
How high-quality data saves you $$$$
Tomorrow (March 6) afternoon I'm giving a talk at the 15th Edition New York Cybersecurity Summit. For those who aren't attending, here's a brief summary of "How High Quality Data Saves You $$$$":
The security data trap
By definition, Security Operations Centers (SOCs) rely on security data, and an essential part of building a SOC is starting to collect relevant data. At first, the amount of data is usually manageable, because you start to collect only enough to power your initial analytics.
The problem is that collecting data is way easier than analyzing and using the collected data. As a result, it is very easy to fall into the data collection trap and focus on collecting data, thinking that analytics (which is used to derive actionable insights) will be able to catch up later. But more often than not, the focus shifts disproportionately towards amassing data and leaves analytics lagging behind.
All that means you're collecting vast amounts of data, but most—often over 90%—remains unused, because it's collected without clear use cases or objectives. This inefficiency turns your SIEM into a very expensive log storage solution, a.k.a. a data swamp.
In addition, the quality of the collected data is often very low, which, coupled with the high data volume, leads to further problems:
- Detection engineering becomes a complex, often manual, labor- and time-intensive task.
- Detections and alerts become fragile (research shows that ~18% of alerts never fire, mostly because of missing fields and malformed data).
- On the other hand, many alerts have a high false positive rate, causing alert fatigue in your SOC teams.
How high-quality data saves you $$$$
Manual data engineering (fixing and cleaning data in the SIEM) is expensive, error-prone, and soul-crushing. With enterprise data volumes, it's also completely unfeasible. However, you can move these tasks into the security data pipeline and automate them, so you classify and parse the incoming data before it reaches your SIEM, monitor the ingested data, and improve your classification and parsing based on that feedback. When done right, this approach can greatly increase the quality of your security data, which has several benefits, including:
- Improved Detection Engineering. Better data means better and more reliable event detection in your SIEM, and better security posture overall.
- Data Reduction. Improved data classification and parsing can open the way to reduce the amount of data ingested into the SIEM, by dropping unneeded messages, and also by removing redundant or empty data fields. This can immediately lead to significant (50% and more) cost reduction.
- Routing. A SIEM is usually the final destination for the data, so you can't easily forward parts of it somewhere else, for example to a monitoring or analytics system, to low-cost storage, or nowhere at all (because it isn't security-relevant). A pipeline in front of the SIEM can make that routing decision before ingestion.
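To make the pipeline tasks above concrete (classify, parse, reduce, route) and the "missing fields" failure mode from the data trap section, here is an added illustration written for this summary; it is not Axoflow code and not the customer's configuration. All log lines are constructed, and the source types, required-field lists, redundant-field list and routing rules are assumptions chosen for the example:

```python
"""Added illustration (not Axoflow code): a minimal pre-SIEM pipeline stage
that classifies, parses, validates, reduces and routes log lines.

All log lines below are constructed for this example; source types, required
fields, the redundant-field list and the routing rules are assumptions.
"""
import json
import re
from collections import Counter

# RFC 3164-style syslog: "<PRI>Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields a downstream detection needs (assumed per-source lists). Records that
# lack them are quarantined for the data team instead of being forwarded, so
# an alert that can never fire shows up as a pipeline problem, not silence.
REQUIRED = {
    "firewall": {"src_ip", "dst_ip", "action"},
    "windows": {"EventID", "Computer", "TargetUserName"},
}
# Fields assumed to carry no detection value; removed before ingestion.
REDUNDANT = {"raw_pri", "Version", "Opcode", "Keywords"}

SAMPLE_LINES = [  # constructed sample input
    '<134>Mar  5 10:00:01 fw-edge-1 fw: action=deny src_ip=10.0.0.5 dst_ip=203.0.113.9 proto=tcp dst_port=445 user=""',
    "<134>Mar  5 10:00:02 fw-edge-1 fw: action=deny proto=udp dst_port=53",
    "<135>Mar  5 10:00:03 fw-edge-1 fw: debug: session table size=4096",
    '{"EventID": 4625, "Computer": "WS01.corp.example", "TargetUserName": "jdoe", '
    '"IpAddress": "10.0.0.7", "Version": 0, "Opcode": "Info", '
    '"Keywords": "0x8010000000000000", "SubjectDomainName": "-"}',
    "<78>Mar  5 10:00:04 app-srv-2 cron[1234]: (root) CMD (run-parts /etc/cron.hourly)",
    "no header, just text",
]


def classify(line):
    """Assign a source type from the shape of the line (assumed rules)."""
    if line.startswith("{"):
        return "windows"
    m = SYSLOG_RE.match(line)
    if not m:
        return "unknown"
    return "firewall" if m.group("program") == "fw" else "syslog_other"


def parse(line, source):
    """Flatten a raw line into a dict of fields."""
    if source == "windows":
        return json.loads(line)
    m = SYSLOG_RE.match(line)
    rec = {"timestamp": m.group("ts"), "host": m.group("host"),
           "program": m.group("program"), "raw_pri": m.group("pri"),
           "severity": int(m.group("pri")) % 8}
    for key, val in KV_RE.findall(m.group("msg")):
        rec[key] = val.strip('"')
    return rec


def reduce_fields(rec):
    """Drop empty placeholders and known-redundant fields."""
    return {k: v for k, v in rec.items()
            if k not in REDUNDANT and v not in ("", None, "-")}


def route(line):
    """Return (destination, record); destinations: siem, archive, quarantine, drop."""
    source = classify(line)
    if source == "unknown":
        return "quarantine", {"reason": "unclassified", "raw": line}
    try:
        rec = parse(line, source)
    except json.JSONDecodeError:
        return "quarantine", {"reason": "malformed json", "raw": line}
    if rec.get("severity") == 7:          # debug noise: not security-relevant
        return "drop", None
    if source == "syslog_other":          # operational logs: low-cost storage
        return "archive", reduce_fields(rec)
    missing = REQUIRED[source] - set(rec)
    if missing:                           # would silently break detections
        rec["_missing"] = sorted(missing)
        return "quarantine", rec
    return "siem", reduce_fields(rec)


def run(lines):
    """Route every line; report destination counts and SIEM byte reduction."""
    counts = Counter()
    raw_bytes = siem_bytes = 0
    for line in lines:
        dest, rec = route(line)
        counts[dest] += 1
        raw_bytes += len(line.encode())
        if dest == "siem":
            siem_bytes += len(json.dumps(rec).encode())
    return {"counts": dict(counts), "raw_bytes": raw_bytes,
            "siem_bytes": siem_bytes, "reduction": 1 - siem_bytes / raw_bytes}


if __name__ == "__main__":
    print(json.dumps(run(SAMPLE_LINES), indent=2))
```

Running it over the six constructed lines sends two records to the SIEM, archives the cron line, drops the debug line, and quarantines both the unparseable line and the firewall event that lacks the address fields a detection would key on. The quarantine counters are the feedback signal the paragraph above describes: they tell you which parsers or sources need work before a detection silently stops matching.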
Customer success story
How does what we've described so far work in real life? I believe the experience of our recent customer (a large multinational industrial concern) shows that you can get amazing results really quickly.
The challenge
The challenge the security team faced was that:
- Their security data volume was approaching the 3 TB/day tier.
- Because of budget constraints, they had to maintain their current spending, but they also needed to add new locations (meaning a significant number of new devices and data sources) to their SIEM.
Key results with Axoflow
After introducing the Axoflow Platform into their infrastructure, this enterprise achieved:
- 50% reduction in overall SIEM spend, including a 56% reduction in Windows traffic and a 36% reduction in Zscaler traffic. This allowed them to keep using their current license tier, even after adding the new locations.
- 85% reduction in MTTR.
- A significant reduction in the total number of tickets opened.
In addition, the data flow visualizations of Axoflow allowed them to identify several health issues within their environment, including:
- Message drops
- Syslog parsing issues
- Sudden increases in internal logs going to Splunk
- Multiple abandoned disk buffers (with log messages that were never sent to the SIEM)
Conclusion
High-quality security data isn't just about better detections—it directly translates to massive cost savings, operational efficiency, and a stronger security posture. By shifting data processing and optimization upstream in the security data pipeline, organizations can dramatically reduce SIEM costs, improve detection accuracy, and streamline SOC operations.
Our customer success story is proof that focusing on data quality leads to immediate, measurable results. Whether it's reducing data volume, improving alert reliability, or uncovering hidden inefficiencies, investing in high-quality security data is an investment that pays for itself—both in dollars saved and in a more effective security operation.
If you’d like to get similar results for your team and are attending the New York Cybersecurity Summit, visit the Axoflow booth, so we can dive deeper into this topic! If not, feel free to reach out with any questions, or watch the recording of our related webinar about Feeding your SIEM Reduced and Actionable Security Data.
Stay tuned!