Kenneth Buckler, CASP, is a research analyst of information security/risk and compliance management for Enterprise Management Associates, a technology industry analyst and consulting firm. He has also served in technical hands-on roles across the Federal cyber security space and has published three Cyber Security books. Ken holds multiple technical certifications, including CompTIA’s Advanced Security Practitioner (CASP) certification.
What is a SIEM, and why do you need one for cloud?
Security information and event management (SIEM) is designed to combine the best of security information management (SIM) and security event management (SEM) to provide a unified platform for intrusion detection and response. While SIEMs traditionally don’t include prevention capabilities, users are increasingly expecting fulfillment of this use case from a SIEM as part of tool consolidation. We need to move away from reactive security toward proactive security, working to prevent intrusions before they happen (or get worse). A quality SIEM must equip practitioners to spot cyber-threats quickly, and investigate and remediate threats before they can cause damage.
The shift to the cloud exacerbates the visibility challenges of perimeter-based detection and response technologies, necessitating the agility and power of a different class of solution. With SIEM, the SOC can restore operational awareness and control. To succeed in this endeavor, consider the following dynamics of today’s cloud: compatibility, scalability, and the learning curve of working with cloud data.
Multi-cloud SIEM compatibility
To be effective, a SIEM needs to provide compatibility with your current environment — including your cloud infrastructure and applications — as well as support future expansion. Unfortunately, many SIEMs fall woefully short in enabling out-of-the-box threat detection and response across cloud technologies. A multi-cloud SIEM needs to be able to process cloud data out of the box and must also normalize that data into a standardized, readable format.
Out-of-the-box detection of attack indicators utilizing native cloud data types is critical. Organizations simply don’t have the time or resources to not only set up and configure the SIEM, but also program environment-specific attack detection signatures.
Multi-cloud SIEM data is diverse, high-velocity, and comes at a massive scale
Cloud data is inherently diverse in structure, high-velocity in information throughput, and stays at an exponential scale as cloud infrastructure and applications grow. Traditional SIEMs are designed for traditional security, with traditional data sources such as system and firewall logs. While some vendors might retrofit existing SIEMs to process cloud data, this interface is not always clean, or it does not work well when cross-correlating data between cloud and traditional data from servers and network devices.
Scalability becomes an extreme challenge for SIEMs not optimized for cloud data, especially multi-cloud organizations. The varying formats become a data processing challenge at scale without normalization, and the high-velocity ephemeral nature of this massive-scale cloud architecture means an instance of a cloud application may have been created, destroyed, and possibly even recreated by the time an analyst receives an alert. The SIEM must be able to capture all necessary data in real time because there may be no logs to review after an incident occurs.
The cloud security SIEM learning curve
Cloud security is a new concept for many organizations, and processing cloud security data through a SIEM can be a challenge on its own. Cloud security indicators and events look nothing like traditional security indicators, and SIEMs that do not normalize this data into a more readable format become very cumbersome and difficult to use.
Unfortunately, many SIEMs have a steep learning curve and offer no user community to provide mutual support. Without this support, not only will the implementation timeline for a SIEM be slow, but onboarding for new security analysts will be lengthy. Add to this the complexity of cloud data and even the most experienced cybersecurity analyst may have difficulty analyzing this data on their own.
The challenges of SIEM, including multi-cloud compatibility, data complexity, and scalability, as well as the learning curve for analyzing cloud data through a SIEM, simply cannot be ignored. These are tough challenges that few SIEMs can overcome, especially when considering the velocity of cloud data and how dynamic cloud instances are created and destroyed very quickly. While many SIEMs claim to support multi-cloud environments, when put to the test, they often fall short of expectations.
With their cloud security-focused SIEM, Elastic provides the tools to overcome these challenges and succeed. Read more about what to look for in a cloud security solution in the white paper An Open Look at the Top Seven Criterion for Evaluating a Cloud Security Solution or learn more about Elastic’s approach to cloud security.