SIEM License Management — Staying in Control of Ingestion Costs
Managing the cost of a SIEM solution can indeed be a challenging task. During my recent attendance at Infosecurity Europe, the most common concern raised from security operations center (SOC) managers and architects was regarding SIEM ingestion costs. The substantial shift toward SaaS adoption in the last two to three years has rapidly compelled almost all SIEM vendors to adopt ingestion-based licensing models. As a result of this transition to SaaS, the majority of SIEM vendors have embraced ingestion-based licensing, which has introduced complexities in managing licenses. These costs can vary significantly and have the potential to spiral out of control if not effectively managed. As an illustration, let’s look at a couple of examples from public price books offering SIEM as a service:
- Splunk Cloud: Offers a plan priced at $92,000 per annum for a daily ingest of 100GB. This plan is EMEA-based hosting in AWS.
- Azure Sentinel: Offers a plan priced at $134,000 per annum for a daily ingest of 100GB. This plan is UK-based hosting in Azure.
It is evident that SIEM vendors encourage users to ingest as much data as possible without offering efficient ways of predicting or controlling ingestion for the end user. Recognizing this challenge, Exabeam has addressed this critical pain point based on feedback from numerous clients worldwide and introduced functionality to combat this issue and optimize SIEM license management.
Three key features were released earlier this year for Exabeam, which help manage SIEM ingestion and consequently reduce long-term SIEM costs:
With Log Stream, security analysts and architects can visualize and manage parsers in greater detail. This feature displays which parsers are active and how they’re being used. From a license management perspective, analysts can order parsers by event usage over the last 24 hours to identify the most popular parsed events.
By identifying less useful events, such as the example of “checkpoint network traffic success accept” registering two to three times higher than the second most popular parser, analysts can choose to turn them off and reduce ingestion by more than 50%. Additionally, parser calibration scores are provided, helping analysts determine areas where improvements in parsing can be made.
Outcomes Navigator allows analysts to evaluate their use case coverage within the SIEM system. It provides feedback on the coverage levels for key security use cases based on the current logging.The recommendations generated by Outcomes Navigator play a crucial role in license management. By analyzing how well a log source is being parsed and used to achieve the relevant security-based outcomes, analysts can identify opportunities to improve parser calibration and extract more value from the already-ingested data.
The screenshot above displays recommendations to improve the Lateral Movement use case. It informs the analyst that, despite receiving relevant log sources for Lateral Movement coverage, they may not be fully calibrated. Calibration scoring is based on the extraction of relevant metadata from the log itself. Exabeam ranks parser calibration and provides recommendations for improvement. From a license management perspective, this will add value to the data that is already being ingested.
Why pay for data to be ingested if it’s not being utilized correctly? This is a significant trend we observe in SIEM.
Service Health and Consumption
The Service Health and Consumption feature provides a simple graphic breakdown of SIEM ingestion, indicating where the data is coming from per vendor and per parser. In this case illustrated in figure 3 above, BeyondTrust is sending approximately 5GB of data to the SIEM system each day. This visual representation helps security professionals identify potential ingestion surprises and understand the sources of data more effectively.
In conclusion, controlling SIEM costs can be achieved through two key areas:
- Visualizing data ingestion in detail
- Understanding where ingestion is occurring and assessing the effectiveness of the parsing process
The Exabeam Security Operations Platform excels in both aspects, requiring no advanced training and ensuring that your investment in data ingestion is optimized.
In the next part of this SIEM license management series, we will explore how Exabeam can assist in log filtering to further reduce the overhead of log management.
If you’d like to explore how these features can efficiently control your SIEM licensing costs, feel free to schedule a demo.
Want to learn more about these features?
Have a look at these resources:
- Introducing Exabeam SIEM: A Hyperscale Cloud-native SIEM
- Fourth-gen SIEM is New-Scale SIEM™: Cloud-native SIEM at Hyperscale
- Exabeam Security Log Management — Because Security Operations Isn’t IT Operations
- From Blind Spots to Comprehensive Protection: Bridging the Gap in Cyber Coverage
- Safeguarding Banks With Security Updates, Patching, and Pen Testing
- A CISO’s Roadmap: Enhancing Detection, Automation, and Empowerment in Cybersecurity
- What’s New in Exabeam Product Development
Exabeam Commences IRAP Assessment Process for New-Scale SIEM™
What’s New in Exabeam Product Development — July 2023
Making the Switch: A Step-by-Step Guide to Migrating from On-premises to Cloud-native SIEM
Human Connections in Tech: A Dialogue With Brad Sexton
Generative AI and Top Honors: Highlights from Google Cloud Next ‘23
Defending Against Ransomware: How Exabeam Strengthens Cybersecurity
Subscribe today and we'll send our latest blog posts right to your inbox, so you can stay ahead of the cybercriminals and defend your organization.
See How New-Scale SIEM™ Works
New-Scale SIEM lets you:
• Ingest and monitor data at cloud-scale
• Baseline normal behavior
• Automatically score and profile user activity
• View pre-built incident timelines
• Use playbooks to make the next right decision
Request a demo of the industry’s most powerful platform for threat detection, investigation, and response (TDIR).
Get a demo today!