KPMG Technology consulting deploys Elastic Security to cut storage costs, increase visibility, and reduce false positives
Key takeaways
- Reduced project timelines by 20%–40%: As a reseller and consultant of Elastic, KPMG has accelerated migration from legacy SIEMs thanks to its deep understanding of Elastic Security and features, such as Automatic Migration into ES|QL and Elastic-authored rules.
- Tenfold increase in storage at 25% of previous cost: KPMG clients can take advantage of Elastic’s multi-tiered cloud storage architecture that scales fast while significantly reducing costs, enabling them to store more.
- More proactive, resilient security: Elastic Security includes proven AI components that enable KPMG clients to strengthen their security posture and repel threats from any direction.
Migrating from an incumbent security information and event management (SIEM) platform to a more agile, cost-effective solution is a massive challenge for organizations facing evolving cyber threats. As a long-standing Elastic reseller, KPMG Technology consulting — a leader in data, advanced analytics, AI, and emerging technologies — has a proven track record guiding organizations through SIEM migrations. This ensures that security operations match or exceed expectations while reducing software licensing costs and vendor complexity.
“Our clients are typically looking to move away from solutions with more expensive pricing models,” says Liron Ben Yosef, CTO of KPMG Technology consulting. “As well as addressing multiple use cases, such as security (SIEM) and observability (APM), Elastic provides unparalleled flexibility, which resonates strongly with our clients who are looking to consolidate and simplify their enterprise software systems.”
Migrating a 6-year-old SIEM platform to Elastic Security in just a few months
After six years on its previous SIEM platform, one KPMG client made the strategic decision to migrate to Elastic Security in the pursuit of better system defenses and more efficient data management. The transition was complex, involving the migration of thousands of dashboards, 300 data sources, and 2,000 alerts all within an aggressive timeline. Every alert and dashboard needed to be fully operational in Elastic before the incumbent SIEM was decommissioned, ensuring a seamless transition without disruption to security operations.
Rather than a complete overhaul, the project followed a lift-and-shift approach for the first phase, ensuring Elastic provided a mirror-like solution to the previous platform. Yosef says, “Given the sheer scale of data ingestion and the critical nature of security operations, the new SIEM had to match, and ultimately exceed, the performance and functionality of the earlier system.”
With the support of KPMG’s cybersecurity and data engineering experts, the client successfully deployed Elastic Security ahead of schedule, streamlining data ingestion, storage optimization, and real-time alerting.
Advanced Elastic features that streamline and simplify migration
Elasticsearch Query Language (ES|QL) became the client’s primary query tool, streamlining the migration of alerts and dashboards without compromising performance. KPMG used Elastic Watcher to create real-time alerts based on ES|QL queries when predefined conditions were met. Watcher is also used for the dynamic updating of enrich policies, keeping search-time data enrichment current and efficient.
To optimize storage and cost management, the client implemented index lifecycle management (ILM). This lets a large volume of data sit in the frozen tier for cost-efficient long-term retention, with hot nodes serving active data and cold nodes holding archived data.
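As an added illustration of the tiering described above (not a policy from the page, KPMG, or the client), the following ILM policy moves indices from hot to cold to frozen and finally deletes them. The policy name `siem-events-tiered`, the rollover thresholds, the phase ages, and the repository name `SNAPSHOT_REPOSITORY_PLACEHOLDER` are all assumed values chosen for the example; it would be installed with `PUT _ilm/policy/siem-events-tiered` in Kibana Dev Tools or via the REST API.

```json
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_primary_shard_size": "50gb",
            "max_age": "1d"
          },
          "set_priority": {
            "priority": 100
          }
        }
      },
      "cold": {
        "min_age": "30d",
        "actions": {
          "allocate": {
            "number_of_replicas": 0
          },
          "set_priority": {
            "priority": 0
          }
        }
      },
      "frozen": {
        "min_age": "90d",
        "actions": {
          "searchable_snapshot": {
            "snapshot_repository": "SNAPSHOT_REPOSITORY_PLACEHOLDER"
          }
        }
      },
      "delete": {
        "min_age": "365d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}
```

The hot phase rolls the write index over once a primary shard reaches 50 GB or one day of age, so each index stays a manageable size. After 30 days (counted from rollover, not from index creation) the index moves to the cold tier with replicas dropped, and after 90 days it is mounted from a snapshot repository as a partially cached searchable snapshot on the frozen tier, which is what keeps year-old events queryable from object storage at a fraction of hot-node cost. Two checks matter for a security team before adopting such a policy: the `delete` phase age must not undercut the retention your investigations and compliance obligations require, and the frozen phase will fail silently into an error step if the snapshot repository named in `snapshot_repository` has not been registered on the cluster first.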
Kibana dashboards also play a critical role in the new security environment. KPMG helped the client deploy a combination of Lens, ES|QL panels, and Vega to display dynamic, interactive charts and tables. The security team now has deeper visibility into security data, enabling analysts to detect threats faster and respond proactively.
A new benchmark for security intelligence
With KPMG Technology consulting guiding the migration, the client successfully transitioned to a more scalable, cost-effective SIEM solution. Elastic delivers greater visibility, stronger security analytics, and improved operational efficiency, setting a new benchmark for modern security intelligence.
The client can now process approximately 2TB of data per day, equating to nearly one billion security events. The system supports hundreds of scheduled alerts while enabling some 50 security analysts to work in parallel using advanced discovery and dashboarding tools.
One of the most transformative benefits was Elastic’s data tiering strategy, which enabled the client to expand from 70TB of stored security data to 840TB on Elastic while reducing storage costs by 75%.
“Speed, scale, AI and value are the cornerstones of Elastic’s platform,” says Yosef. “With this foundation we can help clients unlock new possibilities while keeping costs under control. It’s a partnership that drives real results.”
With Elastic’s distributed architecture and flexible indexing, the client can now retain significantly more security events, including cloud-based archival storage. Unlike the previous system, where limited storage forced event data truncation, Elastic ensures that critical security insights are never lost.
“Elastic’s tiered architecture is a game changer,” says Yosef. “By optimizing data storage — keeping frequently accessed data in high-performance tiers and moving older data to cost-effective ones — the client’s SIEM is far more cost efficient.”
He also highlights Elastic’s machine learning-driven anomaly detection, which was not available with the previous SIEM platform. These automated detection mechanisms significantly reduce false positives, offer better threat visibility, and reduce investigation times. Elastic’s alerting system also notifies users of potential issues before an incident fully escalates.
Other popular features include Elastic role-based access control (RBAC), which gives security teams complete control over managing data access and permissions, and cross-cluster search (CCS), which enables them to search data across different networks without having to authenticate separately against each network’s lightweight directory access protocol (LDAP) directory.
With our extensive experience and library of reusable assets, we can reduce project timelines by 20%–40%. Every project is unique, but our proven Elastic methodology ensures we’re never starting from scratch.
Liron Ben Yosef, CTO, KPMG Technology consulting
A flexible approach to migration
Flexibility is also critical for client architectures. KPMG has implemented Elastic Security in a variety of environments, including Elastic Cloud on Kubernetes (ECK) for containers in on-premises, air-gapped environments, as well as on managed cloud platforms and hybrid setups that combine both on-premises and cloud resources.
For a large digital-native client, KPMG set up managed Elastic on AWS Cloud. In contrast, for a major bank in Israel, it deployed a hybrid architecture, with ECK on-premises and a self-managed Elastic instance on AWS Elastic Kubernetes Service (EKS) in the cloud.
Elastic Security’s AI-driven features
As more KPMG clients move to Elastic Security, they are enthusiastically embracing AI-driven security features. These include contextual investigations, AI-driven risk assessments, automated runbooks, and response recommendations.
More recently, KPMG has adopted Elastic AI tools that further streamline and accelerate the migration process, including Automatic Import, which dramatically accelerates onboarding of new data sources, and Automatic Migration, which uses AI to translate and map detection rules from legacy SIEMs into Elastic’s ES|QL for use in Elastic Security. Client security analysts can also take advantage of Elastic AI Assistant, a conversational interface that helps them interact with data using natural language.
Modernizing legacy data
With Elastic, KPMG can also deliver a variety of data storage architectures. Some clients prefer not to migrate their historical data at all. With Elastic Security, they can retain the older data on their original SIEM platform until it becomes irrelevant based on their defined retention policies for each data source.
Elastic is equally beneficial for clients where the old platform is unsuitable for historical data. Here, migration starts with mapping existing indices, source types, and fields from the old SIEM platform. KPMG uses custom connectors primarily based on Logstash to facilitate migrations. These connectors support both historical and real-time data, and their performance can be scaled to accommodate both high and low data volumes.
Exceptional natural language processing for security specialists
Following the success of these projects, KPMG Technology consulting is looking forward to expanding business in Israel and beyond as more businesses seek to replace their existing SIEM solutions with Elastic. “Elastic’s natural language processing capabilities are exceptional,” says Yosef. “For Hebrew, which poses unique linguistic challenges, Elastic’s analyzers deliver highly accurate and robust search solutions.”
The collaboration between KPMG Technology consulting and Elastic continues to evolve with both teams committed to driving innovation and delivering exceptional results for clients. “We’re excited about the future, especially given Elastic’s aggressive AI roadmap,” says Yosef.
As data volumes grow and technology needs become more complex, the partnership with Elastic ensures that the organization can tackle these challenges head-on. “Together, we’ll continue to explore new use cases, push the boundaries of what’s possible, and provide unparalleled value to our clients worldwide,” he says.
The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.
In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use.
Elastic, Elasticsearch, and associated marks are trademarks, logos or registered trademarks of Elasticsearch B.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.