Eric Sun, senior solutions manager for incident detection and response, explains why modern security information and event management, or SIEM, is moving to the cloud. He breaks down cloud SIEM’s three key use cases—unifying, detecting, and responding—and warns of some challenges that can come with moving to the cloud.
Security analytics, centralized log management, SIEM. Why is all this stuff moving to the cloud? I'm Eric Sun, part of the detection and response team here at Rapid7. Today, let's talk a little bit about cloud SIEM.
As a quick refresher on security information and event management, there are two key data sources here. There's the information, all of the disparate data across your network: logs, network endpoint data, and certainly cloud monitoring, if you're doing that as well. The other half is events. This is typically events from the rest of your existing security stack, things like antivirus, endpoint detection and response tools, web proxy. If you're doing cloud monitoring, certainly alerts and notable behaviors from there should also be able to go into your SIEM.
Traditionally, SIEM's been very strong around two major use cases. The first is, if you have an indicator of compromise, and you need to investigate more deeply. The second piece is proving compliance. So, showing that security controls are in place, there's audit logging, file integrity monitoring, and so on and so forth. But with modern threats, security teams are now using the power of cloud analytics to really solve three key use cases.
The first is Unify. The challenge here is that there are remote workers, there's infrastructure-as-a-service, folks are accessing data from so many different points, so analyzing that user behavior, and collecting that information, really requires scalable, easy data collection that cloud can provide.
The second piece is Detect. If you look at the Verizon Data Breach Investigations Report, the same attack vectors continue to succeed. That's phishing, malware, and the use of stolen credentials. The nuance here is, for example, if you want to detect malware, looking at PowerShell logs on your endpoint is pretty important. That's something that you want to have access to in your SIEM. But at the same time, you need visibility into user behavior to catch impersonations, use of stolen credentials, and to mitigate the risk of phishing and the use of stolen passwords.
And the last piece is Respond, and that's where security teams are using the SIEM to get the context they need, and even contain threats. For example, booting an asset off of the network, killing a process, or disabling a user account. This is where things like user behavior analytics, which provides a tie of IP address to asset, to the user that was using it, really speeds up investigations, and allows security teams to respond to threats at scale.
The last thing worth noting for response is, the ability to take findings from your SIEM, translate into threat intelligence, and apply that to your preventative defenses.
And so, with on-premises approaches, what we see from talking with teams is, there are three major challenges. There's staffing, infrastructure, and scaling concerns. If you're using, for example, Managed SIEM, that can abstract a lot of the challenges away from data collection, hardware management, data flow, but it still leaves a lot of teams wanting when it comes to expertise around investigating alerts, incident response, or taking meaningful action on the output of a SIEM.
Infrastructure and scaling: if you have a healthy mergers and acquisitions cadence, or you have a large transient workforce, that adds challenges when it comes to the amount of hardware, and what you need to allocate to have full coverage over your network.
So, our approach at Rapid7 is, we have the Insight cloud, of which InsightIDR is our SIEM that can certainly help you with unifying, detecting, and responding to threats across your environment. But best of all, the platform can solve many security use cases, and our deployment times are extremely quick and easy because of this cloud-based architecture. So, if you'd like to learn more, check out the link below, and thanks for listening to this Whiteboard Wednesday. SIEM you later.
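The Respond section above mentions user behavior analytics tying an IP address to an asset and then to the user on it. Here is an added, self-contained illustration of that attribution step (example code written for this page, not InsightIDR's or Rapid7's own logic): constructed DHCP lease and logon records are correlated so each logon resolves to the asset that held the source IP at that moment, and a logon from an asset the user has not been seen on before is flagged as a candidate for stolen-credential review. The log formats, field names and the first-seen baseline are all assumptions.

```python
from bisect import bisect_right
from datetime import datetime

# Constructed sample data (not real logs). DHCP leases: ip changes hands at 09:30.
DHCP_LOG = """\
2024-03-04T08:00:00 DHCPACK 10.0.5.23 hostname=LAPTOP-ALICE
2024-03-04T09:30:00 DHCPACK 10.0.5.23 hostname=LAPTOP-BOB
2024-03-04T08:05:00 DHCPACK 10.0.5.40 hostname=LAPTOP-CAROL
"""
AUTH_LOG = """\
2024-03-04T08:10:00 LOGON user=alice src=10.0.5.23 result=success
2024-03-04T08:12:00 LOGON user=carol src=10.0.5.40 result=success
2024-03-04T09:45:00 LOGON user=alice src=10.0.5.23 result=success
"""

def _val(token):  # "key=value" -> "value"
    return token.split("=", 1)[1]

def parse_dhcp(text):
    """Build ip -> sorted [(lease_time, hostname)] from DHCPACK lines."""
    leases = {}
    for line in text.splitlines():
        ts, _, ip, host = line.split()
        leases.setdefault(ip, []).append((datetime.fromisoformat(ts), _val(host)))
    for hist in leases.values():
        hist.sort()
    return leases

def asset_for(leases, ip, ts):
    """Hostname holding `ip` at time `ts` (latest lease at or before ts), else None."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    hist = leases.get(ip, [])
    idx = bisect_right([t for t, _ in hist], ts)
    return hist[idx - 1][1] if idx else None

def attribute_logons(leases, text):
    """Yield (ts, user, ip, asset) for each successful logon, IP resolved to asset."""
    out = []
    for line in text.splitlines():
        ts, _, user, src, result = line.split()
        if _val(result) != "success":
            continue
        when = datetime.fromisoformat(ts)
        out.append((when, _val(user), _val(src), asset_for(leases, _val(src), when)))
    return out

def flag_unusual_assets(attributed):
    """Flag logons from an asset other than the one the user was first seen on.
    A first-seen baseline is deliberately simple; production UBA uses longer history."""
    usual, flagged = {}, []
    for ts, user, ip, asset in sorted(attributed):
        if usual.setdefault(user, asset) != asset:
            flagged.append((ts, user, ip, asset, usual[user]))
    return flagged
```

On the sample data the 09:45 logon resolves to LAPTOP-BOB even though the IP is unchanged, which is exactly the context an analyst needs before deciding whether to disable alice's account or contain that asset.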