
7 Things to Consider Before Implementing a Cloud Security Solution

Rahul

According to Wikipedia, Security Information and Event Management, short for SIEM, is a term for software products and services that combine security information management (SIM) and security event management (SEM). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. It's an approach to security management that provides a holistic view of an organization's security. Logs are generated by a large number of devices in an organization. In one branch alone, there are so many devices (routers, firewalls, IDS, etc.) generating logs that need to be tracked constantly for unauthorized access, indications of network threats, and so on. Occasionally, it may even be required to find out what a particular user did on a particular date and time (forensics).


Analyzing so many logs is, as you would imagine, easier said than done. The complexity of the task increases exponentially with the size of the organization (companies with hundreds of branches will fully empathize with this statement and are probably looking for a solution). That's where SIEM becomes important: security teams need to discover unknown threats hidden inside the vast amounts of data generated in logs, and they also need to know when system activity doesn't match normal business patterns. McAfee, HP and IBM are some of the leading SIEM vendors in India.

General use-case scenario

The traditional approach that most SIEM systems use is to deploy multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, and even specialized security equipment such as firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console, which performs inspections and flags anomalies. To allow the system to identify anomalous events, it's important that the SIEM administrator first creates a profile of the system under normal event conditions. The information collected by the SIEM is then aggregated and standardized to reduce duplication and initiate analysis of the data. It is then correlated between data sources and analyzed against a set of human- or vendor-defined rules to provide real-time reporting and alerting on events that may require intervention.
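The pipeline described above (collect from several device types, normalize to one schema, drop duplicates, compare against a normal-conditions profile, correlate against a rule) as an added miniature example; this is illustration code written for this article, not any vendor's product. The log lines, regexes and the "three failures then a success" rule are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events from a firewall collector and a Linux auth-log collector; line 3 repeats line 2 (forwarded twice).
RAW_EVENTS = [
    ("firewall", "2024-05-01T10:00:01 fw1 DENY TCP 203.0.113.7:51234 -> 10.0.0.5:22"),
    ("auth", "2024-05-01T10:00:02 srv1 sshd: Failed password for admin from 203.0.113.7"),
    ("auth", "2024-05-01T10:00:02 srv1 sshd: Failed password for admin from 203.0.113.7"),
    ("auth", "2024-05-01T10:00:03 srv1 sshd: Failed password for admin from 203.0.113.7"),
    ("auth", "2024-05-01T10:00:04 srv1 sshd: Failed password for admin from 203.0.113.7"),
    ("auth", "2024-05-01T10:00:05 srv1 sshd: Accepted password for admin from 203.0.113.7"),
    ("auth", "2024-05-01T10:00:09 srv1 sshd: Accepted password for alice from 10.0.0.20"),
]
FW_RE = re.compile(r"(\S+) (\S+) (ALLOW|DENY) \S+ ([\d.]+):\d+ -> ([\d.]+):\d+")
AUTH_RE = re.compile(r"(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from ([\d.]+)")

def normalize(source, line):
    """Map each collector's native format onto one common event schema (standardization)."""
    if source == "firewall":
        ts, host, action, src, _dst = FW_RE.match(line).groups()
        return {"ts": ts, "host": host, "type": "fw_" + action.lower(), "src": src, "user": ""}
    ts, host, result, user, src = AUTH_RE.match(line).groups()
    return {"ts": ts, "host": host, "type": "auth_" + result.lower(), "src": src, "user": user}

def aggregate(raw):
    """Normalize all events and drop exact duplicates (the same event forwarded by two paths)."""
    seen, events = set(), []
    for source, line in raw:
        ev = normalize(source, line)
        key = tuple(ev[k] for k in ("ts", "host", "type", "src", "user"))
        if key not in seen:
            seen.add(key)
            events.append(ev)
    return events

def baseline_deviations(events, baseline, factor=2):
    """Flag event types whose count exceeds the 'normal conditions' profile by more than the factor."""
    counts = Counter(ev["type"] for ev in events)
    return {t: n for t, n in counts.items() if n > factor * baseline.get(t, 0)}

def correlate(events, threshold=3):
    """Rule: at least `threshold` failed logins from one source to one host, then a success on it."""
    failures, alerts = defaultdict(int), []
    for ev in sorted(events, key=lambda e: e["ts"]):  # correlate in time order across sources
        key = (ev["src"], ev["host"])
        if ev["type"] == "auth_failed":
            failures[key] += 1
        elif ev["type"] == "auth_accepted" and failures[key] >= threshold:
            alerts.append(("brute_force_then_success", ev["src"], ev["host"], ev["user"]))
    return alerts
```

Running `correlate(aggregate(RAW_EVENTS))` yields one alert for the admin login from 203.0.113.7; the duplicate forwarded line is counted once, so the rule does not fire early.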

The Need for Cloud-based SIEM

Despite all the benefits offered by cloud-based services, security continues to remain a critical concern and a barrier to cloud adoption for most organizations. Even if the organization is comfortable with a cloud service provider's security background, they are often surprised to find they are ultimately responsible for securing their own data. Fortunately, security information and event management (SIEM) solutions are able to extend information and access controls to the cloud in addition to physical and virtual environments. Cloud-based SIEM provides a scalable, fully managed service that can be integrated with public and private cloud and on-premise systems and infrastructure. A traditional on-premise SIEM implementation can be complex to plan and install and requires specific IT expertise. A cloud-based service is ideal for organisations with limited IT resources, which would be unable to implement and maintain a full on-premise SIEM.

Moreover, a cloud-based service provides scalability and allows organisations to test and gradually deploy in a controlled manner, while only paying for the services they are actually using. This is more cost-effective than paying up-front for a full SIEM solution that may never be fully implemented and/or managed.


Things to consider before implementation

On the basis of guidance published by the Cloud Security Alliance (CSA), we mark out below some implementation considerations to work through before opting for a particular vendor's SIEM solution.

1. Business requirement - First document in detail each of the problems that the solution needs to address, and who benefits from the solution. It should also include the perspective of how this benefits each corporate department (security, risk, compliance, fraud, Human Resources, Audit, etc.) and how responses to the actions generated will improve processes over current solutions.

2. Monitored devices - Most providers market their offers based on the number of monitored devices. There could be a difference in how their SIEM product counts devices. Try to list all the devices that should be included. Some SIEM vendors will count a log server as a single device, whereas others will base their count on how many devices report in to the log server.


3. Supported vs. unsupported devices - Some SIEM providers will charge extra for unsupported devices or devices that have unique log formats. Insist on viewing the support matrix and understand how it will affect the cost. If you are working with a virtualized environment, ensure that the SIEM can see within each individual virtual machine and track changes within the hypervisor.

4. Number of reports/rules/EPS (events per second) - Some SIEM providers will charge extra for additional reports or events. Make sure that you are covered.

5. Standard vs. custom rules - Some SIEM vendors will charge a per-rule fee for each rule invoked. They may also charge extra for custom rules, or for rules that the enterprise creates ad hoc to examine a problem. This can become very expensive if the device is not tuned to your environment properly.


6. Number of dashboards and/or users - The number of dashboards and services made available for self-service and for the customer's internal use of the SIEM should be clearly defined. There is sometimes a "per seat" charge for the dashboards, and often internal use of the SIEM is discouraged by charging extra for that service.

7. Log retention, log access and log storage - Make sure the offering helps you address your regulatory requirements, particularly where logs are stored and how access is controlled. Also, make sure that logs are deleted in accordance with your retention specifications. If the retention policies require active and then long-term retention, make sure that the vendor provides an option to transfer the logs to the enterprise in a standard (non-proprietary) format for internal long-term retention.

Associated Concerns

Each application has to go through adverse situations, because it is very unlikely that you will get standard conditions every time. The strength of an application depends on how it responds in critical situations. There has to be a way out in every situation. Therefore, there are some concerns that need to be addressed:


1. DDoS attack - An enterprise under a distributed denial-of-service attack will most likely lose connectivity, response, and remediation data from the SIEM if the SIEM systems share the enterprise network data flows. The response to the incident is only as good as the security information it is based upon. Therefore, alternate routes for the security systems should be considered.

2. Deperimeterization of security controls - With the integration of public cloud-based services, private cloud services, traditional networks, and the mobile workforce, a well layered and segmented approach needs to be created in order to support a SIEM system. When the enterprise network is under attack or failing, the SIEM system infrastructure needs to be solid so that the incident response teams can rely on the data to protect and remediate.

3. Disaster Recovery and Business Continuity is another area of concern for network and security teams.

4. Security of log data in transit or at rest also needs to be a major concern for the architects. Encrypted data is useless if the keys are somehow corrupted or lost. The logs held at the vendor should not be protected by the same keys as those used within the enterprise.
