August 19, 2025

CISO Series – Security You Should Know: Reducing SIEM Risk with Scanner

In this episode of the CISO Series, Cliff Crosland, co-founder and CEO of Scanner, explains how their data lake approach can reduce SIEM costs by 80-90% while giving organizations full custody of their data in their own cloud storage. Joining him are Nick Espinosa, host of the Deep Dive Radio Show, and Howard Holton, COO and industry analyst at GigaOm. The conversation explores critical questions around data retention policies, the fundamental challenge of managing growing log volumes over time, and how AI copilots are bridging the gap between security analysts and software engineers in detection workflows.


David Spark

Welcome to Security You Should Know. I am David Spark. I am hosting today’s episode. Now, today we are talking about Scanner and how they are innovating in security operations. The problem they’re specifically addressing is spiraling log costs. You’ve got log files, the costs are spinning out of control. So, helping us get answers to these questions are Nick Espinosa, who is the host of the nationally syndicated Deep Dive Radio Show. Nick, say hello to the audience.

Nick Espinosa

Hey, everybody.

David Spark

And by the way, these are two of our favorites, Howard Holton, chief operating officer and industry analyst over at GigaOm. Howard, say hello to the audience.

Howard Holton

Hello, audience.

David Spark

All right, now you know their voices. So, Nick and Howard, we all need logs if you don’t want to know what’s going on, but there’s a lot of them. The storage costs can go out of control. Why are these spiraling costs still around? Why is it so expensive? We’ve seen costs go down in data storage, but why are these spinning out of control? Why is this still an issue?

Nick Espinosa

Well, so I think part of it is that log volume is just growing faster than budgets. We add more stuff that logs, that requires aggregation, etc., etc., but I think one of the major drivers of this is that we have increasing compliance requirements that are driving longer retention windows, which means we just got to keep the stuff around longer.

Howard Holton

I think that’s some of it. I think the problem is when you’re doing incident review and you go, “Why is this information missing? It’d be really useful to have this information.” You find you are missing things. You find you didn’t include all the logs. You didn’t include the depth. Additionally, it goes the other way as well, right? We get in the habit of kind of throwing everything at the wall as a matter of habit going, “We’ll figure out what we actually need and clean it up later.” And you know what never happens? The clean it up later. You can replace it with anything you want, right? I mean, come on, “I’ll fix this at home, honey. I’ll clean up the drywall later.” You never clean up the drywall. You never finish the painting, right?

We do that in business as well. And when you do look at the number of applications we onboard and how we onboard modern applications, modern applications aren’t like the silos that we had before, the monoliths that we had before, right? We don’t onboard so many monoliths. Instead, we onboard these wonderful containerized applications that give us a ton of agility and flexibility, each one of which has a dozen or two dozen or three dozen logs, all of which have to be tracked because the log data contains the information necessary to troubleshoot each piece of the flow, and without it, you’re basically flying blind. So, I think there’s kind of a modernization issue. I think there’s kind of a natural, not enough resources to handle the problem correctly issue. And we’re just simply tracking more and more and more and more without ever really sitting down and going, “What should our architecture look like? How do we follow best practices? How do we make sure that we’re being good custodians of these things?”

David Spark

Sounds like just a good old-fashioned management issue, which is a problem we see commonly. All right, so let’s set the table here. Today, we’re going to be talking to Cliff Crosland, who’s the co-founder and CEO of Scanner. Cliff, say hello to our audience.

Cliff Crosland

Hey, audience, how’s it going?

David Spark

That’s what his voice sounds like, but you’re going to hear more from him in just a second. Now to start out, we’re going to answer three very essential questions we begin every show with. Cliff, how do I explain the value of your solution to my CEO, that’s question one. Two, what does your solution do, and what does it not do? And then lastly, what is the pricing model? So, give us those three answers.

Cliff Crosland

Yes, what I would say to any CEO is that Scanner is really focused on reducing one of the biggest budget line items that you have. So, your SIEM might be half a million dollars, a million dollars, two million dollars in expense. The traditional SIEM architecture is really brutally broken in our opinion, and what the world needs to look like is a data lake. What Scanner does is it helps teams build out a data lake in their own storage, so that they have full custody of their own data in their own S3 buckets. This will bring down costs dramatically. What does it do? What does it not do? Scanner really focuses on full-text search and detections and is really focused on cloud logs and pulling in logs from different SaaS tools and different cloud providers. It’s not about installing agents and sort of the old-school SIEM approach with like XDR, EDR agents. You don’t install agents on your machines. Scanner pulls the logs in. And you can push logs to Scanner, and it will feed them into your data lake, but we’re not about the agents.

