I am putting a business case together for getting a SIEM into my organisation. I have looked at a number of options and I am trying to get some ballpark prices to include.
Given that Splunk works on a data consumption model of $2,070 PA for 1 GB per day, I was wondering how I would go about calculating an estimate of how much data my organisation would send to Splunk?
Is there any kind of model for this?
Something that I can use to work out how much data my organisation will send splunk per day.
I.e. a model that will guesstimate that X Windows 7 clients send an average of Y MB per day, X Windows Domain Controllers will send Y MB per day, X NGFWs will send Y MB per day, etc.
@adonio's suggestion is the right one. I'm going to add some hopefully-mature political advice.
For certain uses, Splunk is awesome sauce squared, so once you have a working system, different departments will be clamoring to add their data and it will tend to expand to fill all space, time, and money available, like the blob in that old Steve McQueen movie. That's neither good nor bad, it's just a fact of life for systems that create value.
But, if you've created the cost estimate, and the above scenario plays out, both you and the organization need to be able to tease the expense data into a form where your original estimated costs are distinguishable from any later expansions of function.
So, if your use case for SIEM using Splunk gets approved, just make sure your initial design for stand-up actions and change processes includes some provision for additional users justifying and allocating the marginal costs for any additional data feeds that will inevitably accrue over time, along with some level of periodic review to determine whether each existing feed is still cost-justified.
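The per-source-type model the question asks for, plus the "marginal cost of an extra feed" check the answer above recommends, as an added example that is not part of this thread. The only figure taken from the page is the $2,070 per GB/day per year price; every host count, event rate and event size is a constructed placeholder, and the binary-gigabyte unit and 25% headroom factor are assumptions to adjust.

```python
import math
from dataclasses import dataclass

# Licence price quoted in the question: $2,070 per year for each 1 GB/day indexed.
PRICE_PER_GB_DAY_PER_YEAR = 2070.0
GB = 1024 ** 3  # assumption: licence volume counted in binary gigabytes


@dataclass(frozen=True)
class Feed:
    name: str
    hosts: int
    events_per_host_per_day: float  # constructed estimate, not a measured figure
    avg_event_bytes: int            # constructed estimate, not a measured figure

    def bytes_per_day(self) -> float:
        return self.hosts * self.events_per_host_per_day * self.avg_event_bytes


def gb_per_day(feeds, headroom=1.25):
    """Total daily ingest in GB, padded by a headroom factor for bursty days."""
    return sum(f.bytes_per_day() for f in feeds) * headroom / GB


def licence_gb(feeds, headroom=1.25):
    """Licences are sold in whole GB/day, so round the estimate up."""
    return math.ceil(gb_per_day(feeds, headroom))


def annual_cost(feeds, headroom=1.25):
    return licence_gb(feeds, headroom) * PRICE_PER_GB_DAY_PER_YEAR


def marginal_cost(existing, new_feed, headroom=1.25):
    """Extra annual licence cost of adding one feed to an approved baseline.
    Zero when the new feed fits inside the rounding slack already paid for."""
    return annual_cost(list(existing) + [new_feed], headroom) - annual_cost(existing, headroom)


# Constructed baseline: replace with measured numbers from a short pilot
# or from the vendor's sizing spreadsheet before using this in a business case.
BASELINE = [
    Feed("Windows 7 clients", hosts=500, events_per_host_per_day=2_000, avg_event_bytes=900),
    Feed("Domain controllers", hosts=4, events_per_host_per_day=400_000, avg_event_bytes=1_100),
    Feed("NGFW", hosts=2, events_per_host_per_day=5_000_000, avg_event_bytes=300),
]

if __name__ == "__main__":
    for f in BASELINE:
        print(f"{f.name:20s} {f.bytes_per_day() / GB:6.2f} GB/day")
    print(f"licence: {licence_gb(BASELINE)} GB/day -> ${annual_cost(BASELINE):,.0f} per year")
    proxy = Feed("Web proxy", hosts=1, events_per_host_per_day=3_000_000, avg_event_bytes=500)
    print(f"adding the proxy feed: +${marginal_cost(BASELINE, proxy):,.0f} per year")
```

Keeping each feed as its own line item is what lets you separate the originally approved estimate from later additions when the bill grows.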
Try and contact Splunk sales via splunk.com.
They have some spreadsheets that can help you get a good ballpark of predicted license usage.
Good luck!