The 2019 Verizon Data Breach Investigations Report reveals a shift towards a broader range of sectors being targeted by bad actors. It’s no longer just Financial, Healthcare, and SCADA as the big targets. Now more than ever, organizations in almost every sector that utilize technology must be aware of their IT risk and find ways to reduce it. A primary control in most cases involves using some form of SIEM to provide the visibility necessary to stop threats and detect breaches. But like everything else, the times are changing.
Small organizations struggle with the funding and infrastructure required to support an extensive SIEM deployment, while large organizations struggle with management complexity and outdated licensing models. Buzzwords like “Machine Learning” have entered the SIEM discussion, and things like User Behavior Analytics are at the forefront. Enter the buzzword: “Next-gen SIEM”. Now that we are moving to a zero-trust world and have modern encryption, authentication, and increasingly security-aware cloud providers, it makes a lot of sense to move these “Next-gen” SIEM products to the cloud.
A shift to the cloud results in less infrastructure. This is a clear advantage to most organizations, since eliminating a costly hardware lifecycle on hundreds of SIEM appliances is a big win for the budget. These cost savings are also apparent for organizations that have more autonomous sites and many internet egress points. Typically, a lightweight collector is deployed and, using public key cryptography, pairs with the cloud platform to establish a secure tunnel. Shifting SIEM data away from private WAN links and onto internet links reduces costs and frees up internal bandwidth.
Another major advantage of moving SIEM to the cloud is the unification of data from both on-premises and cloud applications. As more organizations adopt cloud applications, visibility into cloud activity becomes more essential. Similar to CASB systems, native integrations with cloud applications like Office 365, Dropbox, and Google are now becoming standard in SaaS SIEM, and for good reason.
This unification also complements the goals of next-gen SIEM by allowing for more data analysis. With your company’s log data residing in a cloud data lake, the SIEM platform can more easily apply machine learning and “big data” analysis techniques on the back end, which may require more extensive compute services than on-premises solutions could provide.
A successful cloud-hosted SIEM will typically work in tandem with an endpoint agent. This is a shift away from more traditional, weighty data collection techniques like packet capture; the SIEM instead relies on direct visibility into an endpoint’s processes and network connection tables. This ensures your mobile employees and offsite systems are always visible, with the added benefit of more easily detecting lateral movement and credential theft.
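To make the endpoint-telemetry point concrete, the following is an added example (not code from this article or from any SIEM product) of a fan-out rule over process and connection-table records, one simple signal for lateral movement. The record layout, the list of remote-administration ports, the 10-minute window and the threshold of 3 are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed agent records: (time, host, user, process, dest_ip, dest_port).
EVENTS = [
    ("2019-06-03T09:00:05", "laptop-17", "svc_backup", "powershell.exe", "10.0.4.11", 445),
    ("2019-06-03T09:01:40", "laptop-17", "svc_backup", "powershell.exe", "10.0.4.12", 445),
    ("2019-06-03T09:03:10", "laptop-17", "svc_backup", "powershell.exe", "10.0.4.13", 5985),
    ("2019-06-03T09:02:00", "laptop-22", "alice", "chrome.exe", "93.184.216.34", 443),
    ("2019-06-03T09:05:00", "laptop-22", "alice", "mstsc.exe", "10.0.9.5", 3389),
    ("2019-06-03T09:00:00", "laptop-30", "bob", "explorer.exe", "10.0.4.11", 445),
    ("2019-06-03T09:30:00", "laptop-30", "bob", "explorer.exe", "10.0.4.12", 445),
    ("2019-06-03T10:15:00", "laptop-30", "bob", "explorer.exe", "10.0.4.13", 445),
]

# Assumed tuning values, not taken from any product.
ADMIN_PORTS = {22, 445, 3389, 5985}   # SSH, SMB, RDP, WinRM
WINDOW = timedelta(minutes=10)
THRESHOLD = 3                          # distinct internal destinations

def detect_fanout(events, window=WINDOW, threshold=THRESHOLD):
    """Flag a (host, user, process) that reaches `threshold` or more distinct
    internal hosts on remote-administration ports within `window`."""
    by_source = defaultdict(list)
    for ts, host, user, proc, dst, port in events:
        if port in ADMIN_PORTS and ip_address(dst).is_private:
            by_source[(host, user, proc)].append((datetime.fromisoformat(ts), dst))
    alerts = []
    for (host, user, proc), conns in by_source.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):
            # Slide the window start forward until it spans at most `window`.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            dests = sorted({dst for _, dst in conns[start:end + 1]})
            if len(dests) >= threshold:
                alerts.append({"host": host, "user": user, "process": proc,
                               "first_seen": conns[start][0].isoformat(),
                               "destinations": dests})
                break
    return alerts

if __name__ == "__main__":
    for alert in detect_fanout(EVENTS):
        print(alert)
```

Because each record carries the originating process and user, the alert names `powershell.exe` running as `svc_backup` rather than just a source IP, which is context packet capture alone would not supply.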
With modern encryption and authentication as the new norm, integrations from companies like Okta and SecureAuth ensure that only your staff can reach the SIEM. This integration also provides support for more unified multi-factor authentication through the Identity Provider. Integration here also allows for security automation workflows that can automatically suspend or disable an account that is suspected of malicious activity.
In the end, I believe as organizations choose to adopt the newest detection techniques, they will also start to utilize the cloud for SIEM. It just makes sense.