Navigating the SIEM Landscape: How to Recognize and Counter Vendor Gimmicks
Frustrated with the endless games and deceptive tricks security information and event management (SIEM) vendors play? It’s time to gain the upper hand and make informed decisions. That’s why we’ve decided to launch a series of blog posts aimed at educating you on how to recognize and effectively counter vendor gimmicks. Our goal is to provide valuable insights and information to help you make the best choices for your organization’s security needs. Join us as we explore the often murky world of SIEM vendors and arm you with the knowledge to choose wisely.
In this article:
- SIEM vendors’ empty promises
- Vendors gonna vend — common gimmicks
- Read the fine print
- Exabeam: your trusted partner
SIEM vendors’ empty promises
Empty promises abound in the wonderful world of SIEM vendors. My two favorites are “Our SIEM is free” and “Up to”.
“Our SIEM is free; it is included in our bundle <xyz>.”
Yeah, right. Look at the fine print, and you realize that once in production using real data 1) the SIEM is not free at all, and 2) the cost is unpredictable and can be pretty expensive — bad surprises can lurk at the end of the fiscal year.
“Our SIEM allows up to 1,000,000 events per second (EPS).”
Yeah, sure. Put that SIEM in production and watch it drop events way before that upper limit.
All customers and prospects, all the security organizations, all the CISOs, and all the people responsible for the procurement of cybersecurity solutions say the same thing: we are tired of the little games that vendors play, and the constant tricks that they use to confuse us and essentially make us buy more than what we need, at a price higher than what we would like.
At Exabeam we agree, and we are on your side. Not only do we stay away from all of these tricks and instead focus on delivering your required outcomes with optimized total cost of ownership (TCO), we have developed a blog series that starts tomorrow, to warn you about these gimmicks and give you ways to recognize and avoid them.
Vendors gonna vend — common gimmicks
I have a pretty unique perspective on the typical tricks that cybersecurity vendors — and particularly the SIEM and TDIR vendors — use today. Over the past 30 years in cybersecurity, I have:
- Worked for market-leading SIEM and threat detection, investigation, and response (TDIR) vendors such as LogLogic, Loggly, Splunk, and now Exabeam. I held many different roles — notably sales and marketing — and have attended many training sessions on some of the sales playbooks and methodologies that we will discuss in this series.
- Worked at Gartner as an industry analyst covering Security Operations, observing, analyzing and writing about SIEM and TDIR vendors. I was fortunate to have candid conversations with all the vendors who explained the tricks that they use.
Vendors are usually well-intentioned when they bring their solutions to market; they genuinely hope that they will help their customers somehow improve their security posture. At the same time, “vendors need to vend,” as I used to say when I was at Gartner — meaning that vendors need to generate revenue in order to live another day. And the more desperate a vendor (read: the less relevant their value proposition), the more likely they will resort to using a number of tricks and gimmicks that today constitute a sort of “best practice”.
Some of these gimmicks that vendors use to secure a sale include (read our series for more detail on each of these):
- Fake freemium. A carefully crafted “free” offering where it is next to impossible to not spend money — the work of some very smart product managers and pricing committees that avoid cannibalization at all costs.
- Performance without scalability. Watch out for the keyword “up to”. Some “too good to be true” performance numbers certified in some esoteric labs. Put the solution in production and watch those “up to” performance numbers plummet as the solution struggles to keep up with the claims.
- Security through obscurity. Cloud-delivered SIEM vendors use cloud services underneath, implying a shared responsibility model. Beware of a cloud-delivered SIEM vendor who is not willing to discuss how they handle such aspects as authentication, encryption standards, or secrets management.
- Fake AI and overblown analytics claims. Exabeam is a pioneer of the user and entity behavior analytics (UEBA) space. We are well positioned to observe SIEM vendors touting machine learning (ML) and artificial intelligence (AI) when there is really nothing more than simple statistical model analytics. Challenge your SIEM vendor on these capabilities by using the guidelines in the “Two simple ways to uncover fake UEBA” section in my previous blog post, “A Crash Course on Security Analytics — And How to Spot Fake UEBA From a Mile Away”.
Read the fine print
Keep an eye out for these tricks. Make sure you recognize and pay attention to them, that you acknowledge their impacts to your project and organization, and that you can mitigate any undesired effects. Specifically:
- Be attentive to “plausible deniability” wording; for example, the keyword “up to” is dangerous for criteria that are important to you. To illustrate my point, “up to 1M EPS” usually means “1M EPS in the lab for very short bursts, while all other processing is suspended, as we hope that the burst will not last long because otherwise we’ll quickly run out of buffer, at which point the solution will go down”. On the other hand, New Scale SIEM from Exabeam is certified at 1M EPS, which means that we can absorb 1M EPS sustained from end to end in the pipeline, while all processing continues normally, without filling any temporary buffer. This is why we say “1M EPS” and not “up to 1M EPS”.
- Likewise, do not hesitate to ask your vendor for clarification on any ambiguous verbiage. Natural languages are ambiguous by nature, and creative marketing teams have a knack for writing in a way that benefits the vendor.
- Challenge your vendor on “too good to be true” capabilities, and do not hesitate to kick the tires during a proof of concept (POC). If something is important to you, make sure that you validate functionality during a POC.
- Acknowledge product limitations beyond marketing claims. If a vendor says “up to 1M EPS” and you realize that it is really 100,000 EPS, maybe it is not that bad if all you need is 1,000 EPS. But do realize that this vendor is likely making similar claims in other aspects, so be on the lookout for other criteria that are important to you.
- Mitigate product limitations, and understand the extensibility of its platform. For example, maybe you really liked a vendor’s solution but the POC revealed the unavailability of a parser for an esoteric data source that is important to you. In this case, ask your vendor for access to a parser generator. Can you write the parser yourself or do you need to contract with an external firm to write this for you?
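To make the difference between a burst claim and a sustained rate concrete, here is an added toy simulation (written for this article; it is not Exabeam code and does not model any particular vendor's architecture). It assumes a pipeline that can really process `sustained_eps` events per second and parks any excess in a bounded buffer; once the buffer is full, events are dropped, which is exactly the failure mode the "up to" wording hides.

```python
"""Toy model of an "up to N EPS" ingest pipeline (constructed for illustration).

Assumptions: the pipeline parses/indexes at most `sustained_eps` events per
second; excess events go into a buffer of `buffer_size` events; once the
buffer is full, further events are dropped.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IngestResult:
    accepted: int
    dropped: int
    first_drop_second: Optional[int]  # 1-based second in which drops began


def simulate_ingest(offered_eps: List[int], sustained_eps: int, buffer_size: int) -> IngestResult:
    """Run a per-second simulation over an offered-load profile.

    offered_eps: events offered in each second (e.g. [1_000_000] * 10 for a
    ten-second burst at the claimed peak). Returns accepted/dropped totals
    and the second in which the first drop occurred (None if no drops).
    """
    buffered = 0
    accepted = dropped = 0
    first_drop = None
    for second, offered in enumerate(offered_eps, start=1):
        # Capacity this second first drains the backlog, then takes new events.
        processed_backlog = min(buffered, sustained_eps)
        buffered -= processed_backlog
        capacity_left = sustained_eps - processed_backlog
        direct = min(offered, capacity_left)
        overflow = offered - direct
        to_buffer = min(overflow, buffer_size - buffered)
        lost = overflow - to_buffer
        buffered += to_buffer
        accepted += direct + to_buffer
        dropped += lost
        if lost and first_drop is None:
            first_drop = second
    return IngestResult(accepted, dropped, first_drop)


def burst_seconds_before_drops(peak_eps: int, sustained_eps: int, buffer_size: int) -> float:
    """How long a burst at peak_eps can last before the buffer overflows."""
    if peak_eps <= sustained_eps:
        return float("inf")  # truly sustained: the buffer never fills
    return buffer_size / (peak_eps - sustained_eps)
```

With a claimed peak of 1M EPS, a real sustained rate of 100,000 EPS and a 5M-event buffer, the burst survives about 5.6 seconds; over a ten-second burst 40% of the events are lost, whereas a pipeline truly sustaining 1M EPS drops nothing.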
Exabeam: your trusted partner
The SIEM vendor landscape can be treacherous, with many companies using underhanded tactics to mislead customers and prospects. It’s essential to be vigilant and educated in order to protect your organization from the negative effects of these practices. To do this, you must acknowledge the issue, be able to recognize the typical tricks in the industry, understand the impact these tricks could have on your organization, and take measures to mitigate any unwanted consequences.
One of the best ways to safeguard your organization is to choose a vendor that values transparency and honesty — a partner that puts your needs first and refuses to engage in the types of games that other vendors play. And that’s where Exabeam comes in. Let us be your trusted partner.
Come back tomorrow for the first post in the series, which will delve into the pricing and scalability games SIEM vendors play.