
A full-service model for SIEM

The industry needs to recognize the value that full service "SIEM in the cloud" would bring to organizations.

Organizations continue to struggle with a rise in security incidents, and CISOs and their IT teams often lack the resources to meet the challenge. Like most information security programs, ours is being asked -- and, in many cases, forced -- to do more with less.

George Do

Enter a concept that hasn't been a focus in the industry until recently: developing a security information and event management (SIEM) system that addresses not only the high costs of setup and ownership, but also the most important use cases.

SIEM promises to improve the security incident response lifecycle by collecting and analyzing data from a myriad of sources (network and security devices, security programs and servers). SIEM technologies provide log management, event monitoring, alerting and compliance reporting through complex infrastructure involving hardware, software, custom processes and analytics. Given the push towards the cloud, there's a unique opportunity to deliver SIEM in a way that adds far greater value to users.

What is the goal of a SIEM? That depends on the organization, but the common use cases are to detect, validate and adequately respond to system compromises, data leakage events, malware outbreaks, investigations into a particular user and service outages. At least that's what it is for my organization. Simplistic as it may sound, I expect that this would be the answer from most other organizations, too.

George Do, Director, Global Information Security, Equinix

  • Developed the Global Information Security Program at Equinix, integrating legacy security systems and the latest information security technologies.
  • Evaluated SIEM technologies and managed SOC services to architect a full-blown SIEM in the cloud and a cloud Web proxy service. These protect systems and users from malware and enable enforcement of established acceptable use policies.
  • Credentials and affiliations: CISSP, GIAC Certified Forensics Analyst, GIAC Certified Incident Handler, ITIL Foundation Certified, SANS Institute member

Much has been researched, written and deployed in practice regarding SIEM. However, the industry still fails to recognize the valid need for cloud-based SIEM services. A full-service SIEM would not only leverage the commonly accepted benefits of the cloud, it would address the complete incident response lifecycle. After all, a SIEM's output is basically a correlated event that responders use to investigate incidents. When and how the event is used is the key to adding greater value to any SIEM investment.

Consider a subscription-based SIEM service that is straightforward to deploy and goes several steps beyond just spitting out events. The complexity of log and event management (collection, storage and analysis) is significantly reduced because users no longer have to invest heavily in these security activities in terms of human or monetary capital. Because all of this complex infrastructure lives in the cloud, the model can be as simple as forwarding all your logs/events to the cloud, executing a basic security baseline exercise during setup and agreeing to a service-level agreement (SLA) for event alerting. In addition, the service would offer 24/7 security operations center coverage, in which frontline responders analyze each SIEM event and escalate it to users only when the SLA requires it.
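To make the pipeline described above concrete (forwarded logs in, a correlated event out, then an SLA-driven escalation decision by the frontline SOC), here is a small added illustration in Python. It is not code from the article or from any vendor it names. The log formats, the thresholds, the SLA table and the function names (`normalise`, `correlate`, `triage`) are all constructed for the example; a real SIEM applies many more rules over many more sources, but the shape of the work is the same.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, as a cloud SIEM would receive them after
# log forwarding: (source, ISO timestamp, raw message). Not real data.
SAMPLE_LOGS = [
    ("fw",   "2013-12-01T10:00:01", "DENY src=203.0.113.7 dst=10.0.0.5 dport=22"),
    ("auth", "2013-12-01T10:00:05", "sshd: Failed password for admin from 203.0.113.7"),
    ("auth", "2013-12-01T10:00:09", "sshd: Failed password for admin from 203.0.113.7"),
    ("auth", "2013-12-01T10:00:14", "sshd: Failed password for root from 203.0.113.7"),
    ("auth", "2013-12-01T10:00:20", "sshd: Accepted password for admin from 203.0.113.7"),
    ("auth", "2013-12-01T10:05:00", "sshd: Failed password for bob from 198.51.100.9"),
    ("auth", "2013-12-01T11:00:00", "sshd: Accepted password for bob from 198.51.100.9"),
]

# Per-source parsers (constructed formats). Each yields (client_ip, outcome);
# outcomes are normalised so the correlation rule is source-agnostic.
_PARSERS = {
    "fw": (re.compile(r"^DENY src=(\S+)"),
           lambda m: (m.group(1), "fail")),
    "auth": (re.compile(r"sshd: (Failed|Accepted) password for \S+ from (\S+)"),
             lambda m: (m.group(2), "fail" if m.group(1) == "Failed" else "success")),
}


def normalise(source, ts, msg):
    """Turn one raw log line into a normalised record, or None if it does not parse."""
    pattern, extract = _PARSERS[source]
    m = pattern.search(msg)
    if not m:
        return None
    ip, outcome = extract(m)
    return {"ts": datetime.fromisoformat(ts), "source": source, "ip": ip, "outcome": outcome}


def correlate(logs, window=timedelta(minutes=10), threshold=3):
    """Emit one correlated event per client IP that reaches `threshold` failures
    (counted across all sources) inside `window`. Severity is 'high' when a
    success from the same IP follows the burst inside the window, else 'medium'."""
    by_ip = defaultdict(list)
    for rec in filter(None, (normalise(*line) for line in logs)):
        by_ip[rec["ip"]].append(rec)

    events = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["outcome"] == "fail"]
        for i in range(len(fails) - threshold + 1):
            start = fails[i]["ts"]
            burst = [r for r in fails if start <= r["ts"] <= start + window]
            if len(burst) < threshold:
                continue
            success = next((r for r in recs if r["outcome"] == "success"
                            and burst[-1]["ts"] < r["ts"] <= start + window), None)
            last = success or burst[-1]
            events.append({
                "ip": ip,
                "first_seen": start,
                "last_seen": last["ts"],
                "failures": len(burst),
                "sources": sorted({r["source"] for r in burst}),
                "severity": "high" if success else "medium",
            })
            break  # one event per IP per burst; later failures fold into it
    return events


# Constructed SLA table: severity -> (respond-by delay after last_seen,
# whether the frontline SOC escalates to the customer at all).
SLA = {
    "high": (timedelta(minutes=15), True),
    "medium": (timedelta(hours=4), True),
    "low": (timedelta(hours=24), False),
}


def triage(event, sla=SLA):
    """Frontline-SOC step: attach the SLA deadline and the escalation decision."""
    delay, escalate = sla[event["severity"]]
    return {**event, "respond_by": event["last_seen"] + delay, "escalate_to_customer": escalate}


if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOGS):
        print(triage(ev))
```

Running it produces a single correlated event for 203.0.113.7 (one firewall deny plus three authentication failures, then a success inside the window, so severity "high" with a 15-minute respond-by deadline), while the lone failure from 198.51.100.9 never crosses the threshold and generates nothing for a responder to look at. That filtering is the point of the SOC tier the article describes: the customer sees the escalated event, not the raw log volume.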

The value proposition for such a service is vastly more attractive compared with traditional on-premises SIEM systems. The goal of SIEM in the cloud is to run 100% of it in the cloud with nothing on-premises.

As with most options that marry complex technology and processes, the devil is in the details. SIEM systems store and process highly sensitive data (security logs and events) for an organization and may even contain personal data.

Cloud SIEM users are required to have an extremely high level of trust with the SIEM provider. Key security challenges, such as the following, need to be addressed:

  1. Security level and posture of the vendor
  2. Limits of liabilities (customer data compromise)
  3. Governance, risk and compliance requirements (consider companies that comply with EU regulations)
  4. Compliance with privacy policy (user and corporate data leaving the premises)

Outside of work

Apple or Android? Apple

Plan B: Become a tour guide in Bora Bora.

Security hero? Richard A. Clarke, former national coordinator for security, infrastructure protection and counter-terrorism for the United States

Two things people don't know about you: I'm a political junkie. I love Legos and 80s music.

Six degrees of separation: Salvadore Rositano, an engineering college professor who changed my life by introducing me to IT, spent 50 years at NASA Ames Research (Office of Chief Technologist).

What keeps you up at night? Our struggle to leave the Earth better than we found it.

There's help out there for many of these issues. Companies such as Skyhigh Networks offer cloud security software to help organizations efficiently assess the security level and posture of cloud services. This enables organizations to quantify the risk of cloud services with hard data to back up their assessments. CISOs can then make an informed decision about whether to engage with the cloud vendor based on these merits.

The SIEM field is crowded and contains a mash of providers from traditional players -- RSA enVision, HP ArcSight, McAfee and Splunk -- to innovative log management companies, such as Sumo Logic. Each offering has strong as well as weak points. However, no one has really crafted an offering for a full-service SIEM in the cloud that includes a security operations center (SOC) with human eyes to proactively monitor events. Managed security service providers, such as AT&T and IBM, have offerings that cobble pieces together. However, these services are targeted at managing or leasing SIEM infrastructure.

A full-service SIEM should offer the following:

  1. Zero (or negligible) investments in on-premises hardware and software
  2. Quick to deploy: Just forward logs from your existing infrastructure
  3. SOC coverage, 24/7
  4. Packaged common use cases and SLA (out-of-the-box configuration)

Hopefully, the industry will come to recognize this as an issue and, more importantly, develop complete options for SIEM in the cloud. It's time security technology started taking advantage of the scalability and cost benefits realized by other services.

This was last published in December 2013
