When it comes to security information and event management solutions, pricing is an important factor. After all, SIEM involves a lot of data flowing in every moment, and this data needs to be stored and analyzed somewhere, usually on a SIEM vendor platform. Because of the high costs, many organizations end up compromising on the data they collect: they leave out high-volume sources and hope that their SIEM operations will still be as robust. In this article, we look at the various SIEM pricing models available today. If you're in the market for a SIEM solution, you'll find some useful insights here.
The three SIEM licensing models
While there are numerous SIEM vendors today, they all fall into one of three categories in how they price their solutions. Here are the categories:
- Events per second (EPS): Every device within the organization generates events that are ingested into the SIEM. This method sizes the license on an estimate of the number of events ingested into the SIEM per second. This is the traditional way of calculating the size of the license required.
- Volume per day/volume per month: This method sizes the license on the actual size of the events (in GB/TB) generated and ingested into the SIEM collector per day or per month.
- Device-based: The license is sized on the actual number of devices integrated with the SIEM. This is ideal for small and midsize setups, as it is independent of the variation in the number and volume of events generated across the devices in the network.
The challenges with volume-based pricing
There are different issues with each method that you need to be aware of when deciding between them.
With the events-per-second model, you need to ensure the event rate never exceeds the EPS you have agreed with the SIEM vendor. For example, if your limit is 5,000 EPS and you experience a peak of 6,000 EPS during one hour of the day, the extra 1,000 events per second will either be dropped completely or be queued and added at a later time. This is not ideal, as it doesn't give you a holistic view of your SIEM data.
Similarly, with the volume per day/month model, you calculate how many GB of data are generated by your systems and buy a license accordingly. Here again, if you stay within this GB limit, things work fine, but the minute your data crosses that threshold, you risk losing or delaying access to your SIEM data.
Licensing policies based on EPS and log volume push you to trim the data you ingest into the SIEM tool. This often means significantly undersizing your requirements to fit your budget, and later paying for expensive upgrades.
SIEM licenses are often sized without considering any application-level logs. However, collecting and analyzing these logs is mandatory in today's environment. Often, organizations consider only a minimal set of events collected from standard technologies. This assumes the best-case scenario, which, as we know, never turns out to be true. It means that much of the MITRE framework TTPs (tactics, techniques, and procedures) coverage that relies on these logs cannot be achieved with the SIEM tool.
Another issue with both of the above models is that you will inevitably end up over-provisioning and buying far more capacity than you need on a typical day.
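The trade-off described above (drop events at the cap, or pay for peak capacity that sits idle the rest of the day) is easy to put numbers on. The following sizing helper is an added example, not code from the article or from any SIEM vendor. It builds a constructed 24-hour event profile matching the article's 5,000/6,000 EPS scenario and an assumed average event size of 500 bytes, then reports how many events a hard EPS cap would discard, what the same day looks like as a GB/day figure, and how far a peak-sized EPS license exceeds the average load.

```python
"""Sizing helpers for the EPS versus volume-per-day licensing trade-off.

Added example (not from the article or any vendor). Given a constructed
24-hour event profile, it shows how an EPS cap drops events in the peak
hour, how much capacity sits idle if you size for the peak instead, and
what the same day costs under a volume-per-day (GB/day) measure.
"""
from statistics import mean

SECONDS_PER_HOUR = 3600

# Constructed profile: events ingested per hour over one day.
# 23 quiet hours at 3,000 EPS and one peak hour (a backup window or a
# scheduled scan, say) at 6,000 EPS, matching the article's scenario.
HOURLY_EVENTS = [3_000 * SECONDS_PER_HOUR] * 23 + [6_000 * SECONDS_PER_HOUR]

# Assumed average size of one log event in bytes (constructed value).
AVG_EVENT_BYTES = 500


def eps_per_hour(hourly_events):
    """Average events per second for each hour of the profile."""
    return [count / SECONDS_PER_HOUR for count in hourly_events]


def events_dropped_under_cap(hourly_events, cap_eps):
    """Total events lost if the collector discards everything above cap_eps.

    Modelled at hourly granularity, so sub-hour bursts are averaged out and
    real loss under a strict per-second cap can only be higher.
    """
    return int(sum(max(0.0, eps - cap_eps) * SECONDS_PER_HOUR
                   for eps in eps_per_hour(hourly_events)))


def drop_fraction(hourly_events, cap_eps):
    """Share of the day's events that never reach the SIEM under the cap."""
    return events_dropped_under_cap(hourly_events, cap_eps) / sum(hourly_events)


def gb_per_day(hourly_events, avg_event_bytes):
    """The same day expressed as a volume-per-day licence measures it (GB = 1e9 bytes)."""
    return sum(hourly_events) * avg_event_bytes / 1e9


def peak_to_average_ratio(hourly_events):
    """How much larger a peak-sized EPS licence is than the average load.

    Anything above 1.0 is capacity you pay for but do not use on an
    ordinary hour; this is the over-provisioning the article refers to.
    """
    eps = eps_per_hour(hourly_events)
    return max(eps) / mean(eps)


def sizing_report(hourly_events, cap_eps, avg_event_bytes):
    """Collect the figures a buyer would compare across licensing models."""
    eps = eps_per_hour(hourly_events)
    return {
        "peak_eps": max(eps),
        "average_eps": mean(eps),
        "events_dropped_at_cap": events_dropped_under_cap(hourly_events, cap_eps),
        "drop_fraction": drop_fraction(hourly_events, cap_eps),
        "gb_per_day": gb_per_day(hourly_events, avg_event_bytes),
        "peak_to_average": peak_to_average_ratio(hourly_events),
    }


if __name__ == "__main__":
    for key, value in sizing_report(HOURLY_EVENTS, 5_000, AVG_EVENT_BYTES).items():
        print(f"{key:>22}: {value}")
```

Run against the constructed profile, a 5,000 EPS cap discards 3,600,000 events, which is only about 1.3% of the day's total but all of it concentrated in the one hour where something unusual was happening. Sizing for the 6,000 EPS peak instead leaves the license 1.92 times larger than the average load. Replace `HOURLY_EVENTS` with real per-hour counts exported from your collectors to reproduce the comparison for your own environment.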
The better alternative — Device-based pricing
The SIEM pricing model based on the number of devices is more predictable. This is because the number of devices in an organization is more consistent and predictable than the volume of data generated each second, day, or month. Yes, new devices will still be added and existing devices removed, but this is far less change than data that can spike sky-high one moment and drop to normal levels the next.
Device-based pricing works well, provided it comes without caveats. For example, if the cost per device is unreasonably high, this model would not work. Or if there is an unstated limit on the data captured per device, then again, this model will not work.
The ideal scenario is SIEM pricing per device with the amount of data uncapped or unlimited. This gives you peace of mind on two counts: all SIEM data will be captured in real time no matter how much data flows in, and the costs will remain predictable month on month.
What is a device in SIEM?
It helps to clarify what a device is in the context of SIEM. To be sure, there are multiple types of devices, and each SIEM vendor has its own definition of what it considers a device. In the simplest terms, every individual log-forwarding entity is a device. Here are some examples of device types:
- A Linux server with an Apache web server and an Oracle database
- A perimeter firewall handling traffic for the whole data center
- A firewall management server managing five different firewalls
- An AWS EC2 server or RDS database instance
Each of these devices needs a separate license. As is clear from the list, each of these devices will generate a different amount of data. It is important to check whether a SIEM vendor has different prices for each device type. Get a list of all device types from any SIEM vendor you're considering, and make sure to account for all devices in your system when estimating costs.
Advantages of an uncapped device-based license
The best type of device-based pricing is an uncapped device-based license. This simply means that there is no limit on the amount of data stored or processed per device.
With an uncapped device-based license, you can ensure that there is no cap on:
- Log volume/EPS of logs forwarded by each individual device
- Number of users using the SIEM tool
- Number of queries, or dashboards created to analyze the data ingested
- Number of copies of SIEM data
- Retention period for the SIEM data
As you get down to this level of detail, you’ll notice huge variations between each vendor’s pricing model. But as the saying goes, the devil is in the details. These details matter when investing in a critical security solution that your organization will rely on for the years ahead.
SIEM vendors and their pricing models
Here is a list of SIEM vendors, large and small, organized by the type of pricing model they offer:
SIEM EPS pricing
- IBM QRadar, ArcSight, RSA NetWitness, McAfee
These vendors are some of the oldest on the market. They follow the most widely used pricing model in SIEM today: EPS. Their platforms are widely deployed and are especially popular with large enterprises. If your organization is an enterprise with very specific requirements, these vendors can meet every need, as they've seen it all over the years.
SIEM volume per day/month pricing
- Splunk, DNIF
Splunk is one of the most well-known tools on the market. They primarily price their offering based on data volume. Splunk is a robust offering with all the bells and whistles of a modern SIEM.
DNIF is not as well known as the others here but is a capable SIEM offering with volume-based pricing, though this is not their only pricing model.
SIEM device-based pricing
- Splunk, DNIF, FireEye Helix
Coming to the interesting device-based pricing, Splunk does offer a device-based licensing model, but it comes with a caveat that volumes are “subject to service limits.”
DNIF’s main pricing model is device-based. They offer a true UDL (uncapped device-based license) that doesn’t limit the amount of data ingested from each device. Additionally, they have a uniform price for any type of device. DNIF has recently released a community edition of its SIEM software that is full-featured and is a great way to gauge whether the platform is a good fit for your organization.
FireEye Helix is a relatively new vendor in the space. They offer a device-based pricing model and are competitively priced.
DNIF and FireEye Helix are worth looking into if you want device-based pricing and Splunk is still too expensive or restrictive for you.
SIEM vendors and pricing: Many to choose from
As you can tell, there are many options to choose from when it comes to SIEM vendors. You need to look into the details of pricing and choose the model that suits your needs best. With a device-based license, you can enjoy predictability in your SIEM costs and integrate all log types to ensure full visibility.
Featured image: Pixabay