How to Move Your SIEM to the Cloud
Security information and event management (SIEM) solutions enable you to centralize threat management. You can use a SIEM to detect, analyze, and monitor potential threats. You can deploy a SIEM on-premises or in the cloud, depending on your overall security needs. In this article, you will learn how on-prem and cloud SIEM differ, and how to move your SIEM to the cloud.
What Is SIEM And How Does it Work?
Security information and event management (SIEM) solutions are tools that you can use to monitor, detect, and analyze potential threats. These solutions often form the foundation of an organization’s security operations center (SOC) and support many security and IT processes.
The primary purpose of SIEM is to centralize logging information, alert teams to issues, and provide context for investigating events. These solutions operate by aggregating data from across your system. This data is then analyzed and correlated to determine if it matches known patterns of threats.
Analysis combines predetermined rules with machine learning algorithms whose accuracy and depth improve as they process more data. These algorithms enable teams to apply User and Entity Behavioral Analytics (UEBA) to distinguish “normal” from “abnormal” behavior. New events are compared to known patterns, and exceptions are flagged and used to trigger an alert.
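To make the two analysis styles concrete, here is an added example (not code from the article) of a miniature SIEM-style pass over constructed log lines. It applies one predetermined correlation rule (repeated authentication failures from one user and address followed by a success) and one UEBA-style baseline check (hourly event volume far above a user's historical mean). The log format, the thresholds, the baseline figures and the sample events are all assumptions chosen for illustration.

```python
"""Added example (not from the article): a miniature SIEM-style analysis pass
over constructed log lines. It applies one correlation rule (repeated
authentication failures followed by a success) and one UEBA-style baseline
check (event volume far above a user's historical mean). The log format,
thresholds and baseline numbers are assumptions chosen for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <source host> <user> <event> <client IP>"
SAMPLE_LOGS = [
    "2024-03-01T08:00:01 vpn01 alice AUTH_FAIL 203.0.113.5",
    "2024-03-01T08:00:05 vpn01 alice AUTH_FAIL 203.0.113.5",
    "2024-03-01T08:00:09 vpn01 alice AUTH_FAIL 203.0.113.5",
    "2024-03-01T08:00:12 vpn01 alice AUTH_FAIL 203.0.113.5",
    "2024-03-01T08:00:20 vpn01 alice AUTH_FAIL 203.0.113.5",
    "2024-03-01T08:00:31 vpn01 alice AUTH_OK 203.0.113.5",
    "2024-03-01T08:10:00 vpn01 carol AUTH_FAIL 198.51.100.9",  # a single typo: no alert
    "2024-03-01T08:10:07 vpn01 carol AUTH_OK 198.51.100.9",
    "2024-03-01T09:30:00 fs01 alice FILE_READ 10.0.0.4",
] + [
    # bob reads 40 files in the 09:00 hour; his assumed baseline is about 20 per hour
    f"2024-03-01T09:{i // 60:02d}:{i % 60:02d} fs01 bob FILE_READ 10.0.0.7" for i in range(40)
]

# Assumed per-user baseline: (mean, standard deviation) of FILE_READ events per hour,
# the kind of figure a SIEM learns from previous weeks of data.
BASELINE = {"alice": (2.0, 1.0), "bob": (20.0, 4.0)}


def parse(line):
    """Turn one log line into a dict with a real datetime."""
    ts, host, user, event, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "event": event, "ip": ip}


def auth_failures_then_success(events, fail_threshold=5, window=timedelta(seconds=60),
                               success_within=timedelta(minutes=5)):
    """Rule-based correlation: at least `fail_threshold` AUTH_FAIL events from the
    same (user, ip) inside `window`, followed by an AUTH_OK within `success_within`."""
    recent_fails = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        q = recent_fails[(e["user"], e["ip"])]
        if e["event"] == "AUTH_FAIL":
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:  # drop failures outside the sliding window
                q.popleft()
        elif e["event"] == "AUTH_OK":
            if len(q) >= fail_threshold and e["ts"] - q[-1] <= success_within:
                alerts.append({"rule": "auth_failures_then_success", "user": e["user"],
                               "ip": e["ip"], "failures": len(q), "ts": e["ts"]})
            q.clear()  # a success ends the failure streak either way
    return alerts


def volume_outliers(events, baseline, event_type="FILE_READ", sigma=3.0):
    """UEBA-style check: hourly count of `event_type` per user compared with that
    user's baseline; anything above mean + sigma * std is flagged."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == event_type:
            hour = e["ts"].replace(minute=0, second=0, microsecond=0)
            counts[(e["user"], hour)] += 1
    alerts = []
    for (user, hour), n in counts.items():
        mean, std = baseline.get(user, (0.0, 1.0))  # unknown users get a strict baseline
        threshold = mean + sigma * std
        if n > threshold:
            alerts.append({"rule": "volume_outlier", "user": user, "hour": hour,
                           "count": n, "threshold": threshold})
    return alerts


def analyze(lines=SAMPLE_LOGS):
    """Run both checks over the parsed events and return the combined alert list."""
    events = [parse(line) for line in lines]
    return auth_failures_then_success(events) + volume_outliers(events, BASELINE)


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

Running it yields exactly two alerts: the rule fires for alice (five failures, then a success eleven seconds later) and the baseline check fires for bob (40 reads against a threshold of 32), while carol's single failed login and alice's one file read stay silent. A production SIEM does the same two things at scale, with the baseline learned rather than typed in.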
On-Prem SIEM vs Cloud
When choosing a SIEM solution, there are two deployment options: on-premises and cloud-based. The type of solution you should choose depends on your infrastructure, the distribution of your resources, and your IT security team’s capabilities.
On-premises SIEM solutions are hosted on your internal resources and are managed entirely by you. These solutions give you complete control over your configurations, what data is ingested, and what happens to your data after it is collected. Additionally, some SIEMs offer customized integration, which means you can adjust the solution to fit your existing tooling and infrastructure.
The downside of on-premises SIEM is that it requires you to manage all maintenance, configuration, and customization in-house. This requires significant expertise and time to ensure that solutions are up to date and operating as expected. It also requires you to have in-house resources to evaluate the data and alerts that SIEMs provide.
Cost-wise, on-premises solutions require you to pay for initial licensing, infrastructure provisioning and maintenance, and operation. If you need to scale your solution, you need to provision or purchase more resources to meet your needs. On-premises SIEM solutions usually do not have ongoing service fees.
Cloud-based SIEM solutions are hosted on cloud resources and are typically provided by a third-party vendor. These solutions are managed by the vendor and do not require you to manage infrastructure, configure integrations, or maintain the solution. When implementing a cloud-based solution, you define what system components should be monitored and manage data access from your end.
Depending on the service you choose, you may still be responsible for monitoring events, or vendor teams may provide monitoring for you. Alerts are typically still sent to in-house teams for investigation and response.
Cloud-based SIEMs are provided on a subscription basis, and the costs of hosting, maintenance, and licensing are included. The benefits of cloud-based solutions include scalability, built-in support, flexible deployments, and availability. The downsides of cloud-based SIEMs are the need for increased security (to account for Internet connectivity) and the potential for vendor lock-in. Additionally, depending on the vendor, you may only have access to select reports, alerts, or data.
Moving Your SIEM to the Cloud: 4 Key Steps
For many organizations, choosing a cloud-based SIEM is the better option. Organizations may not have the in-house resources to support a SIEM, may want to supplement in-house IT, or may already be operating in cloud-based environments. Regardless of the reason, if you are considering moving to the cloud, consider the following steps.
1) Determine SIEM priorities
Before you can move SIEM operations to the cloud, you need to take an inventory of your goals. Evaluate what your requirements are for monitoring, alerting, and support. You also need to evaluate which compliance regulations you are subject to.
When selecting a solution, make sure that you understand exactly how your data is handled, what service level agreements apply, and your responsibilities. You should also carefully review your budget. While cloud-based SIEMs can provide cost savings, you still need to account for associated costs, such as staff time and training.
2) Scope data collection sources
Understanding which data sources you need to monitor is key to effectively choosing and migrating a SIEM solution. You need to ensure that data sources are compatible with the solution you have chosen and set up connections for data transfer.
You also need to verify that sources are being reliably ingested after migration. If you do not have an inventory of your data sources and an idea of what type and volume of data should be present, you cannot guarantee visibility.
Sources to consider include applications, servers, network devices, endpoints, firewalls, operating systems, and directory services. You need to evaluate these sources across environments and ensure ingestion is reliable, secure, and timely.
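The inventory-and-verify step above is easy to state and easy to skip. As an added example (not code from the article), the following script compares a constructed inventory of expected sources, each with an expected hourly volume and a tolerated silence, against a constructed summary of what the SIEM actually received in the last hour, and reports sources that are missing, stale, or sending far less than expected, plus any source that is sending data nobody planned for. The inventory, the observed figures, the thresholds and the `check_ingestion` function are all assumptions; in practice the observed figures would come from the SIEM's own API or a saved search.

```python
"""Added example (not from the article): a post-migration ingestion check.
Compares an inventory of expected log sources with what the SIEM actually
received and reports missing, stale, low-volume and unexpected sources. The
inventory, the observed statistics and the thresholds are constructed
assumptions."""
from datetime import datetime, timedelta

# Constructed inventory: expected hourly volume and tolerated silence per source
INVENTORY = {
    "fw-edge-01": {"type": "firewall", "expected_per_hour": 5000, "max_silence": timedelta(minutes=5)},
    "dc-01": {"type": "directory service", "expected_per_hour": 800, "max_silence": timedelta(minutes=15)},
    "web-app": {"type": "application", "expected_per_hour": 1200, "max_silence": timedelta(minutes=10)},
    "edr-agents": {"type": "endpoint", "expected_per_hour": 20000, "max_silence": timedelta(minutes=5)},
}

# Constructed ingestion summary for the last hour, as of NOW
NOW = datetime.fromisoformat("2024-03-01T12:00:00")
OBSERVED = {
    "fw-edge-01": {"count_last_hour": 4800, "last_seen": datetime.fromisoformat("2024-03-01T11:59:30")},
    "dc-01": {"count_last_hour": 120, "last_seen": datetime.fromisoformat("2024-03-01T11:55:00")},  # alive, volume collapsed
    "web-app": {"count_last_hour": 0, "last_seen": datetime.fromisoformat("2024-03-01T10:40:00")},  # went silent
    "legacy-proxy": {"count_last_hour": 300, "last_seen": datetime.fromisoformat("2024-03-01T11:58:00")},  # not planned
    # "edr-agents" never showed up at all
}


def check_ingestion(inventory, observed, now, low_ratio=0.5):
    """Return a list of (source, status, detail) findings; an empty list means
    every inventoried source is reporting at a plausible volume and nothing
    unexpected is arriving."""
    findings = []
    for name, spec in inventory.items():
        obs = observed.get(name)
        if obs is None:
            findings.append((name, "missing", f"{spec['type']} source has sent no events"))
            continue
        silence = now - obs["last_seen"]
        if silence > spec["max_silence"]:
            findings.append((name, "stale", f"last event {silence} ago, limit {spec['max_silence']}"))
            continue  # a stale source is already a finding; skip the volume test
        ratio = obs["count_last_hour"] / spec["expected_per_hour"]
        if ratio < low_ratio:
            findings.append((name, "low_volume", f"{obs['count_last_hour']} events, {ratio:.0%} of expected"))
    for name in sorted(observed.keys() - inventory.keys()):
        # Data from an uninventoried source deserves a look too: it costs money
        # to ingest and nobody has defined who owns it or what it should contain.
        findings.append((name, "unexpected", "not in inventory"))
    return findings


if __name__ == "__main__":
    for source, status, detail in check_ingestion(INVENTORY, OBSERVED, NOW):
        print(f"{source:12} {status:10} {detail}")
```

The firewall passes; the directory service is still alive but at 15% of its expected volume (a typical symptom of a forwarder that lost part of its configuration in the move); the application went quiet 80 minutes ago; the endpoint agents never connected; and a proxy nobody inventoried is sending data. Run on a schedule, a check like this is what turns "we migrated the sources" into "we still have visibility".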
3) Define operational processes
Integrating your new SIEM solution into your workflows is just as important as integrating data sources. Your analysts need to understand how to operate your solution, including configuring alerts, querying data, and monitoring system status. Depending on the SIEM, they also need to incorporate solution outputs into their investigation and response processes.
For some organizations, this means adapting existing playbooks to incorporate SIEM functionalities and outputs, for example by adding components for asset discovery, endpoint detection and response, identity and access management, sandboxing, or threat intelligence.
As workflows and playbooks are adapted, make sure to document any changes. This is particularly true for changes in responsibilities and permissions. You need to clearly define how event data is handled in your system, who has access, and what measures are being taken to ensure compliance.
4) Establish benchmark criteria
Once your solution is in place, you need to audit your configurations and benchmark your performance. This can help you identify issues and ensure that your operations and visibility are optimized. Benchmarks to consider include ISO compliance, mean time to detection, search times, and the number of alerts managed.
You may also find it useful to benchmark performance throughout your migration and configuration. This can help you identify progress towards a complete implementation and help you keep track of what configurations, workflows, or integrations still need to be tuned.
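Benchmarks are only useful if they are computed the same way each time. As an added example (not code from the article), the script below derives several of the figures named above, mean time to detection, search times and alerts managed, from constructed incident, alert and query records, and adds mean time to respond as a companion to MTTD. The record layout, the field names and the sample data are assumptions; the percentile uses the nearest-rank method, which is stated in the code.

```python
"""Added example (not from the article): computing a few SIEM benchmarks
(mean time to detection, mean time to respond, search times, alerts managed)
from constructed incident, alert and query records. Field names and sample
data are assumptions chosen for illustration."""
from datetime import datetime
from math import ceil
from statistics import mean, median

# Constructed incident records: first malicious event, SIEM alert time, closure time
INCIDENTS = [
    {"id": "INC-1", "first_event": "2024-03-01T08:00:00", "detected": "2024-03-01T08:05:00", "closed": "2024-03-01T10:00:00"},
    {"id": "INC-2", "first_event": "2024-03-02T01:00:00", "detected": "2024-03-02T03:00:00", "closed": "2024-03-02T09:00:00"},
    {"id": "INC-3", "first_event": "2024-03-03T14:30:00", "detected": "2024-03-03T14:40:00", "closed": "2024-03-03T16:40:00"},
]

# Constructed alert dispositions from the same period
ALERTS = (
    [{"id": f"ALT-{i}", "disposition": "true_positive"} for i in range(3)]
    + [{"id": f"ALT-{i}", "disposition": "false_positive"} for i in range(3, 8)]
    + [{"id": f"ALT-{i}", "disposition": "open"} for i in range(8, 10)]
)

# Constructed wall-clock seconds for analysts' searches
SEARCH_TIMES_S = [0.8, 1.2, 0.9, 4.5, 1.1, 30.2, 1.0, 0.7, 0.6, 2.3]


def minutes_between(start, end):
    """Elapsed minutes between two ISO timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def mean_time_to_detect(incidents):
    """MTTD in minutes: first malicious event -> SIEM alert."""
    return mean(minutes_between(i["first_event"], i["detected"]) for i in incidents)


def mean_time_to_respond(incidents):
    """MTTR in minutes: SIEM alert -> incident closed."""
    return mean(minutes_between(i["detected"], i["closed"]) for i in incidents)


def alert_stats(alerts):
    """How many alerts were actually worked, how many are still waiting, and
    what share of the worked ones turned out to be noise."""
    managed = [a for a in alerts if a["disposition"] != "open"]
    false_positives = sum(1 for a in managed if a["disposition"] == "false_positive")
    return {
        "total": len(alerts),
        "managed": len(managed),
        "open": len(alerts) - len(managed),
        "false_positive_rate": false_positives / len(managed) if managed else 0.0,
    }


def percentile(values, p):
    """Nearest-rank percentile; p is in (0, 100]."""
    ordered = sorted(values)
    return ordered[ceil(p / 100 * len(ordered)) - 1]


def benchmark_report(incidents=INCIDENTS, alerts=ALERTS, search_times=SEARCH_TIMES_S):
    """One dict of benchmark figures, suitable for logging after each migration phase."""
    return {
        "mttd_minutes": round(mean_time_to_detect(incidents), 2),
        "mttr_minutes": round(mean_time_to_respond(incidents), 2),
        "alerts": alert_stats(alerts),
        "search_median_s": median(search_times),
        "search_p95_s": percentile(search_times, 95),
    }


if __name__ == "__main__":
    for key, value in benchmark_report().items():
        print(f"{key}: {value}")
```

Two things the numbers show that a single average hides: the p95 search time (30.2 s) is thirty times the median, which usually points at one slow data source or one unindexed field rather than a slow platform, and a 62.5% false-positive rate on managed alerts is the figure to watch as rules are tuned after the move. Recording the same report before migration, mid-migration and after go-live is what makes the comparison meaningful.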
SIEMs are powerful tools, often used by SOCs and incident response teams. You can deploy SIEMs on-prem or in the cloud, and there are certain advantages to each implementation. You should note that on-prem SIEMs require in-house management, whereas cloud SIEMs often offer a shared responsibility model.
With our expertise in managing SOCs and SIEM technology, we can help you choose the right technology that fits your unique needs and requirements.
Learn more about our SOC-as-a-Service solution.
About the Author
This blog post was written by guest blogger Gilad David Maayan.
Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp, and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, a leading marketing agency in the technology industry.