SIEM in the Cloud (Part 1)

This blog entry is part one of a three-part post on security event management in the cloud. This first entry gives a high-level overview of SIEM in general, the second will focus on the technology in the AWS cloud, and the final piece will discuss managed security services in the cloud.

Security Information & Event Management (SIEM) is a rapidly evolving and expanding field in IT security. The 2015 Gartner report on the subject put global spending on SIEM solutions at $1.69 billion USD, with annual growth of around 12.5%.

SIEM can broadly be defined as the aggregation and analysis of security events and metrics to produce trending data and real-time alerts. Its value lies in providing a centralised platform to ingest, store and monitor everything that gets logged by security devices and systems throughout the network, so that events from different sources can be compared against each other rather than reviewed one device at a time.

The high-level diagram below shows the basic premise of SIEM. Log data from a range of sources, such as firewalls, IPS/IDS, email/antivirus gateways, web/app servers, LDAP directories, etc., is forwarded to the SIEM appliance. The analytics engine then parses this data into a common event format and makes decisions based on its internal threat signature database, risk algorithms and the policies that have been configured.
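To make the "parse, then decide" step concrete, the script below is a toy version of that pipeline, added here as an illustration and not code from any SIEM product. It normalises lines from two constructed log sources (an sshd auth log and an iptables-style firewall log, in syslog format) into one event schema, runs a single correlation rule over them (repeated login failures from one IP followed by a successful login from the same IP), and buckets the events into per-type counts of the kind a trend dashboard would plot. The log lines, the hostnames and IPs, and the year supplied to the timestamp parser are all assumptions made for the example.

```python
"""Minimal SIEM-style pipeline, as an added illustration: normalise log lines
from two sources into one event schema, run a correlation rule over the
events to raise an alert, and bucket them into the counts a trend dashboard
would plot. The log lines are constructed samples, not real data."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample input: an sshd auth log and an iptables-style firewall log,
# both in syslog format as a SIEM collector would receive them.
SAMPLE_LOGS = """\
Jan 12 10:00:01 bastion sshd[1234]: Failed password for root from 203.0.113.5 port 51000 ssh2
Jan 12 10:00:03 bastion sshd[1234]: Failed password for root from 203.0.113.5 port 51001 ssh2
Jan 12 10:00:05 bastion sshd[1234]: Failed password for admin from 203.0.113.5 port 51002 ssh2
Jan 12 10:00:09 bastion sshd[1234]: Accepted password for admin from 203.0.113.5 port 51003 ssh2
Jan 12 10:00:10 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=3389
Jan 12 10:00:11 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.6 PROTO=TCP DPT=3389
Jan 12 10:20:00 bastion sshd[1234]: Failed password for root from 192.0.2.9 port 40000 ssh2
Jan 12 10:40:00 bastion sshd[1234]: Accepted publickey for deploy from 192.0.2.9 port 40001 ssh2
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
SSHD_RE = re.compile(SYSLOG_PREFIX + r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")
FW_RE = re.compile(SYSLOG_PREFIX + r"kernel: (?P<action>DROP|ACCEPT) .*SRC=(?P<src>[\d.]+) "
                   r"DST=(?P<dst>[\d.]+) .*DPT=(?P<dport>\d+)")


def parse_ts(stamp, year=2024):
    # Classic syslog timestamps carry no year; the collector has to supply one (assumed here).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def normalize(line):
    """Map one raw line onto the common event schema, or None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "source": "sshd",
                "type": "auth_success" if m["outcome"] == "Accepted" else "auth_failure",
                "user": m["user"], "src": m["src"]}
    m = FW_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "source": "firewall",
                "type": "fw_" + m["action"].lower(), "src": m["src"],
                "dst": m["dst"], "dport": int(m["dport"])}
    return None


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: >= threshold auth failures from one source IP inside `window`,
    followed by a successful login from that IP, raises one alert."""
    alerts = []
    failures = defaultdict(list)  # src IP -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "auth_failure":
            failures[ev["src"]].append(ev["ts"])
        elif ev["type"] == "auth_success":
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "ts": ev["ts"],
                               "src": ev["src"], "user": ev["user"], "failures": len(recent)})
            failures[ev["src"]].clear()  # one burst yields one alert, not one per later login
    return alerts


def trend(events, bucket_minutes=15):
    """Count events per (time bucket, event type): the series a SIEM dashboard plots."""
    counts = Counter()
    for ev in events:
        start = ev["ts"].replace(minute=ev["ts"].minute - ev["ts"].minute % bucket_minutes,
                                 second=0, microsecond=0)
        counts[(start.strftime("%H:%M"), ev["type"])] += 1
    return counts


def run(raw_log_text):
    """Ingest -> normalise -> correlate -> trend. Unparsed lines are counted, not dropped silently."""
    events, unparsed = [], 0
    for line in raw_log_text.splitlines():
        ev = normalize(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return events, correlate_bruteforce(events), trend(events), unparsed


if __name__ == "__main__":
    events, alerts, trends, unparsed = run(SAMPLE_LOGS)
    print(f"{len(events)} events normalised, {unparsed} unparsed")
    for a in alerts:
        print("ALERT", a)
    for key, n in sorted(trends.items()):
        print("TREND", key, n)
```

Two details carry over to real deployments. The rule only fires because both the failures and the success were normalised to the same `src` field, which is the whole point of the parsing step; a source whose log format is not understood contributes nothing to correlation, so the `unparsed` counter should itself be monitored. And the 192.0.2.9 login correctly does not alert, since a single failure twenty minutes before a key-based login does not satisfy the rule; tuning `threshold` and `window` is where most of the noise in a new SIEM is removed.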

The larger and more complex your environment is, the greater the need for a SIEM solution. The sheer amount of raw data produced by devices such as firewalls and IPS appliances in a busy network is overwhelming. Once you factor in copious amounts of application logs, virus/malware scan results and web access logs, it becomes simply impossible to manage without some form of automated processing.

As important as storing and managing this data is, the ability to recognise an attack as it develops, and to surface weaknesses before they are exploited, is perhaps the most tangible benefit of implementing a SIEM framework. By correlating events across sources, a correctly configured and managed SIEM solution can warn you of potential weaknesses in your environment and advise of fixes before an attack succeeds. The caveat is that a SIEM only sees what is actually logged and only acts on the rules it has been given: gaps in log coverage, or rules left at vendor defaults, are the usual reasons an alert never fires.

Traditional SIEM technologies have taken the form of hardware appliances. The two biggest players in this space, until quite recently, have been IBM's QRadar and HP's ArcSight, with LogRhythm also commonly featuring in the top five. However, these vendors have been relatively slow in adapting their products to be "cloud ready". Whilst they do have virtual equivalents of their hardware appliances, at the time of writing they don't appear to offer an "on-demand" licensing model or readily deployable images in the AWS or Azure marketplaces.

On the other hand, both SumoLogic and Splunk, along with others, have been part of the cloud story from the beginning and have released security-focused offerings of their excellent log management tools to compete in the SIEM market. Both have products in the AWS and Azure marketplaces and offer a variety of cloud-friendly pricing models. SumoLogic in particular appears to have made "the cloud" its major focus and is going to great lengths to make its products as easy to deploy and configure as possible.

The links below give more detail about a handful of the many products available in the SIEM space.



Cloudten Industries © is an Australian cloud practice and a recognised consulting partner of AWS. We specialise in the design, delivery and support of cloud based solutions. Don’t hesitate to contact us if you have any queries about this post or any cloud related topic.