These days, everything is moving to the cloud, including—finally—nearly all security vendors. Today, there’s a dazzling array of cloud-native log management, products that secure your clouds, and a few cloud SIEMs that, upon further inspection, are a bit cloudy on the details.
Let’s talk about why modern SIEM is in the cloud, what core benefits you can expect, and how it is predicted to evolve as we soar toward 2020.
Modern SIEM solutions enable three new use cases
In the past, SIEM has been most valuable around:
- Correlation: Give me context, and help me investigate alarms triggered by my stack
- Compliance: Help me prove that all access is logged, events are being tracked, and file integrity monitoring is in place
While these use cases are foundationally valuable, getting to a successful deployment with traditional SIEMs requires a huge amount of up-front configuration, tuning, and ongoing maintenance. Historically, security teams had to spend more time tuning detection rules and filtering through the noise, instead of acting on the outputs and progressing their security posture.
Cloud SIEM tools, like Rapid7 InsightIDR, are quickly gaining market share today as security teams can shed infrastructure and data management hats to focus on three key use cases:
Use case No. 1: Unify data (all of it!) with your cloud SIEM
Our networks now have important log and event sources sprawled across hundreds of log sources, endpoints, and cloud services and hosting platforms. As a supporting visual, here’s our data architecture diagram:
Combined with alerts from your monitoring tools and prevention systems, all of this information should be able to flow into your SIEM for reporting and data visualization. This is where many on-premises SIEM deployments led to challenges, as hardware management, data parsing, and scaling requires continuous grooming and feeding to perform effectively.
Therefore, if you’re considering cloud SIEM, ensure that it has support for your critical data sources, such as cloud hosting, and will actually relieve you from management and maintenance burdens as your business scales. You should be able to start sending data for analytics within minutes of starting a trial or POC—you shouldn’t be waiting for an appliance shipment or professional services.
Be wary of cloud SIEMs that still require on-premises tuning and maintenance.
More native ingestion support for cloud hosting providers (e.g., Azure, AWS, and Google Cloud).
Greater support for telemetry gathering from the endpoint. This enables more nuanced detections, investigations, and threat hunting. Endpoint data such as parent/child processes is essential to our MDR SOCs—these data collection and hunt capabilities will become more accessible to security teams of all sizes.
Use case No. 2: Proactive threat detection with your cloud SIEM
Year after year, the Verizon Data Breach Investigations Report shows that the same attack vectors—phishing, malware, and stolen credentials—are being used successfully. Let’s say you need to detect malware. To identify modern threats, you need visibility into endpoint telemetry, such as PowerShell logs, which you may be able to access from your SIEM.
However, to investigate root cause and identify lateral movement, that information alone isn’t enough. Authentication tracking and user behavior data is also needed to catch account takeover and the use of stolen credentials.
Modern cloud-based SIEMs should not only give you access to this information, but apply security analytics to this data to proactively flag compromise. Accurate threat detection is a bold promise, but as SIEM is the only technology with access to this disparate data, ensure the product has the analytics to expose the behaviors you want to see.
MITRE ATT&CK has gained massive traction as a quantitative framework to map out detection capabilities. A suggested approach is to identify gaps in your detection, understand the data sources that would reveal malicious activity, then ensure your cloud SIEM either has appropriate out-of-the-box detections or the ability to build custom content.
While many SIEM providers claim user behavior analytics to detect anomalous behavior, few have out-of-the-box content for known-bad attacker behaviors. Put them to the test by performing attack simulation or POCing around penetration tests.
Use case No. 3: Automate and respond with your cloud SIEM
SIEM exists to give you the information and context you need in order to respond to and contain threats. This may involve booting an asset off the network, killing a process, or disabling a user account. User behavior analytics (UBA) can reveal the relationships between IP address → asset → user accounts, allowing you to make stronger decisions without hours of laborious investigation.
Cloud SIEM allows you to take investigation findings, such as machine-readable threat intelligence, and with security orchestration, automation, and response (SOAR), apply that to your prevention and detection defenses. By automating mundane and repetitive tasks, you can focus on high-value work such as threat hunting, attack simulation, and making proactive changes to strengthen your network based on investigation findings.
Automated workflows will become commonplace. Teams with high alert volumes today are using SOAR for phishing triage, alert enrichment, and to automate communications (e.g., to ticketing systems and ChatOps). This will allow threats that target users, such as phishing or Office 365 brute forcing, to be better defeated at scale.
Here at Rapid7, our approach to SIEM has been cloud-native since its inception as a user behavior analytics tool in 2013. Part of our Rapid7 Insight cloud, InsightIDR can help you unify, detect, and respond to threats across your environment within hours, not months. For more, check out our on-demand demo or start your full-featured 30-day trial today.