims.
- Nobody can say what normal looks like anymore. Past roughly 25–50 people, multiple locations, or a mix of cloud apps and servers, no single person holds the picture in their head. Correlation has to be automated because comprehension no longer scales.
- You've had an incident. Post-incident, the first gap every review finds is visibility. The second is retention.
When you don't need one yet
A SIEM is a detection layer. If the prevention layer has holes, fix those first — they're cheaper and they stop more.
If you're a 10-person office with no regulatory overlay, your money does more work in this order: MFA everywhere, managed EDR on every endpoint, patched systems, tested backups, and the payment-verification habits that stop business email compromise. A SIEM that watches an environment with no MFA is recording the burglary in high definition through an unlocked door.
This is also the test of a trustworthy provider: ask them whether you need a SIEM. The right answer for a small unregulated office is usually "not yet, and here's what to do first." A provider who quotes one to everybody is selling shelf-ware.
What to ask any managed SIEM provider
- What sources do you ingest at this price? Endpoints, firewall, Microsoft 365 / Google Workspace, servers, VPN — and what's extra.
- How long are logs retained, and where? Match the number to your compliance requirement, not their default.
- Who watches the alerts, and when? "24/7 SOC" should mean named humans on shifts, not an auto-forwarded inbox.
- What happens when an alert fires? Response time and first actions, in the contract, in minutes.
- How is it tuned over time? Untuned SIEMs drown their owners. Ask how false-positive rates are reviewed and by whom.
- Can I get my logs out? Your history shouldn't be hostage to a vendor change.
If you're weighing whether any of this applies to your environment, that's a conversation we have honestly — including the "not yet" answer — in a 20-minute intro call. The wider picture of how detection fits the rest of the stack is on our security page.
