What were your main pain points during the SIEM product purchase process?

You’ve got some pretty good answers so far. Here are a few of the pain points I’ve experienced.

• Log source integration – not all SIEMs will work with all log sources easily. Be sure to catalogue all the different (especially non-standard) logs sources you want to integrate ahead of time.


• Volume of ingest – it can be extremely difficult to calculate before purchase what your log volume will be, and this will affect the cost significantly. It will also determine the footprint for relays and on-prem hardware needs. There are quite a few tools to help calculate this, but most are very hard to use.


• Pricing models – each SIEM has its own pricing model, and they can be very problematic. There can be quite a few hidden or micro charges that seem insignificant upfront but lead to huge surprises once the product is in use.

I’ve led the purchase of three enterprise SIEMs at two different enterprise organizations and they were all very unique in their challenges. Take your time doing your due diligence and plan as much as possible ahead of time. Don’t get enamored by the sales jargon and really press the vendors on your needs and concerns. Get your needs addressed early in the negotiation process and do your best to cover all your requirements before you sign a purchase agreement. It can be a pricey mistake to underestimate your needs. Be vigilant about what the on-prem server footprint will be as that is the cost that is not part of your contract price (compute cost). Moving from one SIEM to another is both costly and difficult so be sure the SIEM you purchase will be able to grow with your org as its use cases grow.

We've worked in SOC for many years. Here are a few pain points in SIEM solution purchases.

• Difficulty evaluating and comparing different SIEM products: With a large number of SIEM products on the market, it can be challenging for organizations to determine which product is the best fit for their needs.


• Complexity of the purchasing process: The process of evaluating and purchasing a SIEM product can be time-consuming and require significant resources, particularly for larger organizations.


• Integration and deployment challenges: Implementing and integrating a SIEM product into an organization's existing systems and processes can be complex and may require specialized expertise.


• Cost: The cost of SIEM products can vary significantly, and organizations may need to carefully consider the balance between cost and functionality when evaluating different products.


• Lack of clear ROI: It may be difficult for organizations to quantify the return on investment for a SIEM product, particularly in terms of the cost of the product versus the benefits it provides in terms of improved security and incident response.


• Ongoing maintenance and support: Organizations may need to consider the ongoing maintenance and support costs associated with a SIEM product, including the cost of updates and bug fixes.

1. License models are not communicated transparently which makes planning complicated. You have to talk to multiple people at multiple vendors in several meetings to fully understand the cost scaling factors. That is quite time-consuming. You can overcome this when you just dictate price limits - yes you can actually do that.

2. Planning and conducting a PoC can be a challenge. Depending on how a PoC process is being setup by the vendor. You can overcome this if you ask for the PoC Procedure Plan right from the initial contact with the vendor and use it for internal planning.

Volume versus costs.
Using an intermediate (free) tool to store, transform data and  forward only the sumarization (smartdata) of what really matters.