And then finally, the cost structure is volume-based. So, as your log volume increases, that’s how Scanner is priced. However, it’ll grow far, far slower in terms of price than a traditional SIEM. It’ll be 5 to 10 times less than you get out of traditional SIEMs. We think this just unlocks all kinds of new use cases and really unleashes your data. So, that’s how Scanner works.

David Spark

Okay. Security leaders, we got Nick and Howard. You’ve got a taste of the solutions, but I’m sure you’ve got a lot of questions. I’m going to start with you, Howard. What other questions do you have about Scanner?

Howard Holton

So, my first big question is, if you give me an 80 to 90% price reduction, but it’s still based on volume, how do we control volume so I don’t run into the same problem where this becomes yet another constantly growing line item that grows out of control again?

Cliff Crosland

Yes, it still requires discipline, but it will require far less discipline than it does with a traditional SIEM. What we encourage people to do is to connect to the common log sources and the really critical sources like Okta and so on. All of those log volumes are reasonable. For VPC Flow Logs, the very high networking logs, which are extremely high volume, we recommend you can spike them up. You can bring them back down.

You can use Scanner to turn them on and off. But really for the customers that we work with, there’s almost no limit anymore because they’re so far away from the upper bound of what’s expensive that the pain of managing logs goes way, way, way down. But yes, don’t go nuts with it. Don’t go absolutely nuts with it. You can go way more nuts than you could before but still need to execute some discipline.

David Spark

Everything has its limits. Nick.

Nick Espinosa

Right, right. Well, let’s go nuts a little bit here because if I’m thinking about this, if we can search literally petabytes in seconds here using Scanner because, again, we’re aggregating all of these logs for you. It’s in our S3 buckets. Do we really risk equating faster answers with better insight? How are you helping teams of your customers focus on asking the right questions, not just getting rapid answers? Because as we all know in an evolving situation with like an APT, advanced persistent threat, getting the right answers is better than getting the fast answer, right?

Cliff Crosland

Yes, I think that’s very, very true. One of the nice things about getting into a tight feedback loop is it allows you to ask more questions and improve your own questions rather than waiting hours or maybe sometimes even days for a query to come back from a massive data lake query. So, if you kind of are like, “Oh, this is actually a dead end,” I didn’t waste a day on that. I got answers quickly. You can then pivot. But then, yes, I agree that like, okay, I can ask a thousand dumb questions.

How helpful is that? This is one of the reasons why we’ve added Log and Alert Copilot and also Detection Copilot to the system where you can chat with the logs that you see and ask questions of it to guide you as you’re spending less time trying to figure out what the log is saying and less time on what question to ask, and it will guide you to further questions to ask and patterns that it sees in the logs results that you’re seeing. So, we want both of those things to be true. Like asking questions very quickly to iterate fast but also getting help to ask better questions.

Nick Espinosa

And for the record, chatting with your logs, that’s an interesting concept.

[Laughter]

Nick Espinosa

I don’t necessarily know if I want to know the answer to that one.

Cliff Crosland

Yes. Yes, sometimes I get mad at the logs and then they are like silly back to me. Like, what is Leo doing in our system again? He keeps like getting into the dev environment and deleting stuff. Like, come on, Leo. And then the logs will respond gently. Like, it’s probably fine. Like, be compassionate to Leo. So, it is fun to chat with your logs.

Howard Holton

So, that brings up an interesting concept because when you started this conversation, it was very, very, very price focused. Well, price, as we all know, is unfortunately a commodity conversation, right? Once we’ve had the conversation, we’re not really interested. But the other thing my CEO is really interested in is risk, and you touched a little bit on risk reduction. So, what are some of the things that you do to help us reduce risk in our security apparatus?

