In our recent article, we outlined the benefits of Security Information and Event Management (SIEM) systems and why they are a must-have for every organization that operates in today’s cyberspace. SIEM remains the best solution for proactively targeting proliferating security threats, though it also brings a number of risks and challenges. In this blog, we address these challenges and explain how they can be overcome by opting for SIEM-as-a-Service instead of on-premises or other options.
Let’s take a look at the biggest challenges enterprises face with SIEM deployments.
SIEM Pain Points
Long deployment time
Approximately 60% of Gartner Peer Insights respondents in both 2017 and 2018 reported that it took up to three months to deploy their SIEM solution. That means about 40% of SIEM deployments take more than three months to complete, with just under 20% taking six months or longer. Much of that time is spent shipping, receiving, installing and configuring appliances (whether physical or virtual) before the first log sources can even be consumed by the SIEM solution.
Deployments fail
Unfortunately, you have about a 50% chance that your SIEM deployment will fail. Many factors contribute to this: failure to grasp the technical challenges of the solution, lack of engagement from the entire organization, not allocating sufficient time and resources to maintain the system, or immature IT operations are just some of the reasons a deployment may fail. If you don’t provide the solution with enough threat intelligence and the proper correlation rules, it is bound to miss some serious and evolving threats too. If a deployment does fail, prepare to cover the costs; it will be the second-biggest expense right after a major data breach.
High costs
Some of the costs that have to be covered up-front with traditional SIEM include licensing, implementation and renewal costs. What’s more, security directors have to consider onboarding and overhead costs for the dedicated staff needed to maintain the solution properly. Additionally, resources are required to keep the solution up to date with the latest releases, hotfixes and patches, which some SIEM buyers fail to consider when buying an on-premises version.
The Benefits of Cloud SIEM
If high operational costs and the complex management of your existing SIEM solution (which isn’t exactly as efficient as you would expect) are the problems your enterprise faces, you should definitely consider switching to Cloud SIEM. It’s a legitimate option for organizations looking to add SIEM technologies to their security monitoring and operations toolkits. Here are the benefits of SIEM-as-a-Service:
Cloud is the new normal
Enterprises are currently migrating their workloads to the cloud; they have already realized that embarking on a journey to the cloud will allow them to benefit from everything the cloud has to offer. It no longer makes sense to pull cloud logs down into an on-premises SIEM to detect security threats. It is easier and cheaper to monitor the cloud natively. In fact, it will allow you to fully leverage cloud capabilities and keep your infrastructure more secure.
Instant deployment
When delivered as a service, SIEM technology allows you to significantly reduce implementation time. This option does not require installation; only your log sources or agents need to be pointed to the Cloud. The operational burden is fully passed on to the third-party vendor. Licensing is a lot simpler than in the case of an on-premises installation, which makes it the best time-to-value option currently available on the market.
Cost savings
With Cloud SIEM, administration and maintenance efforts, as well as maintenance costs, are passed on to the third-party vendor. It also allows you to transition from CAPEX to OPEX frameworks. SIEM specialists are increasingly responding to the demand for predictable expense control by offering pricing models based on the number of employees or IP addresses, with unlimited data capacity for a given retention period, which makes it a lot more cost-effective than on-premises SIEM solutions.
Reduction of dwell time
With traditional SIEM, incidents are usually first reported when operational disruptions occur. What’s more, the logs produced by security products responsible for recognizing and filtering threats are of little use when it comes to detecting advanced threats that slip past those products and are already inside the network. Cloud SIEM, on the other hand, incorporates diverse data sources to detect such issues as compromised hosts, stolen accounts, fraud campaigns, insider misbehavior and negligent users, which allows you to react and neutralize threats before damage occurs. It really lets you be more proactive about detecting and eliminating threats to the network and infrastructure.
Elimination of staffing needs and costs
Deployed SIEM solutions constantly log events and alerts, but making sense of them is the job of security operations staff. They have to be trained to know how to operate on-premises SIEM solutions, and the process is long and complex. Cloud SIEM, on the other hand, analyzes alerts and events to produce prioritized, condensed task lists to manage reactive corrections and proactive threat-hunting activities. This means you make significant savings on personnel and onboarding costs.
Scalability
Cloud SIEMs can be conveniently scaled as needed and when needed. As data lakes mature, they increase SIEM capacity to take on additional data sources. Cloud-based SIEMs can massively scale the amount of data managed without the difficulties associated with traditional SQL-based architectures. SIEMs can now consume log data from new applications or new sources of data for advanced analytics.
Uncompromised data security
Security data is as safe in the Cloud as it is on-premises. There used to be vociferous resistance from security operations to ceding control of security data, with the fear that a breach of the Cloud provider datacenter would give hackers a blueprint of the network. The modern approach recognizes that much valuable business data already exists in the Cloud in places such as Salesforce, Office 365 and Oracle PeopleSoft; there is no evidence that data is any less safe in shared Cloud datacenters than it is in private datacenters, and security operations can no longer justify being a laggard in realizing the economic benefits of moving its infrastructure to the Cloud.
Security Management with Cloud SIEM
Cloud SIEM allows you to manage the security of the organization rather than the solution itself, as is the case with on-premises options. The benefits of a SaaS SIEM model can outweigh the risks for many organizations. It’s all down to Cloud economics: SIEM-as-a-Service is faster, better and cheaper, and now makes sense for every team of every size because of its ability to scale.
SIEM-as-a-Service will be the future of how many organizations consume SIEM technology. There are already a variety of vendors with diverse offerings.
When choosing a vendor, keep in mind that the complexity of the solution will increase with hybrid cloud. It’s important to choose a SIEM vendor that can handle multiple use cases and offers the necessary built-in integrations. Be wary of vendors like Splunk that deliver untested and uncertified apps.
Sridhar Karnam leads the security product marketing for Sumo Logic. Sri has a decade of experience with SIEM, Security Analytics, Cloud Security, and IT Operations. He has led product management & marketing for SIEM solutions at ArcSight, Arctic Wolf, and at Oracle. He has written hundreds of blogs on SIEM, and has also spoken at many security and IT events.