For years, conventional wisdom in security operations was simple: collect everything. Logs were cheap. Storage was plentiful. And the more data a team had, the more confident it could feel about detection and forensics.
That assumption quietly broke as organizations scaled.
At Vensure Employer Solutions, a privately held HR services and payroll provider supporting more than 95,000 businesses, telemetry volume did not just grow; it exploded. Rapid acquisitions, expanding infrastructure, and a growing customer base turned routine firewall traffic into a relentless stream of raw data flowing into the company’s security information and event management (SIEM) environment.
“We were ingesting everything,” says Dwayne Smith, SVP of Information Security and Global CISO at Vensure. “People would shove everything they could in there.”
The breaking point was not a breach; it was the bill. As Vensure integrated more environments through mergers and acquisitions, the cost of ingesting logs began to climb at an unsustainable rate. Network traffic, routine firewall connection logs, flow records, and benign system events accounted for the bulk of the growth. By Smith’s estimate, ingestion costs nearly tripled over two years.
“It’s not only the cost of storing it,” he says. “It’s maintaining it, managing it, and the policy and evidence around it.”
Just as concerning, the flood of low-value telemetry made it harder for analysts to see what actually mattered. Alerts were buried in noise. Investigation queues lengthened. Mean time to respond crept upward.
“It wasn’t sustainable,” Smith says.
Rethinking What Belongs in the SIEM
Rather than cutting tools or headcount, Smith’s team took a harder look at the data itself and at the security data pipeline that ingests, enriches, and routes telemetry across tools and teams. Not all logs, they realized, deserve equal treatment.
Using machine learning and large language models in the security data pipeline enabled Vensure to automate the filtering of incoming logs (e.g., DNS or firewall “allows”) and to identify and filter out high-volume, low-value data. This reduced SIEM costs and noise without losing critical alerts.
Firewall telemetry became the first test case. While threat and intrusion alerts carried clear security value, raw connection logs, which made up the majority of events, were rarely used in day-to-day detection or response. They were kept “just in case.”
“Paying for all those logs, just to have them laying around, becomes a real business problem,” Smith says.
The result was an 83% reduction in firewall log ingestion, without eliminating threat, intrusion, or authentication events.
Proving Signal Wasn’t Lost
Filtering data before ingestion is a high-stakes decision for any CISO. Lose the wrong logs, and detection gaps can follow. To validate the approach, Smith’s team ran side-by-side comparisons using native firewall metrics, historical data, and simulated attack traffic. They also used artificial intelligence models aligned to frameworks like MITRE ATT&CK to ensure filtered data was still interpreted through the correct threat context.
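To make the filtering and validation steps above concrete, here is an added example (not Vensure’s pipeline or any vendor’s code) that routes constructed firewall events in key=value form: routine firewall and DNS “allows” are dropped before ingestion, threat, intrusion and authentication events always reach the SIEM, and a side-by-side count confirms that no high-value class was lost. Field names, event types and the sample lines are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample firewall events (not real data); key=value per line.
SAMPLE_EVENTS = """\
ts=2024-05-01T10:00:01Z type=traffic action=allow src=10.1.1.5 dst=10.1.2.9 dport=443
ts=2024-05-01T10:00:01Z type=traffic action=allow src=10.1.1.6 dst=10.1.2.9 dport=443
ts=2024-05-01T10:00:02Z type=traffic action=deny src=203.0.113.7 dst=10.1.2.9 dport=22
ts=2024-05-01T10:00:03Z type=dns action=allow src=10.1.1.5 qname=example.com
ts=2024-05-01T10:00:04Z type=threat action=alert src=198.51.100.3 dst=10.1.2.9 sig=scan
ts=2024-05-01T10:00:05Z type=ips action=block src=198.51.100.3 dst=10.1.2.9 sig=exploit-attempt
ts=2024-05-01T10:00:06Z type=auth action=success user=admin src=10.1.1.5
ts=2024-05-01T10:00:07Z type=auth action=failure user=admin src=203.0.113.9
ts=2024-05-01T10:00:08Z type=traffic action=allow src=10.1.1.7 dst=10.1.2.9 dport=80
"""

# Event classes that must always be ingested (threat, intrusion, authentication).
HIGH_VALUE_TYPES = {"threat", "ips", "auth"}
# Routine allows are the high-volume, low-value class the pipeline drops.
LOW_VALUE = {("traffic", "allow"), ("dns", "allow")}

def parse_event(line):
    """Parse one key=value log line into a dict (assumed log format)."""
    return dict(m.groups() for m in re.finditer(r"(\w+)=(\S+)", line))

def route_event(event):
    """Return 'siem' for events to ingest, 'drop' for events to discard."""
    etype, action = event.get("type"), event.get("action")
    if etype in HIGH_VALUE_TYPES:
        return "siem"
    if (etype, action) in LOW_VALUE:
        return "drop"
    return "siem"  # denies and unknown types are retained: err toward keeping

def filter_pipeline(raw):
    """Route each line; return kept lines and per-type counts before/after."""
    kept, before, after = [], Counter(), Counter()
    for line in raw.splitlines():
        ev = parse_event(line)
        before[ev["type"]] += 1
        if route_event(ev) == "siem":
            kept.append(line)
            after[ev["type"]] += 1
    return kept, before, after

def validate(before, after):
    """Side-by-side check: every high-value type survives filtering unchanged."""
    return all(before[t] == after[t] for t in HIGH_VALUE_TYPES)

def reduction_pct(before, after):
    """Percentage of events removed from the ingestion stream."""
    total_before, total_after = sum(before.values()), sum(after.values())
    return round(100 * (total_before - total_after) / total_before, 1)
```

On the sample, four of nine events (the three firewall allows and the DNS allow) are dropped while every threat, IPS and auth event is retained; in practice the before/after counts would be compared against the firewall’s own native metrics and replayed test traffic, as the article describes.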
The goal was not just cost reduction. It was confidence.
“When we filtered those logs, we were actually able to understand our environment better,” Smith says.
With fewer irrelevant events crowding dashboards, analysts could more clearly see scanning activity, vendor-initiated testing, and genuine anomalies. In some cases, the cleaner signal helped the team confirm whether external security tools were functioning as expected, something that had previously been obscured.
Measurable Operational Gains
The financial impact was immediate: approximately $250,000 in annual savings tied directly to reduced ingestion and storage costs.
But the operational improvements mattered more. Mean time to respond dropped by roughly 50%, as analysts spent less time triaging false positives. Detection accuracy improved as broad signatures were refined into more precise indicators. Administrator behavior became easier to track, strengthening identity and access monitoring. Compliance reporting improved, particularly regarding regional data-handling requirements.
“It led to the same amount of people doing not only more work, but better work,” Smith says.
Cost Control, Not Just Automation
Much of the industry conversation around AI in security focuses on autonomous response, agentic workflows, and predictive analytics. Smith does not dismiss those use cases, but he believes cost discipline, controlling the runaway spending on data, may be the technology’s most immediate and underappreciated benefit.
“This isn’t sustainable,” he says. “If AI can help reduce that pressure, that matters.”
For Smith, the lesson is not about adopting a specific tool or model. It is about questioning long-held assumptions, especially the belief that more data always equals more security.