Vendors are gonna vend: Don’t fall for cheap tricks from some SIEM vendors

Gorka Sadowski
6 min read · Feb 8, 2023


Frustrated with the endless games and deceptive tricks that some security information and event management (SIEM) vendors play? It’s time to gain the upper hand and make informed decisions. That’s why my colleagues at Exabeam and I have decided to launch a blog series to help you recognize and effectively counter vendor gimmicks. Our goal is to provide valuable insights and information to help you make the best choices for your organization’s security needs. Join us as we explore the various cheap tricks that some SIEM vendors play, and arm yourself with the knowledge to choose your vendor wisely.

SIEM vendors’ empty promises

Empty promises abound in the wonderful world of SIEM vendors. My two favorites are “Our SIEM is free” and “Up to”.

“Our SIEM is free; it is included in our bundle <xyz>.”

Yeah, right. Look at the fine print, and you realize that once you are in production with real data volumes, 1) the SIEM is not free at all, and 2) the cost is unpredictable and can get expensive quickly. Bad surprises can lurk at the end of the fiscal year.

“Our SIEM allows up to 1,000,000 events per second (EPS).”

Yeah, sure. Put that SIEM in production and watch it drop events way before that upper limit.

All customers and prospects, all the security organizations, all the CISOs, and all the people responsible for the procurement of cybersecurity solutions say the same thing: we are tired of the little games that vendors play, and the constant tricks that they use to confuse us and essentially make us buy more than what we need, at a price higher than what we would like.

I’m glad that with Exabeam, not only do we stay away from all of these tricks and instead focus on delivering your required outcomes with optimized total cost of ownership (TCO), but we have also developed a blog series to warn you about these gimmicks and give you ways to recognize and avoid them.

Vendors are gonna vend — common gimmicks

I have a pretty unique perspective on the typical tricks that cybersecurity vendors — and particularly some SIEM vendors — use today. Over the past 30 years in cybersecurity, I have:

  • Worked for market-leading SIEM and threat detection, investigation, and response (TDIR) vendors such as LogLogic, Loggly, Splunk, and now Exabeam. I held many different roles — notably sales and marketing — and have attended many training sessions on some of the sales playbooks and methodologies that we will discuss in this series.
  • Worked at Gartner as an industry analyst covering Security Operations, observing, analyzing and writing about SIEM and TDIR vendors. I was fortunate to have candid conversations with all the vendors who explained the tricks that they use.

Vendors are usually well-intentioned when they bring their solutions to market; they genuinely hope that they will help their customers somehow improve their security posture. At the same time, “Vendors are gonna vend,” as I used to say when I was at Gartner — meaning that vendors need to generate revenue in order to live another day. And the more desperate a vendor (read: the less relevant their value proposition), the more likely they will resort to using a number of tricks and gimmicks that today constitute a sort of “best practice”.

Some of these gimmicks that vendors use to secure a sale include (read our series for more detail on each of these):

  • Fake freemium. A carefully crafted “free” offering where it is next to impossible not to spend money, often a lot of it in the mid to long term. This is the work of some very smart product managers and pricing committees that avoid cannibalization at all costs.
  • Performance numbers… in a lab. Watch out for the keyword “up to”: “too good to be true” performance numbers certified in some esoteric lab under conditions you will never see in production. Put the solution in production and watch those “up to” numbers plummet as the solution struggles to keep up with the claims.
  • Security through obscurity. Cloud-delivered SIEM vendors use cloud services underneath, implying a shared responsibility model. Beware of a cloud-delivered SIEM vendor who is not willing to discuss how they handle such aspects as authentication, encryption standards, or secrets management.
  • Fake AI and overblown analytics claims. Exabeam is a pioneer of the user and entity behavior analytics (UEBA) space. We are well positioned to observe those SIEM vendors touting machine learning (ML) and artificial intelligence (AI) when there is really nothing more than simple statistical model analytics. Challenge your SIEM vendor on these capabilities by using the guidelines in the “Two simple ways to uncover fake UEBA” section in my previous blog post, “A Crash Course on Security Analytics — And How to Spot Fake UEBA From a Mile Away”.

Plausible deniability?

Keep an eye out for these tricks. Make sure you recognize and pay attention to them, that you acknowledge their impacts to your project and organization, and that you can mitigate any undesired effects. Specifically:

  • Be attentive to “plausible deniability” wording; for example, the keyword “up to” is dangerous for criteria that are important to you. To illustrate my point, “up to 1M EPS” usually means “1M EPS in the lab for very short bursts, while all other processing is suspended, as we hope that the burst will not last long, because otherwise we’ll quickly run out of buffer, at which point the solution will go down”. On the other hand, when you read that New-Scale SIEM from Exabeam is certified at 1M EPS, it means that we can absorb 1M EPS sustained, end to end in the pipeline, while all processing continues normally and without filling any temporary buffer. This is why it says “1M EPS” and not “up to 1M EPS”.
  • Likewise, do not hesitate to ask your vendor for clarification on any ambiguous verbiage. Natural languages are ambiguous by nature, and creative marketing teams have a knack for writing in a way that benefits the vendor.
  • Challenge your vendor on “too good to be true” capabilities, and do not hesitate to kick the tires during a proof of concept (POC). If something is important to you, make sure that you validate functionality during a POC.
  • Acknowledge product limitations beyond marketing claims. If a vendor says “up to 1M EPS” and you realize that it is really 100,000 EPS, maybe it is not that bad if all you need is 1,000 EPS. But do realize that this vendor is likely making similar claims in other aspects, so be on the lookout for other criteria that are important to you.
  • Mitigate product limitations, and understand the platform’s extensibility. For example, maybe you really liked a vendor’s solution, but the POC revealed that there is no parser for an esoteric data source that matters to you. In this case, ask your vendor for access to a parser generator. Can you write the parser yourself, can the vendor do it, or do you need to contract with an external firm to write it for you?
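To make the burst-versus-sustained distinction in the “up to” bullet concrete, here is an added example, not code from the original post or from any vendor, that models a single-stage collector in front of a finite buffer. The processing rate (200,000 EPS) and buffer depth (1,000,000 events) are assumed for illustration, and the traffic profiles are constructed. It separates the three outcomes a POC should tell apart: a one-second burst at 1M EPS that the buffer absorbs (no drops, but the stage never actually kept up), a sustained 1M EPS that starts dropping in the second second once the buffer is full, and a rate the stage genuinely keeps up with every second.

```python
"""Bounded-buffer ingestion model: why "up to 1M EPS" is not "1M EPS sustained".

Added example, not from the original post. The pipeline parameters are
assumed for illustration: a processing stage that completes capacity_eps
events per second and an in-memory buffer holding buffer_events events.
Arrivals are per-second event counts, constructed below.
"""
from dataclasses import dataclass


@dataclass
class PipelineResult:
    sent: int
    ingested: int
    dropped: int
    peak_backlog: int       # highest buffer fill left over at the end of any second
    first_drop_second: int  # -1 if nothing was dropped
    final_backlog: int


def simulate_pipeline(arrivals, capacity_eps, buffer_events):
    """Replay a per-second arrival profile through a single-stage pipeline.

    Each second: new events are admitted into the buffer until it is full
    (the rest are dropped), then the processing stage drains up to
    capacity_eps events. This is the simplest model of a collector that
    advertises a burst number backed by a finite queue.
    """
    backlog = 0
    ingested = dropped = peak = 0
    first_drop = -1
    for second, arrived in enumerate(arrivals):
        space = buffer_events - backlog
        admitted = min(arrived, space)
        lost = arrived - admitted
        if lost and first_drop < 0:
            first_drop = second
        dropped += lost
        ingested += admitted
        backlog += admitted
        backlog -= min(backlog, capacity_eps)   # the stage drains what it can
        peak = max(peak, backlog)
    return PipelineResult(sum(arrivals), ingested, dropped, peak, first_drop, backlog)


def burst_profile(rate, burst_seconds, total_seconds):
    """rate EPS for burst_seconds, then silence: the 'lab' traffic shape."""
    return [rate] * burst_seconds + [0] * (total_seconds - burst_seconds)


def sustained_profile(rate, total_seconds):
    """rate EPS every second: what production looks like at that rate."""
    return [rate] * total_seconds


def keeps_up(result):
    """True only if nothing was dropped AND the buffer never had to carry
    anything over, i.e. the stage finished each second's events within that
    second. That is the bar for an unqualified 'N EPS' claim."""
    return result.dropped == 0 and result.peak_backlog == 0


if __name__ == "__main__":
    CAPACITY_EPS = 200_000      # assumed real processing rate
    BUFFER_EVENTS = 1_000_000   # assumed queue depth
    lab = simulate_pipeline(burst_profile(1_000_000, 1, 10), CAPACITY_EPS, BUFFER_EVENTS)
    prod = simulate_pipeline(sustained_profile(1_000_000, 10), CAPACITY_EPS, BUFFER_EVENTS)
    honest = simulate_pipeline(sustained_profile(200_000, 10), CAPACITY_EPS, BUFFER_EVENTS)
    for name, r in (("1s burst @1M", lab),
                    ("10s sustained @1M", prod),
                    ("10s sustained @200k", honest)):
        print(f"{name:22} ingested={r.ingested:>10,} dropped={r.dropped:>10,} "
              f"peak_backlog={r.peak_backlog:>9,} keeps_up={keeps_up(r)}")
```

The burst run ingests every event and drops nothing, which is exactly the result a lab certification reports, yet `keeps_up` is false because the stage was still working through the backlog four seconds later. The sustained run at the same rate loses 800,000 events every second from the second second onward, so the effective rate is the 200,000 EPS the stage can actually process. In a POC, ask for the equivalent of `peak_backlog` and `dropped` from the vendor’s own pipeline metrics while you hold the target rate for minutes, not seconds.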

Choose a partner who doesn’t play these games

The SIEM vendor landscape can be treacherous, with many companies using underhanded tactics to mislead customers and prospects. It’s essential to be vigilant and educated in order to protect your organization from the negative effects of these practices. To do this, you must acknowledge the issue, be able to recognize the typical tricks in the industry, understand the impact these tricks could have on your organization, and take measures to mitigate any unwanted consequences.

One of the best ways to safeguard your organization is to choose a vendor that values transparency and honesty — a partner that puts your needs first and refuses to engage in the types of games that other vendors play. And that’s where we come in with Exabeam. Let us be your trusted partner.

Here is the first post in the series, which will delve into the pricing and scalability games SIEM vendors play.



Written by Gorka Sadowski

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.