Choosing the right SIEM solution is a challenging task, especially when it comes to pricing and figuring out the total cost of ownership (TCO). SIEM pricing schemes have a reputation for being complex and difficult to budget for. In some cases, you even risk running out of money after a few months into the operations because there is a severe lack of transparency and predictability for the most adopted licensing methods. It doesn’t help that most SIEM vendors don’t have their pricing publicly accessible – probably because of the complexity.
Here, we’ll compare the different SIEM pricing models, their pros and cons, and which model vendors use.
Buying a SIEM doesn’t have to be a struggle
There are almost as many SIEM licensing models as vendors on the market. Unfortunately, this makes the commercial buying process extremely difficult for you as a customer. You need to put in extensive work to understand your infrastructure on various parameters such as data volumes, EPS, users, servers, employees, etc.
Ultimately, many SIEM buyers end up guesstimating some parameters to enable the vendor to deliver a price and then try to compare whatever alternatives you are looking at. This poses a significant risk to the SIEM project and the TCO in the software's lifetime.
The hidden costs
To make things even more complicated, several SIEM pricing models impose a significant hidden cost to the buyers, making it challenging to estimate the TCO upfront. Of course, most SIEMs require staffing resources to maintain and develop, which is difficult to avoid.
However, you must be diligent when assessing licensing for some SIEM vendors, as you might face paywalls to access e.g., additional data sources, use cases, functionality, more processing power or storage.
The top 5 SIEM licensing models
Generally, SIEM vendors licensing is based on a subscription (Operation expense, or OPEX) model. In the past, perpetual licensing (Capital expense, or CAPEX) was widely available, but today most companies that want CAPEX-based pricing opt to pay for multiple year’s subscriptions up-front.
Every SIEM vendor’s licensing model falls into one of these categories*, but some vendors license based on a combination of two or more. In some cases, vendors also have different licensing models depending on whether you select an on-premises or SaaS deployment.
| Licensing Based On: | Predictability | Example Vendors |
|---|---|---|
| Events per second (EPS) or flows per minute (FPM) | Low | IBM, Fortinet, ArcSight, Securonix, LogRhythm |
| Gigabyte/data volume per day | Low | Splunk, Devo, Exabeam, Microsoft, Sumo |
| Server/Asset-based | High | Logpoint, Rapid7 |
| Employee/workstation-based | High | Logpoint, LogRhythm |
| Compute and storage (open source) | Low | Elastic |
*Based on publicly available information
The pros and cons of each SIEM licensing model
Events Per Second (EPS) or Data Volume-Based Licensing
EPS and data volume-based pricing follow a similar structure, the pros and cons are mainly the same. These licensing models are also the most adopted in the market. The customer pays based on the EPS/data volume processed by the SIEM solution. To effectively scope the cost of SIEM using EPS/data volume, you’d need to thoroughly understand your infrastructure and estimate how many events it generates. Depending on your organization, this can be a difficult and complex task. Using a tool such as our SIEM Sizing Calculator might be helpful. Consider any application-level logs you need in case you want to use the MITRE ATT&CK framework or similar.
As data will only continue to grow, so will your SIEM license based on these models. An alternative to increasing your license cost is to optimize the data you ingest into the SIEM. This is a dangerous path to take, as you might undersize your requirements to fit your budget – or even worse, end up in a situation where you lack the data you need to utilize the SIEM for the reason you bought it in the first place. You will rarely know in advance what systems you’ll need data from. Adversaries often choose the path of least resistance, for example, when Target was recently breached through its air and ventilation systems.
Pros
- The customer only pays for what’s used based on the amount of data processed.
- Pricing is beneficial for devices sending small volumes of data.
- A scalable pricing model that can handle large and increasing volumes of data.
Cons
- Data can be dropped or delayed if EPS/data volume exceeds your contracted limit.
- Customers with unpredictable event volumes may face unexpected costs.
