The Average SIEM Deployment Costs $18M Annually… Clearly, It's Time for a Change!

Dan Schoenbaum
7 min read · Nov 28, 2022
The SIEM struggle has a potential end in sight, thanks to a cadre of innovative new vendors; read on for more.

A decade ago, log management was commonly used to capture and retain events for compliance and security use cases. As adversaries and their TTPs grew more sophisticated, simple logging evolved into security information and event management (SIEM), and the power of rule-driven correlation made it possible to turn raw event data into potentially valuable intelligence. Although it was challenging to implement and to get everything working properly, the ability to find the proverbial needle in the haystack and identify attacks in progress was a huge step forward.

Today, SIEMs still exist, and the market is largely led by Splunk and IBM QRadar. Many customers have finally moved to cloud-native deployments and are leveraging machine learning and sophisticated behavioral analytics. However, new enterprise deployments are fewer, costs are higher, and, most important, the overall needs of the CISO and the hard-working SOC team have changed. They have changed because security teams have almost universally recognized that they are losing against the bad guys. The reduced reliance on the SIEM is well underway, along with many other changes. The SIEM is not going away, but its role is changing rapidly, and it has a new partner in the SOC.

Why is the role of the SIEM rapidly diminishing?

  1. It is too narrowly focused: the mere collection of security events is no longer sufficient, because the aperture of this dataset is too narrow. While there is likely a lot of event data to capture and process, you are missing out on vast amounts of additional information: OSINT (open-source intelligence), consumable external threat feeds, malware and IP reputation databases, and even reports of dark-web activity. There are endless sources of intelligence, far too many for the architecture of a SIEM.
  2. Cost (data explosion + hardware + license costs = bad outcome): with so much infrastructure, both physical and virtual, the amount of information being captured has exploded. Machine-generated data has grown 50x, while the average security budget grows 14% year over year. The cost of storing all of this information makes the SIEM cost-prohibitive…
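To make the two ideas above concrete, here is an added example (not the author's code, and not any vendor's product) of what rule-driven correlation does and where the "narrow aperture" shows up. It parses a handful of constructed sshd-style auth lines, applies one correlation rule (a burst of failed logins from one source followed by a success from that same source within a time window), and then enriches the resulting alert with a constructed IP reputation feed of the kind the article says a SIEM alone does not carry. The log lines, the reputation entries, the rule name, the threshold of four failures and the five-minute window are all assumptions made for the illustration.

```python
"""Minimal rule-driven correlation plus external enrichment.

Added example, not from the article. The log lines, the reputation feed,
the rule name and the thresholds are constructed for illustration only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth events: ISO timestamp, host, sshd message.
SAMPLE_LOG = """\
2022-11-28T09:00:01Z bastion sshd[411]: Failed password for root from 198.51.100.7 port 51022 ssh2
2022-11-28T09:00:03Z bastion sshd[411]: Failed password for root from 198.51.100.7 port 51023 ssh2
2022-11-28T09:00:05Z bastion sshd[411]: Failed password for admin from 198.51.100.7 port 51024 ssh2
2022-11-28T09:00:08Z bastion sshd[411]: Failed password for admin from 198.51.100.7 port 51025 ssh2
2022-11-28T09:00:09Z bastion sshd[411]: Failed password for admin from 198.51.100.7 port 51026 ssh2
2022-11-28T09:00:12Z bastion sshd[412]: Accepted password for admin from 198.51.100.7 port 51027 ssh2
2022-11-28T09:01:00Z bastion sshd[413]: Failed password for alice from 203.0.113.9 port 40000 ssh2
2022-11-28T09:20:00Z bastion sshd[414]: Accepted publickey for alice from 203.0.113.9 port 40001 ssh2
"""

# Constructed external reputation feed (assumed format: indicator -> tag).
# This is the context the event stream alone does not contain.
IP_REPUTATION = {"198.51.100.7": "known-bruteforcer"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(text):
    """Yield one dict per line matching the sshd auth pattern; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def correlate(events, threshold=4, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failures from one source inside `window`,
    followed by a success from that same source, raises one alert."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for ev in events:
        q = failures[ev["src"]]
        # Drop failures that fell out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            continue
        if len(q) >= threshold:
            alerts.append({
                "rule": "ssh-bruteforce-then-success",  # assumed rule name
                "src": ev["src"], "user": ev["user"], "host": ev["host"],
                "failures": len(q), "at": ev["ts"].isoformat(),
                "severity": "medium",
            })
            q.clear()
    return alerts


def enrich(alerts, reputation=IP_REPUTATION):
    """Attach reputation context; raise severity when the source is known bad."""
    for a in alerts:
        tag = reputation.get(a["src"])
        a["reputation"] = tag
        if tag:
            a["severity"] = "high"
    return alerts


def run(text=SAMPLE_LOG):
    """Full pipeline: parse -> correlate -> enrich."""
    return enrich(correlate(parse(text)))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data, only 198.51.100.7 trips the rule (five failures in eleven seconds, then a success); alice's single failure followed by a success nineteen minutes later falls outside the window. Without the reputation lookup the alert is just "medium"; the external feed is what turns it into the "high" an analyst would actually triage first, which is the point the article makes about event collection alone being too narrow.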