SIEM, Meet the Public Cloud
Security information and event management (SIEM) systems have evolved quite a bit over the past 19 years. There have been quite a few shifts throughout that evolution, with different vendors, use cases and functionalities dancing in and out of the frame.
In simple terms, SIEM’s evolution started from a simple tool designed to help organizations achieve and maintain compliance, and spun into a complex threat-detection system that allows security operations center (SOC) analysts to respond to incidents more quickly and effectively.
SIEM has exploded into a $2.5 billion market, dominated by major players such as Splunk, IBM, LogRhythm and AT&T (AlienVault), according to CSO.
In technology, evolution is a good thing, right? Generally, yes; however, some say that SIEM has gotten a little too big for its britches, trying to take on too much.
One of the reasons SIEM software for security operations is getting so much attention nowadays is because of its new, added capabilities.
“Now a lot of SIEM technologies bring in threat-intelligence feeds in addition to traditional log data, and there are multiple SIEM products that have security-analytics capabilities that look at network behavior as well as user behavior to give more intelligence around whether an activity indicates malicious activity,” explained Paula Musich, research director at Enterprise Management Associates (EMA).
Technology research firm Gartner is all about this. In its May 2017 report on the worldwide SIEM market, Gartner calls out the stellar SIEM tools, saying “innovation in the SIEM market is moving at an exciting pace to create a better threat detection tool.”
This is all well and good, but as SIEM scaled, organizations understandably began to need more and more hardware tiers to keep up with the added performance and scale. This has led to a situation where SOC personnel, who need to throw all of their focus and energy at activities such as threat detection, incident response and forensic investigations, are instead dependent upon SIEM infrastructure teams to upgrade hardware, load balance servers and add storage capacity.
Goodbye On-Premises Servers, Hello Public Cloud
This year, it is predicted the security analytics/operations technology model will start to undergo a sizeable shift — it’s about to get a bit cloudy. Over the next few years, experts say that the SIEM backend will migrate from on-premises servers to public cloud infrastructure.
This transition to cloud-based alternatives already has begun, spurred by shifts on the supply-and-demand side of things. CISOs and MSPs will likely go after cloud-based SIEM solutions because of the following reasons, as outlined by CSO:
- Huge growth in security data. According to experts, organizations collect, process, and analyze a lot more security data than they did two years ago. Continuous security-data growth means more infrastructure, personnel, and more operational tasks.
- Higher software costs. Some SIEM vendors are basing their pricing on the amount of data under management. “I’ve heard CISOs complain that it’s not unusual for them to blow through a three-year SIEM budget in a year,” shared Jon Oltsik, a principal analyst at Enterprise Strategy Group (ESG).
- Unacceptable tradeoffs. Considering the new capacity-based pricing of SIEM software, many organizations are being forced to ignore or get rid of valuable security data that they would have normally stored and analyzed. Frankly, this is a lousy choice for security analysts to have to make.
- Cybersecurity and IT skills shortages. Ahh, the classic problem of not having enough skilled personnel. Because of this, CIOs and CISOs are forced to decide whether they want to hire and retain personnel dedicated to the exhaustive care and feeding of networks, servers, and storage devices.
For CISOs and providers, cloud-based SIEM can …