

Making Sense of SIEM Pricing: Pricing by Data Volume

As the Security Information and Event Management (SIEM) market continues to grow, organizations have more options than ever when deciding which SIEM is right for them. While SIEM vendors keep innovating and adding to the breadth of features already available, the decision about which SIEM is right for an organization sometimes comes down to price. In this second part of a five-part series on SIEM pricing, we dive into pricing by data volume.

Before looking at the traditional pricing model, it helps to understand what is generally required up front. Organizations that manage a SIEM on-premises can typically expect a large capital expenditure at purchase time. There are several deployment models, each with implications for how the SIEM is managed:

  1. On-premises:
    • Managed internally
    • Managed by service provider
    • Managed internally and with service provider
  2. Hybrid on-premises and cloud:
    • Managed internally
    • Managed by service provider
    • Managed internally and with service provider
  3. Cloud:
    • Managed internally
    • Managed by service provider
    • Managed internally and with service provider

Each of these deployment models requires a different strategy for managing the resources that will be fed into the SIEM. How the SIEM is managed is usually dictated by the available in-house expertise, weighed against the efficiencies of sharing management between internal personnel and a managed security service provider.

This leads us to pricing by data volume. Data volume is priced either by events per second (EPS) or by the number of megabytes or gigabytes indexed per day. The two units are not interchangeable: converting one to the other requires an average event size, which varies widely by log source, so quotes in different units should be compared using the same measured average. On average, organizations tend to weigh vendor capabilities more heavily than cost and may begin their SIEM search by looking at the breadth of capabilities. However, when organizations look only at the breadth of features, the initial capital expenditure plus the operational expenditure of data-volume licensing usually produces staggering sticker shock.

This is because organizations generally do not consider the preparation needed before approaching SIEM vendors. To begin with, determining how much data will be fed into the SIEM is difficult, because organizations do not typically have that figure on hand. For instance, if you need to feed your firewall logs into the SIEM, is it clear how much data will be ingested and how often that ingestion needs to take place? Generally, some data should be fed in near real time for incident response and prevention, and to drive automation and correlation rules, while other data can be fed in non-real time for operational and informational goals such as event and problem management, vulnerability management, and regulatory compliance. Knowing which data falls into which category will drastically change your estimate of the number of events or the amount of data fed per day.

Once you have defined these goals, you will need to map out the assets that you want to feed into your SIEM initially and plan for what will be added in the future. Furthermore, you will need to determine how much data all these resources will produce so that you have an idea of how to plan your licensing and your initial SIEM implementation.

Finally, organizations need to consider their data retention policies for each of the data types that will be fed into the SIEM. Some data types will require specific retention periods for regulatory compliance; for the rest, retention should be set according to your own needs. One useful set of tiers is:

  • Hot log retention: 1 to 60 days, for real-time analysis
  • Warm log retention: 61 to 120 days, for determining whether something is historically inconsistent
  • Cold log retention: 121 to 180 days, at which point a threshold review is triggered
  • Frozen log retention: 181 days to 6 years, with limited search capability
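The sizing exercise described above (inventory the sources, decide which feeds are near-real-time, estimate EPS and GB/day, then apply the retention tiers) is easier to reason about as a small model. The following is an added example, not code from the original article or from any SIEM vendor. Every figure in it is a constructed assumption: the source inventory, event sizes, peak ratios, the per-tier compression ratios and the license bands are placeholders to be replaced with measurements from your own environment and your vendor's actual price list.

```python
"""Estimate SIEM data volume and retention storage from a source inventory.

Added worked example, not from the original article or any vendor. Every
figure below (sources, event sizes, peak ratios, compression ratios, licence
bands) is a constructed assumption; replace them with measurements from
your own environment.
"""
from dataclasses import dataclass

BYTES_PER_GB = 1_000_000_000   # decimal GB; confirm whether your vendor bills in GB or GiB
SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class LogSource:
    name: str
    avg_eps: float            # sustained events/second across all devices of this type
    avg_event_bytes: int      # mean raw event size, measured from a sample of real logs
    peak_factor: float = 1.0  # observed peak/average ratio (business hours, scans, outages)
    real_time: bool = True    # near-real-time feed for detection vs. batched for reporting


# Constructed inventory (assumption for illustration only).
INVENTORY = [
    LogSource("perimeter-firewalls", avg_eps=1500, avg_event_bytes=350, peak_factor=3.0),
    LogSource("windows-security", avg_eps=800, avg_event_bytes=900, peak_factor=2.0),
    LogSource("web-proxy", avg_eps=600, avg_event_bytes=500, peak_factor=2.5),
    LogSource("vuln-scanner", avg_eps=5, avg_event_bytes=2000, peak_factor=20.0,
              real_time=False),
]


def daily_gb(src: LogSource) -> float:
    """GB/day a single source contributes at its sustained rate."""
    return src.avg_eps * src.avg_event_bytes * SECONDS_PER_DAY / BYTES_PER_GB


def total_daily_gb(inventory, real_time=None) -> float:
    """GB/day for the inventory; pass real_time=True/False to size one feed class."""
    return sum(daily_gb(s) for s in inventory
               if real_time is None or s.real_time == real_time)


def sustained_eps(inventory) -> float:
    return sum(s.avg_eps for s in inventory)


def peak_eps(inventory) -> float:
    """EPS-licensed products commonly throttle or drop above the licensed rate, so size to peak."""
    return sum(s.avg_eps * s.peak_factor for s in inventory)


def eps_from_gb_per_day(gb_per_day: float, avg_event_bytes: float) -> float:
    """Convert a GB/day quote to EPS. The result depends entirely on the assumed
    event size, so compare vendors using the same measured average."""
    return gb_per_day * BYTES_PER_GB / (avg_event_bytes * SECONDS_PER_DAY)


# Retention tiers from the article (days), paired with assumed on-disk ratios
# relative to raw ingest (1.0 = uncompressed and indexed; lower = compressed/archived).
TIERS = [
    ("hot", 1, 60, 1.0),
    ("warm", 61, 120, 0.5),
    ("cold", 121, 180, 0.3),
    ("frozen", 181, 365 * 6, 0.15),
]


def storage_by_tier(gb_per_day: float, tiers=TIERS) -> dict:
    """GB of storage each tier needs once its full retention window is populated."""
    return {name: gb_per_day * (end - start + 1) * ratio
            for name, start, end, ratio in tiers}


def license_band(gb_per_day: float, bands=(50, 100, 250, 500, 1000), headroom=1.25):
    """Smallest (assumed) GB/day band covering ingest plus growth headroom, or None."""
    needed = gb_per_day * headroom
    return next((b for b in bands if b >= needed), None)


if __name__ == "__main__":
    total = total_daily_gb(INVENTORY)
    print(f"sustained EPS: {sustained_eps(INVENTORY):.0f}, peak EPS: {peak_eps(INVENTORY):.0f}")
    print(f"ingest: {total:.1f} GB/day (real-time {total_daily_gb(INVENTORY, True):.1f}, "
          f"batch {total_daily_gb(INVENTORY, False):.1f})")
    print(f"licence band: {license_band(total)} GB/day")
    for tier, gb in storage_by_tier(total).items():
        print(f"{tier:>6}: {gb:,.0f} GB")
```

Two design points matter more than the numbers. First, an EPS quote and a GB/day quote only become comparable once you fix an average event size measured from your own logs; a vendor's default assumption can differ from yours by several times. Second, frozen-tier storage dominates the total even at a strong compression ratio, so the retention decision, not the ingest rate, usually drives the long-term cost.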

Source: Security Incident and Event Management at SoftwareReviews, Report Published October 2019

Our Take

All these considerations factor into data-volume pricing, which does not simplify things for IT security shops that are strapped for time and cash. However, pricing by data volume can save organizations time and money if approached effectively, because implementing a SIEM carries costs beyond data ingestion. For instance, if the preparation above can be done internally, deployment will be that much easier, because the security operations team will already understand how to configure resources to send data to the SIEM, potentially saving the cost of deployment consultants. Furthermore, knowing what needs to be ingested in near real time and what can be ingested in non-real time can reduce the gigabytes per day or events per second you pay for. Finally, knowing your log retention needs is important for using the data strategically beyond security incident response and prevention, which can draw other business units into using the SIEM for their own event and problem management. Since many SIEM vendors still price their solutions by data volume, understanding the deployment models, resource data volume, resource inventory, ingestion timeframes for event management, and log retention periods is crucial when starting your SIEM search.

