You may know the classic Eagle’s song “Hotel California,” about greed and excess in America with the final lyrics, “You can check out any time you like, but you can never leave!”
Yeah, I am an old timer, and I was listening to this track lately, and it hit me how many security vendors have a “Hotel Califonia” business model. Not only do security vendors try to lock customers into increasingly expensive licensing, but they also make it challenging to integrate with other tools within the security ecosystem, requiring additional tools with different licensing if they provide integrations with other tools at all. Here are a few things to watch out for when selecting a SIEM to ensure it’s not a Hotel California where you can never leave.
One way some SIEM vendors get their foot in the door with a new account is to offer an “all-you-can-eat” license for data ingest. The idea here is that the vendor provides an amazing deal to consume as much data into their SIEM as they want for a long time, usually three years. The vendor will then help onboard data across multiple organizations within a company and ensure that the organization becomes heavily dependent on this tool.
The trick is that this is often a one-time deal rather than something that can be renewed. The customer is then hit with sticker shock when their sales rep provides a “true-up” license renewal based on the data they are ingesting. The vendor then feels they can hold the customer’s security data for ransom if they don’t pay the higher license cost; you have to reduce the amount of data you ingest or switch to a different SIEM. Vendors are aware both of these prospects are painful endeavors and not something that can be done overnight and will require the customer to pay at least another year of licensing before they can migrate.
Leveraging a SIEM that can decouple the detection engine and ingest from the Security Data Lake helps organizations not be held hostage by a single vendor. Being able to filter data is critically important for a SIEM, mainly if that SIEM’s pricing model is based on data ingest volume. Being able to filter, redirect, or bifurcate data based on various parameters is critical to a modern SIEM architecture.
One challenge I have seen with customers leveraging SIEM tools provided by cloud platforms is that they, by design, need to play better with others. Trying to ingest logs from another cloud platform, for example, can be quite painful to get working, as data egress methods differ across platforms. The ingest of external data often comes with a higher price tag where you are often double dipped, one by the vendor for data egress and again by the SIEM platform for data ingest.
Getting data in is one challenge, but also getting data out, whether it is to export to a different platform, can be a challenge, notably when the SIEM leverages a proprietary storage format; if you want to convert the data to another format, there are often additional costs associated with this process.
The ability to send alerts to multiple destinations, not just within the SIEM, has become critically important to modern SIEM use cases. Panther is unique in the SIEM space for providing multiple methods out-of-the-box to send alerts to various collaboration tools such as Jira, Slack, GitHub and even integrates with other SIEMs such as Splunk. In addition to out-of-the-box alert destinations, Panther also provides custom webhooks to send to internal tools and applications. Empowering detection engineers also to send alerts to different destinations depending on the data source, severity, or even within the logic of their detection puts the power of SIEM into the hands of detection engineers.
Another trap many security vendors lay for their customers with “surprise pricing” is to nickel and dime them on use cases. For one SIEM vendor, you may pay one price for data ingest and basic search capabilities. Still, suppose you want their security features for correlation rules, risk-based alerting, anomaly detection, and other use cases. In that case, there is an additional premium that you will need to pay, whether a percentage of the ingest price, a completely different licensing model based on company size, or other strange calculus.
Many SIEMs also operate on a “black box” model when it comes to their detections, where the customer can’t see the actual logic; this becomes problematic in many cases as the customer has a difficult time tuning false positives and may not provide the context to identify the source of a given threat. Leveraging modern approaches to managing detections, such as detection-as-code, provides not only open access to detection logic but also provides detection engineers a platform to develop and manage detections more efficiently.
Modern SIEMs need to be able to integrate any data source regardless of the platform, even if it is a competing tool. Security leaders are tired of vendor lock-in and want to be able to pick the best-of-breed when it comes to their tools. Ingesting data from any source and filtering only relevant fields has become a critical capability for modern SIEMs. Storing this data for long-term searchable retention well beyond 90 days is also becoming increasingly important; at Panther, we provide one year of data retention with high-performance search for threat hunting, investigations, and dashboarding. Panther also allows sending alerts to any destination, whether it is a ticketing system, collaborative tool, another SIEM, or a custom webhook. When your SIEM provides flexibility and plays nicely with your existing tools, you may never WANT to leave.
