The Cloud Security Alliance has developed a guidance document to help organizations evaluate cloud-based implementations of security applications, including information on evaluating and implementing Security Information and Event Management (SIEM) systems in the cloud.
Many IT organizations are looking to the cloud in order to make the most of their budget. This includes deploying IT security as a cloud-based service. Some of the security services for which companies turn to cloud providers include firewall management, vulnerability assessments, patch management, intrusion detection system (IDS) management, email security and content filtering, intrusion response/forensics, change and anomaly detection, and support for compliance reporting.
As it turns out, many of these security services work with the kind of raw data that can be monitored, correlated, reported and controlled by an overarching Security Information and Event Management (SIEM) system. Consequently, a SIEM system is a vital component of what a cloud security services provider can offer its customers.
SECURITY AS A SERVICE: The cloud services explosion
SIEM solutions allow service providers to deliver a full portfolio of security services, with SIEM providing the layer of supervisory analysis and intelligence across their overall portfolio of services. SIEMs transform noisy, low-level security event information generated by firewalls and other devices into meaningful alerts that can be readily comprehended and acted upon by security analysts.
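The transformation described above, from raw firewall events to an analyst-facing alert, is the core of what a SIEM does. The following added example (not from the CSA guide or any vendor product) shows the two basic steps in miniature: normalizing raw log lines into structured events, then applying a sliding-window correlation rule that raises one alert when a single source is denied on several distinct ports within a short interval. The log format, host name, IP addresses and the rule parameters are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (documentation-range addresses, not real traffic).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22",
    "2024-05-01T10:00:03Z fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=23",
    "2024-05-01T10:00:05Z fw01 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443",
    "2024-05-01T10:00:07Z fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389",
    "2024-05-01T10:00:09Z fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=445",
    "2024-05-01T10:00:11Z fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=8080",
    "2024-05-01T10:05:00Z fw01 DENY src=198.51.100.9 dst=192.0.2.11 dport=80",
]

# Hypothetical line layout; a real SIEM ships a parser per device type.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def normalize(line):
    """Turn one raw log line into a structured event dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": d["host"],
        "action": d["action"],
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
    }


def normalize_all(lines):
    """Normalize every line, silently dropping lines the parser does not recognize."""
    events = [normalize(line) for line in lines]
    return [e for e in events if e is not None]


def correlate_denies(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rule: one alert per source that is denied on at least
    `threshold` distinct destination ports within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events in [start, end] fit in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            ports = {e["dport"] for e in in_window}
            if len(ports) >= threshold:
                alerts.append({
                    "rule": "multi-port-deny",
                    "src": src,
                    "first_seen": in_window[0]["ts"].isoformat(),
                    "last_seen": in_window[-1]["ts"].isoformat(),
                    "distinct_ports": len(ports),
                    "event_count": len(in_window),
                })
                break  # one alert per source, not one per additional event
    return alerts


def detect(lines, threshold=5, window_seconds=60):
    """Full pipeline: raw lines -> normalized events -> correlated alerts."""
    events = normalize_all(lines)
    return correlate_denies(events, threshold, timedelta(seconds=window_seconds))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Run on the constructed sample, the six individual DENY lines for 203.0.113.7 collapse into a single alert, while the lone DENY from 198.51.100.9 produces nothing; that collapse from many noisy events to one actionable record is the property the paragraph above attributes to a SIEM. In a real deployment the threshold and window would be tuned per customer, which is one of the per-tenant configuration concerns a cloud SIEM provider must manage.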
SIEMs are a natural extension to the cloud security-as-a-service (SecaaS) model for a number of reasons. For instance, they typically require significant data storage that many IT organizations are challenged to provide. They have high scaling requirements with respect to event collection. SIEMs usually provide third-party device data interoperability that service providers can leverage across multiple customers. And, they often require a 24/7 security operations center approach with tightly defined technical requirements where service providers can demonstrate core competency across multiple customers.
Cloud-based SIEM services help security teams improve threat identification and risk mitigation, reduce remediation cycle times, and demonstrate regulatory compliance. But, just as with the introduction of early cloud services, organizations have many reservations and concerns about moving their sensitive and critical security services to the cloud.
To address such concerns, the Cloud Security Alliance (CSA) was formed to promote the use of best practices for providing security assurance within cloud computing, as well as to provide education on the uses of cloud computing to help secure all other forms of computing. The research arm within the CSA has spent several years developing guidance on all areas of security-as-a-service. The purpose of the research is to identify consensus definitions of what SecaaS means, to categorize the different types of SecaaS, and to provide guidance to organizations on reasonable implementation practices.
Recently the CSA released the SIEM guideline as part of its overall Security-as-a-Service Implementation Guidance. A 33-page section of the guide provides best practices on how to evaluate, architect and deploy cloud-based SIEM services to both enterprise and cloud-based networks, infrastructure and applications. It addresses the leveraging of cloud-based SIEM services in support of cloud environments, both public and private, hybrid environments, and traditional non-cloud environments. It looks at the requirements, implementation considerations and concerns, and implementation steps as part of the many considerations for SIEM.
The target audience for the guide includes executive leadership, compliance officers, auditors, IT security managers, technical architects and system managers who are responsible for monitoring and auditing their organization's infrastructure and applications. The guide is divided into four primary tactical sections:
• A high-level overview of SIEM functions and implementation options. This section addresses key functionality for which SIEM can be leveraged, and touches on less traditional deployments that can be implemented in specific markets where regulatory or other compliance issues require it.
• The considerations and concerns that should be part of the decision-making process, whether by an architecture team, an auditing team, or within the context of a purchasing decision.
• A technical discussion with two subsections that address architectural and security analyst considerations.
• Links to trusted sources of information regarding SIEM and SecaaS.
The number of cloud-based security vendors continues to grow for a variety of reasons, including greater economies of scale and streamlined delivery. As a result, organizations of all sizes are evaluating security offerings that are run in a hosted or Web-delivered environment rather than on-premises.
The CSA believes that both senior and IT management need to understand the unique nature of cloud-delivered security offerings so that they are in a position to evaluate the offerings and to understand if they will meet their organization's needs. The SIEM guide is a helpful resource to increase this understanding.
Read more about CSA's security-as-a-service work at https://cloudsecurityalliance.org/research/secaas/#_downloads.
Brian Musthaler is a principal consultant with Essential Solutions Corporation. You can write to him at Bmusthaler@essential-iws.com.
About Essential Solutions Corp:
Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.