If we look back into the history of threat detection and mitigation, we’ll see that everything started from hardware. All seven layers of the OSI model were first handled with firewalls and intrusion detection/prevention appliances, which were later supplemented by corresponding software and virtual environments. But then, SIEMs stole the thunder from all the other solutions. They paraded victoriously in the digital information security market because they were the first products to be all-in-one: collect the data from the whole infrastructure, correlate, analyze, detect, and remediate in one place. What can be better?
Traditionally, the best way to control something in your digital infrastructure is to keep it on-premise. You can easily set up properties for anything you want, from the physical layer to the application level. However, there are tons of intricacies to be handled on a continuous basis, which also requires sufficient resources for ongoing maintenance. So security professionals keep asking themselves whether the game is worth the candle. Meaning, do all these on-premise SIEM expenses cost less than a potential data breach? The answer is not always positive.
New and more efficient ways of dealing with an evolving threat landscape lie in global virtualized solutions. For example, a collaborative threat detection approach can be leveraged by deploying MITRE ATT&CK mapping at SOC Prime’s Detection as Code platform and continuously streaming relevant detection content. Online translation engines like Uncoder.IO can help instantly convert Sigma-based rules into vendor-specific query formats. Within the organization’s infrastructure, a viable solution might be transitioning to a cloud SIEM, which is fast and highly scalable. Let’s review the possible tactics for transitioning to a cloud SIEM environment.
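To make the "Sigma rule into a vendor-specific format" step concrete, here is an added example that is not part of the original article and is not Uncoder.IO's or the Sigma project's code: a minimal translator that takes a rule in Sigma's structure (logsource, detection selections with field modifiers, and a condition) and renders it as a Splunk SPL search and as a Microsoft Defender KQL query. The sample rule, the log-source prefixes and the Sigma-to-Defender field map (Image to FolderPath, CommandLine to ProcessCommandLine, User to AccountName) are assumptions for the demo; only the contains/startswith/endswith modifiers and and/or/not conditions are supported.

```python
"""Minimal Sigma-to-vendor-query translator (illustrative, not Uncoder.IO).

Handles: field modifiers (contains/startswith/endswith/exact), list values (OR),
selection maps (AND), and conditions built from and/or/not/parentheses.
"""
import re
from typing import Any, Dict, List

# Constructed sample rule in Sigma's structure; the values are illustrative,
# not a rule from SOC Prime or the Sigma project.
SAMPLE_RULE: Dict[str, Any] = {
    "title": "PowerShell Download Cradle (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["DownloadString", "Invoke-WebRequest"],
        },
        "filter_system": {"User": "NT AUTHORITY\\SYSTEM"},
        "condition": "selection and not filter_system",
    },
}

# Assumed, simplified per-backend settings: boolean keywords, a log-source
# prefix and a field-name map. Real backends need far richer tables.
BACKENDS: Dict[str, Dict[str, Any]] = {
    "splunk": {
        "kw": {"and": "AND", "or": "OR", "not": "NOT"},
        "logsource": {("windows", "process_creation"):
                      'source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1'},
        "fields": {},  # assumption: Sysmon data keeps Sigma's field names
    },
    "kql": {
        "kw": {"and": "and", "or": "or", "not": "not"},
        "logsource": {("windows", "process_creation"): "DeviceProcessEvents"},
        "fields": {"Image": "FolderPath", "CommandLine": "ProcessCommandLine", "User": "AccountName"},
    },
}


def _quote(value: str) -> str:
    """Double-quote a literal, escaping backslashes and embedded quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _term(backend: str, field: str, modifier: str, value: str) -> str:
    """Render one field/modifier/value triple for the chosen backend."""
    if backend == "splunk":
        # SPL has no string operators; modifiers become wildcard patterns.
        pattern = {"equals": value, "contains": f"*{value}*",
                   "startswith": f"{value}*", "endswith": f"*{value}"}[modifier]
        return f"{field}={_quote(pattern)}"
    op = {"equals": "==", "contains": "contains",
          "startswith": "startswith", "endswith": "endswith"}[modifier]
    return f"{field} {op} {_quote(value)}"


def render_selection(backend: str, selection: Dict[str, Any]) -> str:
    """A selection map is AND of its keys; a list value is OR of its items."""
    cfg = BACKENDS[backend]
    clauses: List[str] = []
    for key, raw in selection.items():
        sigma_field, _, modifier = key.partition("|")
        field = cfg["fields"].get(sigma_field, sigma_field)
        values = raw if isinstance(raw, list) else [raw]
        alts = [_term(backend, field, modifier or "equals", str(v)) for v in values]
        clauses.append(alts[0] if len(alts) == 1 else "(" + f" {cfg['kw']['or']} ".join(alts) + ")")
    return "(" + f" {cfg['kw']['and']} ".join(clauses) + ")"


def translate(rule: Dict[str, Any], backend: str) -> str:
    """Translate a Sigma-style rule dict into a query string for `backend`."""
    cfg = BACKENDS[backend]
    detection = rule["detection"]
    src = rule["logsource"]
    prefix = cfg["logsource"][(src["product"], src["category"])]
    rendered: List[str] = []
    for tok in re.findall(r"\(|\)|\w+", detection["condition"]):
        if tok in cfg["kw"]:
            rendered.append(cfg["kw"][tok])
        elif tok in "()":
            rendered.append(tok)
        else:
            # any other token names a selection; an unknown name raises KeyError
            rendered.append(render_selection(backend, detection[tok]))
    condition = " ".join(rendered)
    if backend == "kql":
        return f"{prefix}\n| where {condition}"
    return f"{prefix} {condition}"


if __name__ == "__main__":
    for name in BACKENDS:
        print(f"--- {name} ---")
        print(translate(SAMPLE_RULE, name))
```

Running it prints the same detection logic twice, once as `source=... EventCode=1 (Image="*\\powershell.exe" AND (...)) AND NOT (User=...)` and once as `DeviceProcessEvents | where (FolderPath endswith ... ) and not (...)`. The point a migrating SOC should take from this is that the rule logic is portable, but the log-source mapping and field names are exactly the parts that differ between SIEMs, so those tables are what need validating against the new platform's schema.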
Step 1. Assessing and Planning
Replacing the old architecture might be a complicated process, especially if you want to keep operations running without interruption and make sure that all the sensitive data is stored correctly while maintaining compliance standards and achieving total visibility.
First and foremost, it is necessary to assess the current resources and the ones that need to be spent, measured against the goals that you want to achieve. You also need to review the probable challenges and risks and create a risk tolerance (risk appetite) diagram.
Here are the areas where an initial assessment is needed:
- Business needs and opportunities
- Security goals and objectives
- Possible solutions (vendors, services, etc.)
- The number and qualifications of the needed employees
- Processes that need to be changed/updated
- New architecture design
- Planning: a step-by-step outline of how to achieve SIEM transition to the cloud
- Deployment: the overview of processes that need to be leveraged in order to deploy a new solution
- Budgeting: how much CapEx and OpEx you are going to need, and in which timeframe
By the time you’re done with all the assessment, budgeting and planning, you might run into multiple issues. But don’t let them discourage you. Instead, take a granular approach and try to resolve one issue at a time. It’s also useful to look at them from a different perspective. Let’s see what obstacles you might face while implementing a cloud-based SIEM and how to resolve them.
Step 2. Overcoming Obstacles
First of all, it might be difficult to envision the right structure and to get it implemented by your staff. Additionally, while looking for qualified professionals, you might encounter a shortage of talent. You might end up spending months looking for the right professional to join your team.
Maybe a better solution is to ask for professional services at some point in your transition. For example, the architecture of the system could be outsourced, while less skilled personnel are trained so that they can start using the new cloud-based solution right after it’s ready, utilizing its full potential. Bear in mind that deployment might also take time; companies report an average of six to twelve months. So all the other points of the plan should be scheduled accordingly.
Another concern is that cloud SIEMs usually have limitations on the types of data that they can collect and process. This is associated with applicable policies, laws, and regulations. Since the accuracy, timeliness, and full visibility of data sometimes play a crucial role in good threat detection and response, you need to understand whether you can accept the risk of giving up the collection of data that the cloud SIEM doesn’t support.
Step 3. Understanding Benefits
In today’s SOC environment, it is common that no single solution can cover all the pains and needs of a security team. That’s why teams usually use a few solutions which may overlap in some domains. It’s therefore also important to understand what the strengths of the cloud SIEM you’re particularly interested in are, and how you are going to use them.
Here are weighty pieces of evidence in favor of SIEM migration to the cloud:
- Cost reduction by eliminating excessive infrastructure, maintenance, human resources, and licenses
- Faster threat detection and remediation
- Ability to combine fast automation with AI algorithms
- Improved scalability and stability of performance
- Reducing alert fatigue by automating common scenarios
The number of potential threats that need to be monitored 24/7 is continuously increasing, along with the cost of a data breach. Hence, increasing the speed of SIEM performance and automating repetitive tasks becomes necessary for maintaining the utmost security of an organization. Cost reduction is also a serious advantage, especially for small and medium-sized companies. It is fair to suggest that the final decision should depend on the company’s goals and available budget.