With FireEye Inc.'s announcement of a new threat analytics platform for Amazon Web Services, threat intelligence for the cloud is now becoming a reality. But will cloud-based threat analytics systems displace traditional security information and event management products and threat analytics systems in the near future?
Announced last week, FireEye's threat analytics platform (TAP) for Amazon Web Services (AWS) is the first of its kind because, according to Milpitas, Calif.-based FireEye, the product was built natively on Amazon's cloud and it combines FireEye's threat intelligence with event monitoring and analytics across AWS as well as a client's on-premises IT environment.
"We wanted to build a threat analytics platform that CISOs thought was missing for the cloud," Grady Summers, vice president of strategic solutions at FireEye, said. "It combines the intelligence you need to detect emerging or unknown threats with the speed with which you need to react and the context you need to understand the threats."
A key attribute of FireEye's TAP is that it is integrated with the AWS CloudTrail Web service and can monitor all AWS API calls made on a customer's account. The TAP product analyzes all CloudTrail data for anomalous behavior or potential threats. The TAP for AWS can also integrate, index and analyze all of an enterprise's internal data.
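To make the CloudTrail angle concrete, here is an added example of the kind of analysis a defender can run over CloudTrail records. This is illustrative code written for this article, not FireEye's TAP or any part of its product; the sample records are constructed (field names follow the CloudTrail record format, the values are invented), and the three rules, the high-risk API list and the thresholds are choices made for the example rather than anything FireEye has published.

```python
import json
from collections import Counter

# Constructed sample of CloudTrail records for this example (invented values,
# not logs from any real account). The field names follow the CloudTrail
# record format; everything else is made up.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2014-06-02T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-06-02T10:02:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2014-06-02T10:02:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2014-06-02T10:02:15Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2014-06-02T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-06-02T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]})

# API calls whose success weakens logging or identity control; any occurrence
# is worth a finding. This list is chosen for the example and is not exhaustive.
HIGH_RISK_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail",
    "CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
}


def principal(record):
    """Human-readable principal name taken from a CloudTrail userIdentity block."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def analyze_cloudtrail(raw_json, allowed_regions, denied_threshold=3):
    """Apply three simple detection rules to a CloudTrail JSON document and
    return a list of finding dicts, one per rule hit."""
    records = json.loads(raw_json).get("Records", [])
    findings = []
    denied_by_principal = Counter()

    for rec in records:
        who = principal(rec)
        name = rec.get("eventName", "")
        # Rule 1: a sensitive API call, whether or not it succeeded.
        if name in HIGH_RISK_EVENTS:
            findings.append({"rule": "high_risk_api_call", "principal": who,
                             "event": name, "time": rec.get("eventTime")})
        # Rule 2: activity in a region the account does not normally use.
        if rec.get("awsRegion") not in allowed_regions:
            findings.append({"rule": "unexpected_region", "principal": who,
                             "event": name, "region": rec.get("awsRegion")})
        # Tally AccessDenied errors per principal for rule 3.
        if rec.get("errorCode") == "AccessDenied":
            denied_by_principal[who] += 1

    # Rule 3: a burst of denied calls from one principal, a common sign that
    # a credential is being used outside its intended scope.
    for who, count in denied_by_principal.items():
        if count >= denied_threshold:
            findings.append({"rule": "access_denied_burst", "principal": who,
                             "count": count})
    return findings


if __name__ == "__main__":
    for finding in analyze_cloudtrail(SAMPLE_CLOUDTRAIL, {"us-east-1", "us-west-2"}):
        print(finding)
```

Running the script on the constructed sample yields three findings: the StopLogging call by alice, carol's RunInstances in an unlisted region, and bob's three denied calls. In a real deployment the allowed-region set and the denied-call threshold would be tuned per account, and CloudTrail's own delivery delay means such rules run over batches of records rather than in real time.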
"[TAP] can consume any type of data from the enterprise and apply that data to the threat analysis," Summers said.
But that enterprise data angle is a sticking point for many enterprises, according to Mike Rothman, analyst and president of Phoenix-based infosec consultancy Securosis LLC.
"There are a lot of folks that have a big philosophical challenge with sending their enterprise data to the cloud," Rothman said, "even if it's for security."
Rothman said FireEye's TAP for AWS, like many other cloud-based security products, has the kind of architecture that addresses many of the questions about where enterprise data is stored, how it's used and how it's then disposed of. But he said many enterprises still prefer to keep their data on premises, no matter what safeguards or reassurances a vendor can offer.
FireEye, however, hopes that the benefits of its cloud-based TAP system, particularly the scalability of the cloud and the cost savings compared to on-premises software and hardware, will entice more enterprises to make that leap.
For example, Summers said, one of FireEye's customers is an entertainment company that sells tickets for events. It could no longer rely on legacy, on-premises security information and event management (SIEM) systems for threat analytics because of the hardware costs; the customer regularly experienced spikes in Web traffic and ordering. Summers said it made sense for the company to use a cloud model that could accommodate the fluctuations and growth in the enterprise data and threat intelligence that needed to be analyzed.
"The cloud's flexibility is very helpful in terms of dealing with the growing amount of threat intel and data out there," Summers said.
Those advantages, coupled with the CloudTrail integration, are good selling points for FireEye, Rothman said. "The FireEye TAP solution is important because companies need visibility for what they're doing in AWS," he said.
But businesses that have regulatory and compliance concerns -- which Rothman said are not always legitimate -- are unlikely to be swayed by those cloud advantages unless they have a sizeable portion of their environment in the cloud already and have overcome the philosophical challenges.
"If a lot of an enterprise's computing is done in the cloud, then they'll go with a cloud-based security solution like this," Rothman said. "But if it's not, then I don't think the benefits will convince those enterprises to move to cloud security."
FireEye is optimistic, however, that the lure of cost-effective cloud services on AWS and an agile, scalable threat analytics solution will help convince customers to move away from legacy SIEM systems or at least add a cloud-based threat analytics solution to their defenses.
Summers said the majority of FireEye clients still have some kind of legacy SIEM systems in place, but that may be changing.
"The initial data we've seen this year indicates a big change coming," Summers said. "I think we're going to see more SIEM deployments in the cloud and more TAP solutions on top of those systems as well."
Rothman said it's too early to tell how enterprises will adopt threat analytics platforms in the cloud, but he agreed with FireEye that cloud-based security products and services are trending upward.
"Is this going to totally disrupt the SIEM market? I think it's going to take a couple years," he said. "But there's going to be an increasing amount of IT being done in the cloud, and that includes security."