SIEM is so hot right now (see: the hype of next-gen, AI-enhanced, and tech acquisitions abound), but with the vast number of vendors crowding the space, how can small and medium-sized businesses choose?
Often it can all come down to pricing; not just the initial upfront capital costs including setup, implementation, configuration, tuning, maintenance and infrastructure, but also the ongoing operational costs associated with data volume. It’s important to consider the pricing model as you evaluate security vendors to partner with for the long haul.
The amount of data logged, or sent to a vendor’s solution, and analyzed for anomalies is often used to determine pricing. Many SIEM providers may charge you by the amount of data you send to their service per time period (also known as ‘pay-as-you-go,’ data volume, or consumption), which can be problematic for a few reasons:
Charging by data ingestion can really add up over time as your environment grows. Microsoft’s pricing calculator for 500GB/day amounts to $43,824 for 30 days or $525,888 a year (and that’s at a discounted rate).
Others charge by endpoint for XDR capabilities, in addition to the data volume associated with sending your logs to a SIEM – at the higher end, a well-known enterprise vendor will run you upwards of $100,000 a year for 500 endpoints to start, in addition to an unknown and fluctuating amount based on data ingestion. Elastic’s SIEM calculator estimates $333,576 annual cost for 450 endpoints (roughly 500GB) and one year of data retention.
This often does not include long-term data retention, which is required by many compliance frameworks and to be approved for cyber insurance (see Azure pricing by log type, search capabilities, and retention).
It’s not just the ongoing ingestion costs that make it more expensive; most vendors also charge for add-ons (that’s how they getcha). Want 24/7 security support, onboarding, configuration, technical assistance or custom detection rules? Proactive threat hunting and outreach for emerging threats? Managed and tuned detection rules? Parsing or additional integrations? External threat scanning to identify unknown open ports? Ongoing security assessments and recommendations? Pre-built reports or the ability to access and/or search all of your raw logs? That’ll be extra, or you’ll need to outsource or do all of the development in-house, which means hiring and training additional costly security staff.
It’s hard to budget in advance as your data needs fluctuate from month to month based on user, network and app activity or unforeseen changes in your tech stack. These are all variables that can result in data increases and cost surges that may push you over budget.
Without analyzing your full dataset (and having to make financial decisions about limiting your data based on costs), you may miss critical indicators of compromise – meaning you may not catch an attack in progress until the damage is already done. That can include customer data loss, reputational damage, operational downtime, compliance violations, legal fees and more.
To reduce costs, some SIEM, MDR and/or XDR vendors may talk up their approach to dropping many of your logs while keeping some of your data history in cold storage in order to check a compliance box. But compliance does not always equal security (especially in this scenario), and this approach can result in holes in your complete log history and frustration for forensic investigation after an incident occurs.
Blumira’s pricing model is fixed at a flat monthly rate per seat at your organization to help SMBs predictably budget for their security costs. A seat is counted for each knowledge worker/employee at your organization who has a corporate email address (excluding any factory workers or students, in the case of manufacturing companies or education). We do this in order to more accurately approximate the amount of data each employee is generating and sending to our platform. Additional agents are available for a low monthly fee for organizations with more endpoints than seats.
The great part about this for our customers is there’s no limit on the amount of data you can send to Blumira’s platform for analysis, detection and response to give you the greatest visibility across your entire environment. That means you don’t need to worry about making tough decisions around which application you want to collect data from, or how much data you can afford to send each day; you can just hook them all up and continually ship logs over to us at no additional cost. Our around-the-clock streaming and analysis gives you peace of mind and 24/7 monitoring, without any disruption.
As for long-term data retention, we’re not in the business of ‘thinning out’ your log history or making it difficult or slow to access your logs. Blumira holds a year of all of your logs in hot storage so it’s readily available when you need them – crucial in the time-pressed aftermath of an incident when you need to verify how an attacker got in and if they still have access to your systems. A year of data retention is included in the flat rate for our editions and even longer retention options are available too.
What else do you get for the flat XDR rate?
Blumira’s value is not just in the automation, ease of use and advanced security technology built into our platform, but also in the teams of people at the ready to back you up during stressful security scenarios. That value is like adding another member to your security team, or being able to tap us if your small IT team is short on resources or expertise.