- Difficult to predict prices over time – as your data volume increases, so will SIEM costs.
Server/asset-based
Here the customer pays based on the number of servers/assets the SIEM solution monitors. In the simplest terms, every individual log-forwarding entity is an asset, some examples could be Linux servers, firewalls, endpoints, AWS servers, or databases.
Since each device generates a different amount of data, it’s essential to check if the vendor provides different prices for various categories of devices. For example, a firewall could send more data than an IoT (Internet of Things) device, such as door locks. This is typically available to ensure the SIEM vendor’s pricing is suitable for organizations with many devices that generate less data.
- High predictability on the cost of the SIEM, as the license does not fluctuate based on unpredictable factors such as data volume.
- You don’t have to filter away data to stay within your budget, giving you better security coverage.
- Budgeting for future costs is associated directly with the number of assets you add, keeping you in control as you scale.
- Licenses must be added when you want to increase the data sent to the SIEM.
- If the number of devices goes down, you might pay for assets that you are not using.
Employee/workstation-based
Employee-based pricing is a licensing model where the customer pays based on the number of employees in the organization. This pricing model is popular with organizations that want a predictable and scalable pricing model tied to their workforce size.
- Licensing is easy to understand as it is directly tied to the number of employees.
- Limited need for scoping of infrastructure, EPS, data volume, etc.
- This licensing model is highly suitable for organizations with a large or fluctuating IT infrastructure but a smaller workforce, such as SaaS companies.
- In organizations where a large part of the workforce are laborers with little IT interaction, this model might become too expensive compared to the other pricing models.
- Usually, employee-based licensing has a data ingestion cap. Ensure you investigate the licensing terms to avoid surprise costs due to data volume.
- Significant changes in the workforce, for example, via acquisitions, will increase the SIEM cost.
Compute and storage (open source)
Usage-based pricing is a model where the customer pays for the license based on the resources consumed by SIEM system processes. Customers can download, use, and modify the software for free but usually pay for support and maintenance on top of computing costs.
This pricing model is popular with companies that do not want to pay for unused capacity, want complete software control, and have significant in-house resources to maintain and develop the solution.
- Pay only for what is used, and no direct licensing fee is applied.
- Quickly scale up or down as needed.
- It’s easier to modify the SIEM to meet specific needs.
- A significant team is needed to maintain the SIEM solution. A big part of the TCO for this licensing model is hidden and not related to the vendor’s licensing.
- The complex and unpredictable pricing structure makes it difficult to budget. The resources required to process and analyze data up-front are likely unknown.
- Analytics and coverage may be limited - increased usage means increased costs.
The Logpoint approach
We couldn’t finish this blog without including our take on what we think is the most customer friendly SIEM licensing out there. During our decades of business in the SIEM space, we have heard the pains and gains a SIEM licensing model can cause customers.
“Logpoint offers a pricing model that is among the easiest to understand in the market.”
We license based on the number of assets/servers for our on-premises platform, while our SaaS platform follows the employee-based approach. We have chosen this approach because we believe in predictable SIEM licensing that should be based on factors within our customer's control, and the platform's value must never be limited by the licensing. We pride ourselves on transparent pricing; therefore, you always get full functionality included in your SIEM license with no hidden costs.
“Logpoint has a vision to create the lowest total cost of ownership for converged SIEM for midsize enterprises, and thus far it is delivering.”
Of course, choosing the suitable pricing model for your SIEM solution depends on your organization's budget, size, and security requirements. And ultimately, there is no one-size fits all, so your organization must think about what is important to you when you look to buy a new SIEM. Also, remember to evaluate all aspects of a SIEM solution, not just the pricing model, as vendors offer significantly different functionality.
As mentioned earlier, SIEM licensing has a reputation for being painful to the customer's budget due to its complexity. We are here to change that! Thanks for reading, and feel free to calculate what Logpoint would cost for you right here.
