Are you using SIEM as a service?



SIEM as a service; in the cloud - Is it possible? Is it a fad? Or, is it yet to evolve?

While we are catching up on cloud transformations, and moving generously in someone's data center, someone's VM or container; SIEM as well joined the cloud market. And, out emerged the companies who offer such SIEM as a Service model[1]. These companies promise to provide SIEM in the cloud, and you gather your logs; and send it to them. Now, a critical question is - does it have the features of a classic cloud model or is it just riding the "cloud" buzz? Now, to understand and assess the true nature of SIEM in cloud as a service it should be assessed on the following,

1. Resource pooling

The classic cloud infrastructure has resource pooling which means resources are pooled together, and served on demand to different tenants. These resources are granted, and removed as user's need. This resource pooling must be elastic, and therefore should be flexible to meet the multi-tenant demands. I doubt that SIEM can address this elasticity or multi-tenancy.

2. Scalability

Cloud is scalable; it can be on-the-fly stretched (or vice versa) for more memory, storage, and computing power. Now, how about the SIEM? Can it accommodate more logs, computing and power to churn millions of logs on the fly? Or is it basically a SIEM installed on a VM (in cloud) which inherently is scalable? Then yes, it's a SIEM as a service, but not cloud SIEM. This is SIEM software installed on a virtual box in a cloud environment.

3. Self-service

The idea behind cloud was to take the load off the local IT, and let 'specialist' vendors manage your 'data'. The cloud vendors therefore provide templates to configure and migrate data. Now, how about the SIEM? AFAIK, IT team has to enable local agents to push logs to the external IP (SIEM in cloud). It is still a task for local IT; and has not fully moved to the 'ease in cloud' category. The rapid-provisioning aspect is missing and therefore, it is more like a 'remote SIEM'.

Most of the vendors in this market are proposing (indirectly) to collect your logs locally (via agents), encrypt them (hopefully) and then transfer them to the remote SIEM instance for you!

Does it sound like cloud? To me, it doesn't. Cloud SIEM has yet to evolve and manage to win the signatures of compliance offers, and auditors in multi-tenant environment.

Stay safe.

Update: My friend Chandra has, as well addressed this topic & other SIEM myths. I would recommend to read his opinions at LinkedIn pulse.

  1. Kustodian SIEMonster SaaS, FireEye Threat Analytic Platform and Proficio’s ProSOC. Refer the article @ InfoSec Institute ↩︎


Rishi Narang

I'm a hacker. I find inventive/ intuitive solutions to problems. I prefer open-source code; helping out people where I can, particularly if it requires an out of box solution. I do believe in karma.