Changing the SIEM Game
Making the investment for storage, processing and infrastructure support
- By Mike Sprunger
- Aug 01, 2019
For many companies, deploying security information and event monitoring (SIEM) technology to strengthen the ability to identify potential security threats has been an unreachable goal.
That might be about to change, with two of the largest public cloud service providers announcing new cloud-based offerings that include SIEM capabilities. Implementing SIEM has been a challenge because many organizations do not have the storage, processing and related infrastructure to support these applications. Many either cannot afford to make the investment or are unwilling to do so.
Now, with both Microsoft and Google announcing new services that support SIEM, the technology has suddenly become more approachable and affordable for organizations from the largest enterprises to small companies looking to bolster their cyber security postures.
Google announced a multitude of security-related capabilities for its Google Cloud Platform (GCP), including Cloud Security Command Center (Cloud SCC), a security management and data risk platform for GCP. The platform includes an Event Threat Detection service that leverages Google-proprietary intelligence models to quickly detect threats such as malware, cryptomining and outgoing distributed denial-of-service (DDoS) attacks.
Around the same time, Microsoft introduced Azure Sentinel, a cloud-native SIEM platform that provides intelligent security analytics at cloud scale. Azure Sentinel is designed to make it easy to collect security data across an entire hybrid organization from devices, users, applications and servers on any cloud, using artificial intelligence (AI) to identify real threats quickly.
Multiple Benefits
With these cloud-native services, businesses can acquire the functionality and capabilities of SIEM without making the financial outlay for servers, storage and related maintenance and support. The cost shifts from capital expenditures to operating expenditures, and the economics of the cloud make pricing far more palatable even for organizations with limited security budgets.
Additionally, organizations don’t need to acquire as much, or any, of the internal expertise they would need if they were running these systems on premises. With the ongoing shortage of cyber security skills, that’s an important factor and another cost consideration. These services can also be deployed much faster than on-premises systems because the service providers are doing all the heavy lifting as far as infrastructure is concerned.
Another key advantage of cloud-based SIEM is scalability. Because of the cloud infrastructure supporting the services, organizations can easily scale processing and storage up or down as needed. Many companies have struggled with the question of how many months’ worth of security logs to keep and how to scale storage to accommodate that. That’s not an issue with the cloud.
As a result, companies are not limited by storage capacity or number of events. They no longer need to port event logs out of the cloud environment into on-premises platforms if they have such products. Long-term archiving solutions are available, which enable companies to access past events without having to keep those records on more costly active storage.
Connectors Needed
One drawback, at least in the short term, is that these services have relatively few connectors to other technology platforms that can feed information about events and incidents. In comparison, on-premises SIEM platforms have a long list of pre-defined application programming interface (API) connectors that make it easier to pull data such as log information from other systems.
That said, both Microsoft and Google are working hard to provide as many pre-defined API connectors as possible, and with the cloud, such efforts tend to move rapidly. In the meantime, organizations can build their own connectors with the software development kits (SDKs) available for each of these new services. These could be used to overcome the limitation.
Companies can leverage the cloud-native SIEM services as they move into hybrid cloud environments. With the flexibility offered by these solutions, they can use one of the cloud-based services as their master SIEM platform and feed data into it from on-premises SIEM and other systems.
On the other hand, if they’re more comfortable making an on-premises offering the primary SIEM, they can then leverage the cloud-enabled services to support the on-premises platform, as long as these different environments are connected.
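A custom connector of the kind the two sections above describe, added here as an example that is not from the article or from either vendor: it batches events from an on-premises source and forwards them into an Azure Sentinel workspace through the Azure Monitor HTTP Data Collector API (the workspace's log-ingestion endpoint; choosing that interface is an assumption, and the workspace id, shared key and events are constructed placeholders).

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from urllib import request

# Placeholders, not real credentials: a Log Analytics workspace id and its shared key.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret").decode()
LOG_TYPE = "OnPremFirewall"  # custom log name; the workspace stores it as OnPremFirewall_CL
RESOURCE = "/api/logs"

# Constructed sample events, as an on-premises collector might emit them after parsing syslog.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "action": "deny", "bytes": 512},
    {"src_ip": "10.0.0.7", "dst_ip": "198.51.100.2", "action": "allow", "bytes": 2048},
]

def build_signature(workspace_id, shared_key, rfc1123_date, content_length,
                    method="POST", content_type="application/json", resource=RESOURCE):
    """Return the SharedKey Authorization value: HMAC-SHA256 over the canonical request line."""
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{rfc1123_date}\n{resource}")
    digest = hmac.new(base64.b64decode(shared_key), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def build_request(events, workspace_id=WORKSPACE_ID, shared_key=SHARED_KEY,
                  log_type=LOG_TYPE, rfc1123_date=None):
    """Serialize one batch of events and return (url, headers, body) ready to POST."""
    body = json.dumps(events).encode("utf-8")
    if rfc1123_date is None:  # the date is part of the signed string, so header and signature must agree
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version=2016-04-01"
    return url, headers, body

def send_batch(events):
    """POST the batch to the workspace; HTTP 200 means it was accepted for ingestion."""
    url, headers, body = build_request(events)
    req = request.Request(url, data=body, headers=headers, method="POST")
    with request.urlopen(req) as resp:
        return resp.status
```

The signed string covers the method, body length, content type, date and resource path, so a replayed or altered batch fails verification at the workspace rather than being ingested.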
Moving Forward
How organizations handle SIEM comes down to what they are looking to achieve, how long they want to keep records, their level of risk tolerance, and other factors.
Some companies remain resistant to putting sensitive data in the cloud—even though the cloud in many cases has been shown to be more secure than data center environments—and therefore will prefer to maintain an on-premises SIEM as their main platform for security information and event monitoring. Others may be more concerned about keeping a long history of data or require a lot of processing power, so a cloud-native service makes more sense as the primary SIEM.
Either way, these offerings provide organizations with new options for their SIEM needs. These services represent an important step in the right direction.
This article originally appeared in the July/August 2019 issue of Security Today.