Changing the SIEM Game

Making the investment for storage, processing and infrastructure support

  • By Mike Sprunger
  • Aug 01, 2019

For many companies, deploying security information and event monitoring (SIEM) technology to strengthen the ability to identify potential security threats has been an unreachable goal.

That might be about to change, with two of the largest public cloud service providers announcing new cloudbased offerings that include SIEM capabilities. Implementing SIEM has been a challenge because many organizations do not have the storage, processing and related infrastructure to support these applications. Many either cannot afford to make the investment or are unwilling to do so.

Now, with both Microsoft and Google announcing new services that support SIEM, the technology has suddenly become more approachable and affordable for organizations from the largest enterprises to small companies looking to bolster their cyber security postures.

Google announced a multitude of security-related capabilities for its Google Cloud Platform (GCP), including Cloud Security Command Center (Cloud SCC), a security management and data risk platform for GCP. The platform includes an Event Threat Detection service that leverages Google-proprietary intelligence models to quickly detect threats such as malware, cryptomining and outgoing distributed denial-of-services (DDoS) attacks.

Around the same time, Microsoft introduced Azure Sentinel, a cloud-native SIEM platform that provides intelligent security analytics at cloud scale. Azure Sentinel is designed to make it easy to collect security data across an entire hybrid organization from devices, users, applications and servers on any cloud using artificial intelligence (AI) to identify real threats quickly.

Multiple Benefits

With these cloud-native services, businesses can acquire the functionality and capabilities of SIEM without making the financial outlay for servers, storage and related maintenance and support. The cost shifts from capital expenditures to operating expenditures, and the economics of the cloud make pricing far more palatable even for organizations with limited security budgets.

Additionally, organizations don’t need to acquire as much, or any, of the internal expertise they would need if they were running these systems on premises. With the ongoing shortage of cyber security skills, that’s an important factor and another cost consideration. These services can also be deployed much faster than on-premises systems because the service providers are doing all the heavy lifting as far as infrastructure is concerned.

Another key advantage to cloud-based SIEM is scalability. Because of the cloud infrastructure supporting the services, organizations can easily scale processing and storage up or down as needed. Many companies have struggled with the issue of how many months’ worth of security logs to keep and how to scale storage to accommodate that. That’s not an issue with the cloud.

As a result, companies are not limited by storage capacity or number of events. They no longer need to port event logs out of the cloud environment into on-premise platforms if they have such products. There are long-term archiving solutions available. That enables companies to access past events without having to keep these records on more costly active storage.

Connectors Needed

One drawback, at least in the short term, is that these services have relatively few connectors to other technology platforms that can feed information about events and incidents. In comparison, on-premises SIEM platforms have a long list of pre-defined application programming interface (API) connectors that makes it easier to pull data such as log information from other systems.

That said, both Microsoft and Google are working hard to get as many pre-defined API connectors as possible and with the cloud, such efforts tend to move rapidly. In the meantime, organizations can build their own connectors with software development kits (SDKs) available for each of these new services. These could be used to overcome the limitation.

Companies can leverage the cloud-native SIEM services as they move into hybrid cloud environments. With the flexibility offered by these solutions, they can use one of the cloud-based services as their master SIEM platform and feed data into it from on-premises SIEM and other systems.

On the other hand, if they’re more comfortable making an onpremises offering the primary SIEM, they can then leverage the cloud-enabled services to support the on-premises platform, as long as these different environments are connected.

Moving Forward

How organizations handle SIEM comes down to what they are looking to achieve, how long they want to keep records, their level of risk tolerance, and other factors.

Some companies remain resistant to putting sensitive data in the cloud—even though the cloud in many cases has been shown to be more secure than data center environments—and therefore will prefer to maintain an on-premises SIEM as their main platform for security information and event monitoring. Others may be more concerned about keeping a long history of data or require a lot of processing power, so a cloud-native service makes more sense as the primary SIEM.

Either way, these offerings provide organizations with new options for their SIEM needs. These services represent an important step in the right direction.

This article originally appeared in the July/August 2019 issue of Security Today.

Featured

  • Data Driven, Proactive Response

    As cities face rising demands for smarter policing and faster emergency response, Real Time Crime Centers (RTCCs) are emerging as essential hubs for data-driven public safety. In this interview, two experts with deep field experience — Ross Bourgeois of New Orleans and Dean Cunningham of Axis Communications — draw on decades of operational, leadership and technology expertise to share how RTCCs are transforming public safety through innovation, interagency collaboration and a relentless focus on community impact. Read Now

  • Integration Imagination: The Future of Connected Operations

    Security teams that collaborate cross-functionally and apply imagination and creativity to envision and design their ideal integrated ecosystem will have the biggest upside to corporate security and operational benefits. Read Now

  • Smarter Access Starts with Flexibility

    Today’s workplaces are undergoing a rapid evolution, driven by hybrid work models, emerging smart technologies, and flexible work schedules. To keep pace with growing workplace demands, buildings are becoming more dynamic – capable of adapting to how people move, work, and interact in real-time. Read Now

  • Trends Keeping an Eye on Business Decisions

    Today, AI continues to transform the way data is used to make important business decisions. AI and the cloud together are redefining how video surveillance systems are being used to simulate human intelligence by combining data analysis, prediction, and process automation with minimal human intervention. Many organizations are upgrading their surveillance systems to reap the benefits of technologies like AI and cloud applications. Read Now

  • The Future is Happening Outside the Cloud

    For years, the cloud has captivated the physical security industry. And for good reason. Remote access, elastic scalability and simplified maintenance reshaped how we think about deploying and managing systems. But as the number of cameras grows and resolutions push from HD to 4K and beyond, the cloud’s limits are becoming unavoidable. Bandwidth bottlenecks. Latency lags. Rising storage costs. These are not abstract concerns. Read Now

Most   Popular

New Products

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.