momius - Fotolia
One of the most prevalent technologies used in security operations centers today is the SIEM platform. However, SOC teams are struggling to adapt on-premises SIEM platforms to scale and deliver the promise of prioritized cloud-oriented threat monitoring, detection and response.
It is undoubtedly time for SIEM -- whose core functions and deployment models have not evolved in years -- to change with the times. It's time for cloud-based SIEM.
The problem with on-premises SIEM platforms
Maintaining an on-premises SIEM deployment today can be extremely expensive, especially for large organizations. First, there are costly hardware requirements involved. Second, many disparate branch locations and remote sites will have to collect and send data back over dedicated WAN links to a central SIEM source. This can result in diminished bandwidth and potentially lead to lost events or fragmented streams of information.
Cloud-based SIEM features and capabilities
By moving a SIEM platform to the cloud, organizations can better unify event data from on-premises infrastructure and cloud-native assets. For hybrid cloud deployments especially, a combined view of activities and events is essential.
Cloud-based SIEM tools can enhance SOC cloud monitoring with the following capabilities:
- Prioritized cloud environment alerts. Automated alert prioritization ensures analysts focus on alerts associated with the highest level of risk within the environment. This requires deep understanding of cloud infrastructure and services. Automated detection capabilities should use analytics and machine learning to help analysts easily identify alerts of interest and follow-up actions.
- Attack timelines. Grouping events based on identification of cloud-centric attack patterns is an important distinction of a cloud-based SIEM platform. Visualization of communications in the environment can also help show even junior analysts which types of attack patterns are observed.
- Integration with cloud APIs for automation. To improve the speed and efficiency of SOC workflows and playbook execution, all primary SOC tooling should be integrated with cloud provider APIs as much as possible. This can streamline automation for containment and response actions, such as automatically tagging a suspicious workload and changing its network attributes for isolation during an investigation.
Advantages of cloud-based SIEM tools
In addition to the tactical advantages of SIEM for the SOC team, cloud SIEM vendors promise the following cloud security benefits and use cases as well.
Deep expertise in cloud-specific attacks
Cloud technologies and environments present new variations on well-known, existing attack tactics, which security analysts need to understand. Unique cloud attack methodologies also need to be well understood by the SIEM service providers. One of the most important features of SIEM tools is a stable of correlation use cases for events that may indicate attacks and incidents. SIEM providers' research teams need expertise in cloud-centric attack workflows to ensure a strong set of playbooks and workflows is available natively for SecOps teams to track and detect malicious or suspicious cloud behaviors.
Cloud threat intelligence
Many internal security teams struggle with collection and analysis of data from cloud environments that may prove useful in refining SecOps functions. Understandably, many SOC teams look to cloud service providers and third-party cloud SIEM vendors to help. A cloud-based SIEM service should help SOC teams quickly and effectively search for compromised assets based on indicators provided, events generated on workloads and within the cloud infrastructure, and communications with known malicious IP addresses and domains. The goals of cloud-centric threat intelligence should be incident identification and remediation, based on the gathered intelligence.
Deep provider API integration
Another key benefit of a cloud-based SIEM platform is deep integration with cloud provider APIs and services. This function may improve streaming of events to a central analysis environment and enable more capable event detection. To get the most out of their cloud-based SIEM tools, customers should look for autoscaling ingestion of event data capabilities as well. Typically built on a microservices architecture, cloud SIEM platforms provide organizations with resource elasticity to automatically scale up or down quickly as demand varies.