Are You Overpaying for Log Management and SIEM Services in the Cloud?

Resource-Based Pricing Means You Pay More

Richard Piotrowski, Founder and COO

Wednesday, February 03, 2021

YOUR ISSUE: Each day you send IT Architecture data to a cloud-based log management or SIEM services provider. However, sending an extra 100 - 200 GB of data means that you are forced to add a new resource, or two, or three — and your vendor’s pricing matrix is a combination of the volume of data sent plus all the resource usage.

YOUR NOT-SO-GREAT OUTCOME: The more data you send, the more resources required, and the more you pay.

WHY ARE YOU OVERPAYING?

Splunk, Elastic, Sumo Logic, and DataDog are all public companies that provide cloud-based log management and SIEM services. Each quarter they report their cloud revenue and their cloud cost of goods sold (COGS), so the cloud operating margin is simply the difference between the two. In other words, each quarter they report the money they collect from customers like you and the money they pay to hosting vendors such as AWS and Azure. Those are hard dollars paid to Amazon and Microsoft, reported every quarter, and subsequently passed on to their customers - that's you.

Let's use those margins as a rough yardstick for how much the customers of those log management and SIEM services could save by putting LogZilla NEO in front of them. Depending on your IT architecture, what if you could reduce the volume of data sent and the number of resources used while keeping full fidelity, preserving the source data, doing so in true real time, and still using your current downstream SIEM? Our patented deduplication algorithm and patented ability to scale mean you can use LogZilla NEO as a very effective pre-processor for those downstream services.

LogZilla NEO gets 40-60% deduplication out of the box, and about 70% with some tuning to the particular characteristics of your IT infrastructure. That reduced data flow, at full fidelity and with zero loss of source data, means the downstream resources consumed are reduced as well. Moreover, LogZilla NEO will ingest, index, and display up to 10 TB/day on a single resource, and up to 20 TB/day when used as a simple forwarder.

Using Splunk's quarterly reported figures as a proxy shows what happens when your data flow and the resources used are reduced.

Chart: if Splunk spends less on resources, its cloud margins increase by about 2300 basis points and its overall company gross margin increases by about 560 basis points - every quarter.
Look at the savings! Moreover, these numbers reflect only the first year. As the cloud business grows, the savings grow in proportion.

Using LogZilla NEO as a front-end pre-processor reduces Splunk's cloud COGS by $130 Million at 50% deduplication (Dedup), and by $180 Million at 70% Dedup, in one year. Because Splunk would spend less on cloud resources, its cloud margin increases by about 2300 basis points, and, more pointedly, its overall company gross margin increases by about 560 basis points - every quarter. We don't know whether Splunk would be able to extract the full benefit outlined above, but the direction is unmistakable: its margins go up. That means savings for the customer - you.

WHY IS THIS TRUE?

Wall Street has taught us that companies can choose to pursue one of two business models:

a) Profits: Focusing on Gross margins and earnings, or

b) Low Price: Focusing on Cash flow and market share

Companies pursue a business model characterized by option (a) or option (b); you can't choose both, as they are mutually exclusive.

Even though Splunk has been offering cloud-based log management and SIEM services for several years, it was not nearly as focused on them as it has been in the last year, when cloud-only competitors began gaining mind share and market share. In April 2020, Microsoft said that it had seen two years of digital transformation (movement to the cloud) occur in two months. As a result, we believe that Splunk has been pursuing option (b), since its gross margin is about 2000 basis points lower than that of the other three public competitors: Elastic, DataDog, and Sumo Logic.

Yet Splunk is typically viewed as a higher-priced vendor, and it offers other higher-priced, specialized enhancements to the various products in its portfolio. So how can it pursue a cash flow and market share strategy, yet still be the high-priced option?

WHAT’S THE ANSWER?

LogZilla NEO, the world's most effective log management platform, deploys in 30 seconds and solves your problem.

If you choose Splunk as your cloud-based SIEM vendor, then position LogZilla NEO in front of it. LogZilla NEO's patented deduplication algorithm eliminates the duplicate data flow and the noise while maintaining full fidelity and full source data, and it does so in true real time: the second the data is ingested is the same second it is indexed and the same second it appears on your monitor. LogZilla NEO reduces the data flow going to Splunk while maintaining that real-time data integrity, and it reduces the resources needed downstream, which saves money for the end user. As a result, LogZilla NEO becomes the Manager of Managers, or "MoM", as it's the only scalable centralized log management platform that can coordinate among all downstream SIEM vendors and other solutions to eliminate separate silos of information.
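To make the "reduce the volume, keep full fidelity" idea concrete, here is an added example of a count-preserving de-duplication pre-processor, written for this page to illustrate the mechanism described in this section and in the 40-60% dedup paragraph above. It is not LogZilla NEO's patented algorithm or any LogZilla code. The RFC 3164-style line format, the `port <N>` normalisation rule, the 60-second window and the sample log lines are all assumptions constructed for the illustration.

```python
"""Count-preserving syslog de-duplication as a SIEM pre-processor.

Added illustration, not LogZilla's code. A 'duplicate' here is the same
host + program + normalised message text seen within a time window. The
collapsed record keeps the repeat count, first/last timestamps and the
first raw line, so the NUMBER of events survives even though repeated
text does not. All names, patterns and sample lines are assumptions.
"""
import re
from datetime import datetime

# RFC 3164-style line: <PRI>Mon DD HH:MM:SS host prog[pid]: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Per-environment normalisation (the "tuning" step): fields that differ on
# every repeat but carry nothing extra for the duplicate decision. Every
# pattern listed here is folded into the key, so choose deliberately - the
# first raw line is kept as a sample, but not every source port is.
NORMALISERS = (
    (re.compile(r"\bport \d{1,5}\b"), "port <N>"),
)

# Constructed sample stream: a flapping switch port, an SSH brute-force
# burst plus one successful login, then a flap outside the 60 s window.
SAMPLE_LOG = """\
<189>Feb  3 10:00:01 sw1 ifmgr[221]: Interface Gi1/0/1 changed state to down
<189>Feb  3 10:00:02 sw1 ifmgr[221]: Interface Gi1/0/1 changed state to up
<189>Feb  3 10:00:03 sw1 ifmgr[221]: Interface Gi1/0/1 changed state to down
<189>Feb  3 10:00:04 sw1 ifmgr[221]: Interface Gi1/0/1 changed state to up
<189>Feb  3 10:00:05 sw1 ifmgr[221]: Interface Gi1/0/1 changed state to down
<38>Feb  3 10:00:05 bastion sshd[4012]: Failed password for root from 203.0.113.7 port 51812 ssh2
<38>Feb  3 10:00:06 bastion sshd[4013]: Failed password for root from 203.0.113.7 port 51813 ssh2
<38>Feb  3 10:00:06 bastion sshd[4014]: Failed password for root from 203.0.113.7 port 51814 ssh2
<38>Feb  3 10:00:07 bastion sshd[4015]: Accepted publickey for deploy from 198.51.100.9 port 40122 ssh2
<189>Feb  3 10:02:30 sw1 ifmgr[221]: Interface Gi1/0/1 changed state to down
"""


def parse(line, year=2021):
    """Return the fields of one syslog line as a dict, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def normalise(msg):
    """Apply the environment-specific rewrite rules to the message text."""
    for pat, repl in NORMALISERS:
        msg = pat.sub(repl, msg)
    return msg


def dedup(log_text, window_s=60):
    """Collapse repeats into count-carrying records, ordered by first_ts."""
    open_recs = {}   # key -> record still accepting repeats
    closed = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # a production tool should forward unparsed lines untouched
        key = (ev["host"], ev["prog"], normalise(ev["msg"]))
        rec = open_recs.get(key)
        if rec is not None and (ev["ts"] - rec["first_ts"]).total_seconds() <= window_s:
            rec["count"] += 1          # repeat inside the window: count it, drop the text
            rec["last_ts"] = ev["ts"]
            continue
        if rec is not None:
            closed.append(rec)         # window expired: flush and start a fresh record
        open_recs[key] = {
            "host": ev["host"], "prog": ev["prog"], "msg": key[2],
            "count": 1, "first_ts": ev["ts"], "last_ts": ev["ts"], "sample": line,
        }
    closed.extend(open_recs.values())
    return sorted(closed, key=lambda r: r["first_ts"])


def reduction(log_text, window_s=60):
    """(parsed input lines, output records, fraction of lines removed)."""
    n_in = sum(1 for line in log_text.splitlines() if parse(line))
    n_out = len(dedup(log_text, window_s))
    return n_in, n_out, 1 - n_out / n_in


def render(rec):
    """One forwardable line per record, carrying the count and time span."""
    span = f"{rec['first_ts']:%H:%M:%S}..{rec['last_ts']:%H:%M:%S}"
    return f"{rec['host']} {rec['prog']}: {rec['msg']} [x{rec['count']} {span}]"


if __name__ == "__main__":
    for r in dedup(SAMPLE_LOG):
        print(render(r))
    n_in, n_out, frac = reduction(SAMPLE_LOG)
    print(f"reduction: {n_in} lines -> {n_out} records ({frac:.0%})")
```

Run as a script it forwards five records for ten input lines. The point for a SIEM owner is in the `count`, `first_ts` and `last_ts` fields: a downstream rule such as "three or more failed root logins from one source within a minute" still fires on the collapsed record, whereas a pre-processor that simply dropped repeats would hide the brute-force burst. The window bounds how long a record waits before it is forwarded, so a larger window buys more reduction at the cost of latency, and the normalisation list is where the tuning to your own infrastructure happens; every field folded in there stops being searchable downstream except through the retained sample line, so check it against the fields your detections actually key on.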

THE BENEFIT OF MoM TO ELIMINATE THE SEPARATE SILOS OF DATA

Different teams within your organization have always had their separate silos of data, but it doesn't need to be that way. It is very difficult to manage an entire organization's cyber and IT architecture when no team talks to the others and no one lets you touch their data. The existence of separate silos is a direct result of the antiquated architecture of legacy software vendors: separate silos prevent the different software stacks from communicating with one another efficiently, which prevents taking action or resolving incidents in real time. LogZilla NEO overcomes that hurdle because it can process massive amounts of data on a single instance. In effect, all the other software solutions are moved up to the service management layer (SML), so that LogZilla NEO becomes the Manager of Managers, or "MoM". Better yet, data enrichment and automation are built in, so those downstream stacks, and your team, become more productive - at no extra charge.

Diagram: SML/NML network layers.

  • Don’t be fooled by the sales pitch of other vendors when they say they can scale.
  • The ability to horizontally scale means adding extra resources, and that will cost you money.
  • LogZilla NEO processes 10 TB/day on a single server, and 20 TB/day if used as a simple pre-processor – that’s scale!

The bottom line is that Splunk won't reduce its pricing because it can't: it requires too many resources to operate. Only the user can force Splunk's hand, and positioning LogZilla NEO in front will do it.

Lastly, if you are currently using Elastic, the recently announced fork of the Elasticsearch and Kibana codebases likely means that you are adding business risk to your deployment. Read our blog post about whether Elastic is forking its users too.

Check out our follow-up post - Part 2 - about how LogZilla can show similarly large and proportional COGS $$ saving results for Elastic, DataDog, and Sumo Logic.

Deploy LogZilla NEO in 30 seconds or Schedule your 15-minute demo now to see if LogZilla is right for you.



Richard Piotrowski

Founder and COO

About Richard

Richard leverages two decades of helping companies grow. At LogZilla, he is focused on planning, execution, and financial acumen to develop compelling selling strategies. Richard spent over a decade working on Wall Street and Bay Street and earned a #1 ranking in Canada.
Tags: LogZilla, log management, IT architecture, enterprise log management, LogZilla NEO, Centralized Log Management Platform, SIEM, Data Management, Splunk, Elasticsearch, Elastic, ELK, DataDog, Sumo Logic