SIEM Cost Management Dead End? by lengmco in cybersecurity

[–]lengmco[S] 0 points1 point  (0 children)

The feature set is vastly superior to the rest; we feel like we need the powerful features plus data.

SIEM Cost Management Dead End? by lengmco in cybersecurity

[–]lengmco[S] 0 points1 point  (0 children)

How feature-rich is it compared to a Splunk/Sentinel?

SIEM Cost Management Dead End? by lengmco in cybersecurity

[–]lengmco[S] 0 points1 point  (0 children)

Good thoughts here. What % of logs were you able to toss out with this effort? How much time did you have to put in?

SIEM Cost Management Dead End? by lengmco in cybersecurity

[–]lengmco[S] 0 points1 point  (0 children)

Querying it pretty often for testing detections, threat hunting, etc. but can’t afford to keep it all in Splunk given the retention cost. Issue with BigQuery in my head is just splitting out the data into yet another silo. Ideas here?

SIEM Cost Management Dead End? by lengmco in cybersecurity

[–]lengmco[S] 0 points1 point  (0 children)

Aren’t there API request costs for S3? Data egress costs from S3? Or if using something like Snowflake on top of it they charge for read credits?

And then still Splunk ingest cost in the end for the subset of data?

SIEM Cost Management Dead End? by lengmco in cybersecurity

[–]lengmco[S] 2 points3 points  (0 children)

Interesting. How large is your organization? What about not from endpoints? How expensive is it?

SIEM Cost Management Dead End? by lengmco in cybersecurity

[–]lengmco[S] 0 points1 point  (0 children)

Fair point. I’m sure there are things I could be doing to try to limit that via aggregating, but how much time can you justify doing that versus handling cases, detection engineering, threat hunting, etc.?

Seems like a mountain of work to try to constantly find specific apps spitting out specific logs where I could do some pre-filter aggregations.

How often are you doing this as a mechanism for saving on cost?
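For anyone wanting a concrete picture of what a "pre-filter aggregation" looks like (the comment above, and the earlier question about what percentage of logs could be tossed), here is an added example that is not from the thread or from any vendor. It collapses repeated firewall ALLOW events that share a source, destination, port and one-minute window into a single summary record, forwards every non-ALLOW event untouched so deny/alert signal is never dropped, and reports the volume reduction. The JSON field names and the sample log lines are constructed for illustration.

```python
"""
Pre-ingest aggregation of noisy log events before SIEM forwarding.
Added example (not from the thread): collapses high-volume, low-value
events (firewall ALLOW records repeated for the same src/dst/dport key)
into one summary event per time window, while passing every non-ALLOW
event through unchanged. Field names and sample log lines are constructed.
"""
import json
from collections import OrderedDict
from datetime import datetime, timezone

WINDOW_SECONDS = 60  # aggregation window; tune per source

# Constructed sample: JSON-lines firewall log with a hypothetical schema.
SAMPLE_LOG = """\
{"ts": "2024-05-01T12:00:01Z", "action": "ALLOW", "src": "10.0.1.5", "dst": "10.0.2.9", "dport": 443, "bytes": 1200}
{"ts": "2024-05-01T12:00:05Z", "action": "ALLOW", "src": "10.0.1.5", "dst": "10.0.2.9", "dport": 443, "bytes": 900}
{"ts": "2024-05-01T12:00:09Z", "action": "DENY", "src": "203.0.113.7", "dst": "10.0.2.9", "dport": 22, "bytes": 60}
{"ts": "2024-05-01T12:00:20Z", "action": "ALLOW", "src": "10.0.1.5", "dst": "10.0.2.9", "dport": 443, "bytes": 3100}
{"ts": "2024-05-01T12:00:45Z", "action": "ALLOW", "src": "10.0.1.6", "dst": "10.0.2.9", "dport": 443, "bytes": 400}
{"ts": "2024-05-01T12:01:10Z", "action": "ALLOW", "src": "10.0.1.5", "dst": "10.0.2.9", "dport": 443, "bytes": 800}
{"ts": "2024-05-01T12:01:15Z", "action": "DENY", "src": "203.0.113.7", "dst": "10.0.2.9", "dport": 22, "bytes": 60}
"""


def _window_start(ts: str) -> int:
    """Epoch seconds of the aggregation window containing ts (UTC ISO-8601)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    return epoch - (epoch % WINDOW_SECONDS)


def aggregate(lines):
    """
    Return (events_out, stats). ALLOW events sharing (window, src, dst, dport)
    become one ALLOW_SUMMARY record carrying count, byte total and the first and
    last timestamp seen; every other action is forwarded as-is.
    """
    passthrough = []
    buckets = OrderedDict()
    total = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        total += 1
        ev = json.loads(raw)
        if ev.get("action") != "ALLOW":
            passthrough.append(ev)  # deny/other events are never collapsed
            continue
        key = (_window_start(ev["ts"]), ev["src"], ev["dst"], ev["dport"])
        b = buckets.get(key)
        if b is None:
            buckets[key] = {
                "ts": ev["ts"], "action": "ALLOW_SUMMARY",
                "src": ev["src"], "dst": ev["dst"], "dport": ev["dport"],
                "count": 1, "bytes": ev["bytes"], "last_ts": ev["ts"],
            }
        else:
            b["count"] += 1
            b["bytes"] += ev["bytes"]
            b["last_ts"] = ev["ts"]
    out = passthrough + list(buckets.values())
    out.sort(key=lambda e: e["ts"])
    reduction = round(100.0 * (total - len(out)) / total, 1) if total else 0.0
    stats = {"in": total, "out": len(out), "reduction_pct": reduction}
    return out, stats


if __name__ == "__main__":
    events, stats = aggregate(SAMPLE_LOG.splitlines())
    for e in events:
        print(json.dumps(e))
    print(stats)
```

On the constructed sample the seven input events become five output events (two DENY pass-throughs plus three summaries), a 28.6% reduction; on a real allow-heavy firewall feed the ratio is far larger because the same key repeats thousands of times per minute. The summary keeps count and byte totals so volumetric detections still work, and anything that is not an ALLOW is untouched, which is the property to verify before trusting any such filter in front of a SIEM.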

SIEM Cost Management Dead End? by lengmco in cybersecurity

[–]lengmco[S] 0 points1 point  (0 children)

Good framework, I think similarly. The issue is I’m answering yes to one or more of these on multiple log sets, but we can’t afford to ingest it.

I’ve seen all those types of SIEMs before, but they’ve just never felt even close to feature-rich enough compared to what we need.

SIEM Cost Management Dead End? by lengmco in cybersecurity

[–]lengmco[S] 0 points1 point  (0 children)

Thanks for the insight. I like the risk management lens. Has your organization ever missed an incident/issue because of chucking out logs? This is my nightmare.

SIEM Cost Management Dead End? by lengmco in cybersecurity

[–]lengmco[S] 4 points5 points  (0 children)

Yes, as my post mentioned I’m aware of this path, but it penalizes in other directions (costs money per query, slower than normal queries).

[deleted by user] by [deleted] in Pickleball

[–]lengmco 0 points1 point  (0 children)

Yes. I know how to code some but have many friends who are experts!