It is no secret that Security Incident and Event Management (SIEM) systems are a core part of the security controls for any enterprise. Most SIEM programs focus on detection and response activities such as gathering logs, predictive threat identification, sometimes providing the tooling, and querying across multiple sources of data during investigations and normal operations. In recent years, SIEM tools have evolved to incorporate concepts such as machine learning and IT automation, which allow SIEM solutions not only to detect issues, but to automate a response when appropriate.
Despite the advances in technology, the underlying problem with SIEM effectiveness has remained the same. What combination of endpoint telemetry, log capture/storage capabilities, processing power, and alerting will deliver the right alert to the right team at the right time with the right amount of detail needed to take decisive action to mitigate the threat?
In many ways, the introduction of cloud services changes some of the problems SIEMs have traditionally had, making some better and some worse. Taking telemetry as an example, cloud services are generally better at providing telemetry out of the box than native applications. This is offset by the fact that there are now greater quantities of those logs to deal with, and those logs are still not security focused.
Enterprises therefore have to figure out how to deal with SIEM “at arm’s length” from the cloud perspective. Security teams will have to use creative techniques to gather all the inputs they require from cloud providers to build effective SIEM strategies. They will have to do this at cloud speed, and, increasingly, think about systems and business processes in a distributed fashion. All of this happens against the backdrop of the division of responsibility between provider and enterprise, the shared responsibility for industry-specific regulation, and the broader business-to-business nature of SIEM processes and operations in a Hybrid IT environment.
This document shares some of the problems, experiences, and learnings that companies have gone through in this regard.