Security Monitoring in the cloud - Part 2
On PremSIEM vs. Cloud SIEM
How to choose a SIEM solution
To protect your organization against security threats, you need maximum insight. That’s the fundamental suggestion behind SIEM (security information and event management) software, which is essential to the security defences of the majority of large and medium enterprises.
A SIEM needs to collect data from various log sources such as Windows, Linux servers, workstations, network devices like switches, routers and load balancers, security devices like firewalls, IPS/IDS, VPN, URL filtering, and any application that can produce logs. Using the various log sources, it must perform data analysis and aggregation, event correlation, reporting, and log management for security and troubleshooting purposes.
For on-premise environments, the usual place of a SIEM is with most log sources, with SIEM agents deployed to endpoints or servers that lack agentless logging capabilities. For the devices, appliances, and applications with reporting options such as Syslog, the SIEM can ingest the logs by acting as a Syslog server.
However, with businesses moving more and more workloads and workflows to the cloud, their security defences need to catch up to them. Cloud-based SIEM (also referred toas SIEM-as-a-Service) takes SIEM to the next level with the ability to deploy resources with a click of the mouse, limit capital expenses and provision capacity on-demand and various business groups within organizations have begun taking advantage of it.
Selecting, purchasing and implementing a SIEM is quite an investment of time and resources. Many large enterprises prefer a SIEM platform installed on-premise, while SIEM-as-a-Service is gaining in popularity among small and medium-sized organizations that cannot afford to install and maintain on-premise SIEM solutions.
The main advantage of a cloud-based SIEM lies within the implementation speed, agility and the relative ease of scaling up and down to include or exclude collection points as business activities expand or decrease.
The on-premises SIEM model keeps the organization’s sensitive data in-house and, in theory, allows for greater customization than managed SIEM services.
The final decision, whether the on-premise or the cloud-based model for SIEM adoption is more advantageous for your organization, does not depend on a single factor such as implementation or maintenance costs since every SIEM adoption should also consider an organization’s specific business context.
Up Next –> NEXT Gen SIEM
What Does a Next-Generation SIEM Include?
- Combines internal data with third-party threat intelligence feeds on threats and vulnerabilities.
- Collects and aggregates data from security systems and network devices.
Correlation, Security Monitoring and Alerts
- Links events and related data into security incidents, threats or forensic findings, analyses events, and sends alerts to notify security staff of immediate issues.
- Uses statistical models and machine learning to identify anomalies and detect advanced threats, unknown threats, and lateral movements within a network and enrich the context of security alerts to make it easier to investigate and detect elusive threats.
- Creates visualizations to let staff review event data, identify patterns and anomalies
Search, Data Exploration and Reporting
- Search vast amounts of security data without reviewing raw data and without data science expertise, actively explore data to discover patterns and hunt for threats, create and schedule reports on essential data points.
- Gathers log data for standards such as HIPAA, PCI/DSS, HITECH, SOX and GDPR and generates compliance reports. Helps to meet compliance and security regulations requirements, such as alerting about security conditions for protected data.
- Stores long-term historical data relevant for compliance and forensic investigations. Built-in data lake technology facilitates unlimited, low cost, long-term storage.
- Enables log and event data exploration to discover details of a security incident, with the automated attachment of additional evidence organized in a situation timeline.
- Enables security staff to run queries on log and event data and freely explore data to uncover threats proactively. Once a threat is discovered, it will automatically pull in relevant evidence for investigation.
Incident Response Support
- Helps security teams identify and respond to security incidents automatically, bringing in all relevant data rapidly and providing decision support.
- Automatically responds to incidents by automating and orchestrating security systems, known as Security Orchestration and Response.