Hacker News
by 0x4e53 1240 days ago
At least from my time at SpaceX - this is untrue.

SIEM costs were rapidly ballooning, and we were being charged by RAM. RAM?? Of all things!!

After our SIEM costs for ELK ramped up to where Splunk was - we just bought Splunk instead. I imagine there are many security teams out there that would entertain a cheaper alternative that isn't priced by RAM.


The reason for that is that near real-time detection of threats requires aggregation of terabytes of data according to rules (a continuous GROUP BY on thousands of columns over a sliding window), and these aggregates by design have to be stored in RAM.

Otherwise these detections stop being near real-time and become offline detection instead, just like any other SQL server.

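The continuous sliding-window GROUP BY described in the comment above, as an added example that is not part of the original thread: a toy SIEM rule in Python ("five failed logins from one source IP within 60 seconds"). The log lines, field names, window and threshold are constructed for illustration, and the code assumes events arrive in timestamp order. The point it makes concrete is that the per-group window state has to stay resident for every active key so each incoming event can be judged immediately; that resident state is what grows with RAM.

```python
"""Sliding-window GROUP BY for near-real-time detection (added illustration,
not code from the thread). Rule: alert when one source IP produces
THRESHOLD failed logins within WINDOW_SECONDS. The state kept per group is the
list of in-window timestamps, held in memory so every new event is evaluated
on arrival rather than in a later batch query."""
from collections import deque, defaultdict

WINDOW_SECONDS = 60   # constructed rule parameters
THRESHOLD = 5

# Constructed sample log lines: "<unix ts> src=<ip> result=<fail|ok>"
LOG_LINES = [
    "1700000000 src=10.0.0.5 result=fail",
    "1700000005 src=10.0.0.9 result=fail",
    "1700000010 src=10.0.0.5 result=fail",
    "1700000020 src=10.0.0.5 result=fail",
    "1700000030 src=10.0.0.5 result=ok",    # success, not counted
    "1700000035 src=10.0.0.5 result=fail",
    "1700000040 src=10.0.0.5 result=fail",  # 5th failure within 60s -> alert
    "1700000070 src=10.0.0.9 result=fail",  # earlier 10.0.0.9 event has aged out
    "1700000130 src=10.0.0.9 result=fail",
]


class SlidingWindowCounter:
    """Continuous GROUP BY key over a sliding time window, state in RAM."""

    def __init__(self, window_seconds, threshold):
        self.window = window_seconds
        self.threshold = threshold
        self.groups = defaultdict(deque)  # key -> timestamps inside the window

    def observe(self, key, ts):
        """Ingest one event (ts must be non-decreasing per key).
        Returns True if the key's in-window count reaches the threshold."""
        q = self.groups[key]
        q.append(ts)
        # Evict timestamps older than the window relative to this event.
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) >= self.threshold

    def expire(self, now):
        """Drop groups with no event inside the window ending at `now`,
        which is what bounds the resident memory in a real deployment."""
        stale = [k for k, q in self.groups.items() if not q or now - q[-1] > self.window]
        for k in stale:
            del self.groups[k]

    def resident_groups(self):
        """Number of groups whose window state is currently held in memory."""
        return len(self.groups)


def parse_line(line):
    """Parse one constructed log line into (ts, fields-dict)."""
    parts = line.split()
    ts = int(parts[0])
    fields = dict(p.split("=", 1) for p in parts[1:])
    return ts, fields


def run_detection(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Stream the lines through the rule; return (alerts, detector).
    alerts is a list of (src_ip, ts) where the threshold was reached."""
    det = SlidingWindowCounter(window, threshold)
    alerts = []
    for line in lines:
        ts, f = parse_line(line)
        if f.get("result") != "fail":
            continue                       # the rule only groups failures
        if det.observe(f["src"], ts):
            alerts.append((f["src"], ts))
    return alerts, det


if __name__ == "__main__":
    found, detector = run_detection(LOG_LINES)
    print("alerts:", found)
    print("groups resident in RAM:", detector.resident_groups())
    detector.expire(1700000150)
    print("groups after expiry:", detector.resident_groups())
```

Every active source IP costs a deque of timestamps for as long as it has events inside the window, and a real rule set multiplies that by every group key and every rule, which is why the aggregates the comment mentions are memory-resident by construction. Running the same rule offline would instead mean loading all events and grouping them after the fact, trading RAM for detection latency.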
To be clear - we were hosting on-premise, and being charged for our own RAM. Servers we had to buy, and then pay for the privilege of using with ELK.