If The Above Holds True, Read On!
Fundamentally, SIEM (Security Information and Event Management) is a comprehensive approach to security management that uses rules and statistical correlations to turn log entries and events into actionable information. Over the last few years, other solutions such as UEBA and SOAR (User and Entity Behaviour Analytics and Security Orchestration, Automation, and Response) have also evolved as key cybersecurity tools and are often layered with SIEM.
However, today, with ever-increasing data loads, the ability to scale extremely fast without compromising on the effectiveness of SIEM operations, data availability, and data granularity gains prominence. Furthermore, with an increase in data loads, cost becomes a pivotal concern for the security operations centre.
Relevance of Scale and Cost
In this article, we discuss two pertinent issues with SIEM – the relevance of scale and its consequences for cost.
At its core, SIEM is a great log management tool. However, due to its innate structure, ingesting, analyzing, and correlating large volumes of data is not its core strength. One would typically argue that legacy SIEMs can manage voluminous data by filtering and abstracting it before it is ingested into the SIEM. However, this approach compromises the resolution of the data.
With high data volumes, it becomes critical for every organization to have infrastructure capable of processing large amounts of data and providing visualization and querying across data sources. However, this would involve scaling up the database that stores the SIEM data, the analytics engine that queries the database, and the infrastructure that hosts it.
Here’s the catch-22!
Reducing coverage gaps entails heavy investment in infrastructure, licensing, consulting fees, and more. Furthermore, the critical question, “At what cost?”, weighs heavily, as costs can spiral out of control when data reaches hyperscale. The absurdity of the situation is like spending $10mn on a vault to protect an asset worth $1mn – this can hurt!
Unfortunately, most cybersecurity vendors punt and follow what they know best – charging on the basis of EPS or GB of data ingested. Now, if you are a vendor, you are laughing your way to the bank; however, this does not hold true if you are the client! Paying by EPS and data volume kills your growth and sets you up for long-term failure.
How Do Market Leaders Charge?
Since we are focusing on Scale and Cost in this article, let us look at how the market leaders fare here.
IBM QRadar is an older SIEM solution that is widely adopted by many enterprises. It leverages correlation and other tactics to deal with large-scale data but is one of the solutions retrofitted to an aging data platform.
IBM QRadar pricing is based on events per second (EPS) and flows per second (FPS). The on-premises solution starts at $10,400, including 12 months of support, while the cloud-based solution starts at $800 per month on an annual term. The IBM QRadar Community Edition, a low-memory, low-EPS version of QRadar, is available for free.
Splunk is a great option as a modern SIEM solution that includes UEBA and SOAR capabilities natively. It does well at scale and excels in machine learning capabilities. The downside is that costs can quickly spiral out of control when data reaches peak levels.
Splunk’s pricing is based on the number of users and the amount of data ingested per day. A free version is available for a single user and up to 500 MB of data per day. While annual subscriptions are available for Splunk Cloud Platform and term licenses are available for on-premises products, the pricing details previously published on the website have been replaced with a “Contact Us” prompt.
In an earlier Gartner report, some of their clients had raised concerns about the licensing model and the overall cost of implementation. Splunk has introduced new licensing options to address those concerns.
HyperScale SIEM To The Rescue
We came across an industry newcomer called DNIF that recently launched HyperScale SIEM, a tool capable of processing high volumes of data. They claim to be able to ingest and enrich voluminous data faster and at lower costs.
We evaluated this tool further. Here are our observations.
DNIF HyperScale SIEM is a composite solution that combines UEBA and SOAR into a single application. Its petabyte-scale data lake can ingest, enrich, store and correlate data in real time. In a user review we came across online, the tool’s ability to scale hassle-free to hyperscale data nodes was mentioned.
We also noticed that it has one of the industry’s best data compression values: the General mode offers up to 95% compression, and the Maximal mode up to 98.4% compression. It also comes power-packed with 50K EPS processing capability on a standard 8-CPU server. What this means for a SOC is that higher data compression leads to a lower storage footprint, bringing hardware cost down to a third while delivering top performance. Also, component-level redundancy provides resilience against system failure and data corruption.
Also, we have been told that the pricing is per device rather than by data volume or EPS.
DNIF HyperScale capabilities include ML-powered user behavior monitoring, network traffic anomaly detection, historical and real-time correlation against threat intelligence, predictive analytics, and other intelligent analytics to address a wide range of business-critical security use cases. In addition to the tool providing an in-depth coverage map against the MITRE ATT&CK and CAPEC frameworks, alert investigation gets a lot easier with its automation and orchestration capabilities. Workbooks, context queries, modules, dashboards, and a lot more can be found in a single package on DNIF Cloud. However, prior understanding of DQL (DNIF Query Language) is needed, for which they do provide assistance.
Check them out!