SIEM Bill Shock Is Real — Try This Budget-friendly SIEM Tool Instead
If you've been trying to do SIEM with a traditional logging tool, you'll notice the power of a purpose-built SIEM immediately with DNIF.
I was recently in conversation with Shomiron Das Gupta, CEO of DNIF, a SIEM startup based out of India. He was eager to share his views on the SIEM and cybersecurity space, and talk to me about releasing a community edition of their enterprise-grade SIEM software, DNIF Hyperscale SIEM.
Image: Shomiron Das Gupta, CEO, DNIF.
SIEM Is Not the Same as Log Management
Having worked with many log management startups in the past, I've seen many of them now start to position themselves as SIEM tools as well. Das Gupta is suspicious of this trend. He remarks that combining logging and SIEM sounds attractive, since you pay for a single tool and avoid the cost of a dedicated SIEM. The catch, however, is that a log management tool offers only a small subset of the features of a SIEM tool. For example, threat and malware detection, alerting, and context awareness are all very resource-intensive features, and log management companies aren't equipped with the talent to deliver them at the level enterprises require.
Balancing Scale and Costs With SIEM Data
One of the chief claims of DNIF Hyperscale SIEM is its ability to scale to petabytes of SIEM data, which Das Gupta is proud to say they've battle-tested both in their labs and with multiple customers. I was curious to know more about the challenges of scale with SIEM. Das Gupta commented that cost control is critical to the success of a SIEM operation. SIEM data is typically ingested in large volumes: in most cases around 10-30 TB per month for a single organization, and in extreme cases 10-20 TB per day for a very large enterprise. These costs can spike quickly, and big-name SIEM vendors make it unaffordable.
The solution to this is state-of-the-art data compression that doesn't compromise on data resolution. Das Gupta mentioned that they've been able to compress 18TB of SIEM data all the way down to 600GB. That's a whopping 96% compression rate — and without any loss in data resolution. This greatly reduces the cost of storing SIEM data, without any compromise in performance.
When it comes to pricing models, here too, SIEM vendors come in many shapes and sizes. Many SIEM vendors charge by the volume of SIEM data ingested and stored. This may sound fair, but in reality, this results in unpredictable costs each month. As a result, organizations look for ways to reduce the data they ingest to save on costs and end up compromising on security data resolution. Das Gupta believes that a better pricing model is to charge per device. This is the model that DNIF follows, and it results in more predictable costs each month, and there is no limit on the amount of data that can be collected from a device. DNIF has two tiers — enterprise and community, but more on that in a bit.
Data Transformation Is Table Stakes
Our conversation then moved on to talking about integration and support for different technologies, which is important in enterprise use cases. Large organizations typically have different applications written in many different languages. These applications generate SIEM data in various formats. To make sense of this all, the incoming raw data first needs to be transformed into a unified format.
Das Gupta commented that having ready-made integrations is essential here. It makes it easy for teams to quickly reformat data and not spend time in data plumbing chores. He notes that DNIF has spent years developing their own collection agents, parsers, and data enrichment plugins. They’ve invested in building community contributions for these plugins and even have a public roadmap to channel their efforts. SIEM tools that have these capabilities baked-in are more valuable than those that expect you to clean up the data before sending it to their solution.
The Build vs. Buy Dilemma
We wound down our discussion with the eternal debate of whether to build or buy a SIEM solution. To be sure, modern open-source tooling makes it possible to build your own SIEM tool from scratch in a few days to weeks. Typically, this would have Elasticsearch as its foundation and would work flawlessly for the initial 3-5 use cases. The problems arise once the number of use cases starts to add up. When this happens, the DIY SIEM tool needs a lot of wrangling to meet the organization's requirements.
One of the biggest reasons not to build a SIEM tool in-house is that the developers who build it may move on in a few months, orphaning the tool and requiring the organization to buy a SIEM solution anyway.
Today, SIEM solutions come in all shapes and sizes, and you're sure to find one that fits your organization's needs and budget perfectly. Das Gupta is of the view that you need not reinvent the wheel when it comes to SIEM. There are many solutions to fit small budgets or even a zero-dollar budget.
The DNIF Community Edition
Das Gupta was excited to talk about the community edition of DNIF HyperScale SIEM that they recently released. To be sure, this is a battle-tested product that has been on the market for almost a decade and has been vetted by large enterprises. With this release, DNIF has taken all of the product's features and made them freely available in the community edition with no strings attached. It is free to use, with no limit on the amount of data and no restrictions on the feature set. To me, this seemed almost too good to be true.
Das Gupta clarifies that they have a paid enterprise edition that comes with priority support. However, for most organizations, the community edition with the support is all they'll ever need. There is no catch, and DNIF will never ask you to upgrade. Das Gupta is keen on getting the community edition of DNIF into the hands of as many developers and SecOps folks as he can.
To that end, I encourage you to visit the DNIF website and download their community edition for free. This is especially for you if you've been trying to do SIEM with a traditional logging tool. You'll notice the power of a purpose-built SIEM immediately with DNIF.
Opinions expressed by DZone contributors are their own.