Changing the SIEM Game

Making the investment for storage, processing and infrastructure support

For many companies, deploying security information and event monitoring (SIEM) technology to strengthen the ability to identify potential security threats has been an unreachable goal.

That might be about to change, with two of the largest public cloud service providers announcing new cloudbased offerings that include SIEM capabilities. Implementing SIEM has been a challenge because many organizations do not have the storage, processing and related infrastructure to support these applications. Many either cannot afford to make the investment or are unwilling to do so.

Now, with both Microsoft and Google announcing new services that support SIEM, the technology has suddenly become more approachable and affordable for organizations from the largest enterprises to small companies looking to bolster their cyber security postures.

Google announced a multitude of security-related capabilities for its Google Cloud Platform (GCP), including Cloud Security Command Center (Cloud SCC), a security management and data risk platform for GCP. The platform includes an Event Threat Detection service that leverages Google-proprietary intelligence models to quickly detect threats such as malware, cryptomining and outgoing distributed denial-of-services (DDoS) attacks.

Around the same time, Microsoft introduced Azure Sentinel, a cloud-native SIEM platform that provides intelligent security analytics at cloud scale. Azure Sentinel is designed to make it easy to collect security data across an entire hybrid organization from devices, users, applications and servers on any cloud using artificial intelligence (AI) to identify real threats quickly.

Multiple Benefits

With these cloud-native services, businesses can acquire the functionality and capabilities of SIEM without making the financial outlay for servers, storage and related maintenance and support. The cost shifts from capital expenditures to operating expenditures, and the economics of the cloud make pricing far more palatable even for organizations with limited security budgets.

Additionally, organizations don’t need to acquire as much, or any, of the internal expertise they would need if they were running these systems on premises. With the ongoing shortage of cyber security skills, that’s an important factor and another cost consideration. These services can also be deployed much faster than on-premises systems because the service providers are doing all the heavy lifting as far as infrastructure is concerned.

Another key advantage to cloud-based SIEM is scalability. Because of the cloud infrastructure supporting the services, organizations can easily scale processing and storage up or down as needed. Many companies have struggled with the issue of how many months’ worth of security logs to keep and how to scale storage to accommodate that. That’s not an issue with the cloud.

As a result, companies are not limited by storage capacity or number of events. They no longer need to port event logs out of the cloud environment into on-premise platforms if they have such products. There are long-term archiving solutions available. That enables companies to access past events without having to keep these records on more costly active storage.

Connectors Needed

One drawback, at least in the short term, is that these services have relatively few connectors to other technology platforms that can feed information about events and incidents. In comparison, on-premises SIEM platforms have a long list of pre-defined application programming interface (API) connectors that makes it easier to pull data such as log information from other systems.

That said, both Microsoft and Google are working hard to get as many pre-defined API connectors as possible and with the cloud, such efforts tend to move rapidly. In the meantime, organizations can build their own connectors with software development kits (SDKs) available for each of these new services. These could be used to overcome the limitation.

Companies can leverage the cloud-native SIEM services as they move into hybrid cloud environments. With the flexibility offered by these solutions, they can use one of the cloud-based services as their master SIEM platform and feed data into it from on-premises SIEM and other systems.

On the other hand, if they’re more comfortable making an onpremises offering the primary SIEM, they can then leverage the cloud-enabled services to support the on-premises platform, as long as these different environments are connected.

Moving Forward

How organizations handle SIEM comes down to what they are looking to achieve, how long they want to keep records, their level of risk tolerance, and other factors.

Some companies remain resistant to putting sensitive data in the cloud—even though the cloud in many cases has been shown to be more secure than data center environments—and therefore will prefer to maintain an on-premises SIEM as their main platform for security information and event monitoring. Others may be more concerned about keeping a long history of data or require a lot of processing power, so a cloud-native service makes more sense as the primary SIEM.

Either way, these offerings provide organizations with new options for their SIEM needs. These services represent an important step in the right direction.

This article originally appeared in the July/August 2019 issue of Security Today.

Featured

  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity

Webinars

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3