Cliff Crosland

Yes, one of the things that teams come to us that they’re really worried about, so like a really classic example with one of our larger customers is their retention period kept shrinking and shrinking and shrinking in their traditional SIEM because it was just too expensive. And they kept deleting log sources because they were just trying to keep within log volume limits. But then they started to have investigations where seven days of retention was definitely not enough, and it was very stressful to answer those questions. But then in Scanner, they jump in there and they say, “Here are questions I have about logs, and now I have six months of history that just got searched. And I see everything that this user did who was compromised a couple months ago. This isn’t invisible anymore.” So, just being able to do fast access to data in the past is really helpful. But also being able to ingest more log sources without as much pain, like more comfortably, means that you have more coverage for those log sources, which helps you reduce the risk of missing important insights and important data.

And additionally, a really important factor for Scanner is we really believe that teams should fully own their data, have full sovereignty of their data. That’s why Scanner operates such that all of the data is kept in your own S3 buckets. Whether it’s your own raw logs or index files, it is all under your custody. We think that that is the future of… Security log data, observability data, lots of different kinds of data should exist under the control of customers and not be locked into a vendor. That’s another way that we really focus on reducing risk.

Nick Espinosa

Right, well, and let me riff on that and also what Howard asked, and let’s talk about resilience for a little bit. Because as I understand it, you’re basically decoupling security analytics from like a traditional SIEM, right? So, you’re leaning on the reliability or rather the shared reliability of public cloud infrastructure. So, do you view this as actually enhancing collective resilience or do you think this concentrates systemic risk in the same cloud infrastructure that everybody’s basically depending on? Think about the Mirai attacks we had years ago that knocked out the Eastern Seaboard of AWS. I couldn’t go to Starbucks and use my credit card or Home Depot or Walmart or take your pick, right? So, what are your thoughts on that then?

Cliff Crosland

That is interesting. I think there are these trade-offs that unfortunately at the scales that we operate at with log volumes increasing that we have to make where cloud storage just helps you scale and is so much cheaper than running a multi-petabyte-sized on-prem data center. And so many kinds of like massive high-volume tools, whether it’s small companies or companies as large as Apple, Google, the storage is going to be in the clouds. And so what we recommend is multi-region resiliency. But yes, it is the case that the cloud unlocks a lot of ability and capability, and we rely on that, and we all thus rely on these cloud providers to be strong for us.

David Spark

All right. So, let’s close out. I know this was something that we talked about even before we started recording and that was how scanner.dev is helping through detection engineering and specifically with Copilot, a very, very popular space. Nick, you had a question about this. Why don’t you lead?

Nick Espinosa

Yeah, yeah. So, it seems like as I’m understanding your platform that you’re basically turning detections into pull-requestable code. So, it seems like there’s a shift in security, right? More towards software engineering workflows than security analytics here. So, does codifying vigilance essentially democratize security here or does it simply move accountability from analysts to developers who might be unprepared for this? I mean, they’re not trained like security professionals are.

Cliff Crosland

I think it’s a great question. One of the things that we’re really excited about when it comes to AI is just how much it helps you get better at the skills that you don’t have. So, for engineers, it up-levels them in their cybersecurity skill and understanding how threats work and what they should be looking for. And then on the other hand, for analysts, it helps them do software engineering better, to write their detections, to put them up into GitHub and to make commits and write unit tests and so on that are classic engineering skills. So, AI helps level the playing field and make both types of people extremely good at what they do.

David Spark

Excellent. Well, that brings us to the end of our show, Security You Should Know. To learn more, you can head over to Cliff’s company site, scanner.dev. Now, if you have any feedback or questions for Cliff, you can send them over to us at feedback@CISOseries.com, or we’ll also have a link directly to Cliff’s LinkedIn page and you can contact him there as well. Now, thanks, Nick Espinosa, and also Howard Holton, for helping us learn more about Scanner, and thanks again to Cliff Crosland from Scanner for his time and being game to answer all of these questions. They were tough. And thank you, our audience, for listening to Security You Should Know.

We believe that traditional log architectures are broken for modern log volumes. Scanner enables fast search and detections for log data lakes – directly in your S3 buckets. Reduce the total cost of ownership of logs by 80-90%.
Cliff Crosland
CEO, Co-founder
Scanner, Inc.
Cliff is the CEO and co-founder of Scanner.dev, which provides fast search and threat detections for log data in S3. Prior to founding Scanner, he was a Principal Engineer at Cisco where he led the backend infrastructure team for the Webex People Graph. He was also the engineering lead for the data platform team at Accompany before its acquisition by Cisco. He has a love-hate relationship with Rust, but it's mostly love these days.