Expert Perspectives

How the Right SIEM Pricing Model Improves SecOps

And Why In-Depth Analysis Matters

The success of your SecOps team depends in no small measure upon their data access, training, and the quality of their analytical tools.

Equipping and training your security analysts to work with Security Information and Event Management (SIEM) or Security Orchestration, Automation and Response (SOAR) tools is a vital move, but alone it cannot guarantee success. The third variable is a bit of a wild card, and an expensive one at that. In a typical SIEM, the more event data you ingest, the higher your bill. These metered, volume-based pricing models discourage SecOps from ingesting all available security data for analysis, forcing analysts to make do with less.

The most effective security teams I’ve seen demand almost unlimited data access. Does such an economic model exist? Happily, yes, and more on that in a moment.

First, let me explain why this in-depth analysis matters, at least from my vantage point as a Symantec TIPP Partner. Exabeam’s Security Management Platform plugs into Symantec products such as Integrated Cyber Defense Exchange (ICDx) to collect log data, apply behavioral analytics to detect complex attacks, and automate incident response, both on-premises and in the cloud. We conduct behavioral analytics to identify both known and unknown threats, such as attacks with no detectable signature. We also find threats that span many different data silos, from endpoints to cloud services.

Second, it stands to reason that the less event data you analyze, the less you know, and the higher your risk exposure. Analysts may be unable to find or respond to unidentified intruders who steal data or deliver malware to your network. Applying Exabeam’s Data Lake, Advanced Analytics not only captures more insights; it can also prioritize data loss prevention (DLP) alerts based on high-risk user or asset behavior and surface those to an analyst.

Third, higher-productivity SecOps teams drive greater cost savings. Exabeam’s Incident Responder enables automated responses when we find a threat. Analyzing log data, we may detect a threat, then contain, quarantine, investigate, or mitigate it using automated response playbooks.

The Right Model

We’re moving away from the traditional SIEM model, a correlation and rules-based engine that tends to find only known threats and requires a lot of maintenance. Our SIEM is built on an analytics platform: we apply machine learning to baseline how every user and machine behaves on your network, recording and flagging deviations from normal activity. This capability, known as User and Entity Behavior Analytics (UEBA), helps identify unknown and insider threats. UEBA lets us review all anomalous behavior and also reduces false positives, incidents that stifle SecOps team productivity.
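To make the baselining idea concrete, here is an added toy example, not Exabeam’s code or algorithm and far simpler than a production UEBA engine: it learns each user’s usual source hosts and logon hours from a constructed training window, then scores later events by how far they deviate and ranks them for an analyst. Users, hosts, timestamps and the score weights are all made up for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime


def constructed_training_window():
    """Constructed 'normal' logon history (not real telemetry).

    alice logs on from her workstation four times a day; bob uses his
    workstation and a jump host. Five weekdays, 4-8 March 2024.
    """
    rows = []
    for day in range(4, 9):
        for hour in (8, 10, 13, 16):
            rows.append((f"2024-03-{day:02d}T{hour:02d}:00:00", "alice", "ws-alice"))
        for hour, host in ((9, "ws-bob"), (11, "jump-01"), (15, "ws-bob")):
            rows.append((f"2024-03-{day:02d}T{hour:02d}:00:00", "bob", host))
    return rows


def build_baseline(events):
    """Per user, count how often each source host and each hour-of-day occurs.

    events: iterable of (iso_timestamp, user, host) tuples.
    """
    hosts = defaultdict(Counter)
    hours = defaultdict(Counter)
    for ts, user, host in events:
        hosts[user][host] += 1
        hours[user][datetime.fromisoformat(ts).hour] += 1
    return {"hosts": hosts, "hours": hours}


def score_event(baseline, ts, user, host):
    """Score one logon against the user's own baseline.

    Returns (score, reasons). 0 means nothing unusual; the weights are
    arbitrary illustration values. A user with no history scores maximum
    because there is nothing to compare against, which is itself worth
    an analyst's attention.
    """
    user_hosts = baseline["hosts"].get(user)
    if not user_hosts:
        return 100, ["no baseline for user"]

    score, reasons = 0, []
    if host not in user_hosts:
        score += 60
        reasons.append(f"first logon from host {host}")

    hour = datetime.fromisoformat(ts).hour
    user_hours = baseline["hours"][user]
    fraction = user_hours[hour] / sum(user_hours.values())
    if fraction == 0:
        score += 40
        reasons.append(f"never seen logging on at hour {hour:02d}")
    elif fraction < 0.05:
        score += 20
        reasons.append(f"rare hour {hour:02d} ({fraction:.1%} of logons)")
    return score, reasons


def rank_events(baseline, events, min_score=1):
    """Score a batch and return (score, ts, user, host, reasons) rows,
    highest deviation first, so the analyst queue leads with the
    strongest anomalies and baseline-conforming activity is dropped."""
    ranked = []
    for ts, user, host in events:
        score, reasons = score_event(baseline, ts, user, host)
        if score >= min_score:
            ranked.append((score, ts, user, host, reasons))
    return sorted(ranked, key=lambda row: row[0], reverse=True)


# Constructed events for the following Monday.
NEW_EVENTS = [
    ("2024-03-11T11:00:00", "bob", "jump-01"),        # matches bob's baseline
    ("2024-03-11T03:15:00", "alice", "ws-alice"),     # usual host, unusual hour
    ("2024-03-11T10:30:00", "alice", "db-prod-02"),   # usual hour, new host
    ("2024-03-11T02:40:00", "alice", "db-prod-02"),   # new host at 02:40
    ("2024-03-11T09:00:00", "svc-backup", "bk-01"),   # never seen before
]

if __name__ == "__main__":
    baseline = build_baseline(constructed_training_window())
    for score, ts, user, host, reasons in rank_events(baseline, NEW_EVENTS):
        print(f"{score:3d} {ts} {user:<10} {host:<11} {'; '.join(reasons)}")
```

Run as a script it prints four rows: the two 100-point events first (alice from an unknown host at 02:40, and a service account with no history), then the new-host logon, then the off-hours logon; bob’s in-pattern event never reaches the queue. The point the text makes about false positives shows up here as the per-user baseline: an 11:00 logon from a jump host is normal for bob and would be anomalous for alice, which a global rule cannot express.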

We are built to scale because our Security Management Platform employs Elasticsearch with a flat pricing model. That allows our customers to look at huge volumes of data without sweating the cost. We charge based on the number of users, a metric that does not change very rapidly. Customers tell us we have turned the SIEM pricing problem on its head.

Once you turn away from volume pricing, Exabeam’s centralized approach and console enable your team to pull in ample event data, apply Advanced Analytics, and hunt for threats. Unlike manually intensive legacy SIEMs, which require analysts to determine asset ownership and build incident timelines by hand, Exabeam automates that discovery process to enable faster mitigation. Exabeam pushes actions to other systems such as Active Directory, your email servers, or security products such as those from Symantec, to achieve an automated response.

A Great Partner

Symantec ICDx opens the floodgates of valuable security data available to security teams from Symantec products. Exabeam’s flat pricing model makes it possible to log and store it all in a SIEM without swallowing a giant bill. It also allows SecOps teams to spend their budget in more productive ways. Discover more about Exabeam’s Security Management Platform and Symantec’s ICD Platform.

About the Author

Orion Cassetto

Director, Product Marketing, Exabeam

Orion Cassetto, Director, Product Marketing, Exabeam, has over a decade of experience marketing cyber security products. He is a security enthusiast and frequent speaker at conferences and tradeshows.