Compliance requirements and growing concerns over more targeted and sophisticated attacks have boosted interest in security information and event management systems. However, the complexity and cost associated with SIEMs have organizations looking to SIEM in the cloud as a way to overcome those challenges.
While companies need to have a greater ability to monitor their systems and generate compliance reports to meet regulatory requirements, SIEM systems are typically expensive to deploy and complex to operate and manage. No wonder larger enterprises have been the core adopters of the information security systems. Midsized companies and small businesses have not had the technical skills to broadly deploy SIEM internally, said Jon Oltsik, principal analyst with the Enterprise Strategy Group.
Turning security information and event management into a cloud service allows small and midsized companies to avail themselves of the benefits of the systems, he said.
"It is typical that companies go from manual log analysis, to log management, to SIEM," Oltsik said. "Typically, when you cross that bridge to SIEM, you are getting to a sophisticated and complex product -- cloud can simplify that."
Streamlining SIEM via the cloud
SIEM systems combine security information management capabilities (collecting logs and reporting on compliance) with security event management capabilities (collecting security-related events and analyzing them to detect potential attacks). While compliance has traditionally driven SIEM adoption, concerns over advanced threats have become a stronger incentive to purchase the systems, according to analyst firm Frost & Sullivan, which predicts the worldwide market for SIEM systems will grow to $1.3 billion in 2015, up from $680 million in 2009.
Eye On SIEM Systems:
Editor’s Note: This news story is part of SearchSecurity.com's "Eye On" series that brings together various perspectives on security topics throughout the year from SearchSecurity and its sister sites. In the month of March the series examined SIEM systems.
Due to the relative complexity and expense of SIEM systems from major players such as HP, RSA (the Security Division of EMC) and Q1 Labs, smaller businesses typically use managed security service providers that have SIEM capabilities built in. Yet a number of startups are also aiming to fill the gap in the SMB market. Companies like Alert Logic Inc. and Sumo Logic Inc. are attempting to provide the benefits of a well-managed SIEM system with the simplicity of the cloud.
Houston-based Alert Logic, for example, deploys sensors into the customer's network to collect log and event data, but shifts the operations and management to the cloud, said Urvish Vashi, vice president of marketing at the vendor.
"The heavy lifting -- the data correlation and analysis -- happens in the cloud," he said.
Smaller businesses are not the only ones that can benefit from the cloud, added Vab Goel, the founder and former CEO of Virtela Technology Services Inc., a Greenwood Village, Colo.-based network and security management provider. Larger enterprises stand to save significantly by allowing a cloud provider to manage their security information infrastructure, he said.
"Most of the time, enterprises are trying to do it themselves, and they are finding that is taking too much time and is too complex," he said. "When they are global -- and 50% of revenue is outside of America -- you need staff that is online 24/7."
SIEM in the cloud has its own issues
However, cloud providers have to do more to assuage the security concerns of potential customers. Turning over internal security data to a cloud provider requires trust, and nearly half of all users of cloud services desire more clarity on providers' security precautions, according to Gartner.
Another problem with pushing SIEM into the cloud is that targeted attack detection requires in-depth knowledge of internal systems, the kind found in corporate security teams. Cloud-based SIEM services may have trouble recognizing low-and-slow attacks, said Mark Nicolett, vice president with research firm Gartner.
In targeted attacks, "90% of the time that organizations were breached, attackers created only a relatively small amount of activity," he said. "To see that evidence, you need to know the environment. Cloud services may not be able to do that."
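To make concrete both halves of SIEM described earlier (log collection with compliance reporting, and event correlation to detect attacks) and Nicolett's point that low-and-slow activity is only visible with knowledge of the environment, here is an added example in Python. It is not code from the article or from any vendor named in it. It parses constructed login records, produces a per-host compliance count, applies a generic volume-based brute-force rule, and then applies a rule that depends on environment knowledge: a hypothetical inventory of which source addresses each service account is expected to log in from. The key=value log format, host names, addresses and the KNOWN_SERVICE_SOURCES inventory are all constructed for this example.

```python
import re
from collections import defaultdict, Counter
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data), one per line.
# The first block is a noisy brute-force burst; the db01 lines are a small,
# spread-out "low-and-slow" sequence that never trips a volume threshold.
SAMPLE_LOGS = """\
2011-03-01T08:55:00 host=web01 user=alice src=10.0.1.15 action=login result=fail
2011-03-01T08:55:04 host=web01 user=alice src=10.0.1.15 action=login result=success
2011-03-01T09:00:00 host=vpn01 user=bob src=198.51.100.20 action=login result=fail
2011-03-01T09:00:01 host=vpn01 user=bob src=198.51.100.20 action=login result=fail
2011-03-01T09:00:02 host=vpn01 user=bob src=198.51.100.20 action=login result=fail
2011-03-01T09:00:03 host=vpn01 user=bob src=198.51.100.20 action=login result=fail
2011-03-01T09:00:04 host=vpn01 user=bob src=198.51.100.20 action=login result=fail
2011-03-01T09:00:05 host=vpn01 user=bob src=198.51.100.20 action=login result=fail
2011-03-01T10:12:00 host=db01 user=svc_backup src=203.0.113.7 action=login result=fail
2011-03-01T13:40:00 host=db01 user=svc_backup src=203.0.113.7 action=login result=fail
2011-03-01T17:05:00 host=db01 user=svc_backup src=203.0.113.7 action=login result=success
"""

# Hypothetical environment knowledge: service accounts and the only source
# addresses they are expected to log in from. Without this inventory the
# final db01 login is indistinguishable from routine activity.
KNOWN_SERVICE_SOURCES = {"svc_backup": {"10.0.2.50"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Normalize raw lines into dicts with a parsed timestamp; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def compliance_summary(events):
    """SIM side: count login outcomes per host for a compliance report."""
    counts = Counter()
    for ev in events:
        counts[(ev["host"], ev["result"])] += 1
    return dict(counts)


def brute_force_rule(events, threshold=5, window=timedelta(minutes=10)):
    """Generic SEM rule: at least `threshold` failures from one source inside `window`.

    Returns {src: peak failures seen in any window} for sources that trip the rule.
    """
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "fail":
            fails[ev["src"]].append(ev["ts"])
    alerts = {}
    for src, stamps in fails.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted failures
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def environment_aware_rule(events, known_sources=KNOWN_SERVICE_SOURCES):
    """Context rule: one successful login of a known service account from an
    unexpected source is enough to alert, regardless of event volume."""
    alerts = []
    for ev in events:
        allowed = known_sources.get(ev["user"])
        if allowed is not None and ev["result"] == "success" and ev["src"] not in allowed:
            alerts.append((ev["user"], ev["host"], ev["src"]))
    return alerts


def run(text=SAMPLE_LOGS):
    """Run the full pipeline and return all three outputs."""
    events = parse_events(text)
    return {
        "summary": compliance_summary(events),
        "brute_force": brute_force_rule(events),
        "context": environment_aware_rule(events),
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

Running it shows the gap the article describes: the volume rule flags 198.51.100.20 (six failures in seconds) but says nothing about 203.0.113.7, whose two failures hours apart and one success never approach the threshold; only the rule that knows svc_backup should never log in from anywhere but 10.0.2.50 raises an alert on the db01 login. Whoever operates the SIEM, in the cloud or on premises, needs that inventory fed to it before the second rule can exist.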
About the author:
Robert Lemos is an award-winning technology journalist, who has reported on computer security and cybercrime for 15 years. He currently writes for several technology publications.